China Announces Major Cybersecurity Law Revision to Address AI Risks

China has approved major changes to its Cybersecurity Law, marking its first substantial update since the framework was introduced in 2017. The revised legislation, passed by the Standing Committee of the National People’s Congress in late October 2025, is scheduled to come into effect on January 1, 2026. The new version aims to respond to emerging technological risks, refine enforcement powers, and bring greater clarity to how cybersecurity incidents must be handled within the country.

A central addition to the law is a new provision focused on artificial intelligence. This is the first time China’s cybersecurity legislation directly acknowledges AI as an area requiring state guidance. The updated text calls for protective measures around AI development, emphasising the need for ethical guidelines, safety checks, and governance mechanisms for advanced systems. At the same time, the law encourages the use of AI and similar technologies to enhance cybersecurity management. Although the amendment outlines strategic expectations, the specific rules that organisations will need to follow are anticipated to be addressed through later regulations and detailed technical standards.

The revised law also introduces stronger enforcement capabilities. Penalties for serious violations have been raised, giving regulators wider authority to impose heavier fines on both companies and individuals who fail to meet their obligations. The scope of punishable conduct has been expanded, signalling an effort to tighten accountability across China’s digital environment. In addition, the law’s extraterritorial reach has been broadened. Previously, cross-border activities were only included when they targeted critical information infrastructure inside China. The new framework allows authorities to take action against foreign activities that pose any form of network security threat, even if the incident does not involve critical infrastructure. In cases deemed particularly severe, regulators may impose sanctions that include financial restrictions or other punitive actions.

Alongside these amendments, the Cyberspace Administration of China has issued a comprehensive nationwide reporting rule called the Administrative Measures for National Cybersecurity Incident Reporting. This separate regulation will become effective on November 1, 2025. The Measures bring together different reporting requirements that were previously scattered across multiple guidelines, creating a single, consistent system for organisations responsible for operating networks or providing services through Chinese networks. The Measures appear to focus solely on incidents that occur within China, including those that affect infrastructure inside the country.

The reporting rules introduce a clear structure for categorising incidents. Events are divided into four levels based on their impact. Under the new criteria, an incident qualifies as “relatively major” if it involves a data breach affecting more than one million individuals or if it results in economic losses of over RMB 5 million. When such incidents occur, organisations must file an initial report within four hours of discovery. A more complete submission is required within seventy-two hours, followed by a final review report within thirty days after the incident is resolved.

To streamline compliance, the regulator has provided several reporting channels, including a hotline, an online portal, email, and the agency’s official WeChat account. Organisations that delay reporting, withhold information, or submit false details may face penalties. However, the Measures state that timely and transparent reporting can reduce or remove liability under the revised law.

EU’s Initiative to Define ‘Important Data’ in China: A Step Towards Global Data Governance


The flow of data across borders is often hampered by varying national regulations. One such challenge is China’s restrictive data export laws, which have left many international businesses grappling with compliance. The European Union (EU) is now stepping up efforts to address this issue, seeking to pin down China on its ambiguous definition of “important data.”

The Importance of Data in Global Trade

Data is a critical asset for businesses, enabling everything from supply chain management to customer relationship strategies. For multinational companies, the ability to transfer data seamlessly across borders is essential for operational efficiency and innovation. However, differing regulatory landscapes can create significant hurdles.

China’s data export laws, particularly the Cybersecurity Law and the Data Security Law, have introduced stringent requirements for data leaving its borders. These laws mandate security assessments and government approvals for the transfer of “important data,” a term that remains vaguely defined. This ambiguity has led to uncertainty and compliance challenges for foreign businesses operating in China.

Cross-Border Data Flow Communication Mechanism

In response to these challenges, the EU has launched the “Cross-Border Data Flow Communication Mechanism.” This initiative aims to engage with Chinese authorities to clarify the definition of “important data” and streamline the data export process for European companies. The goal is to ensure that businesses can continue to operate efficiently while adhering to regulatory requirements.

The mechanism focuses on several key sectors, including finance, pharmaceuticals, automotive, and information and communication technology (ICT). These industries are particularly data-intensive and heavily reliant on cross-border data flows. By addressing the specific needs of these sectors, the EU hopes to mitigate the impact of China’s data export restrictions.

The Challenges of Defining “Important Data”

One of the primary challenges in this endeavor is the lack of a clear and consistent definition of “important data.” China’s laws provide some examples, such as data related to national security, economic stability, and public health, but these categories are broad and open to interpretation. This vagueness creates a compliance minefield for businesses, as they must navigate the risk of inadvertently violating Chinese regulations.

The EU’s efforts to engage with China on this issue are crucial for providing much-needed clarity. By establishing a more precise definition of “important data,” businesses can better understand their obligations and take appropriate measures to comply with the law. This, in turn, will facilitate smoother data flows and reduce the risk of regulatory breaches.

Global Data Governance

The EU’s initiative is not just about resolving a bilateral issue with China; it also has broader implications for global data governance. As data becomes increasingly vital to economic activity, the need for harmonized and transparent regulations is more pressing than ever. The EU’s proactive approach sets a precedent for other regions to follow, encouraging international cooperation on data governance.

Moreover, this initiative highlights the importance of dialogue and collaboration in addressing complex regulatory challenges. By working together, countries can develop frameworks that balance the need for data security with the imperative of economic growth. This collaborative approach is essential for fostering a global digital economy that is both secure and innovative.