China new cross-border data transfer rules and what it means for international firms

China’s new Data Security Law is classifying data into three categories. (Photo by STR / AFP) / China OUT

Three new categories of data under China’s new Data Security Law

  • A month after the Data Security Law took effect, Beijing listed what China’s new data protection law really means.
  • The draft regulations, published by China’s Ministry of Industry and Information Technology, classify data into three categories and ban the exports of what has been classified as core data.
  • The ministry is open to public feedback on the proposed regulation until the end of October

Just last month, China passed a new Data Protection Act, called the Personal Information Protection Law (PIPL).  While it closely resembles the world’s most robust framework for online privacy protections, Europe’s GDPR, it has its own notable differences. Now, a month later, Chinese authorities released new regulations to classify data based on the level of importance and risk to national security and overseas interests.

The whole point of the new set of regulations published by China’s Ministry of Industry and Information Technology to give much-needed clarity to foreign-listed companies and others required to transfer potentially sensitive information abroad. It is a part of the government’s move to address consumer worries about the gradual erosion of their privacy as tech companies make rapid advances.

Data classification under China’s law

According to the draft regulations, data generated from industrial and information technology sectors in China, including raw materials, equipment manufacturing consumer products, electronics manufacturing, explosives for civil uses, and software, are subject to newly proposed restrictions. 

That said, the government will classify data into three categories: general data which has limited social impacts; vital data that could threaten China’s economic, social, cultural, cyber, ecological, and nuclear wellbeing and compromise China’s overseas interests; and core data that seriously threaten national security and could have major social and economic implications. 

Specifically, depending on a data set’s specific impacts, biological, space, polar, and deep-sea activity, and artificial intelligence data is considered to be vital or core data.

Based on the drafted regulations, all the data from industrial and information technology sectors are to be stored within China, as per relevant laws and regulations. 

The proposed regulations also ban core data from leaving the country. Should there be a compelling reason for the data to be transferred outside of China, they require security appraisals to be taken first for the exports of vital data.

So what’s the impact?

Overall, the latest draft regulations are China’s first attempt to churn out details publicly on how to classify data, which aim to support better implementation of the Data Security Law.

Currently, the law only requires companies to sort and classify their data into different categories based on risk and imposes severe penalties on companies moving “core data” out of China. 

According to an analyst quoted by the Global Times, “The new regulations could have implications for foreign companies operating businesses in China.”

Take data generated by smart internet-connected vehicles for instance — it should face limits if a company wants to transfer it outside of China, Xiang said.

Additionally, violation of the regulations could result in fines, suspension of businesses, and revoking of business licenses.