The Ministry of Industry and Information Technology (“MIIT”), following a first round of public comments that ended on October 30, 2021, released on February 10, 2022 a new draft of the Administrative Measures for Data Security in the Industry and Information Technology Sectors (for Trial Implementation) (the draft “Measures”), open for comments until February 21, 2022.1

As one of the industry regulators designated in the Data Security Law (“DSL”), MIIT is required to establish and refine data security management systems for data in the industry and information technology sectors (“IIT data”). The draft Measures would specify requirements for data protection by category and classification and for the management of important data; define the respective functions of MIIT and of its local counterparts (each a “local regulator”); and set out data security requirements covering the whole data lifecycle. These are laid out in 41 articles divided into eight chapters.

Scope

The draft Measures first set out key definitions and the scope of application. IIT data is defined to include industry data, telecommunications data and radio data. Industry data, in turn, means data generated and collected during research, development and design, production and manufacturing, business management, and platform operation and maintenance in the various fields and sectors of industry (Article 3, paragraph 1). IIT data processors (“data processors”) would include industrial enterprises, software and IT service providers, telecommunications operators holding telecommunications business licenses, and entities using radio frequencies and radio stations (Article 3(2)). Data security management involving personal information, military data, state secrets, cryptography, government affairs data, defense technology and tobacco would largely be governed separately by the respective laws and sector regulations (Articles 37 to 40).

Administration by category and classification

In line with the DSL’s implementation requirements, MIIT would formulate standards and specifications for data category and classification, for the identification and verification of important data and basic data, and for the classified protection of important data and basic data, which must receive priority protection (Article 7).

IIT data would be categorized into, among other categories, R&D data, production and operation data, management data, maintenance data and business service data (Article 8).

Important data and basic data

Following the wording of the DSL (Section 8), IIT data would be graded into three levels according to sensitivity: ordinary data (i.e. data that falls into neither of the following two levels), important data and basic data.

The draft Measures define “important data” in the IIT sectors as data for which the degree of harm, should the data be compromised, would meet one of the following criteria (Article 10):

  1. Poses a threat to political, territorial, military, economic, cultural, social, scientific and technological, electromagnetic, cyber, ecological, resource or nuclear security, or affects key areas related to national security such as overseas interests, biology, space, polar regions, deep seas and artificial intelligence;
  2. Seriously affects the development, production, operations or economic interests of an IIT sector;
  3. Causes a major data security incident or production safety incident, has a serious impact on the public interest or on the legitimate rights and interests of individuals or organizations, and/or has a significant negative social impact;
  4. Has an obvious cascading effect, affecting multiple industries, regions or enterprises within an industry, or lasting for a long time, with a serious impact on industrial development, technological progress and the industrial ecosystem; or
  5. Other important data assessed and determined by MIIT.

The draft Measures define “basic data” in the IIT sectors as data for which the degree of harm, should the data be compromised, would meet one of the following criteria (Article 11):

  1. Poses a serious threat to political, territorial, military, economic, cultural, social, scientific and technological, electromagnetic, cyber, ecological, resource or nuclear security, or seriously affects key areas related to national security such as overseas interests, biology, space, polar regions, deep seas and artificial intelligence;
  2. Has a significant impact on the IIT sectors’ key backbone enterprises, critical information infrastructure or important resources;
  3. Causes major damage to industrial production and operations, to the operation and services of telecommunications networks (including the Internet) or to radio activities, resulting in large-scale production shutdowns, large-scale disruption of radio activities, large-scale paralysis of networks and services, or the loss of a large amount of business processing capacity; or
  4. Other basic data assessed and determined by MIIT.

Catalog of important data and basic data

The draft Measures would require data processors to file catalogs of their important data and basic data with their local regulators. A filing should include, but is not limited to, the data category, classification and size; the purposes and methods of processing; the scope of use; the responsible parties; the parties with whom the data is shared; any cross-border transfer; and the security protection measures, but not the data itself (Article 12(1)). Data processors would receive a filing receipt if the contents of the filing meet these requirements (Article 12(2)). Data processors would also be required to report to the local regulator any change of 30% or more in the category or size of their important data or basic data (Article 12(3)).

As a distinctive element of the clause on promoting industrial development, the draft Measures would provide that data processors are bound to respect social morality and ethics (Article 5(2)).

Lifecycle Security Management

Under the draft Measures, data processors would be the parties primarily responsible for the security of their data and would be required to formulate rules and operating procedures for protecting that data during collection, storage, use, processing, transmission, provision and disclosure. This obligation would include, in particular, the following requirements.

Cross border transfer

Important data and basic data collected and generated in China must be stored in China, as required by laws and regulations such as the DSL (the data localization requirement). Cross-border transfers of important data would be subject to a security assessment (Article 21(1)). Basic data may not leave China at all. The draft Measures would further provide that data processors may not provide IIT data stored in China to foreign law enforcement bodies in the fields of industry, telecommunications or radio without the approval of MIIT (Article 21(2)). These requirements are consistent with the DSL.

It should be noted that, for cross-border sharing of data with non-governmental parties overseas, only important data and basic data are subject to the compliance requirements and restrictions described above. Data processors are not required to carry out a security assessment when transferring ordinary IIT data overseas. In other words, Chinese subsidiaries and joint ventures of multinational IIT companies may freely transfer ordinary data to their headquarters, but would need to carry out a security assessment before transferring important data, and may not transfer basic data at all.

This means that multinational IIT companies will need to distinguish between ordinary data and important/basic data. Most data related to day-to-day operations should be ordinary data. Many multinational IIT companies have limited access to important/basic data because of the restrictions on foreign investment in these sectors (e.g. telecommunications and broadcasting). Multinational IIT companies should also take precautions against inadvertently receiving important/basic data from other companies, especially public companies, by stipulating such data transfer restrictions in their contracts with those companies. In addition, multinational IIT companies may not transfer any IIT data to IIT regulators in their home country, such as the Federal Communications Commission, the Federal Trade Commission and the Securities and Exchange Commission, without first obtaining approval from MIIT.

Security assessment

Processors of important data and basic data would be required to conduct a security assessment at least once a year and to submit the assessment report to the local regulator (Article 31). Processors of ordinary data are encouraged to carry out regular security self-assessments.

Penalties

Companies that violate the Measures would be sanctioned in accordance with the DSL and the Cybersecurity Law. Penalties include warnings, fines, confiscation of illegal gains, and the suspension or revocation of the relevant licenses and permits. Criminal liability may also arise where a violation constitutes a crime.

Consistent with the DSL, the draft Measures show a bias against cross-border data transfers. This sits uneasily with China’s commitments under the WTO General Agreement on Trade in Services (GATS) and with China’s recently declared intention to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), two Asia-Pacific regional trade agreements with strict disciplines designed to facilitate digital trade, including cross-border information transfers.

Footnotes –

  1. https://www.miit.gov.cn/cms_files/filemanager/1226211233/attach/20219/6b7e6d62a890492996225806cc530144.pdf