It is risky to use a European mind-set to interpret the PRC data protection regime. Since long this seems to have been the case, as when starting a discussion on data compliance in China, European colleagues usually refer to GDPR first. This naturally leads to a misperception that a data protection exercise in China will – like in Europe - only concern privacy-rich businesses like e-commerce and other consumer sectors, while for B2B business such as the traditional manufacturing, this may not be critical. Various laws enacted in the past, for example, the 2017 Cyber Security Law and the 2021 Data Security Law (DSL), may have touched upon non-privacy aspects, but the question of how relevant a data protection exercise is to a manufacturing company always remains quite vague and open. A clearer answer is now available after the Ministry of Industry and Information Technology (MIIT) introduced another updated draft Administrative Measures on Data Security in Industrial and Information Areas (Trial) on February 10, 2022 (“Draft”) to solicit public comments.
Expanded scope
Compared with the earlier draft published for public comments on September 30, 2021, the application scope of the latest Draft has been expanded by certain rewording, namely
- the earlier draft applied to data processing activities in the “industrial and telecom” (i.e. 工业和电信 in Chinese) areas within the territory of PRC. The latest Draft now replaces the latter with “informationization” which is derived from its Chinese counterpart (信息化) and is literally very similar to digitalization.
- when referring to industrial sector, the former draft explicitly addressed industries such as raw materials, equipment, consumer goods, electronic manufacturing, software and IT services, civil explosives. These examples have been crossed out under the latest Draft, and a general word “industrial” is now used.
The collection, storage, use, processing, transmission, provision and publication of data generated and collected in the course of R&D, manufacturing, operation and management, maintenance, platform operation in the industrial and informationization areas shall be governed by the Draft. This is already sufficient to cover almost all manufacturing operations.
Important data
The Draft is apparently aimed at implementing the DSL of last year by introducing a national wide data classification mechanism. The Draft reiterates that industrial data shall be classified into three categories, namely core data, important data and general data. Compared with the highly sensitive core data upon which foreign operations in China is unlikely to touch, the ambiguous definition of important data under the DSL has become a controversial issue as it is more likely to be touched by international companies operating in China.
The Draft addresses this issue more clearly by referring to the severity of the damage (which could be caused by a data breach). Any of the below consequential features will qualify the respective data as important
- creating a threat to the security of political, national land, military, economy, culture, society, scientific technology, electromagnetic (environment), cyber, ecology, resources or nuclear, jeopardizing a critical area relating to national security like overseas interest, biology, space, polar area, deep ocean and AI,
- causing a substantial impact on the development of the industry and informationization, on production, operation or economic interests,
- causing a major data security breach or a production accident, or causing serious impact on public interests or the legitimate rights and interests of individuals and organizations, resulting in adverse social impact,
- having an obvious cascading effect that impacts multiple industries, regions or multiple enterprises in an industry, or it lasting a long time which causes a serious impact on industrial development, technological progress or industrial ecology,
- other important data identified by the MIIT upon its assessment.
However, it remains not fully clear how the above classification mechanism aligns with the data classification system under some other earlier MIIT rules, namely the (draft) Industrial Data Categorization and Classification Guidance (Trial) published for public comments on February 27, 2021 (“Guidance”). According to this Guidance, industrial data refers to data generated and applied across the entire circle of products and services in industrial sector (e.g. R&D, manufacturing, operation and maintenance, industrial online platforms) which has quite some overlap with the Draft. The Guidance uses grade one, grade two and grade three to classify industrial data also by referring to different severity of breach impact upon e.g. national economy and security, industrial security. Nevertheless, the exact classification criteria appear different and these three grades may not necessarily be the equivalent of the core data, the important data and the general data as addressed by the Draft. How the Guidance will interplay with the Draft remains to be seen.
Statutory Obligations
The Draft introduces a “data lifecycle” approach to regulate the obligations of industrial data processors. This includes establishing a data security management system for different categories of industrial data covering its entire lifecycle, allocating dedicated resources and hands to manage data security management, including cooperating with regulatory authorities, having in place privilege management and contingency plans, and implement regular training. As far as data of different categories are intermingled, compliance measures shall be taken by reference to security measures applicable to the category of higher sensitivity.
As far as important data (as well as core data) is concerned, the Draft emphasizes the following:
- management liability: the legal representative or main person in charge shall be the first to be pursued in terms of liabilities, while the management member in charge of data security shall be the direct responsible person (this term will have significant legal implications in case of e.g. administrative punishment cases),
- written undertaking: key positions of data processing shall sign a data security undertaking letter;
- documentation: an internal registration and approval mechanism shall be established to strictly manage and record data processing activities.
It should be noted that statutory obligations associated with important data may have a spillover effect. Article 14 of the Draft stipulates that those who indirectly access important data (e.g. by processing important data provided by others) shall have in place a respective agreement or undertaking letter to specify the legal liabilities among relevant parties. In practice, this may become important for international companies whose Chinese subsidiaries are serving sensitive Chinese customers which quite often may push their own statutory data protection obligations to vendors or service providers. In this regard, it should particularly be noted that any expunge of important data (e.g. those received from a Chinese customer) needs to be reported to the local MIIT in a timely manner, and – upon reporting - any recovery of such important data for whatever reason or by whatever means is not allowed.
Your Actions
The Draft explicitly addresses manufacturing operations and will also apply to digital business models. Its broad scope and coverage makes a detour almost impossible. All manufacturing companies in China are already advised to take actions to ramp up into a compliant mode as anticipated by the Draft as well as the whole regime that has evolved rapidly in recent years. The actions may include
- analyzing the specific relevance of the Draft to one’s operation in China, in which context compliance requirements under other existing laws and regulations shall also be considered. Please refer to our earlier summary of the DSL implications for instances.
- preparing a data mapping throughout each and every business process to determine data sensitivity level of the operation, where particularly attention shall be paid to the topic of important data which may not necessarily come from within but also from outside.
- keeping a close eye on the ongoing legislative development, respecting the fact that the Draft remains general but quite some details are to be substantiated by further interpretation as well as enforcement practice.
- paying particular attention to cross border data transfer cases. As is already the case under existing laws like the DSL and the Personal Information Protection Law, the Draft reiterates that any provision of industrial data to a foreign law enforcement agency shall require prior approval of MIIT.
Considering the serious legal consequence of a non-compliance case (in particular potential management liabilities), spending justified compliance effort at early stage will be highly recommendable for international companies operating in China.
