news

한어Русский языкEnglishFrançaisIndonesianSanskrit日本語DeutschPortuguêsΕλληνικάespañolItalianoSuomalainenLatina

to implement the legal requirements, the cyberspace administration of china has issued and implemented the measures for data cross-border security assessment, measures for standard contracts for personal information cross-border, and provisions on promoting and regulating cross-border data flow (hereinafter referred to as the provisions) in recent years, which have established the basic framework of my country's cross-border data flow management system. article 6 of the provisions clearly states that "the pilot free trade zone can independently formulate a list of data in the zone that needs to be included in the scope of data cross-border security assessment, standard contracts for personal information cross-border, and personal information protection certification management (hereinafter referred to as the negative list) under the framework of the national data classification and classification protection system". on august 30, beijing issued the china (beijing) pilot free trade zone data cross-border management list (negative list) (2024 edition) and its supporting measures for the administration of the negative list of data cross-border in the china (beijing) pilot free trade zone (trial) (hereinafter referred to as the measures), which are important measures for the chinese government to actively explore and enhance data security governance and supervision capabilities and establish an efficient, convenient and secure cross-border data flow mechanism, reflecting beijing's determination to promote high-quality development and high-level security.

1. conduct in-depth analysis and scientific formulation of negative lists

beijing attaches great importance to the cross-border flow of data, and regards the reform of cross-border data facilitation services as an important measure to release the value of data elements, promote high-level opening up to the outside world, and promote the high-quality development of the digital economy. it has been included in the municipal government work report and a number of special plans and plans for continuous advancement. after the release of the "regulations", beijing actively made good use of the policy dividends and immediately launched the research and formulation of the negative list and supporting management measures. the goal is to explore and establish a mechanism that can facilitate data flow and ensure security. the scientific nature of beijing's negative list is mainly reflected in the following aspects:

first, in light of the actual industrial situation in beijing’s free trade zone, in accordance with the principle of “emergency first, small steps and fast progress”, the compilation work is promoted in different industries, fields and batches, and a batch is released when it is mature, rather than seeking to be large and comprehensive. the compilation of the negative list is an innovative work involving a wide range of industries and highly professional data. at the beginning of the list, the beijing municipal cyberspace administration organized a special meeting to discuss the formulation principles and whether it is necessary to cover the entire industry. considering that the “national economic industry classification” involves more than 20 industry categories and nearly 100 major categories, the business scenarios and data involved in each industry are specific. it is difficult to formulate a large and comprehensive negative list that is convenient for enterprises to use in one step. in addition, the scope of industries that the various free trade groups in beijing focus on developing at present and in the future is relatively stable, and the significance of being large and comprehensive is limited. therefore, a scientific route of batches, focus and dynamic adjustment has been determined.

second, it fully refers to and draws on the previous work foundations of data outbound security assessment and personal information outbound standard contract filing. the beijing cyberspace administration has comprehensively sorted out the data outbound situations in the automotive, pharmaceutical, civil aviation, retail, artificial intelligence and other industries involved in the approved security assessment cases of more than 40 enterprises and the standard contract filing cases of more than 150 enterprises, and conducted in-depth research on the purpose of data outbound, typical scenarios, data types, data processing methods, the amount of outbound personal information and data protection measures in the above five industries, and comprehensively judged and scientifically set the level of personal information and sensitive personal information.

third, it is convenient for enterprises to use and does not make "brainless" innovations. at present, enterprises often sort out their own data outbound activities according to business scenarios, so it is most friendly to enterprises to use "enterprise language" to formulate negative lists. based on the previous work, the negative list sorted out the typical data outbound scenarios and data items of 5 industries. compared with the "regulations", the number of people going abroad has been further moderately relaxed, but the number of people relaxed in each business scenario is different, and there is no "one-size-fits-all" threshold. this is because the regulatory requirements of various industries are different, and through a large number of enterprise surveys, it is found that the scale of personal information going abroad in a reasonable business in a year is relatively stable. for example, many foreign-funded pharmaceutical companies have reported that the number of people going abroad in drug clinical trial scenarios generally does not exceed 50,000 per year. therefore, the meaning of relaxing to 1 million people is the same as relaxing to 50,000 people, which can meet the needs of most pharmaceutical companies. at the same time, from the perspective of security risks, on the basis of limiting the data usage scenarios and purposes, relaxing to 50,000 people is obviously more controllable.

fourth, the government and enterprises jointly govern data security and guide enterprises to improve their own data security and compliance capabilities. the unit of digital economic development is the enterprise. the improvement of the enterprise's own security awareness and compliance capabilities will bring about the continuous improvement of my country's data security and personal information protection capabilities. therefore, the negative list can not only achieve a balance between leniency and strictness, but also play a positive guiding role. for example, the ota online upgrade scenario in the automotive industry is clear. ota types, ota main control modules, networked terminals, remotely upgradeable systems and other data principles should be reported for data outbound security assessment, but "it has been filed with the ministry of industry and information technology and has been processed through relevant security technical measures to ensure that the upgrade package data is not tampered with." these details reflect a more convenient scientific management orientation for enterprises with strong compliance awareness, strong technical capabilities, and standardized management measures to conduct business.

2. face the demands of enterprises and ensure that the negative list is convenient and usable

since the implementation of the cross-border data flow management system, there has been a lot of discussion in society. enterprises still face some difficulties in carrying out data outbound compliance work. there is a general expectation that the cost of data outbound compliance will be lower and the channels for data outbound flow will be more convenient. the negative list provides corresponding answers to the above issues.

first, the users of the negative list are enterprises. beijing adheres to the problem-oriented approach, establishes the principle of "a good negative list is one that enterprises think is useful", and solidly conducts enterprise research and solicits opinions. in the process of compiling the list, the beijing cyberspace administration and the free trade zone management agency organized more than 10 seminars with leading enterprises in key industries and fields, conducted in-depth research and visits to nearly 100 enterprises, listened carefully to the suggestions of enterprises, and investigated the difficult problems faced by enterprises. after carefully studying the industry regulations and standards and the current status of supervision, fully considering the sensitivity of industry data and the necessity of export, and widely soliciting opinions from competent departments, industry experts and leading enterprises, scientifically calculated and delineated the scale of personal information and sensitive personal information that needs to be included in the negative list by industry and scenario, and improved the convenience of data export in the free trade zone and the practicality of the negative list.

second, enterprises should understand and use it. the negative list contains 48 items in 5 fields, each of which includes data categories, basic data characteristics, applicable business scenarios and data item examples. according to the characteristics of data outbound in relevant industries, the negative list focuses on the provisions and explanations of important data and personal information, including 18 items of important data and 30 items of personal information. to further improve the practicality, the negative list lists 23 specific scenarios and 198 data fields as examples to help enterprises quickly understand the management requirements of the negative list. in terms of important data, the identification conditions for outbound important data are further refined and clarified by adding limiting conditions and example explanations, making the list more operational and enforceable. in terms of personal information and sensitive personal information, the negative list accurately quantifies and moderately relaxes the scale of personal information and sensitive personal information allowed to be outbound, tries to solve the reasonable demands of enterprises, and improves the convenience of data outbound in the free trade zone and the practicality of the negative list.

the third is to clarify the division of responsibilities and refine the implementation process so that enterprises know who to contact and how to handle it. the "management measures" clearly state that the negative list is managed by the municipal cyberspace administration, the municipal commerce bureau, and the municipal digital bureau, and the seven free trade groups, including chaoyang, haidian, changping, tongzhou, shunyi, daxing, and yizhuang, are responsible for the specific implementation, organizing and guiding the data processors in the group to use the negative list in compliance, formulating and issuing the supporting implementation guidelines for the negative list, clarifying the users and declaration procedures of the negative list, guiding data processors to carry out the application and filing work, strengthening the tracking and supervision of data outbound activities, and forming the ability to store evidence in the process and supervise after the event. if an enterprise needs to use the negative list, it can submit an application to the free trade group in accordance with the procedures, submit the filing and obtain approval, and then carry out data outbound activities in compliance.

3. establish a security baseline to ensure data outbound security is not downgraded

the facilitation of data outbound travel does not mean a reduction in security responsibilities. the shorter the negative list, the greater the security responsibility. how to coordinate the relationship between development and security is the top priority in the formulation of the negative list. therefore, beijing has simultaneously launched the "management measures" to explore the construction of a data outbound security management and service model that matches the negative list, so that security is not downgraded.

the first is to implement enterprise access management and outbound data filing, control the legal and compliant operation of data processors, and review business compliance. this can be compared to credit evaluation management in the financial field.

the second is to strengthen the supervision capabilities during and after the event. each free trade delegation shall adopt a consistency sampling method to verify the consistency between the actual data outflow of data processors and the registered content. this can be compared to the flight inspection in the medical field.

third, by strictly limiting business scenarios, outbound fields, etc., the scale of personal information and sensitive personal information can be accurately quantified and appropriately relaxed, so as to minimize the risk of personal information outbound travel within the relaxed scope, and ensure that the reasonable and necessary data outbound travel demands of enterprises are met as much as possible on the basis of safety, manageability and control.

fourth, a dynamic management mechanism for the negative list will be established. the municipal management department will track and evaluate the implementation and security risks of the negative list that has been issued, coordinate the revision of the negative list, and transfer the corresponding outbound data into or out of the negative list management according to the level of security risks.

in general, the negative list system in the free trade zone is an innovative measure to build a high-level basic system for the management of data outbound flow. it is also a new and challenging task. related work in various places has just started. there may be many difficulties and problems that need to be further studied and solved in the future. let us look forward to the implementation results in beijing and provide useful reference for the whole country.

author: zhuo zihan, senior engineer, national computer network emergency response technical processing coordination center

source: beijing internet information office