China sets out new rules to protect ‘critical information infrastructure’ as it bolsters data security push
- China’s State Council passes long-awaited rules on ‘critical information infrastructure’ as Beijing tightens control of domestic data
- Companies still need to wait to find out which category they fall into and what rules specifically apply to them
China has set out special rules to put companies in the telecoms, energy, transport, finance and defence sectors under closer cybersecurity scrutiny as Beijing seeks to tighten its control of domestic data.
The new regulations, released by the State Council on Tuesday, provide more clarity on Beijing’s thinking around ensuring its critical information infrastructure, a term included in China’s Cybersecurity Law but which lacks specific guidance.
The new articulation comes as Beijing seeks to build a data governance framework to ensure the security of what it deems as important data, putting limits on how businesses collect and use sensitive personal data, while encouraging the circulation of less sensitive data to unleash its economic value.
The new rules “reveal the continuing emphasis that China’s top brass puts on protecting the most sensitive parts of the country’s digital networks,” said Alex Roberts, Linklaters’ TMT counsel in Shanghai.
Under the news rules and the 2017 Cybersecurity Law, it is clear that operators of critical information infrastructure receive special attention from Beijing, as any loss or damage to their systems could “severely endanger” national security, peoples’ livelihoods and the public interest.
When China’s internet watchdog the Cyberspace Administration of China (CAC) last month launched a cybersecurity probe into Chinese ride hailing giant Didi Chuxing, soon after the company went public in the US, many analysts argued that it could be because Didi was being treated as an operator of key infrastructure, which by law means a cybersecurity review due to national security issues.
