China - New high-octane rules for data security

Last week WeChat users were given sight of the latest tome in China’s legislative series on data security before its official release by the Chinese regulators, which is expected soon. This followed a private viewing for some lucky industry insiders in June. With the catchy title of the “Information Security Technology – Identification Guide of Key Data”, this draft national standard seeks to prescribe what “key data” or “important data” (terms used interchangeably) means under the Data Security Law, Cybersecurity Law and other rules central to the management of data in China’s increasing influential digital economy.

Important data has greater compliance burden

As a general premise, additional obligations and restrictions attach to important data held by enterprises under the Cybersecurity Law and Data Security Law. For example:

  • an enterprise must appoint a designated officer and a management body to manage the security of this data type and undertake regular risk assessments for submission to the PRC authorities; and
  • important data must be stored within the PRC and undergo a regulator-led security assessment before it is transferred abroad, which is of particular relevance to international businesses.

As such, knowing whether a business handles important data will influence the structuring of the enterprise’s network infrastructure and its data flows, as well as impacting its general compliance burden. Since the launch of the Cybersecurity Law in 2017, therefore, businesses in the PRC have searched for definitive indicators of what important data comprises. This guide should provide those details – but whilst it seems the standard gives us some, it certainly doesn’t provide all of the answers businesses would like

A framework approach – Further regional and industry guidance awaited

The national standard has been formulated as a framework that identifies the characteristics of important data. It then instructs (as prescribed by the Data Security Law) regional authorities and departments to apply that outline to further define the categories and characteristics of, and how to identify, important data in their respective regions and industries through their own standards and guidelines.

While the standard gives businesses a better idea of the relevance of important data to their operations, these subordinate standards and guidelines must be released before managers can know with confidence whether important data will have a real business impact on them. This wait may frustrate foreign-invested businesses that operate in China’s vast service sector, as these beneficiaries of the continuing opening-up of the world’s second largest economy would not expect to process data endangering national security.

However, unfortunately no timetable has been laid out for release of further guidelines. Almost certainly though, businesses must plan for updates being published after 1 November, such that any analysis and implementation measures to be made by them will not be able to run concurrently with those made for China’s Personal Information Protection Law (PIPL).

Local and sector rules still apply

As a corollary to the interplay among national, regional and industry guidelines, the draft standard states that its objective is not to re-write any existing rules at local or sector levels. Since “data containing user accounts or reflecting financial transactions” is no longer included, it seems that Fintechs, banks, securities companies and other financial institutions, for example, which already have industry standards to comply with regarding data categorisation, only need to look to the local and sector guidelines to understand how their data is regulated.

Pending further rules, the hierarchy among different echelons of government and its development priorities will be interesting to watch, as not all regulators and sectors are created equal.

What is key or important data?

National security and public interest implications
  • Under the draft standard, important data means any data the alteration, destruction, disclosure or illegal acquisition or exploitation of which may endanger national security and public interest (“public interest” seemingly a concise replacement for the June draft’s “economic operation, social stability, public health and safety”).
  • “Endanger” replaces what was previously “directly impact”, and arguably installs a higher, more adverse threshold that should comfort operators of non-sensitive businesses.
Only electronic data
  • Interestingly, important data now comprises only data in electronic form. This fits with the thrust of commerce’s digitalisation but will probably have little impact in practical terms in today’s online and mobile-enabled world.
  • Continuing regulatory pressure on platforms, the standard also retains the hedge that, although “personal information” (now aligned with the definition under the Personal Information Protection Law) does not normally constitute important data, statistics and data derived from a large amount of personal information may constitute important data.
Eight categories
  • As per the June draft, there are eight characteristics of important data, although seven have been revised to various degrees. In total, there would seem to be a slight narrowing in the scope of important data which should, in turn, reduce the data processing restrictions imposed on business operators.
  • This resulting reduction in restrictions is in keeping with the supplemented core principle for identifying important data (chapter 4 of the standard) that the “free flow of non-critical and general data” should be promoted to “unlock the value of data” – this is also a central theme of the PRC central government’s “Digital China” initiatives, emphasised under the 14th Five Year Plan approved in March.
  • More specifically, in addition to the removal of data types directly relating to financial transactions and other activities, the new text omits trade secrets of state-owned entities, video information collected through more than 500 cameras, and audio data which involve more than 10,000 persons.
Critical information infrastructure operations
  • Overall, the new draft seeks to classify several data characteristics by reference to critical information infrastructure (or CII) operations rather than giving specific examples of important data.
  • As explained in our assessment of the CII security regulations, this seems positive for most foreign-invested organisations because those regulations’ test for CII seems less likely to catch enterprises of smaller scale or those with operations not readily-associated with national security.

Data mapping requirements

Once regional authorities and departments have set out their own classification guidelines for important data, each organisation must then map and report on its important data as follows:

  • Identify, in accordance with the requirements of the relevant region or department, its own important data, including organising its data assets, determining the possible impact on national security if that data is compromised, and classifying its important data by scope, field and other specifications.
  • Review the important data identification.
  • Prepare a summary of the identified data’s characteristics in the form prescribed in the annex of the standard. Notes in chapter 7 of the standard explain the required content including details on the source of the important data, its purpose, with whom it is shared and how it is protected.
  • Prepare a catalogue that records the identification details determined as described above.
  • Report its important data identification to the relevant authority (presumably using the summary table).
  • Promptly report to the relevant authority any change that occurs in the information initially reported.

Periodic assessments

The Data Security Law already requires businesses to periodically assess the risks of important data processing and report on the types and amount of important data processed, how processing is carried out, the threats faced, and the corresponding protection measures implemented, as well as apply for regulatory approvals to transfer important data overseas.

The standard’s initial and ongoing reporting obligation is not completely new (subject to seeing any overlay of requirements imposed at a regional and industry level). That said, businesses possessing important data will have to align internal processes with the standard and any subsequent regional and industry requirements.

Open questions

While the standard gives clarity to information security personnel in that regard, various organisations will be left with questions as to how they should apply the prescribed process to their business:

  • Sector priority: Where conglomerates and other larger organisations that operate across different sectors – particularly given the convergence that tech has brought to industry – must they classify important data under each different sector guidelines and report to different authorities (regardless of the inevitable cross-over and duplication)?
  • Regional approach: Similarly, if a company operates in different regions (whether through a branch or other less formal structure) does it apply multiple regional standards to the same data?
  • Group exemption: Will there be a group reporting mechanism for affiliated entities as under, for example, the securities trading disclosure regime? Otherwise, each entity in a large group structure, where data is constantly shared for operational purposes, must report separately on what may be similar disclosures across the group.
  • Time-lapse: The summary table to be reported to the PRC authorities includes a description of the duration for which important data will maintain its materiality. A similar concept is used to regulate state secrets and the standard makes clear that the timeframe for important data will not be longer than that of state secrets. However, considering the operational obligations and transfer restrictions that attach to important data, query why any private enterprise would voluntarily report long materiality periods. The practical application of this requirement, and whether the authorities have a de facto approval function before accepting reports, waits to be seen.
  • Data ownership: The standard seems to require organisations to identify and report on their own important data but is not clear whether “ownership” or possession of the important data is the trigger. Does every third-party recipient of important data as part of normal business operations have an obligation to identify and report holding it? Important data can be held by multiple parties at the same time – does this require multiple assessments and reports? Unlike privacy regimes that rely on concepts of “controller” and “processor” (or “entrusted party” to use the PIPL’s term) and strings of contractual obligations between parties holding the same personal information, we do not yet have mechanisms to regulate the respective responsibilities of those that share important information – yet…

What’s next?

Interestingly, in commentary subsequently released by one of the chief drafters of the standard, we learnt that the Cyberspace Administration of China (or CAC, the regulatory authority that has been in the headlines recently for conducting high-profile cybersecurity reviews) is still to provide formal input on the standard.

Given the importance of “important data” to the powers of the CAC, it may well have comments to feed into the next iteration of the standard. Businesses should continue to monitor for developments in this fast-moving area of law.