Draft law aims to bolster data security

China is stepping up efforts to strengthen data security, especially that to be provided overseas, by legislation to better regulate data processing and safeguard State and personal information security.

The Cyberspace Administration of China, the country's top internet watchdog, unveiled on Wednesday a draft regulation on managing data related to automobiles, to intensify the protection of personal and other crucial data generated on the Chinese mainland.

The draft applies to operators that design, produce, sell, maintain the service of and manage automobiles on the mainland, when they collect, analyze, store, transmit, inquire about, use and delete personal information and key data.

It stipulates that individuals must agree to the collection of their personal data, and personal information or key data should be stored on the Chinese mainland. Data that is to be provided offshore must receive and pass data exit safety assessments by the nation's cyberspace authorities.

When operators offer personal information or key data abroad, they will need to take effective measures to clarify and supervise that receivers' use of the data is in accordance with the purpose, scope and manner agreed to by the two sides, in order to ensure data security, according to the draft regulation.

The administration released the full text of the draft regulation online for public advice before June 11. On Wednesday night, US car manufacturer Tesla said in a statement regarding the draft regulation on Sina Weibo, China's equivalent of Twitter, that it supports and answers the call to have a more regulated industry, and "the public is welcome to offer suggestions to the authorities".

The latest draft follows an earlier draft law on data security that was submitted to the Standing Committee of the 13th National People's Congress, China's top legislature, for a second review in late April. The draft law highlighted the security of outbound data while aiming to promote the development of the data sector.

The draft law specifies that those who privately provide domestic data to judicial or law enforcement agencies overseas may face a fine of up to 1 million yuan ($155,000), and it tightens management of operators trying to take data collected or generated on the mainland to overseas areas.

Besides operators of critical information infrastructure, more data processors, including those of enterprises and data analysis centers, will also face stricter management if they produce or collect data on the mainland, according to the new draft law.

"In other words, the scope of outbound data security management in the latest draft law has been expanded," said Zhang Tao, a lawyer at Beijing Huaxun Law Offices who specializes in the sector.

"The move is necessary, as the aim of the legislation is to ensure data activities are safe in each step," he said, adding that security is the foundation of data use and development.

How to keep a balance between ensuring data security while promoting the sound development of the sector has become a hot topic in China, as the country has seen a rapid growth of big data and data flow in recent years.

Liu Yaohua, a researcher at the China Academy of Information and Communications Technology, published an article in China Economic Weekly in April, in which he said China urgently needed to improve rules on cross-border data flow, as the data sector is booming and many new challenges have surfaced.

The article cited a survey by the Washington-based Brookings Institution, which found that between 2009 and 2018, cross-border data flow contributed about 10 percent to global GDP growth, and the contribution could exceed $11 trillion by 2025. It also noted that the United States, the European Union and other countries or regions have made different cross-border data flow policies based on their own security and economic growth situations.

Liu said a series of high-level policies and rules on cross-border data flow have been implemented at the national, industrial and enterprise levels in China since the Chinese Cybersecurity Law took effect in 2017. He also said China should ensure that data will flow in a legal and orderly manner.

Li Guangqian, a researcher at the Development Research Center of the State Council, said that at present, countries have different attitudes toward cross-border data flow, but he believes that protecting personal information and key data for a country is as important as promoting the development of the data industry.

"China should deal with the cross-border data flow from the perspective of compliance, and formulate relevant rules in line with our own national conditions," he was quoted as saying by the Financial News in April.