China Introduces Four-Tier Classification for Possible Data Security Incidents

18.12.2023

The draft is open for public comment until January 15, 2024.

China has introduced a four-tier classification mechanism in a draft regulation to address possible data security incidents. Industry observers believe the draft highlights the country's comprehensive security strategy, which focuses on promoting industry development while holding to the bottom line of ensuring security.

The draft - released by the Ministry of Industry and Information Technology (MIIT) on Friday - specifies how the ministry, local industry regulatory departments, data processors and emergency supporting agencies as well as expert teams should react in the face of security incidents.

The term "data security incident" refers to incidents in which data is tampered with, destroyed, leaked, or illegally obtained or used, causing harm to national security, the public interest, or the legitimate rights and interests of individuals and organizations.

The draft suggests a four-tier, color-coded warning system based on the harm that incidents cause to national security, the public interest, social order and the economy. Ranked from high to low, the tiers are marked red, orange, yellow, and blue, corresponding to the possibilities of "extremely grave," "major," "moderate grave," and "general" data security incidents.

If an incident involves economic losses of more than 1 billion yuan, or the personal information of 100 million people or more, or the sensitive personal information of 10 million people or more, it should be classified as "extremely grave."

The MIIT draft emphasizes China's comprehensive security strategy, which focuses on promoting industry development while giving priority to security. It is only when we ensure the security of our data that our digital economy can flourish, Li Zonghui, vice president of the Institute of Cyber and Artificial Intelligence Rule of Law affiliated with Nanjing University of Aeronautics and Astronautics, told the Global Times on Saturday.

This draft coincides with the release of a draft three-year action plan by the National Development and Reform Commission (NDRC) on Friday, which projects that the annual growth rate of the data industry will surpass 20 percent by the end of 2026.

The action plan outlines requirements for developing the data industry in five aspects, such as activating the potential of data elements. These include 12 key actions, which mention support for general artificial intelligence (AI) large models and AI large model training in vertical fields. By the end of 2026, the three-year draft plan requires the expansion of data element application scenarios in both scale and depth, creating over 300 exemplary application scenarios.

According to the MIIT draft, once a data security incident is detected, data processors are entitled to make the judgment first. If the tier classification is "moderate grave," "major" or "extremely grave," they should report to local industry management departments immediately and in a fact-based manner.

In "extremely grave" and "major" incidents, local industry regulatory departments should report to the data contingency mechanism office by phone within 10 minutes or in writing within 30 minutes.

The MIIT draft also requires local industry regulatory departments to conduct drills to cope with possible data security incidents, and asks data processors to conduct at least one annual drill to improve their coping capabilities.

Source: Global Times
