Briefing
Divergent approaches to the categorisation of ‘important data’ in China
Richard Bird, Fan Li, Leslie Xu
The PRC Data Security Law (DSL) set up a categorisation and grading system for ‘important data’ accounting for the importance of the data on economic and social development, and the impact on national security and other public interests, etc. Each region, department or sector is required to formulate a specific catalogue of ‘important data’ for that region or industrial sector, etc.
Progress toward building this system has been slow since the DSL came into effect on 1 September 2021. However, in recent weeks, the Ministry of Industry and Information Technology (MIIT), a key sectoral regulator, the Lingang high-tech hub within the Shanghai free trade zone (FTZ) and the FTZ of Tianjin, the seventh largest city in China, have each finalised their respective approaches. Each adopts a different structural form:
- MIIT: an annual assessment filing system, without either specific catalogue or definition of ‘important data’ to reference.
- Lingang high-tech hub in the Shanghai FTZ: a white-list for certain sub-sectors only, namely intelligent connected vehicles, biotech and mutual funds.
- Tianjin FTZ: a catalogue.
Background
A National Information Security Standardisation Technical Committee (TC 260) coordinating document states that where the level of threat arising from leakage, etc. of data is “serious” to social stability or the public interest, or “general” as regards national security or economic stability, the data should be classified as “important”.[1] A higher threat level in any of these areas would classify the data as ‘core data’.
Only a small number of specific catalogues and regulations have been issued so far: in relation to vehicle data security[2], core operational aircraft data[3] and the collection and storage of geographic mapping information by vehicles equipped with sensors and the use of mapping data for road testing and operation of autonomous vehicles[4].
The principal restriction on ‘important data’ is that all overseas transfers are required to undergo a security assessment with the Cyberspace Administration of China (the CAC) and obtain the CAC’s approval. The final rules for security assessments issued on 22 March 2024 do, however, clarify that organisations will not need to apply for security assessment in respect of transfers of potential ‘important data’ unless the corresponding data type has already been formally classified as ‘important data’.[5]
The CAC’s final rules also enable China’s FTZs to produce their own catalogues of ‘important data’.
MIIT implementing rules
The MIIT’s implementing rules for data security risk assessment require organisations operating in the field of information technology, internet and electronic goods, etc. to file annual assessments of the ‘important data’ and ‘core data’ they hold.[6]
- The risk assessment should:
  - describe the kinds and amounts of ‘important data’ held
  - describe the data processing activities being conducted and the business scenarios involved, the security measures taken and the risk impact
  - address the legality, legitimacy and necessity of those data processing activities in the form of a compliance assessment, taking account of (i) the purpose and scope of the processing, (ii) how the processing is conducted, (iii) the technical and organisational measures taken to protect the data (in particular, the training of personnel on the organisation’s security policies, etc.), and (iv) the potential impact on national security and public interests of a data security incident
  - address the data security capabilities of service providers involved in processing of ‘important data’
  - disclose data security incidents and the impact on national security and public interests.
- The assessment report should be filed with the relevant local branch of the MIIT. The head office of a corporate group should submit a single consolidated report.
- No timeline is given for the MIIT’s review as regards ‘important data’, although the MIIT can notify any non-compliance and require the issue to be rectified.[7]
- Risk assessments should be updated following any changes in data processing activities or major changes in an organisation’s security posture that may adversely affect the security of the data, or following a security incident. A new risk assessment will also be required when engaging new service providers or transferring ‘important data’ or ‘core data’ to a different third party.
Organisations can carry out the assessment themselves or engage a third-party assessment agency. No template is provided, however. The implementing rules also provide for a certification system for third-party security assessors.
The MIIT’s implementing rules provide neither a definition of ‘important data’ for organisations to refer to when preparing risk assessments nor a catalogue of ‘important data’, etc.
The MIIT’s implementing rules came into force on 1 June 2024.
Shanghai FTZ white-list
On 16 May 2024, the Lingang high-tech hub in the Shanghai FTZ published three white-lists of data of various types that can be freely transferred out of China in the domains of intelligent connected vehicles, biotech and mutual funds.[8]
Data on the white-list can be transferred out of China by registering and making a filing with the Administrative Committee of the Lingang area.
Intelligent connected vehicles
The white-list comprises data involved in the following four scenarios:
- global manufacturing of vehicles (including, for example, production plans, inventory of raw materials and parts, cost information, information regarding logistics supply chain such as the names of logistic suppliers, logistic costs, information on receipt and delivery of goods, etc.)
- R&D and testing (including, for example, drawings, software code, technical specifications, market research reports, reliability tests which evaluate the ability of a vehicle or a component to perform its intended function, human-machine interface (HMI) tests, etc.)
- provision of after-sale services to customers worldwide (including, for example, VIN numbers, vehicle configuration data, information about malfunctions, records of customer service, purchase orders, and logistics information about purchase of spare parts from after-sales centres, recall announcements and records of recalls, etc.)
- trade of domestic second-hand cars in international markets (including, for example, basic information such as VIN numbers, colour, engine number, model, date of manufacturing, records of maintenance and insurance, etc.)
The white-list does not apply to any data that is transmitted directly from a vehicle (which is the preserve of the Several Provisions on Vehicle Data Security Management, 2021).
Biotech
The white-list comprises data involved in the following five different scenarios:
- clinical trials and R&D (including, for example, anonymised basic personal information of subjects, basic personal information of the researcher, education and work information of the researcher, etc.)
- pharmacovigilance and adverse event monitoring (for safety evaluation only) (including, for example, anonymised basic personal information of patients, basic physiological information, medical records, etc.)
- medical enquiries (including, for example, anonymised basic personal information, enquiry time, records, etc.)
- complaints (including, for example, anonymised basic personal information, etc.)
- vendor management (including, for example, contact information, contract number, payment amount, payment date, etc.).
Transfers of human genetic resource data remain subject to the Administrative Provisions on Human Genetic Resources and its implementing rules, including a requirement to file the transfer with the competent authority along with a back-up copy of the data.
Mutual funds
The white-list comprises data involved in the following two scenarios:
- market research (including, for example, industry name, industrial analysis, macroeconomic analysis, etc.)
- internal management (including, for example, supplier information, investor management data (e.g., total number of customers per day and customer retention rate), financial management data (e.g., balance sheet, profit distribution statement and cash flow statement), project management data (e.g., project name, task name, status), etc.)
The white-list presents these as the most typical examples of data types within each scenario; they are not intended to be exhaustive.
Additionally, the white-list is subject to certain other caveats, including the general caveat that none of the transferred data reflects the status or operation of the national economy. Other specific caveats apply to certain scenarios, for example, information about material manufacturing accidents is excluded from the scenario of the ‘global manufacturing of vehicles’. Under the scenario of ‘R&D and testing’, information that may affect the security of any national key technologies[9] is similarly excluded.
It has been reported that the white-list was developed in conjunction with a group of more than 15 auto OEMs, including several prominent international companies.
Tianjin FTZ negative list
The approach of the Tianjin FTZ is the opposite of that of the Lingang area: a negative list of data types, also of various kinds, that may only be exported after undergoing a security assessment with the CAC or making a standard contract filing with the CAC.[10]
The negative list published on 9 May 2024 includes 43 categories of data (with exhaustive examples) in 12 industries or sectors.
Tianjin is governed as one of the four municipalities (alongside Beijing, Shanghai, and Chongqing) under the direct administration of the State Council of China. It might be inferred from this that the list is in some measure reflective of national-level policy.
The Tianjin measure provides a list of examples of data that would require a CAC security assessment before export from China via the Tianjin FTZ:
- data relating to the petroleum, petrochemicals or natural gas industries that may imply the operating status of important areas involving major national strategies, e.g., storage and transaction data, international trade data, information about strategic reserves
- data relating to the international cooperation and international agricultural trade, e.g., international cooperation data, international trade data, information about strategic reserves
- data relating to natural resource industries and the environment, for example, remote sensing image data showing sensitive areas, unpublished environmental inspections or enforcement that may affect public safety or foreign affairs, meteorological monitoring data used for military or national defence purposes
- industrial data, for example, the research and manufacturing capacities and development plans of major organisations in the national defence technology industry, R&D and production of high-tech equipment used in military and aerospace fields, data relating to intelligent vehicles that reflects geographical information, traffic flow and vehicle telemetry data indicating sensitive areas such as areas under the administration of the military, or the locations of national defence military industrial units or government agencies
- data in the finance sector that once leaked may affect national security, the safety of the relevant financial institutions or more than a million customers, such as account information and transaction data of important organisations, financial leasing data involving party and government agencies or national defence and military enterprises
- statistical data that may reflect the operation of a certain aspect of the macroeconomy, unless the data has already been officially published
- digital media data that can be used for social mobilisation but, if used illegally, may affect cultural and public security, or online behaviour data of more than 100,000 users, etc.
- data relating to housing provident funds that may cause leakage of the sensitive personal data of more than 100,000 people, or which could be compiled for use for analysing the status of the real estate market
- human genetic resource data that reflects the overall situation of races or which relates to biosafety, as well as biosafety data and disease control data that relates to national security or the safety of human life. Examples include records of the individual diagnoses and treatment of more than 100,000 individuals
- data in the food industry that once leaked or tampered with may cause serious food safety incidents; the parameters of and control data for automatic control systems in food production
- pharmaceutical data that may affect biosecurity or public safety
- information about Tianjin’s cybersecurity situation, construction layout planning and supply chain management for critical information infrastructure, or information about important networks and information systems with a cybersecurity protection level of III or above on the MLPS 2.0 scale, or undisclosed cybersecurity vulnerabilities, etc.
- information with public opinion attributes or social mobilisation capabilities held by Internet platforms, for example, behavioural analysis data of sensitive groups such as government officials and veterans, records of services rendered for the military industry, government agencies, and records of services provided to operators of critical information infrastructure, etc.
- data related to technologies subject to export control laws
- other technical information that may affect national security, for example, scientific research papers, monitoring data, and information about industrial process and techniques that could significantly improve national security capabilities or directly affect national security.
[1] Data Security Technology Data Classification and Rating Rules, 21 March 2024
[2] The Several Provisions on Vehicle Data Security Management (effective from October 2021)
[3] The Civil Aviation Administration of China published the Administrative Measures for Civil Aviation Data (for comments) and the Administrative Measures for the Civil Aviation Data Sharing (draft for comment)
[4] Notice from the Ministry of National Resources on Promoting the Development of Intelligent Connected Vehicles and Protecting the Security of Surveying and Mapping Geographic Information, 25 August 2022
[5] The Provisions on Promoting and Regulating Cross-Border Data Flows, 22 March 2024
[6] Circular of the Ministry of Industry and Information Technology on Issuing the Implementing Rules for Data Security Risk Assessments in the Field of Industry and Information Technology, 10 May 2024. The DSL also requires organisations that hold ‘important data’ to conduct periodic risk assessments, to be submitted to the applicable sectoral regulator(s).
[7] In contrast, the MIIT is required to complete its examination of filed assessments of ‘core data’ within 20 working days, and report up the chain to central MIIT.
[8] Measures for Categorised and Graded Administration of Cross-Border Data Flows in Lingang New Area (for Trial Implementation)
[9] See, for example, the NDRC’s Implementation Plan for the Industrialisation of Key Technologies for Intelligent Vehicles for examples of key strategic technologies.
[10] Administrative List (Negative List) for Data Export in China (Tianjin) Pilot Free Trade Zone (year 2024 version)