On 8 December 2022, the Ministry of Industry and Information Technology (MIIT) released the final version of the Interim Administrative Measures for Data Security in Industry and Information Technology (Measures) after two rounds of public consultation, which became the first sectoral regulation on the data security regime that the Data Security Law proposed to establish.
In this article, we highlight the key provisions of the Measures and set out our observations on the proposed measures.
The Data Security Law (DSL) proposed to establish a data security management regime (Data Security Regime) centred around a data classification and categorisation protection scheme. Under the Data Security Regime, data will be divided into different classes in accordance with the levels of its importance to the economy and society and potential harm caused by unauthorised alteration, destruction, leakage or illegal acquisition or use and categorised either as important or core data. The DSL does specify how to determine the category of the data.
The DSL has imposed special obligations to protect important data and core data and requires sectoral regulators and local governments to publish their catalogues of important data. However, the DSL is silent on the scope of important data and core data.
In September 2021, the MIIT became the first sectoral regulator to publish a draft regulation to implement the Data Security Regime. In February 2022, the MIIT released a second draft for consultation, which incorporated the public feedback that the MIIT had received after the release of the first draft. As expected, the final Measures are close to the second draft.
In December 2021, the MIIT announced that it would establish a work group to oversee a pilot program for data security management that was expected to be completed by September 2022. Provincial offices of the MIIT selected enterprises in key sectors for the pilot program, which covered data security management, protection, evaluation and monitoring, promotion of data security products, and data export security management. In February 2022, the MIIT published the list of regions that took part in the pilot program and recently released a selected list of typical cases and distinguished regions.
The Measures apply to data in the industry and information technology sector (Industry and IT Data), which includes the following three types of data:
Industry and IT Data Processors
Under the Measures, data processing activities include collection, storage, use, handling, transfer, provision and publication of data. Notably, the Measures amend the concept of processor of Industry and IT Data (“Industry and IT Data Processor”), which is defined as the industry enterprises, software and information technology service providers, licensed telecom service providers and the users of radio frequencies and stations that determine the purpose and means of the processing in data processing activities.
With the Measures applying only to Industry and IT Data Processors, they effectively carve out from their scope entities which process Industry and IT Data on another entity’s behalf and cannot determine the purpose and means of the processing. If this is the effect intended by the MIIT, it will narrow the scope of the Measures.
The Measures further divide the Industry and IT Data Processors into industry data processors, telecom data processors and radio data processors in accordance with the sectors in which they operate.
The MIIT will be responsible for supervising and guiding the local MIIT offices in regulating data security and administering data processing activities and security protection. More importantly, the MIIT will formulate standards and rules for the identification of important data and core data, data categorisation and classification, and catalogues of important data and core data in the industries. These responsibilities, together with publishing catalogues of important and core data, also fall on the local MIIT offices.
Industry and IT Data Processors are required to regularly update their data inventory, identify important data and core data, and formulate their own catalogues.
There will be three sources of catalogues of important data and core data: (i) the catalogue published by the MIIT for the industries; (ii) the catalogues published by the local offices of the MIIT for the regions, which will need to be filed with the MIIT; and (iii) the catalogues formulated by Industry and IT Data Processors after identifying their own important data and core data.
The Industry and IT Data is divided into different categories in accordance with the requirements and characteristics of the industries, business needs, sources of data and uses. Examples include research and development data, manufacturing and operation data, administration data, maintenance data, and operational service data.
The Industry and IT Data is also divided into three classes in accordance with the level of harm to national security, public interests and the legal interests of individuals in the case of unauthorised alteration, destruction, leakage or illegal acquisition or use of the data (Breach Event). The three classes are: ordinary data, important data and core data.
Notably, processors of the Industry and IT Data are allowed to further divide the data into sub-levels and sub-classes.
Ordinary data is defined as data for which the level of harm caused by a Breach Event meets one of the criteria below:
Important data is defined as data for which the level of harm caused by a Breach Event meets one of the criteria below:
Core data is defined as data for which the level of harm caused by a Breach Event meets one of the criteria below:
Processors of important data and core data must file their catalogues with the local offices of the MIIT. The information to be filed includes the classes, categories and volume of data, the purposes and means of processing, the scope of use, the responsible entity, and information on data sharing with third parties, cross-border transfer and security protection measures.
Local offices of the MIIT will complete a review of the filing within 20 working days and decide whether to issue a filing certificate to the applicant and pass the filing information on to the central MIIT. Where the filing is rejected, the applicant may make a second filing within 15 business days after being notified of the rejection.
An updated filing must be made within three months of any significant changes to the filed information, for instance where the scale (meaning the number of entries or storage volume) of important data or core data in a particular category has changed by 30% or more.
Industry and IT Data Processors are under general obligations to implement the Data Security Regime and protect the data, which include:
Processors of important data and core data in the industry and IT sectors are subject to special obligations to:
The Measures do not explain the differences between “person primarily liable” and “person directly liable” or whether the differences will have any implications for the liability of the relevant persons in the event of a violation. We note that under the DSL the key management personnel of the processor and other personnel “directly responsible” for the violation will be penalised personally.
The Measures have also provided for obligations at key links of the data life cycle. We highlight below some notable obligations for processors:
The Measures require all Industry and IT Data Processors to store locally any important data and core data collected or generated within the Chinese territory. Any export of data must pass the data export security assessment conducted by the government. This is in line with the regulation on security assessment published by the Cyberspace Administration of China and clarifies that the export of core data will also be subject to security assessment and localisation requirements.
Processors must not provide any Industry and IT Data stored in China to foreign industry, telecom or radio enforcement bodies without first obtaining approval from the MIIT, which reflects the position under the DSL. However, the DSL does not specify what such enforcement bodies may include, and such restrictions could make it difficult for entities to comply with data submission requirements under foreign regulations.
As expected, the MIIT has become the first sectoral regulator to publish regulations implementing the Data Security Regime, after completing the pilot programs and two rounds of consultation. With the practical experience gained through the pilot programs, the MIIT is expected to publish its catalogues of important data and core data soon. Other ministries are likely to follow suit and draw reference from the Measures.
Companies in the industry and information technology sectors should be prepared to initiate the process of identifying their own important data and core data and prepare their own catalogues once the MIIT catalogues are ready. The obligations for protecting data security under the Measures will also require companies to take a series of remedial actions. Those exporting important data or core data should plan early for the security assessment and localisation, which could pose a challenge to their operations.