1 March 2022
It is risky to use a European mind-set to interpret the PRC data protection regime. This has long been the case: when a discussion on data compliance in China begins, European colleagues usually refer to the GDPR first. This naturally leads to the misperception that a data protection exercise in China will, as in Europe, only concern privacy-rich businesses such as e-commerce and other consumer sectors, while for B2B businesses such as traditional manufacturing it may not be critical. Various laws enacted in the past, for example the 2017 Cyber Security Law and the 2021 Data Security Law (DSL), have touched upon non-privacy aspects, but the question of how relevant a data protection exercise is to a manufacturing company has always remained vague and open. A clearer answer is now available after the Ministry of Industry and Information Technology (MIIT) introduced another updated draft of the Administrative Measures on Data Security in Industrial and Information Areas (Trial) on February 10, 2022 (“Draft”) to solicit public comments.
Compared with the earlier draft published for public comments on September 30, 2021, the application scope of the latest Draft has been expanded by certain rewording, namely
The collection, storage, use, processing, transmission, provision and publication of data generated and collected in the course of R&D, manufacturing, operation and management, maintenance and platform operation in the industrial and informationization areas shall be governed by the Draft. This is already sufficient to cover almost all manufacturing operations.
The Draft is apparently aimed at implementing last year's DSL by introducing a nationwide data classification mechanism. The Draft reiterates that industrial data shall be classified into three categories, namely core data, important data and general data. Compared with the highly sensitive core data, which foreign operations in China are unlikely to touch, the ambiguous definition of important data under the DSL has become a controversial issue, as it is more likely to be touched by international companies operating in China.
The Draft addresses this issue more clearly by referring to the severity of the damage (which could be caused by a data breach). Any of the below consequential features will qualify the respective data as important
However, it is not yet fully clear how the above classification mechanism aligns with the data classification system under certain earlier MIIT rules, namely the (draft) Industrial Data Categorization and Classification Guidance (Trial) published for public comments on February 27, 2021 (“Guidance”). According to this Guidance, industrial data refers to data generated and applied across the entire cycle of products and services in the industrial sector (e.g. R&D, manufacturing, operation and maintenance, industrial online platforms), which overlaps considerably with the Draft. The Guidance classifies industrial data into grade one, grade two and grade three, likewise by reference to the severity of a breach's impact on, e.g., the national economy and security or industrial security. Nevertheless, the exact classification criteria appear to differ, and these three grades are not necessarily equivalent to the core data, important data and general data addressed by the Draft. How the Guidance will interplay with the Draft remains to be seen.
The Draft introduces a “data lifecycle” approach to regulate the obligations of industrial data processors. This includes establishing a data security management system for each category of industrial data covering its entire lifecycle, allocating dedicated resources and personnel to data security management (including cooperation with regulatory authorities), having in place privilege management and contingency plans, and implementing regular training. Where data of different categories are intermingled, compliance measures shall follow the security measures applicable to the category of higher sensitivity.
As far as important data (as well as core data) is concerned, the Draft emphasizes the following:
It should be noted that the statutory obligations associated with important data may have a spillover effect. Article 14 of the Draft stipulates that those who indirectly access important data (e.g. by processing important data provided by others) shall have in place a respective agreement or undertaking letter specifying the legal liabilities among the relevant parties. In practice, this may become important for international companies whose Chinese subsidiaries serve sensitive Chinese customers, which quite often pass their own statutory data protection obligations on to vendors or service providers. In this regard, it should particularly be noted that any expunging of important data (e.g. data received from a Chinese customer) needs to be reported to the local MIIT in a timely manner, and that, once reported, any recovery of such important data, for whatever reason or by whatever means, is not allowed.
The Draft explicitly addresses manufacturing operations and will also apply to digital business models. Its broad scope and coverage make circumvention almost impossible. All manufacturing companies in China are advised to act now to bring themselves into compliance with the Draft as well as with the wider regime that has evolved rapidly in recent years. The actions may include
Considering the serious legal consequences of non-compliance (in particular potential management liability), investing a justified compliance effort at an early stage is highly recommendable for international companies operating in China.
by Michael Tan