Home
Internal
The technically secure and, above all, legally compliant handling of data represents one of the greatest challenges in business operations for almost all companies operating in China, at the latest since the Chinese Data Security Law ("DSL") and the Personal Information Protection Law ("PIPL") came into force in 2021. Foreign-invested enterprises are particularly affected, and it is not uncommon for them to have to make considerable additional investments in order to comply with the demanding legal requirements.
To make matters worse, the relevant statutory provisions are usually deliberately kept rather general so that they can be specified later by local and/or sector-specific implementing regulations. In practice, this leads to data processing companies having to take technical and organizational measures on the basis of legal requirements which, in the absence of corresponding implementing regulations, leave too much room for different interpretations and thus cannot be a solid basis for business decisions.
In the highly sensitive area of cross-border data transfer, the Chinese government was able to create a little more legal certainty in 2022 through various administrative regulations. In addition, since 1 January 2023, industrial enterprises and enterprises engaged in information technology can align their data processing with the Measures for Data Security Management in Industry and Information Technology (for Trial Implementation) (hereinafter "Measures") issued by the Ministry of Industry and Information Technology ("MIIT"). With this article, we would like to outline what these Measures regulate in detail and which effects they entail for affected companies.
The purpose of the Measures is primarily to strengthen the handling of relevant data for more data security in the fields of industry and information technology. In addition, the measures emphasize that data development and use should also be promoted through the application of the Measures. This mirror image of mandatory requirements for data security on the one hand and enabling the economic use of data on the other can already be found in the DSL as well as in some high-level government documents, whereby the latter aspect of comprehensive "data governance" is still in the early stages of regulation compared to data security.
All industrial companies, software and IT service companies, licensed telecommunications companies, radio frequency and radio station user companies and other legal entities deciding independently on the purpose and methods of data processing, are subject to the Measures.
Regarding the material scope of application, the Measures divide protected data into industrial data, telecommunications data and radio data. Industrial data means data generated and collected in the course of research and development, design, production, administration, maintenance, platform operation, etc. in various industrial sectors. Telecommunications data means data generated and collected in the course of telecommunications operations. Finally, the Measures define radio data as data on radio frequencies, transmitters (stations) and other radio wave parameters generated and collected in the course of conducting radio business.
The MIIT has the central responsibility for the coordination and supervision of all activities within the scope of the Measures. The local departments of the MIIT implement the Measures within their local jurisdiction.
Effective data management first requires, in addition to the precise mapping of the data processed by companies, a classification according to suitable characteristics. According to the Measures, the classification is to be carried out in two ways:
For the first type of classification, the Measures mention (non-exhaustively)
According to the degree of potential damage, data must be divided into
The Measures provide some criteria that can be used to identify general, important and core data. In this context, the MIIT as well as its local bodies have the task to publish standards, specifications and catalogues for data classification, which companies must use as a guideline for their own data classification and cataloguing.
Particular emphasis must be placed on the obligation of companies to submit their internally compiled catalogues of important data and core data to the locally responsible department of the MIIT for review. The catalogues must indicate, among other things, the respective data sources, categories, levels, scales, carriers, processing purposes and methods, the scope of use, persons responsible, external disclosure, cross-border transfer and security measures taken. The actual data content is explicitly not to be included in the catalogues. If there are significant changes to the data listed in the catalogue after a positive decision by MIIT, these must be notified to the competent authority within three months of the change.
Like the DSL, the Measures require data processors to implement a data security management system that covers the entire lifecycle of the data concerned and must include the protection measures prescribed in detail in the Measures for all stages from data generation to deletion. The data security management system must take into account the principle of graded protection. In the case of simultaneous processing of different categories of data (general, important, core data), the highest category of data determines the level of protection to be applied. Companies must therefore take the following measures as a minimum:
Additional obligations are triggered according to the Measures when processing important as well as core data, such as the establishment of internal registration, authorization and other working procedures.
Finally, companies must fully document all processing activities and keep corresponding logs for at least six months.
The MIIT will establish a nationwide mechanism for monitoring, detecting, reporting and remediating or minimizing data security risks. To this end, both the locally competent authorities and data-processing companies will have indispensable support functions. In the case of companies, this means that they must take measures within the framework of their internal data security management to enable the early identification, processing, reporting and elimination of corresponding risks. In particular, this also includes the establishment of a channel for receiving complaints according to the Measures.
In order to assess and certify data security in enterprises, the MIIT will establish a system for managing qualified and accredited assessment bodies and formulate necessary standards for this purpose.
Processors of critical and core data are required to carry out a risk assessment of their data processing activities at least once a year, to address identified vulnerabilities in a timely manner and to submit risk assessment reports to the locally competent supervisory authorities. Such reports may, but need not, be prepared by an external assessment agency.
With regard to the powers granted to the authorities to enforce the Measures, the latter refer to the powers otherwise granted to the authorities by relevant laws (in particular the Cybersecurity Law, DSL and PIPL) as well as administrative regulations. Consequently, a wide range of possible measures is available to the MIIT and its local branches, such as obtaining information, entering facilities, imposing fines, seizing unlawfully obtained assets or gains or revoking issued permits and licenses. The initiation of criminal investigations is also conceivable in the case of a criminal offence.
The Chinese Communist Party and government have recognized early on that data is essential for the further development of the Chinese economy and society, and will be even more so in the future. From the point of view of the Chinese state, the main driving force clearly comes from players in industry and information technology, which is why they are to be regulated as a matter of priority with a view to the secure handling of data. This decision is basically understandable, as undetected or untreated vulnerabilities in these sectors can have devastating effects in an increasingly industrialized and digitalized society.
On the other hand, establishing and maintaining a robust data management system is also in the very own interest of affected companies. In most cases - especially in the case of small and medium-sized enterprises - data security incidents do not endanger national security or other high-level interests, but rather their own operations, or in the worst case even their existence. Therefore, even without the binding requirements of the new Measures, a systematic and critical assessment of the handling of data in one's own company is absolutely sensible. In this respect, the Measures provide affected companies with a guideline to help with setting up or enhancing their own data management system.
For its part, the MIIT announces on its official website (link in Chinese) what activities it intends to undertake after the Measures have come into force:
It remains to be seen how these activities will be prioritized and, above all, balanced against each other. In any case, affected companies should keep their eyes open for future implementation guidelines published by the MIIT.
Newsletter China
Sebastian Wiendieck
Partner
Send inquiry
Li Wang
Associate Partner
Rödl & Partner in China
