Draft rules seek to safeguard network data security

China's top cyberspace regulator has released draft regulations on assessing network data security risks as it seeks to strengthen and promote the lawful, reasonable and effective use of data.

The Cyberspace Administration of China said in a statement on Saturday that the proposed measures are intended to safeguard network data security.

According to the draft, a network data security risk assessment refers to the identification, analysis and evaluation of security risks related to data and data-processing activities.

The rules require processors of "important data" to conduct risk assessments of their data-processing activities annually. If major changes occur in the security status that could adversely affect overall data security, a targeted assessment must be carried out promptly.

Processors of "general data" are encouraged to conduct a risk assessment at least once every three years.

According to the draft, data processors may conduct assessments themselves or entrust certified third-party institutions to do so on their behalf. However, if an assessment institution identifies major data security risks, it must promptly notify the data processor and, in line with relevant regulations, report the matter to cyberspace authorities at or above the provincial level, as well as to relevant regulators.

The draft also specifies several situations in which data processors must hire a certified assessment institution. These include cases in which data-processing activities pose relatively high security risks, or when a data-security incident has occurred that resulted in the leak or theft of important data or large-scale personal information.

A certified assessment is also required if data-processing activities pose a threat to national security or the public interest.

The draft outlines obligations that data processors must fulfill during risk assessments, including granting assessment personnel access to necessary data facilities, systems and operation logs. Processors are also required to address problems identified during an assessment and submit a rectification report within 15 working days after completion.

If authorities discover, during the assessment process, that certain data-processing activities may endanger national security or the public interest, they must order the processor to make corrections. For entities that refuse to comply or fail to meet rectification requirements, regulators may impose additional measures, including ordering them to stop processing important data.

Wang Zhicheng, an official responsible for data and technical support at the Office of the Central Cyberspace Affairs Commission, said the draft measures establish a "full life cycle and multi-element "evaluation system designed to respond to emerging security challenges posed by technologies such as artificial intelligence, big data and blockchain.

In a commentary published on the administration's website, Wang said the measures embed risk assessment throughout the entire data life cycle, from collection, storage and use to processing, transmission, provision, disclosure and deletion.

The draft also evaluates multiple dimensions, including technology, management, personnel and institutional mechanisms.

Technologically, it examines the effectiveness of security protections; in management, it assesses internal rules and their implementation; and in personnel, it reviews job roles and divisions of responsibility.

Members of the public are encouraged to provide feedback on the draft rules by Jan 5.