CHINA: Data Regulations Expand to Radio Signals and Other Non-personal Industrial Data
By Donnie Dong & Amber Huang
CHINA’s Ministry of Industry and Information (MIIT) released its latest draft Measures on Administration of Data Security in the Sectors of Industry and Information (Measures), seeking public comments by February 21, 2022.
This is the second time MIIT releasing a draft of Measures. The first draft was released in September 2021. The updated draft mentioned the PRC Personal Information Protection Law (PIPL), but personal information protection is obviously not the focus of the Measures.
The Measures focus on another issue: security of the “important data” and “core data”, which are concepts raised in the PRC Data Security Law (implemented 2021). In short, “important data” are datasets that are important to social security and national security and therefore need heightened protection. “Core data” are those datasets even more crucial for national security and social stability.
MIIT and other Chinese authorities (in particular the Cyberspace Administration of China) have addressed the important data and core data in a few regulatory documents. The Measures will be functioned to be a clarification on the scope of MIIT’s supervision power. Given the jurisdiction of MIIT among the government departments, the “industry sector” in the context of MIIT-issued regulations mainly refers to the engineering, mechanical, and other heavy industries, while the “information sector” mainly covers the telecommunication and internet service providers.
Once implemented, the Measures will impact the business operation of multinational companies. In particular, manufacturers or service providers of mobile communication base stations, switch rooms, antennas, mobile terminal devices (cell phones, laptops,), radio transmitting equipment, vehicle networking would be affected. Stakeholders in these sectors may consider submitting comments before the deadline of February 21, 2022.
Among others, MNCs should pay more attention to the following provisions of the Measures:
Coverage – Expanded to Radio Signals
Further to the “data” in the traditional sense (e.g., personal information and non-personal industrial, financial data), the draft Measures clarify that “radio data” are also regulated. Radio data refers to the radio frequencies, data generated by base stations and other radio wave parameters, as well as data generated or transmitted through modulation electromagnetic signals.
Other non-personal industrial and manufacturing data are also covered by the Measures.
MIIT’s provincial-level branches will be the law enforcement agencies reviewing the data processing activities of stakeholders, including government authorities, state-owned enterprises, and private companies.
MIIT headquarters will review applications for processing “core data”, and will also be responsible to maintain national standards for identifying the “important data” and “core data”. It will maintain a registration system for provincial-level branches to register each processor of important data or core data.
– The Measures set out principles in identifying “important data” and “core data” and list out certain typical examples. In general, the stronger impact/hazard to the economy and national security when it is breached, the higher chance a dataset will be classified as “core data” or “important data”.
– MIIT will create standards to guide local (provincial level) authorities in identifying “important data” and “core data” and will maintain a dynamic list of core data and important data.
– Provincial-level local authorities will be responsible to identify “important data” and “core data” according to the MIIT standards and report the identified data to MIIT.
– Companies shall refer to the MIIT standards to conduct self-identification and keep a catalog of “important data” and “core data”.
– If a company believes it possesses “important data” or “core data”, it shall report and register with local (provincial level) authorities. The report should include manners of data processing, the scope of access, whether cross-border transfer, as well as security measures, adopted. On the other hand, being good news, the draft Measures clarified that the report to authorities shall not include the original data.
– If the scale of the dataset changes and the change exceeds 30% of the original data volume, the important data or core data holders shall renew their registration with local (provincial level) authorities within 3 months since the occurrence of the change.
– Companies shall categorize their data into certain categories, such as “R&D data”, “data generated from manufacturing operation”, “management data”, “maintenance data”, and “business data”.
– The categorization shall be reviewed and updated periodically.
Executives’ Personal Liability
The statutory legal representatives (usually CEO or Chairman/woman) of a company shall be responsible for the company’s data administration and may be found personally liable to data breach incidents. However, the draft Measures has not detailed the scale and thresholds for finding such personal liability.
Data processors shall establish a data destruction system, the destruction of important data and core data shall be recorded with authorities, and the destruction must not be reversible.
Compliant Duties during Merger & Acquisition
If a data controller’s legal status is expected to be changed due to merger, acquisition, restructuring, or bankruptcy, the data controller shall inform affected users/data subjects. If the data controller processes “important data” or “core data”, it shall update the registration records with competent local (provincial level) authority.
A possessor of “important data” or “core data” shall seek permission (rather than just update registration records) with local (provincial level) authority when it plans to provide, transfer “important data” or “core data” with another entity or mandate a data processor to process data. The local (provincial level) authority shall forward the application to MIIT for its review.
* * * * *
Author: Donnie Dong. Admitted to practice in China and New York State, the author is a Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP). Dr. Dong is also a member of the steering committee for Digital Asia Hub, a non-profit think tank collaborating with leading scholars and practitioners of digital society in Asia.
This communication is provided as a service to FuJae Partners’ clients and contacts. It is intended for informational purposes only. It is not intended to create an attorney-client relationship or to constitute any form of advertisement.