BEIJING—The Chinese regime published new draft measures on Thursday aimed at bolstering its new data security law, including definitions of what it considered “core” and “important” data.
The Chinese regime implemented the Data Security Law on Sept. 1. which requires all companies in China to classify the data they handle into several categories and governs how such data is stored, and transferred to other parties.
But lawyers have criticized its ambiguities including its lack of definitions for data.
Thursday’s draft measures describe in detail three categories of data—ordinary data, important data, and core data.
The Chinese regime describe ordinary data as data with a minimal ability to impact society at large, or that will affect a small number of individuals or enterprises.
Important data is defined as data that poses a threat to the Chinese regime’s national and economic interests or impact the rights of individuals and organizations, and has an “obvious cascading effect” across a range of industries and enterprises.
Core data, meanwhile, is defined as data that poses a “serious threat” to the Chinese regime’s national and economic interests. Disruption of important data could cause “major damage,” leading to “large-scale shutdowns,” or “large-scale network and service paralysis.”
The regulator adds that organizations may “self-assess” the security of ordinary data, but must conduct annual assessments at least once each year.
Organizations must also receive approval for cross-border transfer of core data and important data via a special mechanism, the rules state.
Data policy has become one of several areas regulators have targeted amid an ongoing crackdown on industry that has unfolded throughout the past year. China’s data security law builds on the 2017 cybersecurity law, which marked the first major set of rules governing the storage and transfer of data of Chinese origin.
By Josh Horwitz