Beijing explains what China's new data protection law really means – a month after it took effect

China has ordered local organisations to conduct annual reviews of the data they hold, so they can apply proper protections as defined on a new three-tier classification scale.

The order addresses confusing omissions in China's new data protection law which, as we reported upon its introduction, called for companies to define data as "core" or "important" and protect it accordingly – without defining those terms.

A document [PDF] issued yesterday does define the terms.

"Important" data has been defined as having potential to harm national security if it falls into the wrong hands, or cause major production problems across multiple industries within China. Machine translation of the document suggests the definition of "important" also covers AI technology, and details of China's polar, deep sea, and space exploration programs.

"Core" data covers all of the above, but loss of such material would be less disruptive to Chinese security and industry than would be the case for "Important" data.

The new document requires Chinese organisations to self-assess their data and decide what belongs in each bucket, then apply lifecycle management to ensure their classification efforts are up to date. Annual reviews will help things along.

• China demands internet companies create governance system for algorithms
• For the nth time, China bans cryptocurrencies
• China discloses new space tech: Coloured cargo labels to replace beige ones taikonauts found fiddly

The Party Committee – a group of Communist Party members who hold leadership positions in Chinese organisations – will keep an eye on compliance.

The document also stipulates use of data destruction policies, and that data in motion must be encrypted. Mergers and acquisitions are also addressed, with data handover requirements including contact with individuals to let them know their personal data has a new owner.

Core data can leave China, but only with approval. That provision is yet another new consideration for Chinese businesses contemplating offshore activities, on top of other recent edicts preventing car companies sending data offshore (which saw Tesla create a Chinese datacentre) and laws making offshore investments rather more difficult. ®