China Fleshes Out Details on Sensitive Data Collection by Firms
Chinese authorities have released new regulations to classify data based on the level of importance and risk to national security and overseas interests a month after the Data Security Law (DSL) took effect, in a move that could give much needed clarity to foreign-listed companies and others required to transfer potentially sensitive information abroad.
Industrial and telecoms data handled by companies in China will be categorized into “core data,” “important data” and “ordinary data,” according to draft regulations published last week by the Ministry of Industry and Information Technology (MIIT), which shares jurisdiction over the nation’s rapidly growing internet and information technology sectors.
The draft regulations mark China’s first public attempt to flesh out details on how to classify data and aim to support better implementation of the DSL, which currently only requires companies to sort and classify their data into different categories based on risk and imposes severe penalties on companies moving “core data” out of China. The DSL came into force on Sept. 1.
"This is the first, most clear directive I've ever seen for a state agency to start the process of doing this data categorization within their own industry," said Kendra Schaefer, a partner at consultancy Trivium, who specializes in Chinese data policy.
While China's state agencies have already been directed to start sorting out the data they are responsible for by type and risk, this new release from the MIIT is the first time an agency has given clear examples of what these categories mean, she said.
The draft rules are also the latest step Beijing has taken to strengthen its data-related regulatory regime, alongside tighter control over the listing of Chinese companies on U.S. bourses, intended to prevent sensitive information from falling into the hands of foreign governments, and stricter controls on cross-border data flows.
Indicative of this change, the draft would require companies to obtain a government security review before transferring “important data” overseas, while sharing “core data” with foreign countries would be banned outright.
Core data refers to information that poses a “serious threat” to China’s “politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources and nuclear security,” said the MIIT, which is soliciting public feedback on the draft regulations until Oct. 30.
Data also qualifies as core if it has a “serious impact” on the country’s “overseas interests and its data security in space, polar regions, the deep sea and artificial intelligence.”
Data will also be labeled “core” if it has “great impact” on China’s backbone enterprises, key information infrastructure and other important resources or has the potential to lead to “large-scale network and service paralysis.”
Industrial data, meanwhile, is defined as information collected and generated in industries including raw materials, equipment manufacturing, consumer goods and electronics, as well as software and information technology, said the MIIT. Telecoms data refers to information produced and gathered in the provision of telecoms services, it said.
Information that poses a threat to China’s national security, economic stability and technological development, “significantly impacts” the legal rights of individuals and organizations or has an “obvious cascading effect” across a range of industries and enterprises will be classified as “important data,” according to the draft regulations.
“Ordinary data” is defined as information that has a “relatively small impact” on the legal interests of individuals and organizations and the development of enterprises and technologies, the draft said.
In July, the Cyberspace Administration of China (CAC) revised its Cybersecurity Review Measures to make clear that any Chinese companies that hold the personal information of 1 million or more users would need to seek a government cybersecurity review before listing abroad.
A month later, China’s top legislature approved the Personal Information Protection Law, adding legal teeth to the country’s management of how personal data can be gathered and used.
"The question now, and the struggle for companies, for policymakers, and for regulators, is going to be … what is semi-restricted data," said Schaefer, adding that the definition of this middle category was "extremely broad" compared with the definition of national core data which was "much more clearly defined."
A number of regulatory documents indicate that data in the middle category will be allowed to flow out of China after a security check by the Chinese government, she said.
Some legal experts have said that China’s recent efforts to tighten its data-related regulations could allow Chinese companies whose shares are traded on American bourses to resist requests from U.S. regulators to hand over sensitive data in accordance with the Clarifying Lawful Overseas Use of Data Act, also known as the CLOUD Act.
In 2018, then U.S. President Donald Trump signed into law the CLOUD Act, which enables the country’s law enforcement agencies to obtain access to data owned and controlled by entities under American jurisdiction regardless of whether such data is located within or outside the U.S.
"This is going to be an incredible mountain to climb for China, for each regulatory body that has to deal with this,” said Schaefer. “But this document is the kickoff, it is a step closer to implementing the national data strategy within MIIT.”
Contact reporters Ding Yi and Flynn Murphy and editor Michael Bellart.