Definition of important data
Being able to identify important data is crucial in determining whether data handlers will be subject to the compliance requirements applicable to important data. Although generic definitions of important data are scattered across various Chinese laws, regulations and national standards, there has not yet been a unified definition of important data. According to the Information Security Technology – Guidelines for Identification of Important Data (the Draft Guidelines) released in January 2022, important data is defined as data that exists in electronic form, the tampering, sabotage, leakage or illegal acquisition or use of which, once it occurs, may endanger national security or public interests (and so excludes state secrets and personal information, but potentially encompasses statistical data or derived data generated from a substantial amount of personal information).
By contrast, the Draft New Rules define important data as data within specific fields, groups or regions, or data that possesses a certain level of detail and scale, that, once leaked or tampered with or destroyed, may directly endanger national security, economic stability, social order, or public health and safety. This is almost the same as the definition in the draft Network Data Classification and Categorisation Requirements issued in September 2022.
The definition of important data under the Draft Guidelines is broad and vague. However, it seems that the Draft New Rules’ definition is even broader and vaguer. In addition, the above definitions also differ from the definition under the CAC Security Assessment Measures for Cross-border Data Transfer. If the Draft Guidelines and the Draft New Rules are finalised in their current form, it is likely that companies will still need guidance from industry regulators on how to identify important data.
Security of infrastructure
Cloud services are commonly used by data handlers today, posing potential risks to data security. The Draft New Rules require a risk assessment before engaging any cloud services to process important data. For the purpose of risk assessment, important data handlers must demonstrate the necessity of using cloud services to process the data, as well as the trustworthiness and security of those cloud services. As far as existing cloud services are concerned, data handlers must conduct a risk assessment on a regular basis and cease to use the cloud services if any unacceptable risks are identified. Further, the Draft New Rules provide that any information systems used to process important data must adhere to the multi-level protection scheme (MLPS) and be certified as Level III or higher.
This may have a significant impact on both cloud services providers and data handlers. In particular, given that MLPS certification would require that all the IT systems must be deployed within China, it could be challenging for cloud service providers with servers deployed outside of China to process important data in China.
How to process important data
The Draft New Rules specify in detail the data security requirements and measures involved in the full lifecycle of data processing activities, including data collection, storage, use and processing, transmission, disclosure, and deletion.
Among other responsibilities, important data handlers are required to formulate and regularly update the important data identification system, establish an important data catalogue and comply with the requirements of the national data security classification and categorisation system. This is in line with the Data Security Law and other Chinese data and cybersecurity laws and regulations. Given that national rules on data classification and categorisation are still in the process of being enacted, we believe this will provide further guidance for data handlers on how best to establish a data security classification and categorisation regime once the national data classification and categorisation rules are in place.
The Draft New Rules introduce several specific requirements that complement existing legal obligations. For example, important data handlers must conduct security background checks on all operational and maintenance staff of the data centres where important data is stored.
The transfer or sharing of important data requires the important data handler and the recipient to enter into a contract setting out the purpose and scope of, and method used for, processing the important data, as well as security obligations. Furthermore, the important data handler must conduct an assessment on data sharing or transmission for internal approval. If the data handler engages a third party for processing important data, the data handler must enter into a contract with the third-party data processor to specify the security obligations. This bears certain similarities to the legal requirements applicable to personal information.
With respect to the cross-border transfer of important data, the Draft New Rules reaffirm the necessity for a security assessment and governmental approval, as required by other laws and regulations. Additionally, the Draft New Rules clarify that the data handler must resolve complaints involving cross-border data transfers, and records of these transfers must be kept on file for at least three years.
Organisational security obligations
The Draft New Rules require that important data handlers appoint an individual in charge of data security, and develop internal security management policies on the processing of important data.
With respect to the supplier of the IT system used to process important data, the data handler must establish a supplier management system and enter into an agreement with the supplier to clarify the parties’ data security responsibilities. Therefore, the contract with the supplier must be carefully crafted to mitigate potential risks.
In order to establish a comprehensive data security management system, the Draft New Rules also provide that important data handlers must create emergency plans to address important data security incidents, establish emergency response centres and teams, and conduct audits of important data processing activities. Furthermore, important data processors should establish a data security risk assessment system, generate assessment reports, conduct annual assessments of important data processing activities, and cooperate with the relevant authorities while following their guidance.
Practical take-away
The Draft New Rules will have a significant impact on important data handlers as well as on the suppliers and vendors of IT infrastructure and services used in the processing of important data. Although they are not mandatory, the Draft New Rules serve as best practice guidance and will be referenced by Chinese regulators for law enforcement purposes, especially considering that the Cybersecurity Law and the Data Security Law do not contain sufficient details on how important data should be handled from a practical perspective. Therefore, important data handlers must carefully adhere to the security requirements under these Draft New Rules as they apply to data collection, storage, use, transmission, sharing and destruction, to ensure compliance. From a practical perspective, business organisations should consider implementing the following risk management measures:
- In order to minimise the risk of non-compliance with important data regulations, it is essential to seek professional advice on regulatory requirements, including those relating to data sharing, cross-border data transfer and risk assessments.
- Where a company engages a third-party service provider to supply IT infrastructure or provide IT services (for example, cloud computing services) for the processing of important data, it is crucial to have a well-drafted and reviewed contract, to ensure an adequate level of protection and minimise the risk of non-compliance with the relevant laws and regulations.
- Data processing agreements between data handlers and entrusted data processors must contain the requisite terms and conditions on data security obligations and the security measures to be taken.
- Companies must keep close track of all compliance efforts, including properly documenting cross-border data transfers of important data, establishing internal data security management policies and programmes, conducting compliance training, and implementing measures to protect important data.
- More detailed rules are expected to be released, providing clarity on the definition, identification, classification and categorisation of important data. International companies are strongly advised to closely monitor the latest developments for compliance purposes and take appropriate compliance actions.
The deadline for the public to submit comments on the Draft New Rules is 24 October 2023. We will continue to monitor the developments until the official, final version is published. If you require any assistance with the above, please do not hesitate to get in touch.
In-depth 2023-198