February 17, 2022
By Donnie Dong & Amber Huang
CHINA’s Ministry of Industry and Information (MIIT) released its latest draft Measures on the Administration of Data Security in the Sectors of Industry and Information (Measures), seeking public comments by February 21, 2022.
Background
This is the second time MIIT releasing a draft of Measures. The first draft was released in September 2021. The updated draft mentioned the PRC Personal Information Protection Law (PIPL), but personal information protection is not the focus of the Measures.
The Measures focus on another issue: the security of the “important data” and “core data,” which are concepts raised in the PRC Data Security Law (implemented in 2021). In short, “important data” are important to social security and national security and therefore need heightened protection. “Core data” are those datasets even more crucial for national security and social stability.
MIIT and other Chinese authorities (in particular, the Cyberspace Administration of China) have addressed the important data and core data in a few regulatory documents. The Measures will be a clarification of the scope of MIIT’s supervision power. Given the jurisdiction of MIIT among the government departments, the “industry sector” in the context of MIIT-issued regulations mainly refers to the engineering, mechanical, and other heavy industries. In contrast, the “information sector” mainly covers the telecommunication and internet service providers.
Once implemented, the Measures will impact the business operation of multinational companies. In particular, manufacturers or service providers of mobile communication base stations, switch rooms, antennas, mobile terminal devices (cell phones, laptops), radio transmitting equipment, and vehicle networking would be affected. Stakeholders in these sectors may consider submitting comments before the deadline of February 21, 2022.
Key Provisions
Among others, MNCs should pay more attention to the following provisions of the Measures:
Coverage – Expanded to Radio Signals
Further to the “data” in the traditional sense (e.g., personal information and non-personal industrial, financial data), the draft Measures clarify that “radio data” are also regulated. Radio data refers to the radio frequencies, data generated by base stations, and other radio wave parameters, and data generated or transmitted through modulation electromagnetic signals.
The Measures also cover other non-personal industrial and manufacturing data.
Authorities
MIIT’s provincial-level branches will be the law enforcement agencies reviewing the data processing activities of stakeholders, including government authorities, state-owned enterprises, and private companies.
MIIT headquarters will review applications for processing “core data,” and will also be responsible for maintaining national standards for identifying the “important data” and “core data”. It will maintain a registration system for provincial-level branches to register each processor of important data or core data.
Data Classification
– The Measures set out principles in identifying “important data” and “core data” and list certain typical examples. In general, the stronger the impact/hazard to the economy and national security when it is breached, the higher chance a dataset will be classified as “core data” or “important data.”
– MIIT will create standards to guide local (provincial level) authorities in identifying “important data” and “core data” and will maintain a dynamic list of core data and important data.
– Provincial-level local authorities will be responsible to identify “important data” and “core data” according to the MIIT standards and report the identified data to MIIT.
– Companies shall refer to the MIIT standards to conduct self-identification and keep a catalog of “important data” and “core data”.
– If a company believes it possesses “important data” or “core data”, it shall report and register with local (provincial level) authorities. The report should include manners of data processing, the scope of access, whether cross-border transfer, and security measures adopted. On the other hand, being good news, the draft Measures clarified that the report to authorities shall not include the original data.
– If the scale of the dataset changes and the change exceeds 30% of the original data volume, the important data or core data holders shall renew their registration with local (provincial level) authorities within 3 months since the occurrence of the change.
Data Categorization
– Companies shall categorize their data into certain categories, such as “R&D data,” “data generated from manufacturing operation,” “management data,” “maintenance data,” and “business data.”
– The categorization shall be reviewed and updated periodically.
Executives’ Personal Liability
The statutory legal representatives (usually the CEO or Chairman/woman) of a company shall be responsible for the company’s data administration and may be found personally liable for data breach incidents. However, the draft Measures have not detailed the scale and thresholds for finding such personal liability.
Data Destruction
Data processors shall establish a data destruction system, the destruction of important data and core data shall be recorded with authorities, and the destruction must not be reversible.
Compliant Duties during Merger & Acquisition
If a data controller’s legal status is expected to be changed due to merger, acquisition, restructuring, or bankruptcy, the data controller shall inform affected users/data subjects. If the data controller processes “important data” or “core data,” it shall update the registration records with competent local (provincial level) authority.
Government Approval
A possessor of “important data” or “core data” shall seek permission (rather than update registration records) with local (provincial level) authority when it plans to provide, transfer “important data” or “core data” with another entity or mandate a data processor to process data. The local (provincial level) authority shall forward the application to MIIT for review.
* * * * *
Author: Donnie Dong. Admitted to practice in China and New York State, the author is a Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP). Dr. Dong is also a member of the steering committee for Digital Asia Hub, a non-profit think tank collaborating with leading scholars and practitioners of digital society in Asia.
This communication is intended for informational purposes only. It is not intended to create an attorney-client relationship or constitute any advertisement.