The main challenges facing cloud computing within, from or to China stem from information security, which involves issues such as cross-border data transfer, personal information protection, and data processing and mining, among others.
Taking cross-border data transfer as an example, under the Cyber Security Law, operators of critical information infrastructure must store personal information and important data collected and generated during their operations within the territory of China. Critical information infrastructure includes public telecommunication and messaging services, energy, transportation, water conservation services, finance, public services and e-government, as well as any other service whose damage could severely threaten national security, people’s livelihoods or the public interest. A business that provides critical information infrastructure services in China could find that complying with the Cyber Security Law is onerous.
As to personal information protection, although there are no unified measures regulating the cross-border transfer of personal information in general, personal information relating to credit information, financial information, health information and the like is subject to restrictions. It is worth noting that ‘personal information’ has been defined as ‘various information that can identify a certain natural person or reflect a certain natural person’s activity, whether individually or in combination with other information, in electronic or other format’, according to the Information Security Technology - Personal Information Security Specification (GB/T 35273-2017) (the Specification), which came into effect on 1 May 2018. More specifically, it is now known that personal information may include the following:
- personal basic information (eg, name, birthday, sex, etc);
- personal identity information (eg, ID card, passport, driving licence, etc);
- personal biometric identifying information (eg, genetic details, fingerprint, voiceprint, etc);
- online identity information (eg, system account, IP address, etc);
- personal health and physical information (eg, relevant records generated from medical treatment, etc);
- personal education and work information (eg, personal occupation, title, etc);
- personal property information (eg, bank account, etc);
- personal communication information (eg, communication records and content, etc);
- contact information (eg, contact records, friend lists, etc);
- personal internet browsing records (eg, a user’s operation records stored in log files, etc);
- information on a person’s frequently used devices;
- personal location information; and
- other information.
The Specification also defines ‘personal sensitive information’, meaning personal information that, once disclosed, illegally provided or abused, may endanger personal or property security, or result in damage to personal reputation, physical or mental harm, discriminatory treatment and so on. The scope of personal sensitive information is similar to that of personal information.
Furthermore, under the latest draft of the Measures of Security Assessment of Personal Information and Important Data Exported Abroad, issued in 2017, personal information and data being transferred abroad may be subject to evaluation by the industry administrative or supervisory departments under certain circumstances, such as where the transfer contains, or cumulatively contains, the personal information of more than 500,000 individuals; involves more than 1,000 GB of data; or involves data in the fields of nuclear facilities, chemical biology, national defence or demographic health, among others.
On 13 April 2018, the China Financial Standardization Technical Committee (CFSTC) issued a notice soliciting public comments on three financial industry standards relating to cloud computing. The three draft standards are ‘Financial application specification of cloud computing technology - Technical architecture’; ‘Financial application specification of cloud computing technology - Security technical requirement’; and ‘Financial application specification of cloud computing technology - Disaster recovery’.
According to CFSTC’s drafting statement, the purpose of the drafts is to encourage and regulate the application of information technology in the financial industry, effectively prevent financial risk, enhance the ability of finance to serve the real economy, and bring cloud computing fully into play in building financial information systems. The standards can be applied to various service models, such as IaaS, PaaS and SaaS, and to different deployment models, such as private cloud, community cloud or hybrid cloud.
The drafts consist of three parts: technical architecture, security technical requirements and disaster recovery. In terms of technical architecture, the draft divides the financial industry cloud computing technology framework into levels from bottom to top, namely the basic hardware resource level, the resource abstraction and control level, the cloud service level and the operation management level, and sets out the requirements for each.
In terms of security technical requirements, the draft sets out requirements from various aspects, including basic hardware, resource abstraction and control, optional components, application, data and management, in order to establish a cloud computing security defensive line from the bottom level up to the application level.
In terms of disaster recovery, the draft grades the disaster recovery capability of a cloud computing platform into levels based on the scope affected and the degree of impact a suspension of business would have, and sets out the key indicators to be reached at each level and the specific technical requirements to be fulfilled.