Reed Smith In-depth

China’s National Information Security Standardisation Technical Committee published the Information Security Technology – Security Requirements for Processing of Important Data for public comment (the Draft New Rules) on 25 August 2023. Important data is a significant concept under Chinese data and cybersecurity regulations and can have critical implications for investors and business operators in a wide range of sectors, including the automotive, aviation, energy, financial, health care, infrastructure, mining, public utilities, and telecoms industries. The Draft New Rules outline security requirements for data handlers to process important data and, upon finalisation and implementation, will serve as best practice as well as regulatory guidance for law enforcement in relation to important data.

Important data is subject to enhanced compliance requirements under the PRC Cybersecurity Law, Data Security Law and other relevant laws and regulations, but the detailed rules on the processing of important data still lack clarity. This client alert aims to summarise the key requirements and highlights under the Draft New Rules and discuss the major implications for business organisations.

Definition of important data

Being able to identify important data is crucial in determining whether data handlers will be subject to the compliance requirements applicable to important data. Although generic definitions of important data are scattered across various Chinese laws, regulations and national standards, there has not yet been a unified definition of important data. According to the Information Security Technology – Guidelines for Identification of Important Data (the Draft Guidelines) released in January 2022, important data is defined as data that exists in electronic form, the tampering, sabotage, leakage or illegal acquisition or use of which, once it occurs, may endanger national security or public interests (and so excludes state secrets and personal information, but potentially encompasses statistical data or derived data generated from a substantial amount of personal information).

By contrast, the Draft New Rules define important data as data within specific fields, groups or regions, or data that possesses a certain level of detail and scale, that, once leaked or tampered with or destroyed, may directly endanger national security, economic stability, social order, or public health and safety. This is almost the same as the definition in the draft Network Data Classification and Categorisation Requirements issued in September 2022.

The definition of important data under the Draft Guidelines is broad and vague. However, it seems that the Draft New Rules’ definition is even broader and vaguer. In addition, the above definitions also differ from the definition under the CAC Security Assessment Measures for Cross-border Data Transfer. If the Draft Guidelines and the Draft New Rules are finalised in their current form, it is likely that companies will still need guidance from industry regulators on how to identify important data.

Security of infrastructure

Cloud services are commonly used by data handlers today, posing potential risks to data security. The Draft New Rules require a risk assessment before engaging any cloud services to process important data. For the purpose of risk assessment, important data handlers must demonstrate the necessity of using cloud services to process the data, as well as the trustworthiness and security of those cloud services. As far as existing cloud services are concerned, data handlers must conduct a risk assessment on a regular basis and cease to use the cloud services if any unacceptable risks are identified. Further, the Draft New Rules provide that any information systems used to process important data must adhere to the multi-level protection scheme (MLPS) and be certified as Level III or higher.

This may have a significant impact on both cloud services providers and data handlers. In particular, given that MLPS certification would require that all the IT systems must be deployed within China, it could be challenging for cloud service providers with servers deployed outside of China to process important data in China.