- China’s Data Security Law stipulates that sectoral regulators should take charge of data security regulations in their respective sectors. Consequently, since the law went into force in September 2021, China’s finance, transport, healthcare and education sectors have already issued rules and regulations to govern data security.
- After seeking comments twice and tests in pilot programs, the final version of the “Measures for data security in industry and information sectors” was released on December 13, 2022, and will enter into force on January 1, 2023. The regulation targets the manufacturing, telecommunications and radio frequency sectors, the centerpiece of China’s digital economy.
- Industrial companies are required to classify data into three levels following data identification rules previously issued. Companies will struggle to carry out this task as in fact most of the data classification guidelines are still drafts and therefore provide only limited points of reference.
- For important data and core data, enterprises have to take on extra obligations, including compiling a catalog of the data, filing the catalog with regulators, strengthening security measures, reporting of security incidents to regulators, and conducting regular risk assessments.
- The MIIT is set to push for enforcement after the Measures go into force next year. Companies in China should expect special campaigns and increasing inspections. China’s data-rich state-owned enterprises will feel the pressure to comply first. Multinational companies should also now take stock of their data management status and implement early actions to avoid compliance gaps.
- Companies face legal liabilities for violating the measures, including fines, suspension of business and termination of business licenses, depending on the severity of the violation.
Sinolytics is a European research-based consultancy entirely focused on China. It advises European companies on their strategic orientation and concrete business activities in the People’s Republic.