China to Strengthen Data Security in Industry and IT Sectors

In this article, we highlight the key provisions of the Measures and set out our observations on the proposed measures.

BACKGROUND

The Data Security Law (DSL) proposed to establish a data security management regime (Data Security Regime) centred around a data classification and categorisation protection scheme. Under the Data Security Regime, data will be divided into different classes in accordance with the levels of its importance to the economy and society and potential harm caused by unauthorised alteration, destruction, leakage or illegal acquisition or use and categorised either as important or core data. The DSL does specify how to determine the category of the data.

The DSL has imposed special obligations to protect important data and core data and requires sectoral regulators and local governments to publish their catalogues of important data. However, the DSL is silent on the scope of important data and core data.

In September 2021, the MIIT became the first sectoral regulator to publish a draft regulation to implement the Data Security Regime. In February 2022, the MIIT released a second draft for consultation (for our comments on the second draft, please click here), which incorporated public feedback that MIIT had received after the release of the first draft. As expected, the final Measures are e to the second draft.

In December 2021 the MIIT announced that it would establish a work group to oversee a pilot program for data security management that was expected to be completed by September 2022. Provincial offices of the MIIIT selected enterprises in key sectors for the pilot program, which covered data security management, protection, evaluation and monitoring, promotion of data security products, and data export security management. In February 2022, the MIIT published the list of regions that took part in the pilot program and recently released a selected list of typical cases and distinguished regions.

KEY PROVISIONS AND OBSERVATIONS

I. Scope of the Measures

Industry and IT Data

The Measures apply to data in the industry and information technology sector (Industry and IT Data), which includes the following three types of data:

1. industrial data, meaning data generated and collected in the process of research and development, design, manufacturing, business management, operation maintenance and platform operation in various industry sectors;
2. telecom data, meaning data generated and collected in the process of telecom service operations; and
3. radio data, meaning radio waves data generated and collected in the process of carrying out radio operations, including radio frequencies and radio stations.

Industry and IT Data Processors

Under the Measures, data processing activities include collection, storage, use, handling, transfer, provision and publication of data. Notably, the Measures amend the concept of processor of Industry and IT Data (“Industry and IT Data Processor”), which is defined as the industry enterprises, software and information technology service providers, licensed telecom service providers and the users of radio frequencies and stations that determine the purpose and means of the processing in data processing activities.

With Measures applying only to the Industry and IT Data Processors, they effectively carve out from the scope entities which process the Industry and IT Data on another entity’s behalf and cannot determine the processing purpose and means. If this is the effect intended by the MIIT, it will narrow the scope of the Measures.

The Measures further divide the Industry and IT Data Processors into industry data processors, telecom data processors and radio data processors in accordance with the sectors in which they operate.

II. Data Security Regime

Responsibilities of regulatory bodies

The MIIT will be responsible for supervising and guiding the local MIIT offices in regulating data security and administering data processing activities and security protection. More importantly, the MIIT will formulate standards and rules for the identification of the important data and core data, data categorisation and classification, and catalogues of important data and core data in the industries. These responsibilities together with publishing catalogues of important and core data, fall on the local MIIT offices.

Industry and IT Data Processors are required to regularly update their data inventory, identify important data and core data, and formulate their own catalogues.

There will be three sources of catalogues of the important data and core data: (i) the catalogue published by the MIIT for the industries, (ii) the catalogues published by the local MIIT offices of the MIIT for the regions, which will need to be filed with the MIIT; and (iii) the catalogues formulated by the Industry and IT Data to Processors after identifying their own important data and core data.

Classes and categories of data

The Industry and IT Data is divided into different categories in accordance with the requirements and characteristics of the industries, business needs, sources of data and uses. Examples include research and development data, manufacturing and operation data, administration data, maintenance data, and operational service data.

The Industry and IT data is also divided into three classes in accordance with the level of harm to national security, public interests and legal interests of individuals in the case of unauthorised alteration, destruction, leakage or illegal acquisition or use of the data (Breach Event). The three levels are: ordinary data, important data and core data.

Notably, processors of the Industry and IT Data are allowed to further divide the data into sub-levels and sub-classes.

Ordinary data is defined as the data, the level of harm involving which in the Breach Event meets one of the below criteria:

1. The impact upon public interest or legal interests of individuals or organisations is relevantly small with slight negative social impact;
2. The number of users and enterprises being impacted is relatively small; the production or living area being impacted is relatively small; the duration of impact is relatively short; the impact on enterprise operation, industry development, technology advances and industry ecosphere is relatively small; or
3. Other data that is not included in the classes of important data and core data.

Important data is defined as the data, the level of harm involving which in the Breach Event meets one of the below criteria:

1. Posing a threat to the security of politics, territories, militaries, economy, culture, society, technology, electromagnetism, network, ecosystem, resources and nuclear or impacting the overseas interest, biology, space, polar areas, deep sea, artificial intelligence or other key areas relevant to national security;
2. Having a serious impact upon the development, production, operation and economic interest in the industry and information technology sectors;
3. Causing a serious data security incident or production safety accident or having a serious impact on the public interest or legal interest of individuals or organisations with a significant negative social impact; or
4. Causing a significant cascade effect that impacts multiple sectors or regions or multiple enterprises in the same sector, lasts for a long period of time, or has a serious impact upon the development of industry, advance of technologies and the ecology of industries.

Core data is defined as the data, the level of harm involving which in the Breach Event that meets one of the below criteria:

1. Posing a serious threat to the security of politics, territories, militaries, economy, culture, society, technology, electromagnetism, network, ecosystem, resources and nuclear or seriously impacting the overseas interest, biology, space, polar areas, deep sea, artificial intelligence and other key areas relevant to national security;
2. Having a significant impact upon the industry and information technology sectors and relevant key enterprises, critical information infrastructure, and important resources; or
3. Causing serious harm to industry production and operation, telecom network (including the internet) operation and radio services, large-scale cease of work and production, disruption of radio services in large areas, large-scale stoppage of network services and loss of a large number of service functions.

Filing of catalogues

Processors of important data and core data must file their catalogues with the local offices of MIIT. Information to be filed include the classes, categories and volume of data, purposes and means of processing, scope of use, responsible entity and information on data sharing with third parties, cross-border transfer and security protection measures.

Local offices of MIIT will complete a review of the filing within 20 working days and decide whether to issue a filing certificate to the applicant and pass on the filing information to the central MIIT. Where the filing is rejected, the applicant may make a second filing within 15 business days after being notified of the rejection.

An updated filing must be made within three months of any significant changes to the filed information, for instance where the scale (meaning the number of entries or storage volume) of important data or core data in a particular category has changed by 30% or more.

III. Security obligations

General security obligations

Industry and IT Data Processors are under general obligations to implement the Data Security Regime and protect the data, which include:

1. Affording data of different classes corresponding level of protection;
2. Implementing protection of the highest level if data of different levels is being processed and it is difficult to implement different levels of protection;
3. Establishing a full life-cycle data security management system, consisting of specific protection requirements and operation procedures for different classes of data;
4. Designating data security management personnel, who will be responsible for security supervision and administration and assisting with the sectoral regulators;
5. Rigorously managing operation authorisations of personnel in data processing;
6. Formulating contingency plans and conducting periodical data contingency drills;
7. Periodically running data security trainings for relevant personnel; and
8. Other measures provided for under the laws and regulations.

Special security obligations

Processors of important data and core data in the industry and IT sectors are under special regulations to:

1. Establish a data security system and a permanent communication and coordination regime in their own organisations;
2. Clearly designate the person in charge of data security and the internal department for data management, making it clear that the legal representative or the head of the organisation will be considered the person primarily responsible for data security and the person responsible for data security in the management team will be considered the person directly responsible for data security;
3. Specify key data processing positions and relevant responsibilities and require the personnel holding key data processing positions to acknowledge in writing their data security responsibilities; and
4. Establish internal registration and approval procedures, rigorously manage processing of important data and core data and keep records.

The Measures do not explain the differences between “person primarily liable” and “person directly liable” or whether the differences will have any implications for the liability of the relevant persons in the event of a violation. We note that under the DSL the key management personnel of the processor and other personnel “directly responsible” for the violation will be penalized personally.

Data life-cycle management obligations

The Measures have also provided for obligations at key links of the data life cycle. We highlight below some notable obligations for processors:

1. Collection: record the sources, time, types, volume, frequency and direction of the data flows, and, where the processors obtain important data and core data indirectly, sign a written document with the data provider to specify their respective legal liabilities;
2. Storage: for important data and core data, use validation and encryption technologies to securely store the data, implement disaster recovery backup, securely manage storage media, and conduct periodical data recovery tests;
3. Processing: where automated decision-making is used, ensure transparency and fairness, and, for important data and core data, strengthen access control;
4. Transmission: for important data and core data, implement measures, such as validation and encryption technologies, security transmission channels or secure transfer protocols;
5. Provision to third parties: sign a data security agreement with the recipient, evaluate or verify the data recipient’s security protection capability, and implement necessary security protection measures;
6. Publication: evaluate the impact on public interests and national security before publicly disclosing the data;
7. Destruction: establish a data destruction mechanism and not recover any destructed data;
8. Transfer in the case of a merger, reorganisation and bankruptcy: prepare a transfer plan and notify the impacted users ;
9. Entrusted processing: sign a contract with the entrusted party to specify its data security responsibilities and obligations, evaluate and verify the data security protection capability of the entrusted processor;
10. Third-party processing of core data: evaluate security risks, take necessary measures, and report to the MIIT via its local offices for inspection and evaluation; and
11. Record keeping: keep a record of data processing, authorisation management and personnel operation for a least six months.

     

IV. Data export

The Measures require all Industry and IT Data Processors to store locally any important data and core data collected or generated within the Chinese territory. Any export of data must pass the data export security assessment conducted by the government. This is in line with the regulation on security assessment published by the Cyberspace Administration of China and clarifies that the export of core data will also be subject to security assessment and localisation requirements.

Processors must not provide any Industry and IT Data stored in China to a foreign industry, telecom or radio enforcement bodies before first obtaining an approval from the MIIT, which reflects the position under the DSL. However, the DSL does not specify what such enforcement bodies may include, and such restrictions could render it difficult for entities to comply with any data submission requirements under foreign regulations.  

CONCLUSION

As expected, the MIIT becomes the first sector regulator to publish regulations to implement the Data Security Regime, after completing the pilot programs and two rounds of consultation. With practical experiences gained through the pilot programs, the MIIT is expected to publish its catalogues of important data and core data soon. Other ministries are likely to follow MIIT’s suit and draw reference from the Measures.

Companies in the industry and information technology sectors should be prepared to initiate the process of identifying their own important data and core data and prepare their own catalogues once the MIIT catalogues are ready. The obligations for protecting data security under the Measures will also require the companies to take a series of remedial actions. For those exporting important data or core data, they should plan early for the security assessment and localisation, which could pose a challenge to their operation.