UPDATE: Latest China Data Protection Regulations for Industrial and Telecom Companies

Written by Zoey Zhang and Arendse Huld

This article was first published on October 18, 2021, and republished on February 18, 2022 to include the latest updates to the draft legislation.   

Update: On February 10, 2022, the Ministry of Industry and Information Technology (MIIT) began soliciting opinions on the draft version of the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial) (the “Measures”). The new draft contains amendments based on feedback on a previous draft that was first released in September 2021.  

The most notable amendment is the removal of the outright ban on exporting “core data” – something which industry stakeholders may have considered too stringent.  

The MIIT will be soliciting opinions from the public on the new draft until February 21, 2022.  

This article contains updates of the latest draft Measures issued in February 2022 and an overview of the classification of different types of data and how they must be handled under the law.  

Note that for the purposes of this article and in the draft Measures, the term “data processor” is used to refer to industrial enterprises, software and information technology service companies, and companies that acquire telecoms business operations that collect, store, use, process, transmit, provide, and disclose data in the field of industry and information technology.  

The “draft Measures” mentioned in this article refer to the latest edition released in February 2022 unless otherwise specified.   

Overview of China data protection requirements for industrial and telecom companies 

Following the Data Security Law, China has drawn up a new regulation clarifying how firms should handle sensitive industrial and telecoms data. The draft Measures classify data into “core”, “important”, and “ordinary” categories, and require firms to apply different degrees of protection when collecting, processing, transferring, and disposing of data. 

The draft Measures apply to all kinds of enterprises in industrial, telecom, and radio communications fields, especially software and information technology (IT) service providers and telecom business license holders. They aim to regulate the industrial and telecoms data processing activities carried out in China.   

The draft Measures set out detailed requirements regarding data storage, processing, disclosure, disposal, and cross-border transfer. Data processors may be obliged to record and report their activities on processing important and core data to the government.  

The Measures are the first data security regulations formulated by a state agency in charge of industrial sectors since the Data Security Law went into effect on September 1, 2021. 

Definition and classification of industrial and telecom data  

The latest draft document specifies three types of industry data that fall under the definition of “industrial and telecoms data”, up from just two types in the original draft document.  

The three types of data are “industrial data”, “telecoms data”, and “radio data”, with “radio data” being the latest addition. 

 

The definition of “industrial data” has also changed. In the previous edition of the draft Measures, it was defined as information collected and generated in a list of specific sectors, including raw materials, machinery, and consumer goods. The definition is now much broader: “data generated and collected in the process of R&D and design, manufacturing, operation and management, operation and maintenance, and platform operation in various industrial fields”.  

The definition of “telecoms data” remains unchanged: information produced or gathered during the operation of telecommunications services.  

Meanwhile, “radio data” is defined as “radio wave parameter data, such as radio frequencies and stations, generated and collected during the operation of radio business activities.”  

According to Article 7 (Article 11 of the original draft), businesses are obliged to sort and classify these industrial and telecoms data into three different risk categories: “core”, “important”, and “ordinary” data. Businesses must then submit a catalogue of the important and core data to the local branch of the MIIT.  

The document lists respective principles for identifying core, important, and ordinary data (please refer to the table below).  

Generally, information that poses a threat to national security, economic stability, and technological advancement, or significantly impacts China’s industrial and telecommunication sectors can be labeled as important data or core data. However, the Measures do not provide any specific examples, leading many to find the definition still quite subjective.  

Classification of Industrial Data and Telecom Data under the Draft Measures for the Administration of Data Security in the Field of Industrial and IT Sectors  
Category   Definition  
Core data  
  • Information that poses a serious threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety, and that has a great impact on the country’s overseas interests and its data security in space, polar regions, the deep sea, and artificial intelligence. 
  • Information that has a great influence on China’s industrial and telecommunications sectors as well as key backbone enterprises, critical information infrastructure, and other important resources. 
  • Information that can do major damage to industrial production and operations, telecommunication network operations and services (including internet), and radio business development, which has the potential to lead to large-scale shutdowns, large-scale radio business interruption, large-scale network and service paralysis, and loss of a large number of business processing capabilities. 
  • Other information assessed and recognized as core data by the MIIT.  
Important data  
  • Information that poses a threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety, and that has an impact on the country’s overseas interests and its data security in space, polar regions, the deep sea, and artificial intelligence. 
  • Information that has an influence on the development, production, operations, and economic interests of China’s industrial and telecommunications sectors. 
  • Information that can cause major data security incidents or production safety accidents, has a significant impact on the legal rights of individuals and organizations, and has a great negative impact on society. 
  • Information that has obvious cascading effects across a range of industries and enterprises or has long-lasting effects that can seriously impact China’s industrial development, technological advancement, and industrial ecology. 
  • Other information assessed and recognized as important data by the MIIT.  
Ordinary data  
  • Information that has a relatively low impact on the legal interests of individuals and organizations. 
  • Information that can only affect a small number of users and enterprises or a small scope of production and living areas, that only has a short-term effect, and that has a relatively low impact on the operations of enterprises, industry development, technological advancement, and industrial ecology. 
  • Other data excluded from the catalogue of important and core data.  

What are the responsibilities of data processors?  

Compiling and maintaining a data catalogue  

According to the draft Measures, firms are required to sort out and record important and core data and report a data catalogue. The data catalogue must then be submitted to a different government body depending on the type of data that is collected: to the MIIT for industrial data, to the Bureau of Communication Management for telecom data, and to the local radio administration institute for radio data.   

The information to be included in the filing covers data type, category, scale, processing purpose and method, scope of usage, responsible agent, external sharing and cross-border transfer of the data, safety protection measures, and so on. It does not include the data content itself.  

After the catalogue has been filed, the local authority in charge of the filing will then conduct a review of the information provided within 20 working days. Filings that meet requirements will be approved, and the data processor (the company that processes the data) will be issued with a filing certificate.  

If reported data changes, firms are also obliged to report the updated information to the government within three months.  

Data security review and data export requirements  

The previous version of the draft Measures prohibited core data from being transferred overseas while requiring a government security review before important data could be transferred overseas. The latest version of the draft Measures, however, removes the clause that outright bans the export of core data, and instead stipulates that core data also requires a security review before it can be exported.  

The new version of the draft Measures also stipulates that the MIIT is responsible for handling requests from foreign entities, such as industrial or telecom companies, to provide industrial or telecoms data, which it will do in accordance with any international treaties that China has signed or acceded to. The Measures still require both important and core data to be stored within China’s territory. 

 

This is consistent with China’s Data Security Law and Cybersecurity Law. The Cybersecurity Law stipulates that the operator of a critical information infrastructure should store important data collected and generated domestically within the territory of China. Where such information and data must be provided abroad for business purposes, a security review should be conducted.  

China’s Data Security Law, while not offering detailed rules on the safety management for cross-border transfers of important data, prescribes the penalties for firms that transfer important data overseas in violation of the Cybersecurity Law as well as other data security measures. The penalties include fines, suspension of the relevant business, suspension of the business that committed the violation, and revocation of the relevant business permit or business licenses.  

Appointing responsible persons for data management  

The draft Measures require data processors to set up a department that is responsible specifically for data compliance and appoint a main person to be in charge of data security management. The data processor must also clarify the key positions and personnel in charge of data processing. These staff members must also sign a data security responsibility letter.  

The data processor is required to reasonably establish the authority of different staff members to engage in different data processing activities and strictly manage personnel authority. They must also conduct regular safety training and education for the security staff.  

Protection measures for important and core data  

Based on the risk category of the data, firms should set up a safety management system and adopt different degrees of protection measures for the entire data life cycle, including collection, storage, processing, transfer, provision, disclosure, and disposal of important and core data.  

Where it is unclear what risk category of data is being handled or where it is difficult to separate different risk categories of data, the highest level of security measures should be implemented.  

Data processors are required to formulate an emergency response plan for data security incidents and carry out periodic emergency drills.  

Other compliance requirements  

The following compliance requirements also deserve the attention of enterprises:  

  • Without the consent of the individual or the entity, enterprises shall not obtain accurate user portraits or restore data of specific subjects through data mining, association analysis, or other technical means.  
  • When it is necessary to protect national security and social and public interests, enterprises should destroy the data when a third-party organization provides proof to request such destruction.  
  • Data processors should establish registration and approval mechanisms and keep a record of their transfer of important data and their use and processing of important data and core data.  
  • The transfer and provision of core data must be approved by the State.  

The significance of the China data protection requirements 

China has been tightening its data-related regulations. This summer, the government launched a cybersecurity investigation into ride-hailing app Didi after it rushed its public listing in the US. Didi was accused of seriously violating laws and regulations in its collection and use of personal information and was ordered to suspend new user registrations. 

In July, the Cyberspace Administration of China (CAC) revised its Cybersecurity Review Measures to make clear that any Chinese companies that hold the personal information of one million or more users would need to seek a government cybersecurity review before listing abroad.  

A month later, China’s top legislature passed the Personal Information Protection Law. And in September, China’s new Data Security Law went into effect. The MIIT’s Measures, once passed, will be yet another key regulatory document on data security and help make rules clearer.  

The MIIT plays a significant role in China’s data security supervision system. This ministry regulates several industries, such as equipment and consumer goods manufacturing, telecommunications, electronic information products manufacturing, software, and the internet, which are vital to the country’s digital economy.  

Overall, the draft Measures offer more detailed judgment criteria for important and core industrial and telecoms data and put forward enhanced compliance requirements at the practical level, and this should hold great importance for enterprises in relevant sectors. 


About Us

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.

Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.