Long-awaited identification guide for key data to be released for comment soon

What's the context?

The PRC Data Security Law will come into effect on 1 September 2021. It imposes a local storage requirement for key data on selected organisations and makes their cross-border transfers of key data subject to a pre-transfer security assessment.

The concept of “important data” was first introduced under PRC Cybersecurity Law back in 2016, although the scope of this type of data has remained undefined for nearly 5 years. Even if government officials’ rationale for changing the English translation to “key data” seems unclear, finally, with the tight deadline for compliance with the Data Security Law looming, industry’s long wait for guidelines on the definition and scope of this data classification may soon be over.

You cannot judge a book by its cover

The cover of draft Information Security Technology - Identification Guide of Key Data (the “Draft”) shows the content was finalised on 18 June. Although the full text of the Draft has yet to be officially released by rule-makers, it is not uncommon for technical standards like this one to be released a few days, or even months, after completion.

In this case, the wait could be down to the potentially profound impact of the Draft on China’s digital ecosystem. As we have seen before, rule-makers may be taking time for initial private and semi-private consultations before wider publication of a crucial piece of their regulatory framework. For example, one of the guideline’s drafters (from an influential thinktank reporting to Chinese Ministry of Industry and Information Technology) held a seminar in Shanghai on 29 June to discuss the Draft with people from commerce and academia. It is possible that the version of the Draft eventually published online for public comment will reflect feedback from these sessions.

What do we know for now?

Under the Draft, key data means: “any data the alteration, destruction, disclosure or illegal acquisition or exploitation of which may have a direct impact on national security, economic operation, social stability, public health and safety”. A note in the Draft make it clear that personal information normally does not constitute key data. On the other hand, statistics and data derived from a large amount of personal information may constitute key data.

For those with good memories, the definition of key data and the carve-out for personal information are consistent with the 2019 draft Administrative Measures on Data Security (the “Data Security Measures”). This indicates that Chinese legislators seem keen to continue a dual-track approach to supervising personal data and “important / key data” in their bid to safeguard cybersecurity alongside promoting protection of individual’s privacy.

Key data has 8 categories under the Draft. They related to (1) economic operations, (2) population and health, (3) natural resources and the environment, (4) science and technology, (5) security and protection, (6) application services, (7) government activities, and (8) others. While the Draft goes on to detail further subcategories and requirements attached to each of them, there is not the level of granularity on the types of data within each subcategory as was seen in Annex A of the 2017 Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (the “2017 Guidelines”).

This may be a good thing! The 2017 Guidelines covered 28 industries and were thought by industry at the time to be too wide-ranging to be workable by businesses in practice. Indeed, the fact that the new descriptions under the Draft are less detailed and expansive seems to be deliberate, with the drafters explaining that they aim to narrow down the scope of key data compared to the 2017 Guidelines. Thumbs up for legislators listening to industry, though the more generic categories in the current form of the Draft may make it more difficult for organisations’ personnel to run precise internal data mapping processes to ensure compliance.

Do we have all the answers?

No. Crucial questions remain:

  • How will the scope of “key data” to be defined under the local and industry standards contemplated under the Data Security Law differ from that under the Draft?
  • How will this Draft, when finalised and promulgated, work with local and industry standards (for example, banks and securities companies already have industry standards to comply with regarding data categorisation) – will existing categorisation guidelines be withdrawn and re-written despite some businesses having changed their practices to comply with them?
  • Will the other key data type introduced under the Data Security Law – “national core data” – be further defined under similar guidelines?
  • How do the scope and handling requirements for national core data interact with key data?

The Draft itself says, “[t]his document serves as a reference for each region and department in the formulation of a catalogue of key data for the respective region, department and the relevant industry sectors and fields, and supports the protection of data security.” However, without a better understanding of the hierarchy between new and old, and regional and industry, catalogues, drawing a clear reference from this Draft may be easier said than done. The practical impact on these local and industry rules will need to be further analysed as these emerge. We will continue to follow developments and of course keep you posted!