On 14 November 2021, the Cyberspace Administration of China (CAC) released the draft Network Data Security Management Regulations (the draft Regulations) and is accepting public comments until 13 December 2021.
The draft Regulations comprise 9 chapters and 75 articles with broad coverage of all types of electronic data. Once finalised and adopted by the CAC, the draft Regulations will provide more detailed practical guidance on how to implement the general legal requirements under national laws with a higher legal authority that have been adopted by the National People’s Congress and its Standing Committee, such as the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL).
In this alert, we focus on and summarise the supplemental rules introduced by the draft Regulations, including: (i) the data classification and multi-level protection scheme (MLPS); (ii) special obligations for processors of important data; (iii) special obligations for online platform operators; (iv) prohibited activities; (v) data incident reports; and (vi) network security assessments.
Data classification and multi-level protection scheme (MLPS)
The CSL and DSL laid down the principle that the state will establish a categorised and hierarchical data protection system. Further to this, the draft Regulations clarify how data should be categorised under this system:
- There are three main categories of data: general data, important data and core data. It is critical first and foremost to determine if any data is important or core data. Data that falls within neither of these categories is classified as general data.
- While core data is defined in the same way as in the DSL, the draft Regulations provide the following illustrations of what would constitute important data:
(i) undisclosed government data, work secrets, intelligence data and judicial enforcement data;
(ii) data which is subject to export control, data concerning a core technology, a design proposal, or production flow, and data derived from scientific research in the fields of, among others, encryption, biology, electronic information, or AI, that could have a direct impact on national security or China’s economic competitiveness;
(iii) the state’s economic operating data, business data of key industries and statistical data that is explicitly required to be protected and controlled pursuant to national laws, administrative regulations or departmental measures;
(iv) data concerning production safety, operations, key system components or supply chains in any of China’s key industries, such as manufacturing, telecoms, energy, transport, water conservation, financial services and national defence, as well as the state’s tax and customs regime;
(v) the state’s basic data relating to populations and health, natural resources and the environment in the fields of genetics, geology, mining, meteorology, etc., where the data exceeds a specific volume or level of accuracy specified by the competent authorities;
(vi) operational and security data pertaining to the nation’s infrastructure and critical information infrastructure (CII), and data concerning the geographical location of and security measures in force at national defence facilities, military areas, national defence research and production entities, and other important and sensitive places; and
(vii) other data that may impact the nation’s political system, its sovereignty, the military, the economy, culture, social interests, technology, ecology, resources, nuclear facilities, offshore interests, biology, outer space, the Arctic and deep sea.
Whether data constitutes important data or core data is not a straightforward yes-or-no question. A comprehensive analysis needs to be carried out as part of this process, and it is also essential to check whether any industry-specific laws, regulations or national standards apply.
- Personal data and important data will be subject to “key” protection and core data to “strict” protection.
- As a rule, any system that processes important data must hold MLPS certification above level 3 and meet the security requirements for CII. A system processing core data must enforce stringent security measures pursuant to the applicable regulations.