China implemented the Data Security Law on Sept. 1, which requires all companies in China to classify the data they handle into several categories and governs how such data is stored and transferred to other parties.
But lawyers have criticised its ambiguities, including its lack of definitions for data.
Thursday’s draft measures describe in detail three categories of data: ordinary data, important data, and core data.
The authorities describe ordinary data as data with a minimal ability to impact society at large, or that will affect a small number of individuals or enterprises.
Important data is defined as data that poses a threat to China’s national and economic interests or impacts the rights of individuals and organizations, and has an “obvious cascading effect” across a range of industries and enterprises.
Core data is defined as data that poses a “serious threat” to China’s national and economic interests. Disruption of important data could cause “major damage,” leading to “large-scale shutdowns,” or “large-scale network and service paralysis.”
The regulator adds that organizations may “self-assess” the security of ordinary data, but must conduct such assessments at least once each year.
Organizations must also receive approval for cross-border transfer of core data and important data via a special mechanism, the rules state.
Data policy has become one of several areas regulators have targeted in an ongoing crackdown on industry that has unfolded throughout the past year. China’s data security law builds on the 2017 cybersecurity law, which marked the first major set of rules governing the storage and transfer of data of Chinese origin.