Key drafter reveals internal re-cut of Guideline for Identification of Critical Data
Then, out of nowhere, another kind of leak: one of the drafters at China’s committee on technical standards – the “TC260” – decided to give his WeChat followers a sneak-peak at an internal draft of the standard that will be used to identify “important data” under the China’s main data laws – the Information Security Technology: Guideline for Identification of Critical Data.
Although the document has not been officially published on the TC260’s portal as for the last iteration, the revisions shown in this draft dated 16 March provide those operating in the tech sector and beyond insights into regulators’ potential direction of travel.
Scope of data caught
Aside from the guideline (now named “rules”) reverting to identifying “key data” (in place of the January draft’s emphasis on “critical data”), the substance of the concept has also reverted from the short-form expression of “public interest” seen in September’s draft and November’s Network Data Security Management Regulations to re-introducing explicit references to “economic operation, social stability or public health and safety”, as well as “national security”, to characterise this type of data.
While this extrapolation may reflect the multi-faceted pressures from real estate sector debt to pandemic anxiety currently heaped on the Chinese authorities, it also emphasises that rules relating to important data could apply beyond SOEs and large public infrastructure operators – data classification will be a necessary exercise for most businesses to understand where they sit in this compliance framework.
The revised definition also refocuses the application of the rules on describing important data as being related to a specific field, group or region, or reaching a certain precision and scale. This mostly seems helpful in continuing the trend across drafts of these rules to attach the label of important data only to datasets relating to multiple enterprises or an entire industry, rather than a single organisation. In doing so, the new draft should reduce the likelihood of data localisation and other associated restrictions applying to any one international business’s everyday activities.
Indeed, this trend is further reflected in several of the rule’s heavily revised factors that should be considered when identifying important data. For example:
- CII operators: In the January rules, data “support[ing] the operation of [one company’s] critical infrastructure” could arguably be characterised as important data. Based on the new draft, however, this same factor seems more clearly to look across sectors at “data that supports the core business operation of the industries or fields of critical infrastructure”. This should generally relieve tech platforms and financial institutions, for instance, which might be designated as “critical information infrastructure operators” under China’s cybersecurity rules, as their basic business data should not constitute important data. However, the compliance net might still catch the BATs and other tech giants of China since their vast CRMs contain data representative of their sectors as a whole.
- Biotech/healthcare: As well as data relating to, among others, R&D and the application of biotechnology and genetic information, the new rules narrow in-scope data in this sector to that reflecting the health and physiological status of national or regional groups, and the diagnosis/treatment and health management data of the mass population. Despite existing healthcare guidelines suggesting that even the medical data of one patient could constitute important data, this burdensome interpretation may have disappeared. That said, data on just one “specific drug test” could be important data, which will trouble those conducting international clinical trials.
In his post, the drafter emphasises that underpinning all identification factors is the principle of maintaining national security and that the factors set out should be read from the perspective of the impact of the data types rather than that the data types alone being the determinative factor. Emphasis on context is also re-iterated in the draft rules, which is comforting given that some factors, such as the reference to the “business secrets of key enterprises”, remain vague and potentially broad in application.
The process and template schedule for reporting on identified important data has been expanded under the revised draft. More instructions are laid out and three new columns of details are required, making the reporting process increasingly akin to a data audit.
Considering the launch of the Personal Information Protection Law in November only just added personal information protection impact assessments to the roster of requirements on Chinese operations, international players already complying with data protection impact assessments and transfer impact assessments under the GDPR may not appreciate the extra paperwork. Calls for harmonisation will likely ramp up again.
Completing the report will be one thing. Signing it off will be another, with the name and contact details of the individuals in-charge of the organisation (presumably a CEO or legal representative) and the officer(s) supervising security of important data each having to be filed with the Chinese authorities.
There is no explicit bar on global CISOs or DPOs being listed, but political sensitivities regarding important data, and the practicalities of time zones and language capabilities, might make it necessary to delegate this responsibility – even if with robust reporting lines to HQs of multinationals needed given that very sensitivity.
Watch this space!
Developments in China’s regulation of data should not be ignored by U.S. businesses that engage with data from China.