China Data privacy: Beijing to define data protection law
In a bid to protect data, the Chinese government has ordered companies and local organizations across the country to conduct regular reviews of their data. These reviews can then be used to apply the proper data protection laws. The data will be classified on a three-level scale.
The order asked the firms to identify ‘important’ and ‘core’ data and protect it. These terms are defined in a document released by the government.
Classification of the Data
The ‘important’ data has been defined based on a number of parameters. These include data that can cause major data security incidents or production safety incidents. It also includes data that ‘poses threats’ that can affect overseas interests and production. This is the type of data that, if it falls into the enemy’s hands, can harm national security. It covers data on various critical technologies like artificial intelligence and space programs.
The ‘core’ data includes the data that can cause large-scale shutdowns, network and service paralysis, and loss of business processing capabilities. The loss of this data, though still disastrous, would be a little less harmful than the loss of ‘important’ data.
The nature of the data will be determined by the Ministry of Industry and Information Technology. Even if the data does not fall under any pre-defined category, it is up to the ministry to classify the data as ‘important’ or ‘core’.
The agencies have also been asked to formulate emergency plans for data security incidents and to conduct regular drills.
The whole process will be overseen by a party committee made up of Communist Party members. Their say will be the final one. The document says that the person in charge of data security is ‘directly responsible’ for appointing people, assigning duties, and ensuring a smooth communication flow.
The document also cautioned the authorities to not use cheating and ‘stealing’ to collect data. The principles of justice and lawfulness need to be followed, the document said.
Storage of Data Is Important
The document also asks that the data be stored in encrypted form. Storage has been given a separate article and thus more importance. The government of China has advised the use of technology including cryptographic technology and verification technology.
In case of any mishap, a disaster recovery backup is to be maintained to prevent the loss of data. The core data is stored in the country, and the document instructs that ‘remote disaster recovery and backup’ be ensured.
In case of anyone needing access to the important or the core data, the document says that a proper approval mechanism must be set in place. Records must be kept and a registration process must be followed.
When the ‘important’ data is accessed by someone else, measures like data ‘desensitization’ need to be put in place. Also, an approval mechanism must be formulated. And in the case of ‘core’ data being shared, it must pass the approval of a safety work coordination mechanism.
The security of this data has been given utmost importance. Even before receiving the data, the industrial and telecommunications data processors need to have a security protection capability in place and a security agreement signed. The agreement must clearly state the usage, time limit, and purpose of the data sharing.
Non-Disclosure and Destruction of data
There are also various kinds of data that cannot be disclosed at any cost. They include trade secrets, confidential business information, and data that has implications for national security.
This is not all: a strategy has also been laid out for destroying the data, just in case. A data destruction strategy and management system are required to be put in place. The data can be destroyed if need be for national security. It can also be destroyed if the clause of destruction has already been mentioned in the business contract.
With clear guidelines and instructions, China is set to become one of the few countries to have data protection norms. It will impact not only the information going into China but also the information coming out of China. Various companies that have invested in China are expected to be deeply impacted by this.