Type to search

China’s new data security law extends sovereignty to cyberspace

facial recognition technology that can be used to make deepfakes
The case comes at a time when China is tightening scrutiny of technology and apps capable of manipulating voice and facial data. Photo: Reuters

(ATF) With China planning to spend trillions of yuan on technology upgrades, from 5G to the industrial Internet, and massively boosting its data capacity, a new law governing this new state infrastructure has been announced. It will affect more than just people living in China, as there are international aspects as well.

China is well known for its ‘Great Firewall’ – a nationwide intranet with only two gateways to the outside world. Under this new law, dominion is spread to all of cyberspace.

China’s new Data Security Act is close to coming into force. A draft of the law has been released, which raises data security to the legislative level. In this, organisations and individuals carrying out data activities are clearly defined, along with data security protection obligations and responsibilities, with basic security management systems such as data classification outlined.

A consultative briefing by Hangzhou Mechuang Technology research has been published, drafted by Cui Congcong, Secretary-General of the Cyberspace Security Law and Public Policy at the China Cyberspace Security Association, and Xiao Sa, director of the China Banking Law Society.

Article 2 of the draft clearly stipulates that the scope of the law applies to data activities carried out within China, and that includes the special administrative regions of Hong Kong and Macao.

‘Extraterritorial application’

But the draft also seeks to endow this law with an extraterritorial application, by including provisions in regard to organisations and individuals outside China who carry out data activities that damage the country’s national security, public interests, or legitimate rights and interests of its citizens and organisations.

The scope of application should be a prerequisite for understanding the law. Article 2 says although in the traditional legal theory, such provisions can only be dominant within the territory and space of a sovereign nation, the law itself is a manifestation of the will that China, in an interconnected world, believes the extension of its sovereignty is boundless in cyberspace.

China accepts it may not actually be able to investigate and enforce the law unilaterally. But it plans to establish bilateral and multilateral agreements at the national level, and promote a settlement on data security issues through diplomatic channels.

The draft says the state’s security leadership is responsible for decisions and coordination in relation to data security. It then clarifies that each region and department has the main responsibility for data and security of that, in terms of how it is aggregated and processed. Public security organs and national security agencies supervise security in their respective areas of responsibility.

A person takes part in a conference on Zoom. China is preparing for a digital future. The information superhighway is coming. Photo: Albert Gea/ Reuters.

Obligations, blockchain

Chapter 4 goes into detail about the obligations to secure state data. It supplements the areas where management responsibilities may be missed, and forms a complete set of management responsibility systems.

A transaction management system will be introduced, using blockchain, with a nationwide “closed loop” managed from the centre, with countless closed loops within the main national one. Everyone from bond traders to farmers selling vegetables will operate within this system, and be supervised under this law.

The implementation of mechanisms and systems requires the support of platforms and technical capabilities. In fact, the draft law also has certain clear requirements. For example, Article 20 says that the country must establish a centralised, efficient and authoritative data security risk assessment and reporting function, with information sharing, monitoring and an early warning mechanism. It also discusses strengthening the acquisition, analysis, research and judgment of “risk information”.

Later, in Article 28, it says that risk assessment reports should include the type and quantity of important data held by an organisation, the status of collection, storage, processing, and use of data, the data security risks faced, and what to do in response measures.

Data transaction management

Article 17 says the country must set up and improve a data transaction management system to regulate the data transactions and cultivate a data transaction market.

Articles 30 and 31 outline the relevant requirements and supervisors related to the data transactions department. The passing of the law will be an important step as China moves towards being a cashless society.

The new law is expected to support a digital economy, and is a reflection of the “security and development” of that. Future service opportunities such as increasing development of the digital economy, a data trading market, and data security testing and certification will be done under the umbrella of this law.

In a bid to become a leader in the field of data security and governance, many Chinese tech firms will also focus on data security solutions. From data security governance, data use security, data flow security, external intrusion security (hacking), data storage encryption, prevention of crime, data security situation awareness, and other issues, China will build a comprehensive data security protection system for various industries.

That will enhance the construction of a digital government and digital China.

Chris Gill

With over 30 years reporting on China, Gill offers a daily digest of what is happening in the PRC.


AF China Bond