MIIT Seeks Comments on Proposed Data Security Enforcement Rules

Written by James Gong, Legal Director, China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

On 23 November 2023, the Ministry of Industry and Information Technology (the “MIIT”) of China released the Draft Guidelines on the Administrative Penalty Discretion for Data Security in the Field of Industry and Information Technology (Draft for Comments) (the “Draft Guidelines”). The Draft Guidelines play a noteworthy role in refining the MIIT’s enforcement and serve as a practical reference for enterprises evaluating compliance risks in the realm of data security. In this article, we embark on a pragmatic exploration of the enforcement landscape, providing a detailed analysis of the Draft Guidelines. 

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

BACKGROUND

The PRC Administrative Penalty Law, the PRC Cybersecurity Law (the “CSL”), and the PRC Data Security Law (the “DSL”) have granted law enforcement agencies, including the MIIT, the authority to enforce network and data security regulations. However, it has been rare to witness the MIIT's active involvement in data protection law enforcement.

A comprehensive examination of publicly available sources reveals compelling trends in data security law enforcement. Since the DSL’s enactment in 2021, more than 30 publicly disclosed administrative penalty decisions have referenced the DSL. Remarkably, only two of these cases originated from the Cyberspace Administration of China (the “CAC”), with the rest falling under the jurisdiction of local public security agencies. Surprisingly, neither the central nor local MIITs issued any administrative penalties in these instances. In contrast, the enforcement landscape of the CSL paints a different picture, with over 30,000 cases involving the CSL’s application. However, central or local MIITs were responsible for fewer than 30 of these cases. The MIIT’s limited involvement in CSL enforcement underscores the urgent need for cohesive regulatory frameworks and clear enforcement guidance.

Furthermore, it is worth noting that administrative penalty decisions, except the information provided in the Q&A of cybersecurity reviews, have often lacked the clarity and transparency seen in rulings by other regulatory authorities, such as the State Administration for Market Regulation in antitrust cases. This discrepancy highlights the significance of precision and transparency in administrative penalty decisions, a vital aspect comprehensively addressed by the Draft Guidelines.


The MIIT’s proactive engagement in data security legislation became evident towards the end of 2022, when it embarked on an extensive legislative campaign dedicated to data security, including the Measures for the Management of Data Security in the Industrial and Information Fields (Trial) (the “Trial Measures”), which provide comprehensive requirements for data security. In terms of administrative penalties, the MIIT had primarily relied on the List of Administrative Law Enforcement Matters of the Ministry of Industry and Information Technology (2022 Edition) to establish jurisdiction. However, this list proved to be overly broad and lacked the detailed instructions required for effective enforcement. Consequently, the MIIT issued the Provisions on Administrative Punishment Procedures for Industrial and Information in May 2023, followed a few months later by the release of the Draft Guidelines as specific guidance in the field of data protection. These developments mark a pivotal transition towards enhancing the precision and effectiveness of data protection regulations under the MIIT's purview.

OBSERVATIONS

The Draft Guidelines consist of a core text comprising five chapters and 26 articles, along with an accompanying annex of 14 articles. The key elements encompass a defined scope, the concept of administrative penalty discretion, jurisdictional matters, conditions triggering data security violations, the severity categorisation of violations, etc.

I. Procedure of determining the administrative penalties

While the Draft Guidelines do not outline specific procedures, they provide essential insights that help shape the framework for executing data security administrative penalties. The first step in the process involves determining the appropriate jurisdiction for addressing a data security violation. Once jurisdiction is established, the focus shifts to determining the nature of the misconduct. After identifying the misconduct, an assessment of the severity of the misconduct should be conducted. The circumstances that can either aggravate, mitigate, or exempt an entity from administrative penalties should also be considered. We have summarised the procedures in the table below.

II. How to determine the jurisdiction?

  1. Jurisdiction Determination Criteria

    The local or central MIIT where the misconduct occurred has jurisdiction over the case. To pinpoint the jurisdiction where a data security violation occurred, a range of criteria are examined, encompassing various aspects of the misconduct: (a) place of residence, (b) business operation place, (c) business registration place (the business operation place shall prevail if the business registration place and business operation place are not the same), (d) network access point, (e) permits and records-filing location, (f) locations of website builders, managers, and users, (g) location of computers and other terminal equipment, (h) the centralised location for data storage, trading, or export.

  2. Jurisdictional Conflict Resolution

    In cases where multiple administrative penalty authorities (local MIITs) claim jurisdiction over the same data security violation, the Draft Guidelines establish a clear process:

    1. Priority Jurisdiction: The administrative penalty authority that first initiates the case assumes jurisdiction.
    2. Negotiation: If multiple authorities contest jurisdiction, they must engage in negotiations within seven days from the date of the dispute's occurrence.
    3. Appointment of Jurisdiction: If negotiations do not yield a resolution, the common superior should designate the jurisdiction over the case. In addition, the MIIT may also designate jurisdiction in the following circumstances: (i) serious violations, (ii) jurisdiction disputes at provincial level, (iii) cross-regional or cross-industry violations; or (iv) other circumstances.
    4. Referral: In certain situations, the case may be transferred between different MIIT offices or between the MIIT and other governmental bodies, ensuring that it falls under the appropriate authority.

  3. No Further Penalties in One Case

    An essential principle in data security enforcement is the concept of “No Double Penalty for One Violation.” This means that once a case has been penalised, further penalties will not be imposed for the same violation.

III. What misconduct may be subject to administrative penalties?

The Draft Guidelines delineate three distinct categories of data security misconduct:

  1. Failure to perform Data Security Obligations: This category encompasses violations arising from non-compliance with data security protection obligations, such as the failure to establish internal data security policies, formulate contingency plans, conduct regular training, etc.
  2. Unlawful Data Exports: Violations in this category involve the unauthorised provision of data to foreign entities or individuals, contravening data security regulations. This includes instances of exporting core or important data without undergoing the necessary data export security assessment.
  3. Non-Cooperation with Regulatory Authorities: This category pertains to instances where entities decline to collaborate with regulatory authorities or fabricate false materials during data security investigations or inspections.

The penalty framework for these misconducts draws upon provisions found in the CSL and the DSL. Nevertheless, considering the significant legislative advancements in data security by the MIIT in recent years, enterprises should also refer to the Trial Measures and the Guidelines on the Classification and Grading of Industrial Data (Trial) (the “Data Classification Measures”) when identifying specific data security violations. However, it should be noted that several documents, including the Data Classification Measures, were drafted prior to the promulgation of the DSL and may not reflect the latest requirements. Currently, we are still awaiting the release of the MIIT’s own catalogue of important data and core data.

IV. How to determine the severity of the misconduct?

The Draft Guidelines prescribe three distinct levels for assessing the severity of misconduct in ascending order:

  1. Mild Consequences
  2. Serious Consequences
  3. Severe Consequences

The criteria for judgment are primarily determined by the type or quantity of data, the extent of damage caused, and the scope of impact, etc. We have summarised the criteria for the determination of the severity in the table below.

Data types and amount

    Mild: Fewer than 10 million pieces of general data have been tampered with, destroyed, leaked, or illegally obtained or used.

    Serious: More than 10 million pieces of general data have been tampered with, destroyed, leaked, or illegally obtained or used, or important data or core data are involved.

    Severe: More than 100 million pieces of general data have been tampered with, destroyed, leaked, or illegally obtained or used, or important or core data involving more than two data processors are involved.

Damage

    Mild: The duration of the damage is short, or the direct economic loss is less than RMB 10 million.

    Serious: The duration of the damage is long, or the direct economic loss exceeds RMB 10 million and is within RMB 50 million.

    Severe: The duration of the damage is long, or the direct economic loss exceeds RMB 50 million.

Scope

    Mild: The scope of impact is small, affecting a single enterprise or a small number of enterprises and not involving cross-region enterprises.

    Serious: The scope of impact is large, involving several enterprises or several regions.

    Severe: The scope of impact involves multiple industries or regions.

V. How to determine the administrative penalties?

Following the initial determination of administrative penalties based on the severity of misconduct and its impact, the Draft Guidelines prescribe circumstances in which penalties may be aggravated, lightened, mitigated, or exempted:

No penalty

    Definition: Non-imposition of administrative penalties for specific offenses for statutory reasons.

    Trigger situations:

      • Minor violations that are promptly rectified without causing harm.
      • First-time minor violations that are promptly corrected may not be penalised.
      • Data processors have evidence to prove the absence of subjective fault.
      • Other cases where administrative penalties should not be imposed as per the law.

    Manifestations of penalties: Order to correct the offense.

Reduced penalties

    Definition: Application of penalty types or penalty levels below the statutory minimum of administrative penalties.

    Trigger situations:

      • Proactively eliminating or mitigating the harmful consequences of data security violations.
      • Being coerced or lured into committing data security violations.
      • Proactively confessing to data security violations not yet known to the MIIT.
      • Actively cooperating with the MIIT in investigating and dealing with data security violations; and
      • Other cases where administrative penalties should be mitigated or alleviated.

    Manifestations of penalties: Based on different behaviours, possible penalties include:

      • Ordering correction
      • Confiscating illegal gains
      • Imposing fines on enterprises and key responsible persons

Lighter penalties

    Definition: Within the types and levels of penalties available under the law, a lighter or lesser type of penalty or a lower level of penalty shall be applied. The amount of the fine shall range from the minimum to no more than 70 percent of the maximum, and the amount of the fine after the lighter penalty is imposed shall not be less than the statutory minimum fine.

    Manifestations of penalties: Based on different behaviours, possible penalties include:

      • Ordering correction
      • Confiscating illegal gains
      • Imposing fines on enterprises and key responsible persons
      • Suspending related business, conducting rectification, revoking relevant business permits, or revoking business licenses

Heavier penalties

    Definition: Within the types and levels of penalties available under the law, the heavier and more frequent types of penalties or higher levels of penalties shall be applied. In this case, the amount of the fine shall range from two times the minimum to the maximum.

    Trigger situations:

      • Being penalised three or more times within two years for the same type of data security violation.
      • Obstructing or refusing to cooperate with the MIIT in investigating data security violations, or retaliating against administrative law enforcement officers.
      • Instigating, coercing, or inducing others to commit data security violations.
      • Forging, concealing, or destroying evidence.
      • Data security violations causing adverse social repercussions; and
      • Other circumstances with aggravating factors.

    Manifestations of penalties: Based on different behaviours, possible penalties include:

      • Ordering correction
      • Confiscating illegal gains
      • Imposing fines on enterprises and key responsible persons
      • Suspending related business, conducting rectification, revoking relevant business permits, or revoking business licenses
      • In cases constituting a crime, criminal liability shall be pursued according to the law.

CONCLUSION

The Draft Guidelines bring certainty and stability to the realm of law enforcement, providing clear criteria for assessing and penalising data security misconduct. As the MIIT has embarked on an extensive legislative campaign focused on data security, we can expect that data security will continue to be a prominent area of MIIT's law enforcement efforts in the future.

For enterprises operating in the industrial and information fields, it is imperative to pay close attention to data security, particularly if they process important data and core data. Enterprises engaged in business that may affect China’s overseas interests, biology, space, polar regions, deep sea, artificial intelligence, and other key areas related to national security should attach significant importance to this. With the MIIT’s proactive engagement and the release of the legal drafts related to data security, enterprises must ensure their compliance with data security regulations to avoid potential administrative penalties.
