On February 10, 2022, China’s Ministry of Industry and Information Technology (“MIIT”) published the Administrative Measures for Data Security in the Industry and Information Technology Fields (Draft for comments) (“the Second Draft”). This was an updated version of the first draft which had been released in September 2021.
The Second Draft shows MIIT’s commitment to establishing detailed data security rules for China’s industrial and information technology sectors. We expect a final version will be issued before the end of this year.
Compared to the first draft, the Second Draft refines some aspects of the data classification standards and removes the blanket prohibition on cross-border transfer of core data. This is significant because it means that transferring core data offshore is now possible, provided a security assessment has been carried out in accordance with PRC laws and regulations.
The main takeaways of the Second Draft are highlighted as follows:
1. Scope of Application
The Second Draft applies to data processing activities in industrial and information technology sectors which are carried out within China. Although the scope of application appears limited, the specific activities captured within such scope are open to interpretation.
Under the Second Draft, data includes Industrial Data, Telecommunications Data and Radio Data:
(a) “Industrial Data” refers to the data generated and collected in the process of research and development and design, production and manufacturing, operation and management, maintenance, platform operation, etc. in all areas and fields of industry;
(b) “Telecommunications Data” refers to the data generated and collected in the course of telecommunications business operations; and
(c) “Radio Data” refers to the data on radio wave parameters, such as radio frequencies and stations, that is generated and collected in the course of radio business operations.
2. Standards of Data Classification
China’s Data Security Law (DSL), which came into force on September 1, 2021, requires the establishment of a data classification and protection system, and adoption of different approaches to protect data.
Under the Second Draft, data is classified into three levels based on the potential degree of harm that misuse/leakage could cause to national security, public interest or the legitimate rights and interests of individuals and organizations:
1) Important data – Data which, if misused or illegally used, could (1) threaten political stability, territory, military, economy, culture, society, science and technology, electromagnetic fields, etc., and impact China’s overseas interests, biological data, space, artificial intelligence, etc.; (2) seriously harm the development, production, operation and economic interests of the industrial and information technology sectors; (3) cause major data security incidents or production safety accidents, or seriously impact public interest or the legitimate rights and interests of individuals or organizations; or (4) result in an event that cascades into multiple sectors or affects multiple enterprises in the same region or sector, or which has a long-term serious impact on the sector.
2) Core data – Data which, if misused or illegally used, could (1) seriously threaten political stability, territory, military, economy, culture, society, science and technology, electromagnetic fields, etc., and have a serious impact on China’s overseas interests, biology, space, artificial intelligence, etc.; (2) have a significant impact on the industrial and information technology sectors and their key enterprises, key information infrastructure, important resources, etc.; or (3) cause material damage to industrial production and operation, telecom network (including the Internet) operation and services, radio business development and so on, resulting in large-scale shutdowns and production suspensions, loss of a large amount of business processing capacity, etc.
3) General data – Data which, if misused or illegally used, would have a relatively minor impact on public interest or the legitimate rights and interests of individuals and organizations.
3. Filing of Catalogues of Important Data and Core Data
Under the Second Draft, data processors are obliged to file their catalogues of important data and core data with the local competent authorities. Where the category or scale of important data or core data changes by more than 30%, or if there is any material change in other filed information, the data processor is required to complete the formalities to amend the record-filing within three months of the change occurring.
4. Data Lifecycle Security Management
The Second Draft also requires data processors to establish a data lifecycle security management system and to formulate specific hierarchical protection requirements and operating procedures for data collection, storage, use, processing, transmission, provision and disclosure. The noteworthy requirements under the Second Draft include:
1) Data collection – In the process of data collection, corresponding security measures shall be taken according to the data security level, and the collection time, type, quantity, frequency and direction shall be recorded. In addition, if important data and core data are acquired indirectly, the data processor and the data provider must specify the legal liabilities of both parties by signing binding agreements and letters of undertaking.
2) Cross-border transfer – In the first draft, core data was prohibited from being transferred overseas. The Second Draft has removed this prohibition: both important data and core data can be transferred overseas provided a security assessment has been carried out in accordance with PRC laws and regulations. An important rule added in the Second Draft is that, without the approval of the MIIT, no data in the industrial and information technology sectors may be transferred or provided by a China data processor to an offshore regulatory authority. The DSL has established similar restrictions on offshore judicial or law enforcement agencies that seek to obtain data located in China without the approval of the Chinese authorities.
3) Data transfer – Where a data processor needs to transfer data due to merger, reorganization, bankruptcy or any other reason, it shall specify the data transfer plan and notify the affected users by telephone, text message, mail or announcement. Where important data or core data is involved, the data processor shall promptly report the matter to the local authorities under MIIT. This requirement is similar to Article 22 of the Personal Information Protection Law (PIPL)[1].
4) Entrusted data handling – Where a data processor entrusts another party to carry out data processing activities, the data security responsibilities and obligations of both parties shall be specified by signing a contract or by other means. Where the processing of important data or core data is entrusted, the data security protection capability and qualifications of the entrusted party shall be evaluated or verified. In addition, the entrusted party shall not provide the data to a third party without the consent of the entrusting party.
In addition, the Second Draft sets out more detailed rules for data processing activities, and companies are required to make filings with the authorities for certain activities (e.g. destroying important data or core data).
Summary
The MIIT released the Second Draft to implement data security in the sector of industry and information technology in line with the requirements of the DSL and other PRC laws and regulations. It is anticipated that more detailed data security rules may be drafted by China’s regulatory bodies on a sector basis.
Companies operating in China will need to consider how to comply with China’s increasingly strict regulations on the handling of important data and core data. More detailed rules on the identification of important data and core data should be released to help companies identify the important data and core data they may handle.
In respect of the Second Draft, if it is released in its current form, data processors in this sector shall pay attention to the following obligations:
1) Regularly sort their data and create their own catalogues of important data and core data.
2) (a) File their catalogues of important data and core data with the local competent authorities for record; (b) when destroying important data or core data, update the filing with the local competent authorities in a timely manner; and (c) when transferring important data or core data, update the filing with the local competent authorities in a timely manner.
3) Strictly comply with the security requirements in the whole lifecycle of data, including data collection, storage, transfer, destruction, and offshore transfer.
[1] PIPL Article 22: Where a personal information processor needs to transfer personal information due to merger, division, dissolution or declaration of bankruptcy, it shall inform the individual of the name and contact information of the recipient. The receiving party shall continue to fulfill its obligations as a personal information processor. If the receiving party changes the original purpose or method of processing, it shall obtain the individual's consent anew in accordance with this Law.