Data Security in China’s Industrial Sector

China’s data governance framework is made up of layers of formal regulations and more nuanced “plans,” “measures,” and “guidelines.” What role does the Implementation Plan play in this context, and how does it fit into China’s data security landscape? What does the on-the-ground execution of the plan look like?

In China’s policy and legal ecosystem, plans of this kind serve different functions from a formal regulation. They do not introduce new laws but instead build on bedrock data policies (i.e., the Data Security Law and Cybersecurity Law) by outlining high-level objectives that address specific bottlenecks or attempt to smooth out some aspect of implementation.

The Implementation Plan for Improving Data Security in the Industrial Sector (2024–2026) outlines three-year goals to raise awareness and improve standardization of data security management among industrial companies, which is particularly pressing now given that China’s Cybersecurity Law and Data Security Law are relatively new, and research indicates that there is low awareness and adoption of data security compliance and data security practices, even among the largest industrial firms. Thus, this plan is primarily focused on fostering new business norms for industrial companies and improving the overall data security environment.

The Ministry of Industry and Information Technology and its local branch offices will be the primary bodies working to implement the efforts laid out in this plan, likely through increasing engagement with businesses through programs like data security trainings, establishing call centers to field questions, hosting salons or seminars, or publishing data security journals. Other regulators, such as the Cyberspace Administration of China and the new National Data Bureau, are also likely to participate in pushing companies to improve business practices and legal compliance.

The Implementation Plan targets China’s industrial sector specifically. What is the current state of data security in the sector, and how does this plan attempt to resolve any disparities with policy mandates?

Domestic research firms have published several reports indicating that data security awareness and strong data security management, even at large industrial firms and state-owned enterprises, are extremely low. Targets outlined within the Implementation Plan support those findings. In China’s cybersecurity regime, one of the foundational tasks of implementing data security management is for the company to conduct an audit of all data they manage, collect, and process, and then classify that data into legal categories such as “general data,” “important data,” and “core data,” indicating varying levels of sensitivity. Companies must then implement security practices to protect sensitive data based on the category the data falls into. However, you’ll notice the plan calls for “at least 10% of [top] industrial enterprises by revenue” to have “carried out data classification and hierarchical protection” by 2026—indicating that not even 10% of large industrial firms have done so, never mind smaller industrial enterprises.

The plan’s targets also give us a clue as to how regulators intend to mitigate that problem. They will first begin by fostering compliance by hand-holding the largest companies and then push for that compliance to trickle down the supply chain. Regulators are targeting the top 10% of industrial firms because they can get the most bang for their regulatory buck by securing their data. The hope is that when companies at the top are following these practices, they will start to require their suppliers and smaller partners to do the same, creating a culture shift across the industry.

More broadly, this policy is part of a push to force a cultural shift in the way that domestic businesses think about both data security and data management. Looking at the issue over a multi-decade timeline, it is worth noting that data security has not been part of business culture—particularly not in traditional industrial enterprises—for very long. It will take many years—and many data security awareness plans—for attitudes to shift.

The state faced (and still faces) a similar issue in changing the way that companies and society think about intellectual property (IP). When China entered the World Trade Organization, it brought an entire generation of Chinese businesses that did not take IP seriously. The general attitude among companies was, “What’s wrong with counterfeiting? Why wouldn’t I take what is already successful and just copy it or make it a little better, increasing my chance of profit? It seems dumb to do all that work again from scratch.” The state made law after law about IP protection but was (and still is) battling entrenched attitudes, though such attitudes are slowly shifting.

China will have to climb a similar mountain on the data security front. Many traditional industrial companies simply do not see data security as a critical issue, and regulators will have to convince companies to prioritize and spend more money on data protection.

Ambiguity around the classification of “core,” “important,” and “general” data seems to be the most pervasive bottleneck within China’s wider data security environment. What are some of the main obstacles in defining these categories?

To understand the current obstacles that Chinese regulators are facing in the rollout of data security rules and data classifications, it helps to first understand what policymakers intended to do and what they wanted to see happen, and then look at where that plan has gone awry. Put very simply, the original idea behind China’s data security regime was that each state agency would define a list of data for its sector that was considered “important data” (potentially sensitive data requiring extra protections and approval to export) and then would work with national security authorities—likely the Ministry of State Security—to identify a set of “core data” (extremely sensitive data related to national security, requiring the highest level of protections, which cannot be exported). Data that did not fall under these classifications would be considered “general data,” with only basic protections required. So, for example, the Ministry of Industry and Information Technology would define a list of important data—called an “important data catalog”—for industrial and ICT companies, while the Ministry of Natural Resources would define what important data is for the mining sector, and the Ministry of Ecology and Environment would define what it is for environmental data and mapping data. Companies would then assess which types of data they have and implement appropriate protections and management practices.

I don’t think the state realized how ambitious this plan was before undertaking it. Defining important data (and core data) for any given sector has proved to be much more complicated than regulators anticipated. Indeed, important data has only been defined for a couple of sectors, and many regulators are struggling with the data definition process for one reason or another. Some state agencies simply do not have the technical expertise to define important data, some are not motivated to do so because their priorities lie elsewhere, and some are engaged in bureaucratic infighting over the definition of important data with other regulators, among other issues. For example, signs indicate that the People’s Bank of China has been arguing with the Cyberspace Administration of China over data classifications for the financial sector.

The definition of core data is an even more complex problem. Speaking frankly, this is because in addition to the issues that regulators face defining important data, national security–focused officials are involved in decision-making. That means that the process for defining important data is opaque and a certain level of paranoia enters the mix.

Meanwhile, companies are expected to classify their data into categories that have not yet been fully defined, which is highly problematic for the business environment. It will likely be five to ten years before important data is fully defined and possibly even longer before core data is fully defined. But the laws requiring companies to protect that data are already in place.

Given this lack of clarity, it is easy to understand why companies—in this case, industrial companies—have been unmotivated to adopt data security measures. Not only is there little historical culture of data security awareness within the firms, but the state is not giving them much guidance or clear policy in terms of what they ought to be doing. The Implementation Plan is partly an effort to mitigate the bureaucratic morass caused by poor data policy implementation by hand-holding major industrial firms and pushing them to get their houses in order on the data front, while regulators work on these definitions.

Only three days after the release of the Implementation Plan, the National Bureau of Statistics reported that manufacturing activity in China fell for the fifth straight month. How is China working to balance data security regulations with efforts to develop its data economy?

Going back twenty years, Beijing’s highest hopes for new digital technologies have always centered on how those technologies could make China’s industrial and manufacturing sectors more advanced and efficient. Twenty years ago, when Zhu Rongji was busy establishing policymaking bodies to steward the development of internet adoption in China, he was mostly focused on the internet’s potential as an industrial tool. The mobile internet, cloud computing, and virtual reality, among other new technologies, followed the same pattern—policymakers have always looked for ways in which those new technologies could boost the real economy.

That remains the case today. Listen to any speech by today’s top leaders on the economic benefits of big data and artificial intelligence, and they are primarily excited about the potential contributions to industrial upgrading and the digital transformation of manufacturing enterprises. The state is highly motivated to see the data economy flourish—for companies to collect, use, and profit from data.

China’s official economic theories hold that data is the key strategic resource driving the creation of economic value in the digital age. The idea is that the more data companies have and the better they are at collecting and using it, the more efficient they will be, the more value they can create, and the more wealth they can generate. Of course, companies must generate this value while also using data safely—or, as policymakers often put it, they must balance development and security. This goes double for companies in China’s critically strategic industrial sector. But how can companies use data efficiently and safely if even basic data management and security mechanisms are not in place?

That is why the state sees the development of a data security regime as being a necessary precursor component to developing a robust data economy. The fundamental thinking is that the state should first define which types of data are unsafe to use and trade, thus enabling the robust application and trading of safe data. Anyone skeptical about that should reread China’s Data Security Law. Half of the law focuses on the state’s obligations to define a clear data security regime so that data can be used for economic gain. Xi Jinping himself often talks about the necessity of developing China’s data economy, and the National Data Administration was formed at the end of 2023 for this very purpose.

That said, there is always an underlying tension between security and economic development. This is particularly true in China, where the information environment is highly censored and controlled, and the state’s kneejerk response to any instability or criticism is to restrict data flows. The popularization of AI and big data have really brought this tension into stark contrast, and in some respects, the state is increasingly struggling with itself in terms of where to allow the free flow of data to boost economic activity and where to heavily restrict it. Sometimes laws and regulations lean one way, sometimes the other.

The state does not yet have the answer to this conundrum and is still feeling its way forward. Historically in China, ever-tighter control over the flow of data and information has typically won out over economic development, particularly under Xi. That said, such restrictions have not prevented China from developing competitive global tech companies and strong tech capabilities. There is reason to be at least a little optimistic that the state can take input from international stakeholders and will continue to seek a balance that works. As a case in point, data export rules were recently rolled back when it became clear that the restrictions were damaging to the business environment, particularly for foreign companies.

Kendra Schaefer is a Partner at Beijing-based strategic advisory consultancy Trivium China and a Nonresident Fellow with the National Bureau of Asian Research.

This interview was conducted by Alayna Bone, an intern with the Political and Security Affairs group at NBR.