China: New Measures for Data Security Management in Industry and Information Technology (Trial Implementation)

published on 11 January 2023 | reading time approx. 3 minutes

The technically secure and, above all, legally compliant handling of data has been one of the greatest operational challenges for almost all companies operating in China at least since the Chinese Data Security Law ("DSL") and the Personal Information Protection Law ("PIPL") came into force in 2021. Foreign-invested enterprises are particularly affected, and it is not uncommon for them to have to make considerable additional investments in order to comply with the demanding legal requirements.

To make matters worse, the relevant statutory provisions are usually deliberately kept rather general so that they can be specified later by local and/or sector-specific implementing regulations. In practice, this means that data processing companies must take technical and organizational measures on the basis of legal requirements which, in the absence of corresponding implementing regulations, leave too much room for differing interpretations and therefore cannot serve as a solid basis for business decisions.


In the highly sensitive area of cross-border data transfer, the Chinese government was able to create a little more legal certainty in 2022 through various administrative regulations. In addition, since 1 January 2023, industrial enterprises and enterprises engaged in information technology can align their data processing with the Measures for Data Security Management in Industry and Information Technology (for Trial Implementation) (hereinafter "Measures") issued by the Ministry of Industry and Information Technology ("MIIT"). With this article, we would like to outline what these Measures regulate in detail and which effects they entail for affected companies.


What the Measures regulate

Purpose, definitions and competent authorities

The purpose of the Measures is primarily to strengthen the handling of relevant data in order to improve data security in the fields of industry and information technology. In addition, the Measures emphasize that their application should also promote the development and use of data. This pairing of mandatory data security requirements on the one hand and the enabling of economic use of data on the other can already be found in the DSL as well as in some high-level government documents; the latter aspect, comprehensive "data governance", is still at an early stage of regulation compared to data security.


All industrial companies, software and IT service companies, licensed telecommunications companies, users of radio frequencies and radio stations, and other legal entities that independently decide on the purpose and methods of data processing are subject to the Measures.


Regarding the material scope of application, the Measures divide protected data into industrial data, telecommunications data and radio data. Industrial data means data generated and collected in the course of research and development, design, production, administration, maintenance, platform operation, etc. in various industrial sectors. Telecommunications data means data generated and collected in the course of telecommunications operations. Finally, the Measures define radio data as data on radio frequencies, transmitters (stations) and other radio wave parameters generated and collected in the course of conducting radio business.


The MIIT has the central responsibility for the coordination and supervision of all activities within the scope of the Measures. The local departments of the MIIT implement the Measures within their local jurisdiction.


Data classification

Effective data management first requires, in addition to the precise mapping of the data processed by companies, a classification according to suitable characteristics. According to the Measures, the classification is to be carried out in two ways:

  • according to the requirements, characteristics, business needs, data sources and purposes of use in the respective industry; and
  • according to the degree of potential harm to national security, public interests or the legitimate rights and interests of individuals and organizations if the data are tampered with, destroyed, disclosed or unlawfully obtained or used.

For the first type of classification, the Measures mention (non-exhaustively):

  • Research and development data,
  • Production and operational data,
  • Management data,
  • Maintenance data,
  • Business services data.

According to the degree of potential damage, data must be divided into:

  • General data,
  • Important data,
  • Core data.

The Measures provide some criteria for identifying general, important and core data. In this context, the MIIT and its local bodies are tasked with publishing standards, specifications and catalogues for data classification, which companies must use as a guideline for their own data classification and cataloguing.


Particular emphasis must be placed on the obligation of companies to submit their internally compiled catalogues of important data and core data to the locally responsible department of the MIIT for review. The catalogues must indicate, among other things, the respective data sources, categories, levels, scales, carriers, processing purposes and methods, the scope of use, persons responsible, external disclosure, cross-border transfer and security measures taken. The actual data content is explicitly not to be included in the catalogues. If the data listed in the catalogue change significantly after a positive decision by the MIIT, the competent authority must be notified within three months of the change.


Full-lifecycle data security management

Like the DSL, the Measures require data processors to implement a data security management system that covers the entire lifecycle of the data concerned and includes the protection measures prescribed in detail in the Measures for all stages from data generation to deletion. The data security management system must follow the principle of graded protection: where different categories of data (general, important, core data) are processed together, the highest category present determines the level of protection to be applied. Companies must therefore take at least the following measures:

  • Establish a security management system with graded protection requirements and operational procedures for data processing,
  • Provide staff for data security management,
  • Establish and monitor operational authority for data processing activities,
  • Develop contingency plans and conduct emergency drills for data security incidents,
  • Provide regular data security awareness training to staff.


Additional obligations are triggered according to the Measures when processing important as well as core data, such as the establishment of internal registration, authorization and other working procedures.

Finally, companies must fully document all processing activities and keep corresponding logs for at least six months.


Early warning and emergency response

The MIIT will establish a nationwide mechanism for monitoring, detecting, reporting and remediating or minimizing data security risks. Both the locally competent authorities and data processing companies will have indispensable supporting roles in this mechanism. For companies, this means that they must take measures within their internal data security management to enable the early identification, handling, reporting and elimination of such risks. In particular, this includes the establishment of a channel for receiving complaints in accordance with the Measures.


Assessment and certification of data security

In order to assess and certify data security in enterprises, the MIIT will establish a system for managing qualified and accredited assessment bodies and formulate necessary standards for this purpose.


Processors of important and core data are required to carry out a risk assessment of their data processing activities at least once a year, to address identified vulnerabilities in a timely manner and to submit risk assessment reports to the locally competent supervisory authorities. Such reports may, but need not, be prepared by an external assessment agency.


Enforcement powers and legal liability

With regard to the powers granted to the authorities to enforce the Measures, the Measures refer to the powers otherwise conferred on the authorities by the relevant laws (in particular the Cybersecurity Law, the DSL and the PIPL) and administrative regulations. Consequently, a wide range of possible measures is available to the MIIT and its local branches, such as obtaining information, entering facilities, imposing fines, confiscating unlawfully obtained assets or gains, and revoking issued permits and licenses. In the case of a criminal offence, the initiation of criminal investigations is also conceivable.


Implications and recommendations for affected companies

The Chinese Communist Party and government have recognized early on that data is essential for the further development of the Chinese economy and society, and will be even more so in the future. From the point of view of the Chinese state, the main driving force clearly comes from players in industry and information technology, which is why they are to be regulated as a matter of priority with a view to the secure handling of data. This decision is basically understandable, as undetected or untreated vulnerabilities in these sectors can have devastating effects in an increasingly industrialized and digitalized society.


On the other hand, establishing and maintaining a robust data management system is also very much in the interest of the affected companies themselves. In most cases, especially for small and medium-sized enterprises, data security incidents do not endanger national security or other high-level interests, but rather the company's own operations, or in the worst case its very existence. Therefore, even without the binding requirements of the new Measures, a systematic and critical assessment of how data is handled in one's own company is eminently sensible. In this respect, the Measures provide affected companies with a guideline for setting up or enhancing their own data management system.


For its part, the MIIT announces on its official website (link in Chinese) what activities it intends to undertake after the Measures have come into force:

  • Increased dissemination, information and advice on the practical application of the Measures;
  • Developing supporting specifications and standards with a focus on promoting the implementation of monitoring and early warning systems, emergency response, security assessments and other institutional mechanisms;
  • Strengthening oversight and enforcement against unlawful acts under the Measures.

It remains to be seen how these activities will be prioritized and, above all, balanced against each other. In any case, affected companies should watch for future implementation guidelines published by the MIIT.