China’s data law: Why hierarchical data classification matters

• China’s data law will soon include a hierarchical data classification management and protection system
• Data will be classified into three categories: general, important, and core
• China aims to build a comprehensive regulatory system for both cybersecurity and data protection governance

It took almost one year and three review periods before the new Data Security Law (DSL) of the People’s Republic of China was officially passed on June 10 of this year. The law took effect on September 1, demonstrating China’s efforts to address the protection and processing of various types of data, under the premise of strengthening the foundation of their national security.

Now, according to DSL draft legislation released by China’s cyberspace regulators on Sunday, the world’s most populous country is considering establishing a hierarchical data classification management and protection system, which will categorize and protect data based on importance. This will exist alongside the tightened restrictions on data transfers, accompanied by severe penalties for noncompliance.

Surprisingly, the notice issued by the Cyberspace Administration of China (CAC) is seeking public opinion on the drafted regulation on the management of data security. It is a bid to better regulate data processing activities, protect the legal rights of persons and institutes, as well as safeguard national security and public interests.

How does hierarchical data classification work?

Overall, non-chapter regulation consists of a list of detailed rules to better implement the requirements of data protection as stipulated by China’s Personal Information Protection Law, Cyber Security Law, and Data Security Law.

According to the regulation, data is classified into three categories – general, important, and core – based on their degree of impact on, and significance to, national security, public interests, or the legitimate rights of individuals or organizations. In a nutshell: the more highly-classed the data, the stricter the management and protection requirements, and the harsher the penalties for a breach. 

“The state provides key protections for personal information and important data, and strictly protects core data,” the regulations read, adding that regional departments will be responsible for putting data in their regions into their requisite categories. 

To illustrate the differences between general data, important data and core data, The Global Times report outlined that “data of military aircraft or airports is core data, cargo transportation at civil airports is important data, while information on general flights is general data.” In particular, national core data and important data will be subject to stricter protection and supervision.

National core data — a new concept under China’s Law

The “national core data” concept refers to the data concerning national security — the lifeline of the national economy, people’s livelihoods, and major public interests. Article 21 provides that a “more stringent regulatory system” shall be implemented in relation to such national core data. 

The DSL does not elaborate further on what such a stringent regulatory system would be; however, the penalty includes a fine of up to RMB10 million on top of other penalties for a violation of the requirements relating to national core data. 

Important data

The idea of important data was first raised in the Cybersecurity Law that came in effect in 2017. Under the law then, network operators in China are required to categorize data and formulate backup and encryption measures for the protection of important data. 

This time, the DSL requires that business operators that process important data must appoint a responsible person and establish a specific internal department for important data protection, carry out risk assessments on a regular basis, and report the risk assessment results to the competent authorities.

Additionally, under the DSL, different administrative regions and industrial sectors are authorized to formulate their own specific important data catalogs with protection requirements. To put it simply, business operators in different regions and industries are also applicable to the specific regional or industrial categorization of important data when running their operations daily.