The Ministry of Industry and Information Technology (“MIIT”), following the first round of public comments which concluded on October 30, 2021, published a new draft of the Administrative Measures on Data Security in the Industry and Information Technology Sectors (for Trial Implementation) (draft “Measures”) on February 10 for comment through February 21, 2022.
As one of the industry regulators specified in the Data Security Law (“DSL”), MIIT is duty-bound to refine the security management systems for data in the industry and information technology sectors (“IIT Data”). The draft Measures would specify requirements for data protection by category and classification and for the management of Important Data; define the scope of MIIT’s duties and those of its local counterparts (each a “Local Regulator”); and set out the requirements for full life-cycle data security protection, all of which are reflected in the 41 articles across eight chapters of the draft Measures.
Scope of Application
The draft Measures first set forth important definitions and the bounds for application. The draft Measures define IIT Data to include industry data, telecommunications data and radio data. Industry Data, in turn, would mean data generated and collected in the course of R&D and design, manufacturing, business operations and management, maintenance, and platform operation in various industry fields and sectors (Article 3, para 1). IIT Data processors (“Data Processors”) would include industrial enterprises, software and IT service enterprises, telecommunications service operators with telecommunications business operating licenses, as well as radio frequency and station entity users (Article 3, para 2). Management of the security of IIT Data involving personal information, military information, state secrets, cryptography, government affairs, defense technology and tobacco would largely be regulated separately pursuant to sector-specific regulations (Articles 37-40).
Administration by Category and Classification
In accordance with the requirements to implement the DSL, MIIT would formulate standards and specifications for data category and classification, identification and verification of Important Data and Core Data, and classified protection of Important Data and Core Data which are to be subject to priority protection (Article 7).
IIT Data would be categorized as, but not limited to: R&D data, production and operating data, management data, maintenance data, and business service data (Article 8).
Important Data and Core Data
Consistent with the language of the DSL (Article 8), IIT Data would be divided into three categories based on the level of sensitivity: ordinary data (i.e., data that does not fall into either of the following two categories), Important Data and Core Data.
The draft Measures define “Important Data” in the IIT sectors as data for which the degree of hazard would meet any of the following criteria (Article 10):
- Poses a threat to political, territorial, military, economic, cultural, social, scientific and technological, electromagnetic, network, ecological, resource, or nuclear security, or impacts any of such key areas related to national security as overseas interests, biology, space, polar regions, deep seas, and artificial intelligence;
- Seriously affects the development, production, operational or economic interests of an IIT sector;
- Causes major data security incidents or production safety incidents, has a serious impact on the public interest or the legitimate rights and interests of individuals or organizations, and/or has a large adverse social impact;
- Damage to such data has an obvious cascading effect, with a scope of influence that spans multiple industries, regions or multiple enterprises within an industry, or an impact that lasts for a long time, seriously affecting the development of the industry, technological progress and the industrial ecology; or
- Other important data as assessed and determined by MIIT.
The draft Measures define “Core Data” in the IIT sectors as data for which the degree of hazard meets any of the following conditions (Article 11):
- Poses a serious threat to politics, territory, military, economy, culture, society, science and technology, electromagnetic, network, ecology, resources, and nuclear security, or has a serious impact on such key areas related to national security as overseas interests, biology, space, polar regions, deep sea, and artificial intelligence;
- Has a significant impact on IIT and its key leading enterprises, critical information infrastructure or important resources;
- Causes major damage to industrial production and operation, telecommunications networks (including Internet) operation and services, and radio business, results in large-scale shutdowns, large-scale radio business interruption, large-scale network and service paralysis, and loss of a large number of business processing capabilities; or
- Other core data as assessed and determined by MIIT.
Catalogue of Important Data and Core Data
The draft Measures would require Data Processors to make filings with their Local Regulators regarding their Important Data and Core Data. The filings would need to include, without limitation, the category, classification and size of data; purpose and methods of processing; scope of use; responsible parties; shared parties; cross-border transfer; and security protection measures, but not the data itself (Article 12, para 1). Data Processors would obtain receipts for their filings if the content of the filings satisfied these requirements (Article 12, para 2). Data Processors would also be required to report a 30% or larger change of Important or Core Data in terms of category or size to the Local Regulator (Article 12, para 3).
As a distinctive element in the industrial development clause, the draft Measures would provide that Data Processors are required to comply with social morality and ethics (Article 5, para 2).
Full Life-Cycle Security Management
Under the draft Measures, Data Processors would be the primary parties responsible for ensuring the security of their data and would be required to formulate rules and operating procedures with respect to protecting such data in connection with data collection, storage, use, processing, transmission, provision and disclosure. This obligation would include in particular:
Important Data and Core Data collected and generated in China would be required to be stored in China as required by applicable law or regulations such as the DSL. This is the data localization requirement. Important Data will be subject to a security assessment in case of cross-border transfer (Article 21, para 1). Core Data may not leave China. The draft Measures would further provide that Data Processors may not provide IIT sector data stored inside China to foreign industry, telecommunications or radio law enforcement entities without MIIT approval (Article 21, para 2). These requirements are consistent with the DSL.
It is worth noting that, when it comes to cross-border data sharing with non-government parties overseas, only Important Data and Core Data are subject to the above-mentioned compliance requirements and restrictions. When transferring ordinary IIT Data overseas, Data Processors are not required to conduct a security assessment. In other words, Chinese subsidiaries and joint ventures of multinational IIT companies can freely transfer ordinary data to their head offices, but will need to conduct a security assessment when transferring Important Data, and cannot transfer Core Data.
This means that multinational IIT companies will need to carefully distinguish between ordinary data and Important/Core Data. Most of the data related to daily operations should constitute ordinary data. Many multinational IIT companies have little access to Important/Core Data because of restrictions on foreign investment in such sectors (e.g., telecommunications and radio broadcasting). Multinational IIT companies should also take precautions not to inadvertently receive Important/Core Data from other companies, especially state-owned enterprises, by stipulating such data transfer restrictions in contractual terms with such other companies. In addition, multinational IIT companies may not transfer any IIT Data to the IIT regulators in their home countries, such as the Federal Communications Commission, Federal Trade Commission and Securities and Exchange Commission, before obtaining approval from MIIT.
Important Data and Core Data Processors would be required to conduct security assessments at least once a year and provide the assessment reports to the Local Regulator (Article 31). Data Processors for ordinary data are encouraged to conduct self-security assessments on a regular basis.
Companies that violate the Measures will be penalized pursuant to the DSL and Cybersecurity Law. Penalties include warnings, fines, confiscation of illegal proceeds, and suspension or revocation of relevant licenses and permits. Criminal liability may also be imposed if the violation constitutes a crime.
Consistent with the DSL, the draft Measures present a bias against cross-border data transfer which is in tension with China’s commitments under the WTO’s General Agreement on Trade in Services (GATS) and China’s recently stated desire to become a party to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), two Asia-Pacific regional trade agreements with strong disciplines on facilitating digital trade, including cross-border transfers of information.