data security File photo

China is mulling establishing a hierarchical data classification management and protection system according to a draft regulation on the data security released by China's cyberspace regulators on Sunday.  

Industry observers view it as a highly anticipated regulation to better allow data to be transferred in a safe way, protecting the legal rights of persons and institutes and safeguard national security.

The Cyberspace Administration of China (CAC) issued a notice, soliciting public opinions on the draft regulation on the management of data security, in a bid to better regulate data processing activities, protect the legal rights of persons and institutes and safeguard national security and public interests.

One of the highlights is that China will establish a hierarchical data classification management and protection system. 

The regulation stipulates that data is classified into three categories - general, important and core - based on their degrees of impact on and significance to national security, public interests or the legitimate rights and interests of individuals or organizations.

The regulation, consisting of nine chapters, is a list of detailed rules to better implement the requirements of data protection stipulated by the Personal Information Protection Law, Cyber Security Law and Data Security Law, Xie Yongjiang, executive director of the internet management and legislation research center of Beijing University of Posts and Telecommunication, told the Global Times on Sunday. 

The core of the regulation is that it standardizes how data can be processed and transferred domestically and cross-border, by clarifying the behaviors of data processors, platform providers and the responsibilities of cyberspace administrators, Xie said. 

The core of cybersecurity is data security, which attaches great importance to national security, public interests and personal legal rights. The release of the draft regulation makes China's legal system on data protection a "practical" and "performable" action, said Qin An, head of the Beijing-based Institute of China Cyberspace Strategy.

"The draft regulation not only ensures mobility of data as a key production factor, but also protects its security," Qin said.

Qin gave an example to illustrate the differences between general data, important data and core data - data of military aircraft or airports is core data, cargo transportation at civil airports is important data, while information on general flights is general data.

Discussions on establishing a hierarchical data classification management and protection system have been going on for many years in China, so its inclusion into the draft regulations marks a big step for internet security management, Liu Dingding, a Beijing-based independent tech analyst, told the Global Times on Sunday. Liu believes that core data may include map data of the country's villages and cities such as geographic location of sensitive areas.

Meanwhile, the regulation details how data collected inside the country will be transferred to overseas regions. Data users who provide personal information collected inside China to overseas recipients should inform the data owners of the recipients' name, contact information and purpose. 

According to the regulation, data users can be fined up to 10 million yuan ($1.56 million) in violation of the stipulations concerning data providing to regions outside China.

Liu said this regulation aims to better regulate data collection of domestic consumers. "Data centers run by domestic companies that do not involve domestic users may still be allowed to be in places outside the Chinese mainland," Liu said.

Experts said the release of the regulations, similar to traffic rules, will not impact normal operation of internet companies as many companies have already established general classifications on data protection, and with the future launch of the new regulation, their classifications will have to match with the national ones, which will make the industry more professional and orderly. 

The draft also proposed that risk assessments should be made if data users want to use biometrics for personal identity authentication. Biometric features such as face, gait, fingerprint, iris and voice print shall not be used as the only means of personal identification to compel individuals to agree with the collection of their personal biometric information.

Besides, the regulation stipulates that data security incidents will be included in the national cybersecurity incident emergency mechanism. When a data security incident occurs, the emergency response mechanism shall be activated in a timely manner, and measures shall be taken to prevent the expansion of hazards and to eliminate potential security risks.

The draft will be open for public suggestions until December 13. As of June, China had 1.011 billion internet users, with 4.22 million internet websites and 3.02 million apps.