On 13 January, the National Information Security Standardisation Technical Committee of China (or “TC260” to use the catchier title of China’s chief committee on technical standards) released another draft of its guidelines to be used to identify “important data” under the nation’s main data laws – the Information Security Technology: Guideline for Identification of Critical Data.
Those following a drawn-out drafting process will appreciate that this type of data typically attracts a higher compliance burden and requires regulator consent to transfer it overseas.
Set out below are some thoughts from us on what the revised formulation could mean for those operating in the tech sector and wider businesses alike.
- What do we call it? The chameleon of data, we have another change of appearance! Although the definition of this data type remains unchanged (namely “any data in electronic form, the alteration, destruction, disclosure or illegal acquisition or exploitation of which may endanger national security and public interest”) and its Chinese moniker has not been altered (重要数据), the English name has now gone from “important data” to “key data” to “critical data”. With the admitted prevalence of foreign reference materials in the thinking of the drafters, this change may be a nod towards the use of “criticality” in NIST parlance in the US – more below. De-coupling is so 2021.
- What’s its purpose? The previous version of the document gave fairly detailed suggestions on the aspects relevant to each of the 8 characteristics of key data. Maybe worryingly, the document now specifies only the “basic principles and considerations in identifying critical data” – is there more detail to come? We knew from the last draft that industry and regional departments would be mandated to craft their own catalogues of what comprises this data type in their respective sector or locality, but that empowerment now seems to have increased. Unhelpfully for business, the timetable for those subordinate lists is unclear.
- Scope: wider or narrower? If, as a matter of semantics, “critical” seems narrower than “key”, the descriptions of this data type are certainly trimmed down. The explanatory note alludes to the reasons being the release of further data laws in the period between drafts of this guideline (especially the Network Data Security Management Regulations) and – in a pleasing acknowledgement to the worth of lobbying – consultation feedback! Although the draft has moved to 14 “factors” to be considered rather than a mere 8 “characteristics” – a shift towards the approach taken by NIST – the extent of descriptions and examples given is massively reduced from about 6,000 to 1,000 words.
- Form over substance? Actually, the substance of what is “critical” is broadly the same when you inspect the small print. However, there are some descriptors that may cause concern due to their vagueness. For instance, critical data can be data “related to technological strength” or “influencing international competitiveness”. The embedded example for this suggests it could be connected to IP rights relating to “defence and national security”. Yet all China CEOs in today’s digital economy will hope that they hold some intel on their own “technological strength”. The drafters’ explanations of how to read the factors focus on national security and presenting as small a scope as possible, but they do seem open to interpretation. Considering that this section of the guideline ends by announcing that “Any data that have one of the above factors are critical data”, a narrow interpretation will be critical!
- Process driven? The sections on how lower-level authorities and organisations identify this data type in their systems have been removed. Good news? Businesses will likely welcome formulating their own approach.
- What to report? The reporting format and explanatory text remain from the last draft, albeit with tweaks. Interestingly for larger businesses, it seems they are no longer required to report based on where the data is located, but on where they are registered. This may reduce the compliance burden of those operating from multiple premises with dispersed data hosting infrastructure – i.e., businesses which would otherwise need to report by reference to varying catalogues of different regional authorities.
- Emphasis on export controls. To better align with existing laws on similar topics, reference is added in the guideline to the PRC Export Control Law. While the substance of the factor relating to export controls seems unchanged, this citation emphasises the importance of this category of data in the context of cross-border transfers – lest international businesses forget that the export of important data (indeed, of any quantity) was specifically called out for regulatory assessment under the October draft measures regulating this transnational processing activity.
- What standard are we judging our data by? A subtle change, maybe, but the new version of the guideline has been downgraded from a “standard” (标准) to a “standardised document” (标准化文件). We understand from one of the drafters that this revision is not material and it should not be read to mean a faster route to finalisation. However, the final form should be expected no earlier than the end of 2022.
All the answers are therefore not in this Chinese New Year’s red envelope. Businesses’ wait for clarity on this operationally – and, in some cases, strategically important – issue goes on.
For those celebrating the coming of the Tiger, best wishes to you, your families, and your colleagues!
Securing Chinese data flows is now a core element of China’s evolving cybersecurity strategy.