China’s cyber watchdog unveils new draft data management regulations

The Cyberspace Administration of China, the nation’s cybersecurity watchdog, issued a set of draft regulations on Sunday aimed at protecting the nation’s internet data security.

Among other things, China intends to divide data into three categories -- common, important, and core -- depending on its importance to national security, the public interest and, individual privacy, the regulations said.

“The state provides key protections for personal information and important data, and strictly protects core data,” the regulations read, adding that regional departments will be responsible for putting data in their regions into their requisite categories.

The proposed regulations, which run for pages, are short on precise details. It is unclear, for example, what constitutes a national security concern. Explanatory notes suggest a wide range of “important data” could be deemed a national security concern including everything from unpublished government information to economic data.

The new regulations would “apply to data processing activities and the supervision and management of network data security within the territory of the People's Republic of China,” the draft reads, and will also apply to individuals and organizations outside of China that provide “products or services within China.”

Any company that “analyzes and evaluates the behavior of domestic individuals and organizations or are involved with important domestic data processing” would be bound by the new regulations, the draft said.

That suggests that foreign companies like Google, Meta, and Twitter would have to comply with the new rules even if they don’t have operations in China.

The regulations also address cyber security. They will require, for example, that data processors establish some sort of a data security emergency response mechanism that would be activated when a breach happens.

“If a security incident causes harm to individuals or organizations, the data processor shall notify the security incident team and assure that remedial measures have been taken within three working days,” the regulations read. “If a security incident is suspected of being a crime, the data processor shall report the case to the public security organ in accordance with regulations.”

For large breaches that either involved important data or the personal information of more than 100,00 people, the data processor is also required to report the incident to municipal authorities within eight hours of its discovery and provide a report about the cause of the incident, its consequences and any remediation to the local network department within five working days.