Data privacy in China: Beijing to define data that will not be allowed to leave the country easily
- Data to face restrictions when it comes to overseas transfer will cover areas including economic operations, population, natural resources and the environment
- Data categorisation will be a key part of China’s data governance regime and fine print will have far-reaching implications for Chinese companies
Chinese policymakers will soon release guidelines for defining “important data”, classifying it into eight categories based on its impact on national security, a top researcher at a state-owned cybersecurity think tank has revealed.
Data to face restrictions when it comes to overseas transfer will cover economic operations, population, natural resources and the environment, science and technology, safety and security, application and services, political activities and others, Zuo Xiaodong, vice-president of the China Information Security Research Institute, a Beijing-based think tank that advises the Chinese government on cybersecurity policies, said at an industry conference last week.
His comments were reported by the Southern Metropolis Daily, a local newspaper.
Data categorisation will be a key part of China’s data governance regime and how Beijing defines the importance of data will have far-reaching implications for how Chinese companies, especially China’s tech firms, collect and use relevant customer data.
Didi Chuxing, a ride-hailing giant, recently came under a cybersecurity review after it was accused of “forcing its way” to make an initial public offering in New York.
Zhuang Rongwen, the chief of the Cyberspace Administration of China (CAC), the agency that is leading the probe into Didi, said in Beijing on Monday that one of the regulatory priorities will be “data security and cybersecurity”.
Zhuang told the Global Digital Economy Conference, a forum held by the Beijing municipal government, that the government will also try to prevent “monopolies” and unfair competition by online platforms. Zhuang did not mention Didi Chuxing directly in his speech.
China’s Data Security Law, passed in June and slated to take effect on September 1, has set hefty punishments for companies that transfer key data overseas without proper authorisation from the government.
Under the new law, companies that transfer the state’s “core data” overseas without proper approval from Beijing will face a penalty of up to 10 million yuan (US$1.56 million) and could be forced to shut down, and companies that hand over “important data” to a foreign judiciary or law enforcement agency without prior approval will be fined up to 5 million yuan.
But the law fell short of defining “core data” and “important data”, leaving the Chinese regulator to work out the details for implementation.
“‘Important data’ has only been vaguely defined, frustrating companies as they try to assess how much of their data will be subject to restrictions,” policy research firm Trivium China wrote in a note last Friday.
China’s National Information Security Standardisation Technical Committee, an agency formed by members from different ministries, published a draft policy document that tried to define which data should not be transferred abroad, but the draft, which defined data in 28 specific industries, proved hard to enforce, said Zuo.