China has recently released data protection measures for industrial and telecom companies. The Ministry of Industry and Information Technology (MIIT) finalized the Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation) on December 13, 2022. These measures, which will take effect in January 2023, provide guidelines for data security requirements in the industry and information technology sectors.
Under the Trial Measures, data is classified into three categories: “core data,” “important data,” and “ordinary data.” Companies must implement varying degrees of protection based on the data's classification during collection, processing, transfer, and disposal. The measures apply to companies in the industrial, telecom, and radio communications industries, with a specific focus on software, information technology (IT) service providers, and telecom business license holders. The aim is to regulate data processing activities within these sectors in China.
The Trial Measures establish detailed requirements for data storage, processing, disclosure, disposal, and cross-border data transfer (CBDT). Companies handling important and core data may be obligated to record and report their data processing activities to the government. These measures represent the first data protection and security regulations formulated by a state agency responsible for industrial sectors since the implementation of the Data Security Law in September 2021.
The Trial Measures introduce definitions and classifications for industrial and telecom data. “Industrial data” refers to data generated and collected throughout various industrial fields, encompassing R&D, design, manufacturing, operation and management, operation and maintenance, and platform operation. “Telecoms data” pertains to information produced or gathered during the operation of telecom services. The latest addition, “radio data,” includes radio wave parameter data generated and collected during radio business activities.
Businesses are required to sort and classify this industrial and telecom data into risk categories: “core,” “important,” and “ordinary.” Companies must submit a catalog of important and core data to the local branch of the Ministry of Industry and Information Technology. However, the Trial Measures do not provide specific examples, which leaves classification somewhat subjective within the definitions given below.
Core data refers to information that poses a significant threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety. It also includes data that has a profound impact on China’s industrial and telecom industries, as well as key backbone enterprises, critical information infrastructure, and other vital resources. Additionally, core data encompasses information that can cause severe damage to industrial production and operations, telecommunication networks, internet services, and radio business development. This damage could lead to large-scale shutdowns, disruptions in radio business, paralysis of networks and services, and the loss of substantial business processing capabilities. The Ministry of Industry and Information Technology (MIIT) may also assess and recognize other types of information as core data.
Important data refers to information that carries potential risks to various aspects of China’s interests, including politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, nuclear safety, and data security in space, polar regions, deep sea, and artificial intelligence. It also encompasses data that influences the development, production, operations, and economic interests of China’s industrial and telecom industries. Additionally, important data includes information that can lead to major data security incidents or production safety accidents, significantly affect the legal rights of individuals and organizations, and have a substantial negative impact on society. Furthermore, it encompasses data with cascading effects across multiple industries or long-lasting effects that negatively impact China’s industrial development or technological advancements.
Ordinary data refers to information that has a minimal impact on the legal interests of individuals and organizations. It only affects a small number of users, enterprises, or a limited scope of production and living areas. Its effects are short-term and have a relatively low impact on the operations of businesses, industry development, technological advancement, and industrial ecology. Ordinary data also includes any other data that is excluded from the catalog of important and core data.
Data processors have specific responsibilities outlined in the Trial Measures. They must compile and maintain a data catalog, which includes information such as data source, category, classification level, processing purpose and method, security protection measures, and more. The catalog is then filed with the regional industry regulatory authorities for review. The authorities conduct a review within 20 working days, and approved filings result in a filing certificate for the data processor. If the filing does not meet the requirements, the company has 15 days to amend and refile the catalog.
Data processors handling important and core data must establish a data security system covering relevant departments and appoint a designated person responsible for data security management. Key positions and personnel involved in data processing must sign a data security responsibility letter. The Trial Measures also emphasize the establishment of an internal mechanism for registration, approval, and other work procedures related to important and core data processing. Additionally, data processors should implement appropriate protection measures throughout the data life cycle, develop an emergency response plan for data security incidents, and conduct periodic emergency drills.
Furthermore, the Trial Measures address data export requirements. The final version removes the previous ban on exporting core data overseas. Instead, it stipulates that both important and core data require a security review prior to export. The Ministry of Industry and Information Technology (MIIT) is responsible for handling requests from foreign entities to access industrial or telecom data, aligning with international treaties that China has signed or acceded to. However, both important and core data must be stored within China’s territory.
Overall, these data protection measures are part of China’s ongoing commitment to enhancing its data-related regulations and ensuring the security of critical information. These efforts align with the country’s recent enactments of significant laws, including the Data Security Law, Cybersecurity Law, and Personal Information Protection Law. By introducing the Trial Measures, the Ministry of Industry and Information Technology (MIIT) aims to provide industry-specific guidelines and compliance requirements for data protection within the industrial and information technology sectors.