Following the Data Security Law, China has drafted a new regulation clarifying how companies should handle sensitive industrial and telecom data. The draft regulation classifies data into “essential”, “important” and “ordinary” categories and requires companies to apply different levels of protection when collecting, processing, transferring and disposing of data.
On September 30, 2021, the Ministry of Industry and Information Technology (MIIT) released the Measures for the Administration of Data Security in the Field of Industry and Information Technology (Trial) (Draft) (hereinafter “Measures”) and is soliciting public opinions until October 30, 2021.
The draft measures apply to all kinds of businesses, in particular software and IT service providers and telecommunications licensees.
It aims to regulate industrial and telecom data processing activities carried out in China. Notably, it clearly prohibits companies from moving “essential data” out of China. It also requires companies to get a government security review before providing “important data” overseas.
The document sets out detailed requirements for the storage, processing, disclosure, disposal and cross-border transmission of data. Subcontractors may be required to register and report to the government their processing activities with important and essential data.
The Measures became the first data security regulation formulated by a state agency in charge of industrial sectors since the Data Security Law entered into force on September 1, 2021.
Definition and classification of industrial and telecom data
In the document, “industry data” is defined as information collected and generated in industries such as raw materials, machinery, consumer goods, electronics manufacturing, software and information technology. “Telecommunications data” refers to information produced or collected from the large market for communications networks.
According to Article 11 of the measures, companies are required to sort and classify such industrial and telecommunications data into essential, important and ordinary categories, and to submit the catalog of important and essential data to the local branch of MIIT.
The document lists the respective principles for identifying essential, important and ordinary data (please refer to the following table).
In general, information that may pose a threat to national security, economic stability, and technological progress, or have a significant impact on China’s industrial and telecommunications sectors, can be characterized as important data or essential data. However, the Measures do not provide any specific example, which leads many to find the definition still quite subjective.

Classification of industrial and telecom data under the Measures for the Administration of Data Security in the Field of Industry and Information Technology

| Category | Identification principles |
|---|---|
| Essential data | · Information that poses a serious threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources and nuclear security, and which has a significant impact on the country’s foreign interests and data security in space, polar regions, deep sea and artificial intelligence.<br>· Information that has a great influence on China’s industrial and telecommunications sectors as well as major core businesses, key information infrastructures and other important resources.<br>· Information that can cause significant damage to industrial production and operations, telecommunications and internet services, which can lead to large-scale shutdowns and crippling of networks and services.<br>· Other information assessed and recognized as essential data by MIIT. |
| Important data | · Information that poses a threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources and nuclear safety, and which has an impact on the country’s foreign interests and the security of its data in space, the polar regions, the deep sea and artificial intelligence.<br>· Information that influences the development, production, operations and economic interests of China’s industrial and telecommunications sectors.<br>· Information that can cause major data security incidents or production security accidents, which have a significant impact on the legal rights of individuals and organizations, and which have a significant negative impact on society.<br>· Information that has obvious cascading effects on a range of industries and businesses or has long-term effects that may have a serious impact on the development of Chinese industry, technological progress and industrial ecology.<br>· The cost of retrieving this information is potentially high or the cost of removing the negative impact of this information could be considered high.<br>· Other information assessed and recognized as important data by MIIT. |
| Ordinary data | · Information that has a relatively low impact on the legal interests of individuals and organizations.<br>· Information which may affect only a small number of users and companies or a small expanse of production and living areas, which has only a short-term effect and which has a relatively low impact on business operations, industry development, technological progress, and industrial ecology.<br>· The cost of retrieving this information may be low, or the cost of removing the negative impact of this information may be low.<br>· Other data excluded from the catalog of important and essential data. |
What are the responsibilities of the data holders?
According to the draft measures, companies are required to sort and record important and essential data and report a data catalog to the local branch of MIIT. If the reported data changes, companies are also required to report the updated information to the government within three months.
Depending on the importance of the data, companies should adopt different degrees of protection measures when collecting, storing, processing, transferring, providing, disclosing and disposing of important and essential data.
Specifically, with regard to cross-border data flows, the Measures clearly prohibit the transfer of essential data abroad, and the transfer of important data abroad will be subject to government scrutiny.
This is consistent with China’s Data Security Law and Cybersecurity Law. The Cybersecurity Law provides that the operator of a critical information infrastructure should store important data collected and generated domestically within the territory of China. When this information and data is to be provided abroad for business purposes, a security review should be performed.
China’s Data Security Law, although it does not offer detailed rules on managing security for cross-border transfers of important data, provides penalties for companies transferring important data overseas in violation of the Cybersecurity Law as well as other data security measures. Sanctions include fines, suspension of the affected business, suspension of the business for rectification, and revocation of the affected business license or business license.
In addition, the draft measures specify that companies must set up the responsible departments and identify the main people in charge of data security management, as well as clearly define the key positions and personnel for data processing.
The following compliance requirements also deserve the attention of companies:
- Without the consent of the individual or entity, companies should not obtain accurate user portraits or restore data from specific subjects through data mining, association analysis or other technical means.
- Where it is necessary to protect national security and social and public interests, companies should destroy data when a third party provides evidence to request such destruction.
- Businesses should establish registration and approval mechanisms and keep track of their transmission of important data, as well as their use and processing of important data and essential data.
- The transmission and provision of essential data is subject to approval by the State.
The importance of MIIT data security measures
China has tightened its data regulations. This summer, the government launched a cybersecurity investigation into the Didi ridesharing app after it rushed its public listing in the United States. Didi was charged with seriously breaking laws and regulations in its collection and use of personal information and was ordered to suspend the registration of new users.
In July, the Cyberspace Administration of China (CAC) revised its cybersecurity review measures to clarify that any Chinese company holding the personal information of a million or more users should apply for a government cybersecurity review before filing to list abroad.
A month later, China’s highest legislature passed the Privacy Act. And in September, China’s new data security law came into effect. The MIIT measures, once adopted, will be another key regulatory document on data security and help make the rules clearer.
MIIT plays an important role in China’s data security oversight system. This ministry regulates several sectors, such as equipment and consumer goods manufacturing, telecommunications, electronic information product manufacturing, software and the Internet, which are essential to the country’s digital economy.
Overall, the draft measures propose more detailed judgment criteria for important and essential industrial and telecommunications data and propose enhanced compliance requirements at the practical level, which should be of great importance to companies in the sectors concerned.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors in China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong.