China’s Data Security Law (DSL) aims to classify and protect data based on its relevance to the state’s economic development, national security, public interest, and individuals’ and entities’ legitimate rights and interests.
The DSL was passed on June 10, 2021 and came into effect on September 1, 2021.
The Data Security Law applies to all data processing activities within the territory of the People’s Republic of China and to their security supervision. However, if data processing activities carried out outside the territory of the People’s Republic of China infringe on the national security, public interests, or the rights and interests of citizens or organizations of the People’s Republic of China, they shall still be penalized in accordance with law. Data refers to any record of information in electronic or any other form (Article 3). Data processing includes the collection, storage, use, processing, transmission, provision, disclosure, etc., of data. Data security means employing the necessary measures to ensure that data is effectively protected and legally used, as well as possessing the capacity to maintain a sustained state of security.
Cyberspace Administration of China (CAC): central internet regulator, censor, oversight, and control agency for the People’s Republic of China
Ministry of Industry and Information Technology (MIIT): responsible for regulating and managing China’s telecommunication and software sectors, as well as the electronics and information technology manufacturing industries. On 30th September 2021, the MIIT published the Measures for the Administration of Data Security in the Field of Industry and Informatization for public comment; the comment period closed on 30th October 2021. The document revises and further defines General Data, Important Data, and Core Data. MIIT subsequently opened another period for further comments until 21st February 2022.
Industry Regulatory Bodies: ex. National Medical Products Administration (NMPA) and People’s Bank of China
Local Province/Local Government: examples of governance parties and their regulations include:
• Shanghai: Shanghai Data Regulations, regionalising data protection in China, effective 6th December 2021.
• Fujian: Provincial Congress approved the Big Data Development Regulations on 29th December 2021.
• Shenzhen: Shenzhen Special Economic Zone Data Regulation, regionalising data protection in China, effective 10th January 2022.
Data Processors of the Company: data handling activities shall be conducted in compliance with the provisions of laws and administrative regulations. Processors must establish and complete a data security management system covering the entire workflow, organize and conduct data security education and training, and adopt corresponding technical measures and other necessary measures to ensure data security. Where data handling activities use the Internet or other information networks, the data security protection obligations described above shall be performed on the basis of the cybersecurity Multi-Level Protection System (Article 27, Chapter 4, DSL).
Data Handlers: people who process data. Important data handlers shall clearly designate persons responsible for data security and management bodies to implement data security protection responsibilities (Articles 27 and 31, DSL).
General Data: data whose compromise causes a small impact on the public interest or the lawful rights and interests of individuals or organizations, and a small negative impact on society.
• The number of affected users and enterprises is small, the scope of affected production and living areas is small, the duration is short, and the impact on business operation, industry development, technological progress, industrial ecology, and other areas is small.
• Other data that is not included in the catalog of important data or core data.
Important Data: data whose degree of harm meets one of the following conditions:
• Posing a threat to politics, land, military, economy, culture, society, science and technology, electromagnetics, networks, ecology, resources, nuclear security, etc., and affecting overseas interests, biology, space, polar regions, deep seas, artificial intelligence and other key areas related to national security.
• Seriously affecting development or production safety, causing a serious impact on the public interest or the lawful rights and interests of individuals or organizations, and having a large negative impact on society.
• The cascading effect it causes is obvious, and the scope of influence involves multiple industries, multiple regions, or multiple enterprises within an industry, or the impact lasts for a long time, causing a serious impact on industry development, technological progress, and industrial ecology.
• Other important data assessed and determined by MIIT.
Core Data: data whose degree of harm meets one of the following conditions:
• Posing a threat to politics, land, military, economy, culture, society, science and technology, electromagnetics, networks, ecology, resources, nuclear safety, etc., and seriously affecting overseas interests, biology, space, polar regions, deep seas, artificial intelligence, and other key areas related to national security.
• Having a major impact on the field of industry and informatization and its important backbone enterprises, key information infrastructure, important resources, etc.
• Causing major damage to industrial production and operation, the operation and service of telecommunication networks (including the Internet), the development of radio services, etc., resulting in wide-scale suspension of work and production, large-scale interruption of radio services, large-scale network and service paralysis, and loss of a large amount of business processing capacity.
• Other core data determined by MIIT.
• The highest level of the three-level system; it refers to data that “have a bearing on security, the lifelines of national economy, people’s key livelihood and major public interests.” (Art. 21)
• National core data are subject to a stricter management system by the state than important data.
• The DSL identifies sectors, such as telecommunications, transportation, finance, natural resources, hygiene and health, education, and technology, that are to undertake data security regulatory duties in their respective fields.
• Critical Information Infrastructure operators are overseen by the Cyberspace Administration of China (CAC).
• Defined in Art. 21 of the DSL; catalogues will be provided in the data classification and hierarchical protection catalogue developed by the respective regions and departments for the relevant industries and fields.
• QTS has engaged with local government, and we now know that Important Data is being defined by the Ministry of Industry and Information Technology (MIIT), industry regulatory bodies (e.g. automotive, aerospace), and local provinces/local governments.
• Meanwhile, other cybersecurity and information security legislation defines important data as data related to “national security, economic development and public interests, but do not involve core data (the national secrets).”
Non-compliance with the DSL shall result in the imposition of a fine of ¥50,000 up to ¥10 million, with select cases leading to criminal charges.
Administrative penalties typically begin with a warning and an order for rectification; severe non-compliance results in the suspension of business, revocation of permits or licenses, and/or re-organization.
• Risk monitoring, remediation, and incident reporting
• Conduct training and education
• Collaborate with domestic law enforcement efforts
• Follow the purposes and scope of data collection as stipulated by the authorities
• Establish a security management system
• Adopt the needed technologies and other measures
• Create a hierarchical folder structure to separate Core, Important, and General business data
• Carry out MLPS 2.0 and follow up with classification and hierarchical protection
• If the DSL certification is Level 2 or above, seek supervision for data processing; if below, the entity can self-certify
• Establish a management organ with designated personnel
• Conduct regular risk assessment and reporting
• Follow the specific rules for importing data
• Catalogues of important data are being defined by the Ministry of Industry and Information Technology, industry regulatory bodies, and local provinces/governments
• Strictly comply with the DSL and the CAC’s further regulations
QTS Global is an American IT company that has been based in Asia Pacific for over a decade, with a mission to vanquish needless IT suffering wherever our clients operate in APAC, the UAE, and Germany.
We embrace a seamless, drama-free approach to IT problem-solving.
We work within the nuances of different cultures, companies and people, not around them.
We help centralize your IT in APAC while ensuring control remains at your Global headquarters.
As such, we can help end your DSL woes and more:
• CSL/DSL/PIPL audits
• Translations of the DSL, Data Guidance, and a DSL checklist
• Support options via phone, email, and on-site visits
• SLA escalation process
• Breadth of hardware and software knowledge
• Initial pay-per-incident or work-hours cost model
• Flexibility to adapt to client growth and expansion within the region
Operating at the level of multinational corporations calls for partners that share the same set of core principles, so that the relationship is smooth and harmonious.
Efficient, interoperable, and cost-effective, with integrity, QTS Global has been a committed partner.
Want more information?