What Chinese data is “important”?
The National Information Security Standardization Technical Committee (also known as TC260) has published a draft of a brief, non-binding guideline on the identification of “important data” (the Identification Guideline).
The concept of “important data” was first introduced by the Cybersecurity Law (the CSL) in 2017 and was more recently carried into the Data Security Law (the DSL). It is a sui generis category of data that has a national security, national economy, social stability, public health and safety or other public interest dimension, and that is subject to additional controls on cross-border transfers as well as to other protective measures.
The term, however, has never been exhaustively defined. Under the DSL, regional and sectoral regulators have been tasked with formulating “important data” catalogs for their respective sectors “based on the importance of the data to economic and social development and the degree of harm that its destruction, disclosure, unlawful acquisition or use, or alteration, would cause to national security, the public interest or the rights and legitimate interests of individuals and organizations”.
The Identification Guideline, released on January 13, 2022, is the first step toward implementing this nationwide “important data” classification system. It aims to guide Chinese authorities in formulating sector catalogs and to help organizations identify the “important data” they hold.
The Identification Guideline defines “important data” as “data that exists in electronic form and that may endanger national security and public interests when falsified, destroyed, disclosed or obtained or used illegally”. The limitation to electronic data is new.
The guideline also clarifies that “important data” is not intended to encompass data that is important or sensitive only to a particular organization (such as data relating to the organization’s internal management). Nor is it intended to include personal data, although the guideline explains that statistical data and other data derived from “very large” amounts of personal information are not excluded from constituting “important data”. In general, the Identification Guideline emphasizes both the qualitative and quantitative aspects of “important data”, which may indicate that volume thresholds are likely to appear in certain categories.
Prior to the Identification Guideline, the clearest articulation of “important data” by any industry regulator was in the Several Provisions on Vehicle Data Security Management, in force from 1 October 2021. Unlike the draft Identification Guideline, those provisions stipulated that a data set comprising the personal data of more than 100,000 individuals (i.e. vehicle owners, drivers, passengers, etc.) constitutes “important data”.
The draft Identification Guideline identifies 14 factors that should be considered when identifying “important data”. These factors can be grouped into the following three general categories:
Defense interests, i.e. information relating to:
- National strategic reserves and emergency mobilization capacities, for example, strategic material production capacity and reserves.
- Information that can be used to launch military attacks against China, for example, geographic information above a certain scale.
- Confidential information of defense contractors and other government suppliers.
National security interests, i.e. information relating to:
- Physical security of key infrastructure and assets, e.g., construction design, internal structure information, and the security of significant production enterprises or national assets (such as railways, oil pipelines, etc.).
- The operation of critical infrastructure or industrial production in key areas.
- Security protecting critical information infrastructure, for example, network security plans, system configuration, basic software and hardware design, system topology, contingency plans, etc.
- Supply chains for critical equipment and system components that could be used to mount a cyberattack, for example, important customer lists, undisclosed vulnerabilities, etc.
- Export controlled items, for example, design principles, technological processes and production methods.
- The production and use of equipment that may be sanctioned by foreign governments, for example, data on the financial transactions of key enterprises, information on the production and manufacture of important equipment or equipment used in the construction of major national projects and other activities.
- The operations of government and government agencies, including intelligence agencies, law enforcement and courts, as well as unpublished statistics.
- Intellectual property rights related to national security (or national defense interests) and other scientific and technological information affecting China’s international competitiveness.
Strategic economic interests, i.e. information relating to:
- The health and physiological status of certain population groups and genetic information, etc., such as population census data, human genetic resource information, and original gene sequence data.
- National natural resources and environmental data, for example, unpublished hydrological observation data, meteorological observation data and environmental monitoring data.
Finally, the Identification Guideline contains a catch-all, typical of Chinese regulations, for other data that may affect national security, the military, nuclear facilities, the Chinese economy, cultural and social interests, Chinese interests in technology, ecology, resources, biology, outer space, polar regions or the high seas, or China’s foreign interests, etc. It also covers other data that reflects the performance of the economy, as well as a list of more specific types of automotive-related data that constitute “important data”.
Organizations that hold “important data” will need to pass a government security assessment and obtain permission to transfer that data overseas. They will also need to appoint a data security officer, conduct annual risk assessments, submit an annual risk assessment report to the provincial cybersecurity administration (and possibly also the municipal police), and file an annual report on overseas transfers of “important data”.
The draft network data security regulation issued in November 2021 would, if enacted as proposed, also require organizations to report to the provincial cybersecurity administration within 15 working days of identifying that they hold “important data”.