In 2023, countries worldwide continued to strengthen their cybersecurity capabilities and systems in response to their national needs, using regulatory means to enhance their cybersecurity management. Based on continuous tracking and research, NSFOCUS summarized the development of global cybersecurity regulations and policies in 2023, hoping to provide valuable insights and guidance for stakeholders, policymakers, and cybersecurity professionals navigating this dynamic landscape.
The series includes four aspects: “Network Security,” “Data Security,” “Privacy Protection,” and “Tech Development and Governance,” with content organized in chronological order. (Related Link: 2023 Cybersecurity Regulation Recap (Part 1): Network Security)
This article focuses on regulations and policies of data security, which mainly cover the following aspects:
- Data Security Industry Planning
- Strategic Alignment
- Cross-Border Data Security
- Industry Data Security Supervision
- Data Foundation System
- Data Security Sharing Mechanism
The Ministry of Industry and Information Technology of China, the State Internet Information Office, and sixteen other departments jointly issued the Guiding Opinions on Promoting the Development of the Data Security Industry.
The Guiding Opinions accelerate the implementation and improvement of the data security industry system and capabilities. It not only enriches the fundamental theory of the data security industry but also clarifies the system and elements of the data security industry, providing strong impetus for the development of enterprises on the supply side of data security.
The Guiding Opinions focus on two key perspectives: “how to view” and “how to do,” addressing four fundamental questions about the development of the data security industry: industry definition, industry goals, industry system, and development elements. It also has plans for how to build the data security industry system and capabilities.
The release of the Plan can lead to breakthroughs in four aspects:
- Systematically improving the development pattern. The Plan, through the framework of “2522” and a design oriented towards systematic and ecological development, assists in expanding the scale of China’s network and data security industry.
- Pragmatically expanding application demands. The Plan connects key application areas with large projects and platforms under construction or to be constructed, helping to inspire and expand the incremental market for network data security applications.
- Inherently specifying the supply direction. The Plan proposes requirements for technological self-reliance and security controllability, which will be a crucial breakthrough for leading and expanding market growth.
- Emphasizing mechanism guarantees. The Plan, through specific guarantee measures such as institutions and funds, as well as strengthening the assessment and skill requirements for “Party and government leading cadres and civil servants,” will broaden the development dimensions of the network and data security market.
With the accelerated global digital transformation, data has gradually become an indispensable resource in the process of societal development. How to fully leverage the value of data while ensuring data privacy has become a common challenge faced by countries in safeguarding data security.
In response to such issues, the Strategy proposes to accelerate the research and application of PPDSA, combined with robust data governance measures. This aims to promote data sharing and analysis while protecting individual privacy and sensitive data, ultimately fostering innovation in the United States related to personal information and data security technology.
The Strategy’s proposed PPDSA is a solution that balances data collection, analysis, and the ethical and sociotechnical issues they raise. It comprises a range of approaches spanning methodological, technological, and sociotechnical measures. It utilizes Privacy-Enhancing Technologies (PETs) for data analysis, extracting data value while ensuring user privacy. PETs, as defined in the Strategy, refer to a broad range of technologies that protect privacy by removing personal information, reducing personal data processing, or preventing illegal processing of data while maintaining the functionality of the system.
In recent years, the United States and the European Union have been exploring bilateral mechanisms for cross-border data transfer. However, due to differences in their legislative systems, previous arrangements such as Safe Harbor and the Privacy Shield were invalidated by the Court of Justice of the European Union. In March 2022, the U.S. and the EU reached a preliminary agreement on the new EU-U.S. Data Privacy Framework. In October 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ to implement the U.S. commitments under the EU-U.S. Data Privacy Framework. The formal adoption of the EU-U.S. Data Privacy Framework by the European Commission marks the third formal arrangement on cross-border data transfer between Europe and the United States. The Framework’s ongoing operation will undergo regular reviews by EU and U.S. authorities to verify whether the relevant commitments are fully implemented and effectively practiced within the U.S. legal framework.
China’s National Internet Information Office and five other departments jointly issued the Notice on Regulating Matters Related to Data Services of Currency Brokerage Companies, strengthening data security governance in the financial sector.
Currency brokerage companies, due to the nature of their business, handle a significant amount of raw financial data and the cross-border movement of related data, posing potential data security risks. The joint issuance of the Notice by multiple departments highlights the complexity of, and the high attention paid to, data security issues in the financial sector. The Notice specifies the data security protection obligations that currency brokerage companies should fulfill, focusing on establishing a sound data governance mechanism to ensure data security and on strengthening protocol management. It also clarifies two criteria for the data standards to be provided and the list of data service agencies.
The Guiding Opinions define data assets as specific resources that a particular entity legally owns or controls, capable of being measured in currency, and bringing direct or indirect economic benefits. It presents three major attributes, four factors, and five characteristics of data assets, along with a basic solution for measuring the value of data elements. The Guiding Opinions provide essential operational guidance for data asset assessment.
At the national standard level in China, there is still no standard for data asset assessment. The Guiding Opinions, as an operational code for the asset assessment industry, will be an important reference for the subsequent drafting of national standards in this field. However, ensuring the security and compliance of the relevant data during the assessment process is also an important consideration for assessment standards. In particular, how to use technological means to ensure the security of assessed data assets is one of the key directions that the cybersecurity industry needs to focus on.
China’s National Internet Information Office issued the Regulations on Standardizing and Promoting Data Cross-Border Flow (Draft for Comments), optimizing and improving the management system for cross-border data flow.
Cross-border data flow has always been one of the core areas of supervision for data security and personal information security. In response, the National Internet Information Office of China has previously issued and implemented various regulatory documents, including the “Measures for Security Assessment of Data Export,” “Guidelines for Declaration of Data Export Security Assessment (First Edition),” “Rules for the Implementation of Personal Information Protection Certification,” “Methods for Standard Contract Filing for the Export of Personal Information (First Edition),” and other related regulations and normative documents.
The Regulations mainly clarify the scope of declaration under the data export security assessment system and make provisions for situations that do not require declaration (Articles 1-6). At the same time, they specify the legal basis for data export regulation in specific regions and departments. In addition, they clarify that if data has not been notified to the data processor by the relevant authorities as important data, the data processor is not required to declare it for the data export security assessment, and the period for counting the quantity of exported personal information has been adjusted from “cumulative since January 1 of the previous year” to “within one year.”
The Regulations are proposed after a period of implementation of the relevant cross-border data regulations, reflecting a summary of and feedback on that stage of regulatory practice. To some extent, they embody the aim of reducing the workload of the relevant parties in data security and compliance efforts.
The DGA was formally proposed in November 2020 and reached a political agreement in June 2023. It is a crucial legislative measure to implement the European Data Strategy, further innovating the European data governance model. The goal is to create a unified data market within the EU, enabling more effective transformation and utilization of data by EU technology companies.
The approach proposed in the DGA to establish data intermediaries is significant for other countries building and improving mechanisms for the development and utilization of data elements. Exploring the role of third-party intermediaries, especially non-profit organizations, in promoting the healthy development and utilization of data is a new and meaningful research direction.
The Implementation Measures elaborate on the requirements for data security risk assessment in the “Measures for the Management of Data Security in the Industrial and Information Fields (Trial)”. This marks a further step towards the actual implementation of the data security risk assessment system in the industrial and information fields.
The Implementation Measures clarify three core issues:
- Who is assessed. The objects of risk assessment are “important data and core data processors in the industrial and information fields” engaged in data processing activities.
- Who conducts the assessment. The main executor of the assessment is a third-party assessment organization.
- Who supervises the assessment. The supervisory body includes industry regulatory departments at the central and provincial levels, such as the Ministry of Industry and Information Technology, provincial industrial and information authorities, provincial communications management bureaus, provincial radio management institutions, and state-owned enterprises.
Cross-border data flow is a core area of regulation in EU data security and personal privacy protection. In recent years, the EU has been exploring bilateral mechanisms with other countries for cross-border data flows, such as the adequacy decision for the EU-U.S. Data Privacy Framework, the EU-New Zealand trade agreement, and the EU-UK Trade and Cooperation Agreement, all of which include rules related to cross-border data flows.
The EU’s establishment of a “data security whitelist” through the formulation of bilateral agreements significantly reduces compliance costs for enterprise data transfers, promoting the exchange and development of the digital economy between the parties.
This bilateral approach to eliminating certain barriers to cross-border data flows is an exception to the general principles of controlling cross-border data flows. The provisions in the EU’s bilateral agreements on the scope and conditions of cross-border flow of data are worth studying and continuously observing.
The Data Act was initially proposed by the European Commission in February 2022, and the EU Council and the European Parliament reached a provisional agreement on it in June 2023. Both the Data Act and the previously effective Data Governance Act (DGA) are important legislative measures to implement the European Data Strategy. The Act specifies the object, scope, general principles, and exceptions of data sharing. After approval by the EU Council, the Act will be formally published.
The specific systems proposed in the EU’s Data Act, such as data portability rights, the circulation of data from businesses to governments, and the promotion of data flow between enterprises, have reference significance for other countries and regions in building and improving data system structures.
With the official launch of China’s National Data Administration, the country’s data management work is accelerating. The symposium reflects that the pricing mechanism for data elements, especially public data elements, is a key focus of national data management work.
The pricing mechanism for public data elements is a crucial part of the “Public Data Rights Confirmation and Authorization Mechanism” proposed in the Opinions of the Central Committee of the Communist Party of China and the State Council on Building a Better Data Foundation System. It is related to whether the marketization of public data resources can be smoothly implemented.
It is important to note that the pricing mechanism for public data resources covers only “conditional paid use of public data for industrial and sectoral development” and does not apply to “public data used for public governance and public welfare,” nor does it include “public data subject to confidentiality requirements by law and regulations.” This indicates that the pricing mechanism for public data resources is based on the premise that the application of these data resources must be limited to industrial and sectoral development.
China’s Ministry of Industry and Information Technology released the Administrative Penalty Discretion Guidelines for Data Security in the Industry and Information Technology Sector (Trial) (Draft for Comments).
This document, embodying characteristics of both procedural and substantive law, is an effort to implement the Provisional Measures for Data Security in the Industry and Information Technology Sector (referred to as the “Management Measures”), holding groundbreaking significance in the field of regulatory enforcement for industry data security.
It is noteworthy that, in the context of “non-administrative penalties” (Article 18), the guidelines treat “lack of subjective fault” as a crucial basis for non-punishment. This holds groundbreaking significance in addressing the longstanding debate in the field of network data security over the question of “whether compliance exempts an entity from liability.”
However, it is acknowledged that certain provisions may require further refinement, such as the incomplete coverage of the “Management Measures” and the need for more precise articulation of the principles of territorial jurisdiction.
One of the essential responsibilities of the China National Data Administration is to promote the construction of data infrastructure. This discussion marks the first time that the National Data Administration introduced the theory of “data infrastructure,” enriching and advancing the connotations of new types of infrastructure. The essence of data infrastructure intersects with the previously proposed concept of “new infrastructure” by the National Development and Reform Commission (NDRC), demonstrating both cross-inheritance and innovative development. The cross-inheritance is evident in the inclusion of elements from the information infrastructure, such as “network infrastructure” and “computing power infrastructure,” within the framework of data infrastructure. The innovative development of the concept is reflected in areas like “data circulation facilities” and “data security facilities.”
The Action Plan assigns a crucial position to data security, not only treating data security requirements as a fundamental principle that must be adhered to throughout the entire process of creating and realizing the value of data elements but also making systematic arrangements for data security.
The Action Plan explicitly defines the role of data security in safeguarding data elements and outlines the dual connotations of institutional provision and material supply concerning data security for data elements.