China Cybersecurity and Data Protection: MIIT Pioneers its Data Security Regime

In this article, we highlight the key provisions of the Draft Measures and set out our observations on the proposed measures.

Background

The Data Security Law (DSL) proposed to establish a multi-level classification data protection regime (Data Security Regime), under which data will be divided into different levels in accordance with its importance to the economy and society and the harm caused by unauthorized alternation, destruction, leak or illegal acquisition or use as well as different classes.
The DSL has imposed special obligations to protect important data and core data and requires sectoral regulators and local governments to publish their catalogues of important data. However, the DSL is silent on the scope of important data and core data as well as their relationship with the Data Security Regime.

In September 2021, the MIIT became the first sectoral regulator that had published its proposed draft regulation in relation to the Data Security Regime, i.e. the first Draft Measures. This second draft has incorporated public comments that have been adopted by the MIIT after the release of the first draft. The much shorter consultation period indicates that the second draft could be very close to the final draft of the Draft Measures.

In December 2021, the MIIT announced it would establish a work group to oversee a pilot program for data security management that is expected to be completed by September 2022. Provincial offices of the MIIIT are required to also select enterprises in key sectors for the pilot program. The pilot program covers data security management, protection, evaluation and monitoring, promotion of data security products, and data export security management.

Key Provisions and Observations

I. Scope of the Draft Measures

The Draft Measures apply to data in the industry and information technology sector (Industry and IT Data), which includes the following three types of data:

i. industrial data, meaning the data generated and collected in the process of research and development, design, manufacturing, business management, operation maintenance and platform operation in various sectors of industry;

ii. telecom data, meaning the data generated and collected in the process of telecom service operations; and

iii. radio data, meaning that radio waves data generated and collected in the process of carrying out radio operations, including radio frequencies and radio stations.

The processors of Industry and IT Data include industry enterprises, software and information technology service providers, licensed telecom service providers and the users of radio frequencies and stations.

II. Data Security Regime

Responsibilities of regulatory bodies

The MIIT will be responsible for formulating standards and rules for the Data Security Regime, publishing catalogues of important data and core data in the industries and supervising and administering the implementation of the Data Security Regime.

The local offices of the MIIT will be in charge of administering the Data Security Regime, organising identification of important data and core data and publishing catalogues of the important data and core data in in their respective region. Notably, processors of Industry and IT Data are also required to regularly update their data inventory and formulate catalogues of important data and core data.

It seems that there will be three types of catalogues of the important data and core data: (i) the catalogue published by the MIIT for the industries, (ii) the catalogues published by the local offices of the MIIT for the regions, which will need to be filed with the MIIT; and (iii) the catalogues formulated by processors of the Industry and IT Data to identify their own important data and core data.

Classes and Levels of data

The Industry and IT Data is categorised into the following classes in accordance with the requirements and characteristics of the industries, business needs, sources of data and uses: research and development data, manufacturing and operation data, administration data, maintenance data, operation service data.

The Industry and IT data is divided into three levels in accordance with the level of harm to the national security, public interest or legal interests of individuals in the case of unauthorised alteration, destruction, leak or illegal acquisition or use of the data (Breach Event). The three levels include ordinary data, important data and core data.

Notably, processors of the Industry and IT Data are allowed to further divide the data into sub-levels and sub-classes.

Ordinary data is defined as the data, the level of harm of which meets one of the below criteria in the Breach Event:

i. The impact upon public interest or the legal interests of the individuals or organisations is relevantly small with slight negative social impact;

ii. The number of users and enterprises being impacted is relatively small; the area or scope of life or product being impacted is relatively small; the time of impact is relatively short; the impact on enterprise operation, industry development, technology advances and industry ecosphere is relatively small; and

iii. Other data that is not included in the catalogues of important data and core data.

Important data is defined as the data, the level of harm of which meets one of the below criteria in the Breach Event:

i. Posing a threat to the security of politics, territories, militaries, economy, culture, society, technology, electromagnetic, network, ecosystem, resources and nuclear or impacting the overseas interest, biology, space, polar areas, deep sea, artificial intelligence and other key areas that are relevant to national security;

ii. Having a serious impact upon the development, production, operation and economic interest in the area of industry and information technology;

iii. Causing a serious data security incident or production safety accident or having a serious impact on the public interest or legal interest of individuals or organisations with a significant negative social impact; or

iv. Causing a significant cascade effect that impacts multiple sectors, regions or enterprises in the same sector, lasts for a long period of time, or has a serious impact upon the development of industry, advance of technologies and the ecology of industries.

Core data is defined as the data, the level of harm of which meets one of the below criteria in the Breach Event:

i. Posing a serious threat to the security of politics, territories, militaries, economy, culture, society, technology, electromagnetic, network, ecosystem, resources and nuclear or seriously impacting the overseas interest, biology, space, polar areas, deep sea, artificial intelligence and other key areas that are relevant to national security;

ii. Having a significant impact upon the industry and information technology sector and relevant key enterprises, critical information infrastructure, and important resources; or

iii. Causing serious harm to industry production and operation, telecom network (including the internet) operation and services and radio services, large-scale cease of work and production, disruption of radio services in large areas, large-scale paralysis of network services and loss a large number of service functions.

Filing of catalogues

Processors of important data and core data must file their catalogues of important data and core data with the local offices of MIIT. Information to be filed include the classes, level and volume of data, purposes and means of processing, scope of use, responsible entity and information on sharing with third parties, cross-border transfer and security protection measures.
Local offices of MIIT will complete review of the filing within 20 working days and decide whether to issue a filing certificate to the applicant. An updated filing must be filed within three months of any changes if the categories or volume of important data or core data has changed 30% or more or other significant changes to the filed information have occurred.

III. Security obligations

General security obligations

Processors of Industry and IT Data are under general obligations to implement the Data Security Regime and protect the data. The obligations include:

i. Implementing protection of the highest level if data of different levels are being processed and it is difficult to implement different levels of protection measures;

ii. Establishing a full life-cycle data security management system, consisting of specific protection requirements and operation procedures;

iii. Designating data security management personnel, who will be responsible for security inspection and administration and assisting with the sectoral regulators;

iv. Rigorously managing authorisations of personnel in data processing;

v. Formulating contingency plans and conduct periodical data contingency drills;

vi. Periodically running data security trainings for relevant personnel; and

vii. Other measures provided

Special security obligations

Processors of important data and core data in the industry and IT sectors are under special regulations to:

i. Establish a data security system and daily communication and coordination regime in their own organistions;

ii. Clearly designate the person in charge of data security and the internal department for data management, in particular that the legal representative or the head of the organization will be considered the person primarily responsible for data security and the person responsible for data security in the management team will be considered the personal directly responsible for data security;

iii. Specify key data processing positions and relevant responsibilities and require the personnel holding key data processing positions to acknowledge their data security responsibilities in writing; and

iv. Establish internal registration and approval procedures, rigorously manage processing of important data and core data and keep records.

The Draft Measures do not explain the differences between “person primarily liable” and “person directly liable” or whether the differences will have any implications for the liability of the relevant persons in the event of a violation. We note that under the DSL the key management personnel of the processor and other personnel “directly responsible” for the violation will be penalized.

Data life-cycle management obligations

The Draft Measures have also provided for obligations at key links of the data life cycle. We set out below some notable obligations for processors of important data and core data, where the processors must:

i. Collection: where the processors obtain important data and core data indirectly, sign a written document with the data provider to specify their respective legal liability;

ii. Storage: use validation and encryption technologies to securely store the data, refrain from providing access via public information network, implement discovery recovery backup and security management of storage media, conduct periodical data recovery test, and implement offsite disaster recovery backup for core data;

iii. Processing: strengthen access control;

iv. Transmission: implement measures such as validation and encryption technologies and security transmission channel or secure transfer protocol;

v. Provision to third parties: evaluate or verify the data recipient’s security protection capability and implement necessary security protection measures;

vi. Publication: as well as other processors of Industry and IT Data, evaluate the impact on public interest and national security before publicly disclosing the data;

vii. Destruction: timely report to local offices of MIIT and not recover any destructed data;

viii. Transfer in the case of a merger, reorganisation and bankruptcy: report to local offices of MIIT;

ix. Entrusted processing: evaluate and verify the data security protection capability of the entrusted processor;

x. Inter-entity processing of core data: evaluate security risks, take necessary measures and report to the MIIT via its local offices if core data is being provided, transferred or processed by entrust between entities.

IV. Data export

The Draft Measures require all processors of Industry and IT Data to store locally any important data and core data collected or generated within the Chinese territory and any export of the data to pass the data export security assessment conducted by the government. Processors must not provide any Industry and IT Data stored in China to a foreign industry, telecom or radio enforcement bodies before first obtaining an approval from the MIIT. This has reflected the position under the DSL and draft regulations on data export (please click here for further reading).

Future Development

Shortly after the release of the Draft Measures, the MIIT issued a notice selecting a list of regions where the local offices of MIT will run a pilot program of data security management, which shows that the MIIT is committed to completing the pilot program on time. We expect that the MIIT will continue to pioneer the implementation of the Data Security Regime and the Draft Measures are likely to be the first sectoral regulation to be finalized under the DSL. The regime established under the Draft Measures will set an example for other sector regulators.