On September 30, China's Ministry of Industry and Information Technology (MIIT) issued the Measures for the Administration of Data Security in Industry and Information Areas (Provisional) (Draft for Comment) (工业和信息化领域数据安全管理办法(试行)(征求意见稿)). The draft is now open for public comments until October 30.
According to an explanation (link in Chinese) issued along with the draft, the measures are designed to help implement China's Data Security Law, which took effect on September 1. The measures would only apply to data management in the industry (including raw materials, equipment, consumer goods, electronic information manufacturing, software and information technology service industry, civil explosion, and others) and telecommunication sectors.
The draft (link in Chinese) sets forth a risk-based classification mechanism and requires agencies to formulate rules for data collection, storage, usage, processing, transmission and disclosure based on the risk levels. The draft sets out three categories of data: ordinary data, important data and core data.
According to the draft, ordinary data is defined as data with a minor impact on the public interest, individuals, organizations, or society, or data for which the risk of a data breach is of relatively small scale or over a short period, or involves only a low cost to restore or eliminate any negative impact. There is also a catch-all provision stating that any data that is not important data or core data would be considered ordinary data.
Important data is defined as data which, once at risk, would pose a threat to China's political system, territory, military, economy, culture, society, technology, network, ecology, resources and nuclear security, as well as data related to national security in important areas such as overseas interests, biology, space, polar regions, deep sea, artificial intelligence, etc. Important data could also be data with an impact on the development and operation of industry and telecommunication, or data for which leakage would have obvious cascading effects on society and multiple sectors. If the cost of restoring data or mitigating the negative effect of a data breach is very high, such data would be considered important too.
Core data carries the highest level of risk. According to the draft, core data is data that, once compromised, poses a serious threat to China's national and economic interests, or data that would, if compromised, have a serious impact on industry, telecommunication, and critical information infrastructure, or result in major damage, large-scale shutdowns or large-scale network and service paralysis of industrial operations or telecommunications.
Important data of industry and telecommunications, which is collected and generated within China, should usually be stored within China according to the relevant laws and regulations. Important data is required to undergo a security assessment when there is a need to transfer it abroad. Core data cannot be exported, according to the draft.
Important and core data are also subject to filing requirements. The draft proposes the establishment of a data filing management system for the industry and telecommunication sectors. The filing should include basic information on the data such as quantity, category, purposes and methods of data processing, scope of usage, safety measures, as well as data disclosure and exportation.
The draft also provides for rules on safety management, data safety warning and emergency response, data safety inspection and evaluation, supervision and legal responsibilities.