China: A Step Forward: MIIT Again Seeks Public Comments On Administrative Measures For Data Security

Authors: Kevin DUAN 丨 Kemeng CAI¹

On February 10, 2022, the Ministry of Industry and Information Technology ("MIIT") issued a second draft of the Measures for Administration of Data Security in the Field of Industry and Informatization (for Trial Implementation) (Draft for Comment) (the "Measures"), which makes revisions to the first draft in response to public comments received following its issuance on September 30, 2021. This second draft opened for public comments until February 21, 2022.

Since 2021, the MIIT and the Cyberspace Administration of China ("CAC") have proposed detailed rules to implement the Data Security Law of the People's Republic of China (the "Data Security Law") and the Personal Information Protection Law of the People's Republic of China (the "PIPL"), which focus on implementation in distinct fields. To strengthen data security management in the field of industry and informatization, the MIIT has issued the Measures to implement provisions of the Data Security Law and other relevant laws and regulations. The Measures provide approaches to apply the national data security management mechanism in the field of industry and informatization in an effort to establish the data security supervision and administration system in the field of industry and informatization, through further clarification of the data classification and data grading system, management of important data and core data, and other specific requirements². In respect of cyber data³, the CAC released the Regulations for the Administration of Cyber Data Security (Draft for Comment) ("Cyber Data Regulations") for public comment on November 14, 2021. The Cyber Data Regulations propose rules for implementing relevant systems established by the Data Security Law and the PIPL; they also refine relevant requirements imposed by those laws while creating some new ones, such as the filing and annual reporting obligations of important data processors, security management duties of data processors that undertake cross-border data transfers, and responsibilities to be assumed by Internet platform operators.

Both at their formulation stage, the Measures and the Cyber Data Regulations are implementing rules respectively issued by China's two major data security regulators. Despite certain overlap between the two, they highlight different regulatory aspects due to the nature of the data they regulate, reflecting the different regulatory scopes and approaches adopted by the MIIT and the CAC.

As revised, the Measures comprise 41 articles in eight chapters (fewer than the previous 44 articles) and differ from the first draft in the following aspects:

• Separate protection for personal information: PIPL added as an enabling law.
• Expanding definition of data: includes radio data into the regulatory scope.
• Further clarifies regulators' scope of authority: confirms MIIT's supervisory role over local regulatory departments.
• Revises data classification and data grading standards: changes made to grading criteria and categorization methods.
• Clearer guidance for the filing system: more specific requirements for filing applications, filing reviews, and change filings.
• Persons responsible for data security: shifts primary responsibility to legal representatives and tightens internal management requirements for enterprises.
• Updated requirements for full life-cycle data management: removes language prohibiting core data exports and imposes security obligations for processing core data among different persons.
• Coordinates data security reviews: adds flexibility to provisions on security assessments, cooperation with supervision, and other requirements.

Below, by comparing the first draft Measures (0930) and the revised draft Measures (0210), we summarize and comment on key adjustments made in the revised draft.

Separate protection for personal information: PIPL added as an enabling law

As stressed in its drafting notes, the Measures (0930) adhere to the philosophy of the Data Security Law, which emphasizes control over personal information by categorizing it in catalogues of important data and core data, thus implementing full life-cycle security management of personal information without imposing any separate protection requirements for personal information⁴. Given that, the Measures (0930) cited as their enabling laws the Cybersecurity Law and the Data Security Law, not the Personal Information Protection Law. However, the Measures (0210) add the PIPL to the list of enabling laws and correspondingly adjust other relevant provisions with respect to personal information. For example:

• "Personal information" is removed from the list of data categories in Article 8 (Methods of Data Classification and Data Grading), where non-personal information categories are retained, such as management data, operation and maintenance data, and research and development data.
• The following provision is added as Article 37 (Personal Information Protection) in Chapter 8 (Supplementary Provisions): "Data processing activities involving personal information shall also be subject to relevant laws and administrative regulations."

Given the above changes in the Measures (0210), it appears that the MIIT has turned its personal information protection approach away from "unified management by categorizing personal information in the catalogue of important data and core data" and is heading toward separate protection of personal information. This shift of direction conforms to regulatory documents issued mainly after the Measures (0930). On November 14, 2021, the Cyber Data Regulations were issued for public comments, in which personal information was not covered by the specified definitions of important data and core data. In addition, a revised public comment draft of the Information Security Technology - Guideline for Identification of Critical Data (Draft for Comment) (the "Guideline") issued by the Secretariat of the National Information Security Standardization Technical Committee on January 13, 2022, as well as its initial draft for public comment released on September 23, 2021, both define important data clearly as "not including state secrets and personal information, but may include statistical data and derived data formed on the basis of massive quantities of personal information." To achieve consistency and coordination among relevant laws and regulations, the Measures (0210) change their approach to personal information management, emphasizing the PIPL's role as the legal basis for personal information protection.

Footnotes

1 Yibing Zhao, a Han Kun intern, also contributed to this legal commentary.

2 Please refer to the drafting notes of the Measures for Administration of Data Security in the Field of Industry and Informatization (for Trial Implementation) (Draft for Comment) by clicking: https: //www.miit.gov.cn/cms_files/filemanager/1226211233/attach/20219/1d1668e46e644b42b04a95db43854607.pdf.

3 "Cyber data" refers to any data recorded in electronic form, which is not limited to data generated by using the internet or network or processed therein. For more information, please click: https：//mp.weixin.qq.com/s/3uewzfNMEP_2Rr9SpaULnw.  

4 Please refer to the drafting notes of the Measures for Administration of Data Security in the Field of Industry and Informatization (for Trial Implementation) (Draft for Comment) by clicking: https://www.miit.gov.cn/cms_files/filemanager/1226211233/attach/20219/1d1668e46e644b42b04a95db43854607.pdf  

To read the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.