Following the Data Security Law, China has drawn up a new regulation clarifying how firms should handle sensitive industrial and telecoms data. The draft regulation classifies data into “core”, “important”, and “ordinary” categories, and requires firms to apply different degrees of protection when collecting, processing, transferring, and disposing of data.
On September 30, 2021, the Ministry of Industry and Information Technology (MIIT) published the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial) (Draft) (hereafter “Measures”) and is soliciting public opinions until October 30, 2021.
The draft Measures apply to all kinds of enterprises, especially software and information technology (IT) service providers and telecom business license holders.
The draft Measures aim to regulate industrial and telecoms data processing activities carried out in China. Notably, they clearly prohibit enterprises from moving “core data” out of China, and they require companies to obtain a government security review before providing “important data” abroad.
The document sets out detailed requirements regarding data storage, processing, disclosure, disposal, and cross-border transmission. Data processors may be obliged to record and report to the government on their activities in processing important and core data.
The draft Measures are the first data security regulation formulated by a state agency in charge of industrial sectors since the Data Security Law took effect on September 1, 2021.
Definition and classification of industrial and telecoms data
In the document, “industrial data” is defined as information collected and generated in sectors such as raw materials, machinery, consumer goods, electronics manufacturing, and software and information technology. “Telecoms data” refers to information produced or gathered from the broad communications network market.
According to Article 11 of the Measures, businesses are obliged to sort and classify industrial and telecoms data into core, important, and ordinary categories, and to submit the catalog of important and core data to the local branch of the MIIT.
The document lists respective principles for identifying core, important, and ordinary data.
Generally, information that can pose a threat to national security, economic stability, or technological advancement, or that can significantly impact China’s industrial and telecommunications sectors, can be labeled as important data or core data. However, the Measures do not provide any specific examples, and many find the definitions still quite subjective.
Classification of Industrial Data and Telecom Data

Core data
- Information that poses a serious threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety, and that has a great impact on the country’s overseas interests and its data security in space, polar regions, the deep sea, and artificial intelligence.
- Information that has a great influence on China’s industrial and telecommunications sectors as well as key backbone enterprises, key information infrastructure, and other important resources.
- Information that can do major damage to industrial production and operations, telecommunications, and internet services, with the potential to lead to large-scale shutdowns and network and service paralysis.
- Other information assessed and recognized as core data by the MIIT.

Important data
- Information that poses a threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety, and that has an impact on the country’s overseas interests and its data security in space, polar regions, the deep sea, and artificial intelligence.
- Information that has an influence on the development, production, operations, and economic interests of China’s industrial and telecommunications sectors.
- Information that can cause major data security incidents or production safety accidents, that has a significant impact on the legal rights of individuals and organizations, and that has a great negative impact on society.
- Information that has obvious cascading effects across a range of industries and enterprises, or has long-lasting effects that can seriously impact China’s industry development, technological advancement, and industrial ecology.
- Information whose recovery cost is potentially high, or for which the cost of removing the negative impact could be considered high.
- Other information assessed and recognized as important data by the MIIT.

Ordinary data
- Information that has a relatively low impact on the legal interests of individuals and organizations.
- Information that can only affect a small number of users and enterprises or a small scope of production and living areas, that only has a short-term effect, and that has a relatively low impact on the operations of enterprises, industry development, technological advancement, and industrial ecology.
- Information whose recovery cost is low, or for which the cost of removing the negative impact is low.
- Other data excluded from the catalog of important and core data.
What are the responsibilities of data holders?
According to the draft Measures, firms are required to sort out and record important and core data and to report a data catalog to the local branch of the MIIT. If the reported data changes, firms are also obliged to report the updated information to the government within three months.
Based on the importance of the data, firms should apply different degrees of protection when collecting, storing, processing, transferring, providing, disclosing, and disposing of important and core data.
Most notably, when it comes to cross-border data flows, the Measures clearly prohibit core data from being transferred overseas, and transfers of important data overseas will be subject to government review.
This is consistent with China’s Data Security Law and Cybersecurity Law. The Cybersecurity Law stipulates that the operator of a critical information infrastructure should store important data collected and generated domestically within the territory of China. Where such information and data have to be provided abroad for business purposes, a security review should be conducted.
China’s Data Security Law, while it does not offer detailed rules on the security management of cross-border transfers of important data, prescribes penalties for firms that transfer important data overseas in violation of the Cybersecurity Law or other data security measures. The penalties include fines, suspension of the relevant business, suspension of the business for rectification, and revocation of the relevant business permit or business license.
In addition, the draft Measures state that enterprises should set up responsible departments, identify the persons in charge of data security management, and specify the key positions and personnel involved in data processing.
The following compliance requirements also deserve the attention of enterprises:
- Without the consent of the individual or entity concerned, enterprises shall not build precise user profiles (“user portraits”) or reconstruct the data of specific subjects through data mining, association analysis, or other technical means.
- Where necessary to protect national security or the social and public interest, enterprises should destroy data when a third-party organization presents evidence and requests such destruction.
- Enterprises should establish registration and approval mechanisms and keep records of their transmission of important data and of their use and processing of important and core data.
- The transmission and provision of core data shall be approved by the State.
The significance of the MIIT data security measures
China has been tightening its data-related regulations. This summer, the government launched a cybersecurity investigation into ride-hailing app Didi after it rushed its public listing in the US. Didi was accused of seriously violating laws and regulations in its collection and use of personal information and was ordered to suspend new user registration.
In July, the Cyberspace Administration of China (CAC) revised its Cybersecurity Review Measures to make clear that any Chinese companies that hold the personal information of one million or more users would need to seek a government cybersecurity review before listing abroad.
A month later, China’s top legislature passed the Personal Information Protection Law. And in September, China’s new Data Security Law took effect. The MIIT’s Measures, once passed, will be yet another key regulatory document on data security and will help make the rules clearer.