
By: Information2

Data is a critical factor of production and a fundamental strategic resource in the new era. From the 13th Five-Year Plan to the 14th Five-Year Plan, the importance of data has become increasingly evident, and the digital economy’s share in the national economy continues to grow. In response to the demands of the data era, China has systematically introduced a comprehensive suite of data policies, regulations, and standards.

China Data Policy

1. Accelerating the National Big Data Strategy and Building a Digital China

Driven by the wave of digitalization, **Big Data Exchanges** serve as core platforms for data circulation and play an increasingly crucial role. Since the Guiyang Big Data Exchange became the first to commence operations in 2015, numerous regions in China, including Beijing, Shanghai, Shenzhen, Guangdong, Zhejiang, Guizhou, and Fujian, have established their own data exchanges. These exchanges are tasked with promoting data circulation, regulating trading activities, maintaining market order, and advancing the top-level design and implementation of China’s national big data strategy.

China has consistently promoted the implementation of its Big Data Strategy at the national level. Key milestones include the release of the *Action Outline for Promoting Big Data Development*, the formal proposal of the ‘National Big Data Strategy,’ the issuance of the *Interim Measures for the Management of Government Information Resource Sharing*, and the *Big Data Industry Development Plan (2016-2020)*. The *14th Five-Year Plan for Big Data Industry Development* further cemented the role of big data in economic transformation, government governance, and national competitive advantage.

The **Shanghai Data Exchange**, inaugurated on November 25, 2021, is positioned as a key platform-based infrastructure aiming to facilitate the legal and compliant circulation of data elements and stimulate market vitality. As of the first half of 2024, the Shanghai Data Exchange has listed nearly 3,000 data products, with the transaction volume exceeding RMB 1.3 billion during that period.

While China’s data transaction volume in 2020 (approximately RMB 54.5 billion) was lower than that of the United States (USD 270 billion), its domestic data resource volume accounts for a significant **20%** (8 ZB) of the global total of 40 ZB. This proportion is expected to grow further with accelerated 5G commercialization, underscoring the strategic importance of Big Data Exchanges in China’s digital economy development.

2. Strengthening Data Security and Completing the Legal Framework

China places a high priority on data security, establishing a robust system of security and governance through a series of foundational laws and regulations.

The “Three Laws and Two Regulations” Legal Framework

The legal framework is anchored by the “Three Laws and Two Regulations”:

| Law/Regulation | Abbreviation | Effective Date | Focus |
|---|---|---|---|
| Cybersecurity Law of the PRC | CSL | Jun 1, 2017 | Overall governance of cyberspace, network operation security, and early warning systems. Requires disaster recovery for Critical Information Infrastructure (CII). |
| Data Security Law of the PRC | DSL | Sep 1, 2021 | Regulates data processing activities, establishes the data classification and hierarchical protection system, and increases penalties for violations. |
| Personal Information Protection Law of the PRC | PIPL | Nov 1, 2021 | China’s first dedicated law on personal data protection, covering collection, storage, processing, cross-border transfer, and rights of individuals. |
| Regulations on the Security Protection of Critical Information Infrastructure | CIPS | Sep 1, 2021 | Strengthens security requirements for CII, ensuring secure operations and data protection in key national sectors. |
| Regulations on the Administration of Network Data Security | CDRMR | Jan 1, 2025 | A key administrative regulation supplementing the Three Laws, refining rules for network data security supervision, compliance, and governance. |

These laws collectively fortify the data security defense line, aligning with the *Civil Code* and *E-commerce Law* to prevent data misuse, such as “Big Data price discrimination” or illegal collection of personal information.

Local Data Legislation

In addition to national laws, local governments have pioneered regional regulations. The **Shenzhen Special Economic Zone Data Regulation**, promulgated and effective in 2022, is China’s first fundamental and comprehensive local legislation in the data field, covering personal data processing, public data utilization, the data element market, and legal liabilities. Similarly, the **Shanghai Data Regulation**, also issued in 2022, focuses on data rights protection, circulation, and security management to empower the digital economy.

3. Standardization System for Security and Business Continuity

China’s data security and business continuity management are underpinned by a comprehensive set of national standards, primarily managed by the **Standardization Administration of China (SAC)**.

A. Information Security Technology Standards (Disaster Recovery & Classified Protection)

i. GB/T 20988-2007: Information System Disaster Recovery

The **GB/T 20988-2007: Specification for Information System Disaster Recovery** is China’s first non-mandatory national standard for disaster recovery. Referencing the international **SHARE 78** seven-tier definition, the standard established six disaster recovery capability levels tailored to China’s environment.

The six levels correlate directly with the Recovery Time Objective (RTO) and Recovery Point Objective (RPO):

| SHARE 78 Tier | GB/T 20988-2007 Level | Key Characteristic | RTO (Example) | RPO (Example) |
|---|---|---|---|---|
| Tier 0, 1 | Level 1 (Basic) | Off-site storage of backup media. | > 2 days | 1 to 7 days |
| Tier 2 | Level 2 (Backup Site Support) | Network/systems deployable to backup center within a predefined time. | > 24 hours | 1 to 7 days |
| Tier 3 | Level 3 (Partial Equipment) | Electronic transmission of data; backup center with partial equipment. | > 12 hours | Hours to 2 days |
| Tier 4 | Level 4 (Complete Equipment) | Data regularly transmitted in batches; Warm Standby mode. | Hours to 2 days | Hours to 1 day |
| Tier 5 | Level 5 (Real-Time Replication) | Remote replication for real-time data copy; systems ready or running. | Minutes to 2 days | Hours to 1 day |
| Tier 6 & 7 | Level 6 (Zero Data Loss & Clustering) | Real-time backup, zero loss; remote clustering with automatic switchover. | Minutes | 0 to 30 minutes |

ii. GB/T 22239-2019: Cybersecurity Classified Protection (MLPS 2.0)

The **GB/T 22239-2019: Baseline for Cybersecurity Classified Protection**, known as “MLPS 2.0,” replaced the older 2008 version. It aligns with the CSL, imposes stricter enforcement, and broadens the scope of protection to include cloud computing platforms, big data platforms, IoT, and Industrial Control Systems (ICS).

The Multi-Level Protection Scheme (MLPS) divides information systems into five security levels based on the severity of harm caused by system disruption:

  • Level 1 (Self-Protection): Harms individual rights but not national security or public interest.
  • Level 2 (Guided Protection): Severely harms individual rights or public interest, but not national security.
  • Level 3 (Supervised Protection): Severely harms public interest or harms national security.
  • Level 4 (Mandatory Protection): Causes particularly severe harm to public interest or severe harm to national security.
  • Level 5 (Specialized Protection): Causes particularly severe harm to national security.

Separately, the system for handling state secrets includes **Secret**, **Confidential**, and **Top Secret** levels, which require protection equivalent to MLPS Level 3, 4, and 5, respectively, plus specific secrecy protection requirements.

B. Public Safety Standards (Business Continuity Management)

China’s Business Continuity Management System (BCMS) standards are identical adoptions of international norms, ensuring alignment with global practices:

  • **GB/T 30146-2013: Requirements for Business Continuity Management Systems (BCMS):** An identical adoption of ISO 22301:2012, setting the foundational requirements for BCMS.
  • **GB/T 31595-2015: Guidance on Business Continuity Management Systems:** An identical adoption of ISO 22313:2012, providing guidance for the planning, implementation, and continuous improvement of a BCMS.

These standards encourage organizations to minimize business interruption, data loss, and secondary damage following disruptive events, thereby enhancing employee security awareness and building resilience.
