This article was first published on October 18, 2021, and republished on February 18, 2022 to include the latest updates to the draft legislation.
Update: On February 10, 2022, the Ministry of Industry and Information Technology (MIIT) has begun soliciting opinions on the draft version of the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial) (the “Measures”). The new draft contains amendments based on feedback from a previous draft that was first released in September 2021.
The most notable amendment is the removal of the outright ban on exporting “core data” – something which industry stakeholders may have considered too stringent.
The MIIT will be soliciting opinions from the public on the new draft until February 21, 2022.
This article contains updates of the latest draft Measures issued in February 2022 and an overview of the classification of different types of data and how they must be handled under the law.
Note that for the purposes of this article and in the draft Measures, the term “data processor” is used to refer to industrial enterprises, software and information technology service companies, and companies that acquire telecoms business operations that collect, store, use, process, transmit, provide, and disclose data in the field of industry and information technology.
The “draft Measures” mentioned in this article refer to the latest edition released in February 2022 unless otherwise specified.
Following the Data Security Law, China has drawn up a new regulation clarifying how firms should handle sensitive industrial and telecoms data. The draft Measures classifies data into “core”, “important”, and “ordinary” categories, and requires firms to take different degrees of protection measures when collecting, processing, transferring, and disposing of data.
The draft Measures apply to all kinds of enterprises in industrial, telecom, and radio communications fields, especially software and information technology (IT) service providers and telecom business license holders. They aim to regulate the industrial and telecoms data processing activities carried out in China.
The draft Measures set out detailed requirements regarding data storage, processing, disclosure, disposal, and cross-border transfer. Data processors may be obliged to record and report their activities on processing important and core data to the government.
The Measures are the first data security regulations formulated by a state agency in charge of industrial sectors since the Data Security Law went into effect on September 1, 2021.
The latest draft document specifies three types of industry data that fall under the definition of “industrial and telecoms data”, up from just two types in the original draft document.
The three types of data are “industrial data”, “telecoms data”, and “radio data”, with “radio data” being the latest addition.
Ensure your ERP systems are compliant with local regulations in China - contact our professionals for help
The definition of “Industrial data” has also changed. Whereas in the previous edition of the draft Measures it was defined as information collected and generated in a list of specific sectors, including raw materials, machinery, and consumer goods, the definition now is much broader, simply defined as, “data generated and collected in the process of R&D and design, manufacturing, operation and management, operation and maintenance, and platform operation in various industrial fields”.
The definition of “telecoms data” remains unchanged: information produced or gathered during the operation of telecommunications services.
Meanwhile, “radio data” is defined as “radio wave parameter data, such as radio frequencies and stations, generated and collected during the operation of radio business activities.”
According to Article 7 (Article 11 of the original draft), businesses are obliged to sort and classify these industrial and telecoms data into three different risk categories: “core”, “important”, and “ordinary” data. Businesses must then submit a catalogue of the important and core data to the local branch of the MIIT.
The document lists respective principles for identifying core, important, and ordinary data (please refer to the table below).
Generally, information that poses a threat to national security, economic stability, and technological advancement, or significantly impacts China’s industrial and telecommunication sectors can be labeled as important data or core data. However, the Measures does not provide any specific examples, leading many to find the definition still quite subjective.
According to the draft Measures, firms are required to sort out and record important and core data and report a data catalogue. The data catalogue must then be submitted to a different government body depending on the type of data that is collected: to the MIIT for industrial data, the Bureau of Communication Management for telecom data, and to the local radio administration institute for radio data.
The data to be included in the filing includes data type, category, scale, processing purpose and method, scope of usage, responsible agent, external sharing and cross-border transfer of the data, safety protection measures, and so on. It does not include the data content itself.
After the catalogue has been filed, the local authority in charge of the filing will then conduct a review of the information provided within 20 working days. Filings that meet requirements will be approved, and the data processor (the company that processes the data) will be issued with a filing certificate.
If reported data changes, firms are also obliged to report the updated information to the government within three months.
The previous draft of the draft Measures prohibited core data from being transferred overseas while requiring a government security review before important data could be transferred overseas. The latest version of the draft Measures, however, removes the clause that outright bans the export of core data, and instead stipulates that core data also requires a security review before it can be exported.
The new version of the draft Measures also stipulates that the MIIT is responsible for handling requests from foreign entities, such as industrial or telecom companies, to provide industrial or telecoms data, which it will do in accordance with any international treaties signed that China has signed or acceded to. The Measures still require both important and core data to be stored within China’s territory.
Our due diligence team can help your business limit risks by assessing the credibility of a supplier, purchaser, or business partner in China
This is consistent with China’s Data Security Law and Cybersecurity Law. The Cybersecurity Law stipulates that the operator of a critical information infrastructure should store important data collected and generated domestically within the territory of China. Where such information and data must be provided abroad for business purposes, a security review should be conducted.
China’s Data Security Law, while not offering detailed rules on the safety management for cross-border transfers of important data, prescribes the penalties for firms that transfer important data overseas in violation of the Cybersecurity Law as well as other data security measures. The penalties include fines, suspension of the relevant business, suspension of the business that committed the violation, and revocation of the relevant business permit or business licenses.
The draft Measures require data processors are required to set up a department that is responsible specifically for data compliance and appoint a main person to be in charge of data security management. The data processor must also clarify the key positions and personnel in charge of data processing. These staff members must also sign a data security responsibility letter.
The data processor is required to reasonably establish the authority of different staff members to engage in different data processing activities and strictly manage personnel authority. They must also conduct regular safety training and education for the security staff.
Based on the risk category of the data, firms should set up a safety management system and adopt different degrees of protection measures for the entire data life cycle, including collection, storage, processing, transfer, provision, disclosure, and disposal of important and core data.
Where it is unclear what risk category of data is being handled or where it is difficult to separate different risk categories of data, the highest level of security measures should be implemented.
Data processors are required to formulate an emergency response plan for data security incidents and carry out periodic emergency drills.
The following compliance requirements also deserve the attention of enterprises:
China has been tightening its data-related regulations. This summer, the government launched a cybersecurity investigation into ride-hailing app Didi after it rushed its public listing in the US. Didi was accused of seriously violating laws and regulations in its collection and use of personal information and was ordered to suspend new user registrations.
In July, the Cyberspace Administration of China (CAC) revised its Cybersecurity Review Measures to make clear that any Chinese companies that hold the personal information of one million or more users would need to seek a government cybersecurity review before listing abroad.
A month later, China’s top legislature passed the Personal Information Protection Law. And in September, China’s new Data Security Law went into effect. The MIIT’s Measures, once passed, will be yet another key regulatory document on data security and help make rules clearer.
The MIIT plays a significant role in China’s data security supervision system. This ministry regulates several industries, such as equipment and consumer goods manufacturing, telecommunications, electronic information products manufacturing, software, and the internet, which are vital to the country’s digital economy.
Overall, the draft Measures offers more detailed judgment criteria of important and core industrial and telecoms data and put forward enhanced compliance requirements at the practical level, and this should hold great importance for enterprises in relevant sectors.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
Previous Article « China Trade Unions – Considerations for Employers Under New Amended Law
Next Article Serbia and China to Sign Free Trade Agreement by End 2022？ »
A firm understanding of China’s laws and regulations related to human resources and payroll management is ab...
Doing Business in China 2021 is designed to introduce the fundamentals of investing in China. Compiled by the ...
Most businesses with experience in China are accustomed to the complex, paper-intensive, and laborious manual ...
Dezan Shira & Associates helps
businesses establish, maintain,
and grow their operations.
Stay Ahead of the curve in Emerging Asia. Our subscription service offers regular regulatory updates,
including the most recent legal, tax and accounting changes that affect your business.