1 December 2023

China’s “Important Data” Regime Challenges Global Norms

Scott Livingston

China has recently launched a series of provincial “data security escort” special action campaigns (“数安护航”专项行动) to speed implementation of a new regulatory regime that focuses on the identification and protection of a specific subset of data known as “important data” (重要数据) (GDCENN, October 26; Anquan Neican, August 15; Jiangsu Government, June 29). [1] The development of this regime introduces a novel element to data protection laws, one in which private data holdings must be assessed for their national security implications and, where such data is deemed “important,” reported to the government and restricted from overseas transfer unless approved.

China’s new requirements on “important data” end a more halcyon era in which companies were largely free to exchange their Chinese data with overseas corporate affiliates and business partners, provided that such data did not constitute a “state secret.” The new rules add an additional layer to an increasingly crowded cybersecurity compliance landscape in China, while also increasing the insight the Chinese Party-state has into private data holdings.

For China’s trading partners, this new regime poses a further challenge to the open internet, one in which cross-border data flows are increasingly restricted in the name of national security. This policy has the potential to significantly reshape global data flows over the next decade.

From ‘Who Holds the Data?’ to ‘Who Does the Data Affect?’

Data protection laws in the European Union, United States, and China have, to date, largely focused on regulating the collection, processing, and sharing of individuals’ personal information (PI). Governments may deem certain data as “classified” (or in China, a “state secret”), while many corporations may designate sensitive private data as “trade secrets” to protect them from third parties. In general, however, these governments have declined to mandate a data protection regime for the non-classified, non-PI data of natural or legal persons.

To these traditional data protection elements, China is now introducing a new category of sensitive—though non-classified—“important data,” which ignores traditional public-private distinctions to focus on the potential impact the data might have on national, social, or individual interests if illegally disclosed.

Hong Yanqing (洪延青), a Peking University law professor who sits on the TC260 standards drafting committee, is one of the primary drafters of numerous national standards regulating data protection (Beijing Institute of Technology School of Law, accessed November 13). In a 2021 article in China Law Review, he explains China’s new approach as based on a recognition that “in many cases, the value of the data in the hands of enterprises is higher to the country, society, and individuals than to the enterprise.” Once a security incident occurs, “the harm [to these parties] may be greater than the harm to corporate interests” (Anquan Neican, November 1, 2021).

As an example, Hong cites the Cambridge Analytica scandal, where corporate data on personal information was illegally used to influence the Brexit referendum and the presidential election in the United States, both in 2016. [2] Because these disclosures had a far greater impact on the affected societies than they did on the company itself, Hong argues for abandoning the “question of ‘who controls the data’… and to instead judge [data] from the value and interests the data may affect.” Because these values and interests may “go beyond the organization’s internal perspective,” it is necessary for “the state to make a decision ‘from the top down.’” [3] This “top-down” decision is, in essence, China’s new “important data” regime. [4]

Important Data Defined

The concept of “important data” was first introduced in the PRC Cybersecurity Law (Xinhua, November 11, 2016) and later expanded on in the PRC Data Security Law (DSL) (Xinhua, June 10, 2021). However, neither law defined the term itself. This lack of an overriding national definition appears purposeful, as the new regime calls for local governments and industry regulators to take the lead in identifying what constitutes “important data” in their sectors and then to collate lists of identified data in “important and core data catalogues” (重要数据和核心数据目录) that are submitted to higher authorities (see for example: MIIT, December 7, 2022, Article 7). “Core data” (核心数据) is an even more sensitive subcategory of “important data.” It will not be discussed in depth here.

While this overall legal regime remains a work in progress, the current approach appears as follows:

From the top down, local governments and industry regulators are instructed to publish specific guidelines for identifying “important” and “core” data in their respective region or industry. For example, the Regulations on the Management of Automobile Data Security (Trial), promulgated by the Cyberspace Administration of China (CAC) and four other ministries, set out six general categories of “important data,” including “data reflecting operations such as vehicle flow and logistics, data on the operation of the automobile charging network, and video and image data from outside the vehicle containing facial information or license plate information.” The Ministry of Industry and Information Technology (MIIT) has also drafted guidelines for the identification of “important data” among industrial data—which accounts for more than a third of data sources in China—but this document has yet to be made public. [5]

In drafting these identification guidelines, local and industry regulators will likely refer to certain general definitions for the term that have been provided in ministerial regulations and national standards. For example, under the 2022 Measures for the Security Assessment of Cross-Border Data Transfers (CBDT Measures), “important data” is defined as “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety” (CAC, July 7, 2022). Similar—though not identical—definitions are found in two recent draft national standards (which can be downloaded at: TC260; SAMR, January 7, 2022), as well as a draft data security regulation published in 2021 (CAC, November 14, 2021).

These general definitions serve as guideposts for local officials and industry regulators to craft more specific identification guidance and data handling regulations to clarify how companies should protect the “important data” that exists in their region or sector (see DSL, Art. 21: PRC State Council, June 11, 2021). In short, the scope of “important data” will be determined by a variety of regulatory officials in China, each of whom will have substantial discretion to define what should be considered “important data” and how this data should be handled.

Important Data Requirements

The designation of certain data as “important” brings with it two significant requirements. First, because the CBDT Measures require government approval before the export of any “important data,” there is a de facto (and, in certain industries, de jure) data localization requirement for all “important data.” That is, all such data must be stored within the borders of the PRC. Second, as mentioned above, the DSL requires lower-level departments to draft their own implementing regulations for data security and to adopt strengthened requirements for the handling and processing of “important data.”

To date, the first and only comprehensive sector-specific regulation has been the Interim Measures for Data Security Management in the Industrial and Information Technology Industries (Interim Measures), published by MIIT in December 2022 (MIIT, December 7, 2022). The Interim Measures require that MIIT-supervised companies comply with 19 specific requirements to establish a “full life-cycle data security management system” (数据全生命周期安全) within their operations, with certain heightened requirements for handlers of “important” and “core” data. [6]

Among these requirements, companies must regularly audit, classify, and grade their data holdings, and report their “important” and “core” data holdings in “important and core data catalogues” which are filed with their local MIIT office. In these reports, companies are obliged to include a wide variety of information relating to the data, such as its source, the purpose and method of processing, the scope of its use, and the external entities with whom it is shared. However, the content of the data itself does not need to be included (MIIT, December 7, 2022, Article 12). Local MIIT offices then collate these individual data catalogues into an overall “important data” catalogue for their area, which is reported through higher-level MIIT offices up to Central MIIT, where it forms a national catalogue of “important data” for this sector.

Implications for Companies

The developing jurisprudence surrounding “important data” adds to a growing list of cybersecurity compliance obligations for companies operating in China.

This includes China’s Multi-Level Protection Scheme (信息安全等级保护制度) under which companies are required to identify and report their information systems to the Ministry of Public Security (Ministry of Public Security, July 24, 2007). In addition, CAC released a draft measure in August 2023 requiring regular compliance audits for a company’s PI holdings (CAC, August 3).

While these measures are aimed at strengthening the country’s overall cybersecurity, one obvious side-effect is to increase the visibility national regulators have into the digital assets of private enterprises, be it their information systems, data, or PI. While this should not be a surprise for any company operating in China’s socialist market economy, it does constitute a regression from some of the independence enjoyed by private firms in the period immediately following China’s 2001 accession to the World Trade Organization.

Perhaps more importantly, the data localization element of this new regime will cause complications for companies, as any international transfers involving “important data” must now be delayed while regulatory approval is sought and obtained. Dealmakers will need to consider whether their transactional data involve (or could involve) “important data,” and how the deal might be affected if Chinese regulators subsequently identify certain parts of those data as “important.” In some cases, such as where imported data may be further modified or processed in China, the new rules may create a “Hotel California” situation for companies, who may be fearful of transferring their technology or data into China lest it never be allowed to leave. Such cross-border restrictions may, in the end, hamper China’s own indigenous technology drive and domestic R&D efforts.

There are signs, however, that China understands these risks, and believes that this policy should be applied lightly. In September 2023, the CAC released a draft measure that would relax some of the requirements related to cross-border data transfers, particularly with respect to PI (CAC, September 28). For “important data,” the draft measure clarified that cross-border transfer approval should only be sought for “important data” that had been “notified or publicly announced” and not merely suspected of falling into that category.

While this creates some breathing room for corporations in China, it remains an open question how well China can constrain the scope of “important data,” given the vast discretion local governments and industry regulators have to define its terms in the various catalogues. Ensuring that this new area does not hamper overall economic development will be an important priority for Chinese regulators over the coming years, and companies will need to closely track the development of these catalogues for indications of whether Chinese regulators are favoring protecting national security over economic development.

Conclusion

Applied prudently, there is certainly nothing wrong with the protection of sensitive information that does not rise to the level of “classified” data. In this regard, Chinese regulators have shown some vision in understanding the new national challenges arising in an era of vast data resources and how to respond to them.

There are some signs that this approach is paving the way for other countries to follow suit. In October 2023, the Financial Times reported that Belgian intelligence was investigating Alibaba’s logistics center at Liège Airport over concerns that the sensitive economic data processed by the facility might be shared with the Chinese government (Financial Times, October 4). Although this investigation was not portrayed in language indicative of the “important data” framing, the core concern behind it—that some sensitive (though non-classified) private data may impact national interests—is identical to the concerns driving China’s approach.

While the future protection of non-classified business data might be a reasonable legal advancement, there are valid concerns over the potential for competing national laws requiring localization of whatever the respective domestic regulators deem “important data.” Such an approach heralds a new front in the ongoing technology rivalry between nations. Taken to its limits, this threatens a damaging, zero-sum view of international data resources. As China continues to define this space, prudence will be paramount, lest its national security prerogatives give rise to a new “data security dilemma” between countries, as each nation looks to respond to foreign data restrictions by erecting barriers of its own.
