UPDATE: Finalized China Data Protection Measures for Industrial and Telecom Companies Released

Posted by Written by Zoey Zhang and Arendse Huld Reading Time: 8 minutes

This article was first published on October 18, 2021, and last updated on December 29, 2022, to include the latest updates to the measures.   

UPDATE: On December 13, 2022, the Ministry of Industry and Information Technology (MIIT) released the final version of the Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation) (the “Trial Measures”). The Trial Measures have been finalized after two rounds of solicitation for public comment, the last of which ended in February 2022. The Trial Measures, which outline data security requirements for companies in the field of industry and information technology sectors, will come into effect on January 1, 2023.

UPDATE: On February 10, 2022, the MIIT began soliciting opinions on the draft version of the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial) (the “draft Measures”). The new draft Measures contain amendments based on feedback from a previous draft that was first released in September 2021.  

This article contains the updated requirements of the latest Trial Measures issued in December 2022 and an overview of the classification of different types of data and how they must be handled under the law.  

Note that for the purposes of this article and in the Trial Measures, the term “data processor” is used to refer to industrial enterprises, software and information technology service companies, and companies that acquire telecoms business operations that collect, store, use, process, transmit, provide, and disclose data in the field of industry and information technology.  

The “Trial Measures” mentioned in this article refer to the latest edition released in December 2022, while the “draft Measures” refer to the version released in February 2022, unless otherwise specified.   

Overview of China data protection requirements for industrial and telecom companies 

Following the Data Security Law, China has drawn up a new regulation clarifying how firms should handle sensitive industrial and telecoms data. The Trial Measures classify data into “core”, “important”, and “ordinary” categories, and require firms to take different degrees of protection measures when collecting, processing, transferring, and disposing of data. 

The Trial Measures apply to all kinds of enterprises in industrial, telecom, and radio communications fields, especially software and information technology (IT) service providers and telecom business license holders. They aim to regulate the industrial and telecom data processing activities carried out in China.   

The Trial Measures set out detailed requirements regarding data storage, processing, disclosure, disposal, and cross-border data transfer (CBDT). Data processors may be obliged to record and report their activities in processing important and core data to the government.  

The Measures are the first data security regulations formulated by a state agency in charge of industrial sectors since the Data Security Law went into effect on September 1, 2021. 

Definition and classification of industrial and telecom data  

The latest Trial Measures specify three types of industry data that fall under the definition of “industrial and telecom data”. 

The three types of data are “industrial data”, “telecoms data”, and “radio data”, with “radio data” being the latest addition. 

Find Business Support
Ensure your ERP systems are compliant with local regulations in China - contact our professionals for help
 

In the Trial Measures, “industrial data” is defined as “data generated and collected in the process of R&D and design, manufacturing, operation and management, operation and maintenance, and platform operation in various industrial fields”.

“Telecoms data” is defined as “information produced or gathered during the operation of telecommunications services.” 

Meanwhile, “radio data” is defined as “radio wave parameter data, such as radio frequencies and stations, generated and collected during the operation of radio business activities.”  

According to Article 7, businesses are obliged to sort and classify these industrial and telecoms data into three different risk categories: “core”, “important”, and “ordinary” data. Businesses must then submit a catalogue of the important and core data to the local branch of the MIIT.  

The document lists respective principles for identifying core, important, and ordinary data (please refer to the table below).  

Generally, information that poses a threat to national security, economic stability, and technological advancement, or significantly impacts China’s industrial and telecommunication sectors can be labeled as important data or core data. However, the Trial Measures do not provide any specific examples, leading many to find the definition still quite subjective.  

Classification of Industrial Data and Telecom Data under the Draft Measures for the Administration of Data Security in the Field of Industrial and IT Sectors  
Category   Definition  
Core data  
  • Information that poses a serious threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety, and that has a great impact on the country’s overseas interests and its data security in space, polar regions, the deep sea, and artificial intelligence. 
  • Information that has a great influence on China’s industrial and telecommunications sectors as well as key backbone enterprises, critical information infrastructure, and other important resources. 
  • Information that can do major damage to industrial production and operations, telecommunication network and internet operation services, and radio business development, which has the potential to lead to large-scale shutdowns, large-scale radio business interruption, large-scale network and service paralysis, and loss of a large number of business processing capabilities. 
  • Other information assessed and recognized as core data by the MIIT.  
Important data  
  • Information that poses a threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety, and that has an impact on the country’s overseas interests and its data security in space, polar regions, the deep sea, and artificial intelligence. 
  • Information that has an influence on the development, production, operations, and economic interests of China’s industrial and telecommunications sectors. 
  • Information that can cause major data security incidents or production safety accidents, has a significant impact on the legal rights of individuals and organizations, and has a great negative impact on society. 
  • Information that has obvious cascading effects across a range of industries and enterprises or has long-lasting effects that can seriously impact China’s industrial development, technological advancement, and industrial ecology. 
  • Other information assessed and recognized as important data by the MIIT.  
Ordinary data  
  • Information that has a relatively low impact on the legal interests of individuals and organizations. 
  • Information that can only affect a small number of users and enterprises or a small scope of production and living areas, that only has a short-term effect, and that has a relatively low impact on the operations of enterprises, industry development, technological advancement, and industrial ecology. 
  • Other data excluded from the catalogue of important and core data.  

What are the responsibilities of data processors?  

Compiling and maintaining a data catalogue  

According to the Trial Measures, firms are required to sort out and record important and core data and compile a data catalogue. The data catalogue must then be filed with the authorities. The draft Measures stipulated that the data catalogue should be submitted to a different government body depending on the type of data that is collected (to the MIIT for industrial data, the Bureau of Communication Management for telecom data, and to the local radio administration institute for radio data), but the finalized Trial Measures simply state that the catalogue should be submitted to the “regional industry regulatory authorities”.

The information that the firms must enter into the catalogue includes (but is not limited to) the data source, category, classification level, scale, carrier, processing purpose and method, scope of use, responsible party, external sharing, cross-border transmission, security protection measures, and more. It must not include the data content itself.

After the catalogue has been filed, the local regulatory authority that is in charge of the filing will then conduct a review of the information provided within 20 working days. Filings that meet requirements will be approved, and the data processor (the company that processes the data) will be issued with a filing certificate. If the filing does not meet the requirements, the company will be informed and will have 15 days to amend and refile the catalogue.

If there are “major” changes to the reported information, firms are also obliged to report the updated information to the government within three months. A “major” change refers to a change of more than 30 percent in a certain type of important data and the scale of core data (for example, the number of data entries or total storage), or changes in other filing content.

Data security review and data export requirements  

A previous draft version of the Measures had prohibited core data from being transferred overseas while requiring a government security review before important data could be transferred overseas. The finalized version of the Measures, however, removes the clause that outright bans the export of core data and instead stipulates that core data also requires a security review before it can be exported

The final Trial Measures also stipulate that the MIIT is responsible for handling requests from foreign entities, such as industrial or telecom companies, to provide industrial or telecom data, which it will do in accordance with any international treaties signed that China has signed or acceded to. The Measures still require both important and core data to be stored within China’s territory. 

Find Business Support
Our due diligence team can help your business limit risks by assessing the credibility of a supplier, purchaser, or business partner in China
 

This is consistent with China’s Data Security Law and Cybersecurity Law. The Cybersecurity Law stipulates that the operator of a critical information infrastructure should store important data collected and generated domestically within the territory of China. Where such information and data must be provided abroad for business purposes, a security review should be conducted.  

China’s Data Security Law, while not offering detailed rules on the safety management for cross-border transfers of important data, prescribes the penalties for firms that transfer important data overseas in violation of the Cybersecurity Law as well as other data security measures. The penalties include fines, suspension of the relevant business, suspension of the business that committed the violation, and revocation of the relevant business permits or business licenses.  

Appointing responsible persons for data management  

The Trial Measures stipulate additional security and management requirements for data processors that handle important and core data. These requirements are:

  1. Establishing a data security system that covers all of the company’s relevant departments. The company must also appoint a main person to be in charge of data security management.
  2. Clarifying the key positions and personnel in charge of data processing, and requiring these staff members to sign a data security responsibility letter. This letter must include (but is not limited to) data security responsibilities, obligations, punishment measures, and precautions.
  3. Establishing an internal mechanism for registration, approval, and other work procedures for the important and core data, and strictly managing and keeping a record of all of the processing activities of important data and core data.

Protection measures for important and core data  

Based on the risk category of the data, firms should set up a safety management system and adopt different degrees of protection measures for the entire data life cycle, including collection, storage, processing, transfer, provision, disclosure, and disposal of important and core data.  

Where it is unclear what risk category of data is being handled or where it is difficult to separate different risk categories of data, the highest level of security measures should be implemented.  

Data processors are required to formulate an emergency response plan for data security incidents and carry out periodic emergency drills.  

Other compliance requirements  

The following compliance requirements also deserve the attention of enterprises:  

  • Without the consent of the individual or the entity, enterprises shall not obtain accurate user portraits or restore data of specific subjects through data mining, association analysis, or other technical means.  
  • When it is necessary to protect national security and social and public interests, enterprises should destroy the data when a third-party organization provides proof to request such destruction.  
  • Data processors should establish registration and approval mechanisms and keep a record of its transfer of important data and its use and processing of important data and core data.  
  • The transfer and provision of core data must be approved by the State.  

The significance of the China data protection requirements 

China has been tightening its data-related regulations over the past couple of years. In the summer of 2022, after the government launched a cybersecurity investigation into ride-hailing app Didi, the company was fined US$1.2 billion for violating laws and regulations in its collection and use of personal information.

In July 2021, the Cyberspace Administration of China (CAC) revised its Cybersecurity Review Measures to clarify that any Chinese companies that hold the personal information of one million or more users would need to seek a government cybersecurity review before listing abroad.

A month later, China’s top legislature passed the Personal Information Protection Law. And in September, China’s new Data Security Law went into effect. The MIIT’s Trial Measures are yet another key regulatory document on data security and help make rules clearer.

Over the summer and fall of 2022, government bodies released a series of measures regulating CBDT, including measures for contracts, applications, and security review measures for CBDT.

The MIIT plays a significant role in China’s data security supervision system. This ministry regulates several industries, such as equipment and consumer goods manufacturing, telecommunications, electronic information products manufacturing, software, and the internet, which are vital to the country’s digital economy.

Overall, the Trial Measures offer more detailed judgment criteria of important and core industrial and telecoms data and put forward enhanced compliance requirements at the practical level, which should be of great importance for enterprises in relevant sectors.

About Us

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.

Dezan Shira & Associates has offices in VietnamIndonesiaSingaporeUnited StatesGermanyItalyIndia, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The PhilippinesMalaysiaThailandBangladesh.