State interests, not company priorities, determine 'important data,' Chinese official says

7 January 2020 2:46pm
top secret stamp

6 January 2020. By Xu Yuan.

Data referred to as "important" under China's data-protection regime, which is subject to scrutiny before being exported, is evaluated against its importance to the country, not its importance to businesses or individuals, a Chinese cybersecurity official said.

"The important data [as required by the law] is important data for a country, and not for companies or individuals," Liang Bo, director of the Cybersecurity Coordination Bureau of the Cyberspace Administration, told a data conference in Zhuhai.

China's Cybersecurity Law, which came into effect in June 2017, requires localization of personal information and important data collected by operators of critical information infrastructure and security reviews to be carried out for any export.

Liang's remarks are in response to companies' concerns on whether data collected from the operation of multinational companies could be categorized as important data.

In the draft Data Security Management Regulations published last May, important data is defined as data that, if leaked, could directly affect national security, economic security, social stability, public health and security.

Important data doesn't include information relating to companies' internal production, operation or management, or personal data, according to the May draft.

Liang said data can be exported from China if it doesn't impose harm to national security or social interest and personal data involved is property protected.

The Cyberspace Administration, China's Internet regulator, published draft regulations for exporting personal data in June 2019. The regulator is currently drafting similar regulations for important data.

The official said that in drafting the regulations, the regulator had consulted international experiences, including the APEC Cross-Border Privacy Rules and the EU's General Data Protection Regulation.

The regulator has also taken into consideration the demand for cross-border data flows in globalization and sought to balance the relationship between cross-border data flows and data security management, according to Liang.

"We have received a large amount of feedback from both domestic and foreign businesses, experts and government departments," Liang said. "We are currently digesting and revising [the draft]."