Beijing Strengthens Data Security with New Regulations, Expanding Control Over Domestic and Cross-Border Data

By:

Age: 1 week

Screenshot of CCTV broadcast announcing that the State Council has approved the Network Data Security Management Regulations. (Source: Security 419 via Sohu)

Executive Summary:

  • New Network Data Security Management Regulations approved by the People’s Republic of China (PRC) State Council will serve as a national-level framework to clarify and enhance the implementation of existing laws, including the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Security Law (PIPL), while also superseding subordinate measures from local and ministerial authorities.
  • The Regulations aim to routinize audits of all data stored in the PRC, applying broader and stricter data security controls, particularly over “important data,” which includes categories affecting national security and economic information—including intellectual property. Companies handling such data will need to voluntarily disclose and submit to audits by the Cyberspace Administration of China.
  • The Regulations will extend the PRC’s data security laws to cover both domestic and international data processing and ensure compliance with PRC security requirements for cross-border data flows, which will likely accelerate foreign entities’ compartmentalization and localization of data storage related to the PRC.

The State Council of the People’s Republic of China (PRC) approved draft regulations updating key features of the country’s data security regime in a meeting chaired by premier Li Qiang (李强) late last month (Xinhua, August 30). Once released, the Network Data Security Management Regulations (网络数据安全管理条例) are expected to clarify the implementation of higher-level laws such as the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Security Law (PIPL). As a national-level framework, these regulations will supersede data security measures issued by subordinate ministries and local governments.

Legal and extralegal support for PRC security authorities’ access to networks already exists. As earlier drafts signal, however, the Regulations will routinize and intensify the auditing of all data stored in the PRC locally, while simultaneously expanding the scope of information security and privacy measures to encompass other jurisdictions.

A readout of the State Council Standing Committee meeting held on August 30 stated that the purpose of the Regulations is to (Xinhua, August 30):

  • protect data according to type and sensitivity level based on the multi-level protection scheme (MLPS);
  • clarify the responsibilities of related entities;
  • implement network data safeguarding measures;
  • clarify security “boundaries;”
  • safeguard the cross-border flow of data according to the PRC’s laws; and
  • create a “good” environment for promoting economic development and technological and industrial innovation.

The Regulations will also codify commercial data absorption plans initiated by Chinese Communist Party (CCP) General Secretary Xi Jinping in 2019, when he and the Politburo directed the rest of the CCP to begin work on a single, integrated data infrastructure. This infrastructure was to be capable of supporting strategic objectives including political security, social management, private-public information sharing, and rapid digitization of the economy (Hoover Institution April 18, 2023; 12371.cn, October 31, 2019). Specifically, the Regulations reinforce an emerging compliance system of “data classification and security grading” which requires companies to voluntarily disclose their “important data” and submit to audits coordinated by the Cyberspace Administration of China (CAC) (IAPP, July 11).

PRC legal-regulatory definitions of “important data”—among the categories of data most subject to security controls—are both vague and broad (China Brief, November 17, 2023). Data related to national security, economic development, the public interest, or that have the possibility of “affecting” national security are all potentially classifiable as “important data (重要数据).” Like personal information data and the even more sensitive category of “core data (核心数据),” processing of important data may, in theory, subject all handlers of PRC-related data to the requirement that they disclose their full data assets to PRC authorities as a precondition of offering services and doing business there.

The pinnacle of data security regulation is the Party body that controls the CAC itself, the Central Commission for Cybersecurity and Informatization (CAC, November 14, 2021). Xi Jinping has led this body since its establishment in 2014, with key deputy Cai Qi (蔡奇) reportedly stepping into a key role sometime in 2023 (SCMP, March 28; People’s Daily, July 27, 2023). Below the level of the Party Center, security organs, government ministries, enterprises, and officially approved data security “evaluators” comprise the matrix of entities tasked with data classification, handling, review, and security enforcement. The Ministry of Industry and Information Technology (MIIT), for example, has already issued its own multi-year action plan for data security implementation and supervision targeting industries such as semiconductors, automobiles, steel, and textiles (SECRSS/Industrial Internet, February 26). MIIT officials have signaled that one overarching objective of new requirements governing cross-border data flows will be to facilitate absorption of foreign “data factor resources” in high-value industrial sectors (SECRSS/Expert Observations, June 7).

An unmistakable intention of Beijing’s ongoing data regulation efforts is therefore expanding access to—and control over—foreign data along with enhancing protections for PRC data. Consistent with the CSL, DSL, and PIPL, the Regulations would seek to apply PRC data security law to data processing activity both inside and outside of the PRC (CAC, November 14, 2021). This includes requirements that handlers of PRC-related data report breaches to the CAC and the PRC’s public security departments. The Regulations create sweeping access by PRC authorities to data processing activity—including all records of such activity. For entities forced to comply with PRC outbound cross-border requirements, localization and compartmentalization of PRC-related data storage may serve as the only mitigating factors to that access.