Understanding China’s Data Regulatory Regime: What Are Important Data? And Can They Be Transferred Outside Of China?
The concept of “important data” is a cornerstone of China’s data regulatory regime. The Cyber Security Law (2017) (the CSL) prohibits operators of critical information infrastructures (CIIs) from transferring their “important data” and personal information outside of China. The Data Security Law (2021) (the DSL) and some recent draft regulations indicate that the prohibition on exports of “important data” is likely to apply to all companies, whether CII operators or not.
Then, what are “important data”?
The CSL and the DSL
The CSL does not provide a definition for “important data”.
Pursuant to the DSL, China will establish a data categorization and classification system. Data will be categorized and classified based on their importance to economic and social development, as well as the degree of harm the data may pose to national security, public interests and legitimate rights and interest of individuals if the data are tampered with, damaged, leaked, or illegally obtained or used. A subset of “important data” is the “national core data”, which are data that concern critical issues such as national security, lifelines of national economy, important aspects of people’s livelihood, and material public interests.
The DSL provides that Chinese authorities will formulate a catalogue of “important data”. To date, no such catalogue has been made public.
Network Data Security Regulation
The Cyberspace Administration of China issued the draft Regulation on Administration of Security of Network Data (the Network Data Security Regulation) to solicit public comments on 14 November 2021. This Network Data Security Regulation purports to be a comprehensive implementation regulation for the CSL, the DSL and the Personal Information Protection Law (2021) (the PIPL). Once finalized, it will be enacted by the State Council (China’s central government) as an “administrative regulation”, which is subordinate to the national laws (e.g., the CSL, the DSL and the PIPL) but prevails over all other sectorial and local regulations.
The Network Data Security Regulation defines “important data” as any data that, if tampered with, damaged, leaked, illegally obtained or used, may jeopardize national security or public interests, including:
- unpublished governmental affairs data, work secrets, intelligence data, and law enforcement and judicial data;
- export control data, data relating to core technologies, design schemes, production techniques etc. involved in materials and items subject to export control, and data of scientific and technological achievements having a direct influence on national security or economic competitiveness in areas such as cryptography, biology, electronic information and artificial intelligence;
- national economic operation data, business data of important industries, statistical data and other data that need to be protected or the dissemination of which is restricted according to laws, administrative regulations, or departmental rules;
- data on safe production and operation, and supply chain data regarding key system components and equipment in industrial, telecommunications, energy, transportation, water, financial services, national defense technologies, customs, tax and other key industries and sectors;
- genes, geography, minerals, meteorology and other national basic data on population and health, natural resources and the environment that reach the scale or precision specified by the State;
- data on the construction, operation and security of national infrastructures and critical information infrastructures, as well as geographic locations, security protection conditions and other data of important sensitive areas such as national defense facilities, military administrative zones, research and production units for national defense; and
- other data that may affect the security of national politics, territory, military affairs, economy, culture, society, science and technology, ecology, resources, nuclear facilities, overseas interests, biology, outer space, polar regions, deep sea etc.
While indicative of the concerns that Chinese authorities wish to address with the “important data” concept, the above description is not of much help if a company wishes to determine with certainty whether it possesses any “important data”, considering, in particular, the catch-all language of item 7 above.
Industrial Regulators and their Rules
We expect that the industrial regulators will play a key role in delineating the scope of “important data” and operationalizing the regulations related thereto. This is suggested in the DSL and the Network Data Security Regulation, and also confirmed by some recent industrial rules.
- MIIT Data
The draft Administrative Measures for Data Security in the Industrial and Information Technology Areas (the MIIT Data Measures) issued by the Ministry of Industry and Information Technology (the MIIT) provide that:
(1) Companies processing industrial and information technology data (MIIT Data Handlers) shall identify the “important data” involved in their businesses in accordance with the standards and rules promulgated by the MIIT, and formulate a catalogue of such data (the Catalogue);
(2) MIIT Data Handlers must file their Catalogues with the local MIIT authorities, which will, within 20 working days of receipt of the filing, either approve the filing and issue a filing certificate, or reject the filing and state the reasons for the rejection. For the purpose of such filing, the Catalogues shall include information on the categories, importance levels, scales, processing purposes and means, etc. of the “important data”; however, MIIT Data Handlers are not required to disclose the content of the “important data” to the authorities in the filing.
(3) Local MIIT authorities will submit the Catalogues that they have received and approved to the national MIIT, which will formulate a national catalogue of “important data” based on those Catalogues.
Expected to be finalized soon this year, the MIIT Data Measures provide an example of how the scope of “important data” can be ascertained in practice. The MIIT is a traditional regulator for telecommunications and Internet matters. Regulators in other industries, which have less experience in regulating electronic data and online activities than the MIIT, may follow a similar approach when defining the scope of “important data” within their respective purviews.
- Medical and Healthcare Data
In the medical and healthcare sector, the regulators have not issued their rules regarding the identification of “important data” under the DSL. However, there exist several regulations that restrict cross-border transfers of medical and healthcare data such as “human genetic resources (HGR) information.”
According to the draft Implementation Rules for the Regulation on Administration of Human Genetic Resources issued by the Ministry of Science and Technology (the MOST), “HGR information” refers to information materials such as human genes, and genome data generated from the use of human genetic resources. A security review by the MOST and other relevant authorities must be passed before providing or granting assess to the following HGR information to foreign parties:
(1) HGR information of important genetic families;
(2) HGR information in a specific area;
(3) human exome sequencing and genome sequencing information resources of more than 500 individuals; and
(4) other information that might affect public health, national security and public interests of the State
It remains to be seen how the regulations for HGR information and other medical and healthcare data will tie in with the concept of “important data.” Considering the similarity of the underlying objectives (i.e., protection of national security and public interests), a 2-in-1 security review procedure or solution is hoped for to facilitate the exports of “important data” in the medical and healthcare sector.
Can “Important Data” Be Exported from China?
Yes, if the governmental security review is passed. The procedures for such security review have yet to be finalized. Pursuant to a recent draft regulation, the review process might take two months or more. Moreover, under the draft regulation, once the review is passed, approval will be valid for only two years.
A correct balance must be struck between the government’s security concerns and the needs of a global and increasingly digitalized economy. This is also true for China. It is therefore a challenging task for Chinese authorities to define the exact scope of “important data”. For the same reason, implementation guidelines and identification rules for “important data” are still to be developed in most sectors.
Chinese regulators often publish drafts of important regulations to solicit comments from the public (e.g., two drafts of the MIIT Data Measures have been published in this way) and/or invite chambers of commerce, industry associations and other business groups to provide opinions on the draft regulations. Companies can take such opportunities to communicate with the regulators and help shape future policy.
At the same time, companies that process Chinese data should keep a watch on the developments of China’s data regulations and regularly assess their risk exposures. If a data export security review is likely to be required, the dataflows, contractual arrangements and IT infrastructures will need to be designed in a way compatible with the review and other regulatory requirements.