Han Kun Law Offices
  March 10, 2022 - Mainland China

A Step Forward: MIIT Again Seeks Public Comments on Administrative Measures for Data Security
  by Han Kun Law Offices

On February 10, 2022, the Ministry of Industry and Information Technology (“MIIT”) issued a second draft of the Measures for Administration of Data Security in the Field of Industry and Informatization (for Trial Implementation) (Draft for Comment) (the “Measures”), which makes revisions to the first draft in response to public comments received following its issuance on September 30, 2021. This second draft opened for public comments until February 21, 2022.

Since 2021, the MIIT and the Cyberspace Administration of China (“CAC”) have proposed detailed rules to implement the Data Security Law of the People’s Republic of China (the “Data Security Law”) and the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), which focus on implementation in distinct fields. To strengthen data security management in the field of industry and informatization, the MIIT has issued the Measures to implement provisions of the Data Security Law and other relevant laws and regulations. The Measures provide approaches to apply the national data security management mechanism in the field of industry and informatization in an effort to establish the data security supervision and administration system in the field of industry and informatization, through further clarification of the data classification and data grading system, management of important data and core data, and other specific requirements[1]. In respect of cyber data[2], the CAC released the Regulations for the Administration of Cyber Data Security (Draft for Comment) (“Cyber Data Regulations”) for public comment on November 14, 2021. The Cyber Data Regulations propose rules for implementing relevant systems established by the Data Security Law and the PIPL; they also refine relevant requirements imposed by those laws while creating some new ones, such as the filing and annual reporting obligations of important data processors, security management duties of data processors that undertake cross-border data transfers, and responsibilities to be assumed by Internet platform operators.

Both at their formulation stage, the Measures and the Cyber Data Regulations are implementing rules respectively issued by China’s two major data security regulators. Despite certain overlap between the two, they highlight different regulatory aspects due to the nature of the data they regulate, reflecting the different regulatory scopes and approaches adopted by the MIIT and the CAC.

As revised, the Measures comprise 41 articles in eight chapters (fewer than the previous 44 articles) and differ from the first draft in the following aspects:

Below, by comparing the first draft Measures (0930) and the revised draft Measures (0210), we summarize and comment on key adjustments made in the revised draft.

Separate protection for personal information: PIPL added as an enabling law

As stressed in its drafting notes, the Measures (0930) adhere to the philosophy of the Data Security Law, which emphasizes control over personal information by categorizing it in catalogues of important data and core data, thus implementing full life-cycle security management of personal information without imposing any separate protection requirements for personal information[3]. Given that, the Measures (0930) cited as their enabling laws the Cybersecurity Law and the Data Security Law, not the Personal Information Protection Law. However, the Measures (0210) add the PIPL to the list of enabling laws and correspondingly adjust other relevant provisions with respect to personal information. For example:

Given the above changes in the Measures (0210), it appears that the MIIT has turned its personal information protection approach away from “unified management by categorizing personal information in the catalogue of important data and core data” and is heading toward separate protection of personal information. This shift of direction conforms to regulatory documents issued mainly after the Measures (0930). On November 14, 2021, the Cyber Data Regulations were issued for public comments, in which personal information was not covered by the specified definitions of important data and core data. In addition, a revised public comment draft of the Information Security Technology - Guideline for Identification of Critical Data (Draft for Comment) (the “Guideline”) issued by the Secretariat of the National Information Security Standardization Technical Committee on January 13, 2022, as well as its initial draft for public comment released on September 23, 2021, both define important data clearly as “not including state secrets and personal information, but may include statistical data and derived data formed on the basis of massive quantities of personal information.” To achieve consistency and coordination among relevant laws and regulations, the Measures (0210) change their approach to personal information management, emphasizing the PIPL’s role as the legal basis for personal information protection.

Expanded definition of data: brings radio data within the regulatory scope

The Measures (0210) revise Article 3 (Definition of Data) as follows:

Further clarifies regulators’ scope of authority: confirms MIIT’s supervisory role over local regulatory departments

The Measures (0210) further specify the functions and powers of data security regulators at the central and local levels:

Revises data classification and data grading standards: changes made to grading criteria and categorization methods

The Measures reiterate management requirements for data classification and data grading stipulated in the Data Security Law. The Measures (0210) make revisions to the data classification and grading working requirements and methods, as well as the criteria for identifying general data, important data, and core data, mainly in the following aspects.

However, enterprises still await clearer guidance in practice for how to implement the classification and grading of important data and core data, because the Measures lack quantified standards to identify factors such as “materially affect”, “severely affect”, or “materially damage”.

Clearer guidance for the filing system: more specific requirements for filing applications, filing reviews, and change filings

Based on the Measures (0930), the Measures (0210) provide further guidance for data processors’ obligations to file catalogues of important data and core data, specifically in the following aspects.

Persons responsible for data security: shifts primary responsibility to legal representatives and tightens internal management requirements for enterprises

The Measures (0930) stipulated that the first step for enterprises in fulfilling their data security management obligations was to establish and improve their data security leadership system. The Measures (0930) further provided that the Party committee (group) or leadership team would undertake primary responsibility for data security, the head of the enterprise is the first responsible person for data security, and the person in charge of data security is the person directly responsible for data security. The Measures (0210) consolidate the previous Article 13 (Subject Responsibilities), Article 14 (Working Systems), Article 15 (Key Position Management), and Article 16 (Data Collection) into a sole Article 13 (Subject Responsibilities) and modify the provisions as follows.

Therefore, we recommend that enterprises that process important data and core data pay close attention to the above changes and adjust their organizational structures going forward. Legal representatives, first responsible persons, directly responsible persons, and key personnel who bear data security responsibilities should attach greater importance to data compliance and take an active part in data security training, so as to improve their data management expertise.

Updated requirements for full life-cycle data management: removes language prohibiting core data exports and imposes security obligations for processing core data among different persons

The Measures (0210) update the general requirements for protection of the various grades of data across the full life cycle of data management, as well as the additional requirements for the processing of important data and core data. We recommend that enterprises pay attention to the following changes in the compliance requirements:

Coordinates data security reviews: adds flexibility for security assessments, cooperation with supervision, and other requirements

According to the Measures (0930), the State will implement data security supervision and administration through data security inspection, assessment, authentication, supervision, inspection and security reviews. Enterprises are obligated to conduct security assessments, assist with regulators’ supervision and inspections, and pass data security reviews. The Measures (0210) make the following changes that would add flexibility in Article 5 (Data Security Monitoring, Authentication and Assessment) and Article 6 (Supervision and Inspection):

Conclusion

Compared to the first draft, the Measures (0210) make quite a number of changes. In addition to the substantial compliance obligations mentioned above, the revised draft also makes changes in terms of wording and the assumption of legal liability (e.g., it removes the provision that incorporates data processors’ data security liability into the credit management system and puts those who commit data security violations on the blacklist of dishonest subjects). The second draft coordinates the Measures with relevant laws and regulations, rectifies the wording of relevant concepts, and adds flexibility to supervision and compliance approaches. As the overarching regulatory design in the field of industry and information technology, the Measures set forth many specific compliance requirements to which enterprises in that field should pay great attention.

Important Announcement

This Legal Commentary has been prepared for clients and professional associates of Han Kun Law Offices. Whilst every effort has been made to ensure accuracy, no responsibility can be accepted for errors and omissions, however caused. The information contained in this publication should not be relied on as legal advice and should not be regarded as a substitute for detailed advice in individual cases.

If you have any questions regarding this publication, please contact:

Kevin DUAN

Tel: +86 10 8516 4123

Email: [email protected]

Kemeng CAI

Tel: +86 10 8516 4289

Email: [email protected]
Footnotes:

[1] Please refer to the drafting notes of the Measures for Administration of Data Security in the Field of Industry and Informatization (for Trial Implementation) (Draft for Comment) at:
https://www.miit.gov.cn/cms_files/filemanager/1226211233/attach/20219/1d1668e46e644b42b04a95db43854607.pdf
[2] “Cyber data” refers to any data recorded in electronic form, which is not limited to data generated by using the internet or a network or processed therein. For more information, see:
https://mp.weixin.qq.com/s/3uewzfNMEP_2Rr9SpaULnw
[3] Please refer to the drafting notes of the Measures for Administration of Data Security in the Field of Industry and Informatization (for Trial Implementation) (Draft for Comment) at:
https://www.miit.gov.cn/cms_files/filemanager/1226211233/attach/20219/1d1668e46e644b42b04a95db43854607.pdf