China clarifies scope of “critical data” in cross-border data protection regime
On 13 January 2022, the China National Information Security Standardisation Technical Committee (also known as TC260) issued a draft of a guideline titled “Information Security Technology - Guideline for Identification of Critical Data” (“Guideline”) which sets out what constitutes “critical” data, also translated prior to the issuance of this Guideline as “important” data. The term “important data” is used in our previous articles. The public consultation on the Guideline will end on 13 March 2022.
The term was introduced by the Cybersecurity Law in 2017 (“CSL”) and has since been used by various other legislative documents, including the recent Data Security Law (“DSL”), which came into force on 1 September 2021, and draft regulations and measures published by the Cyberspace Administration of China. For instance, the CSL provides that the personal information and critical data collected and produced by critical information infrastructure operators during their operations in China shall be stored in China. Similarly to the CSL, the DSL does not set out the type of data which should be considered critical, while authorising each region and department to determine the specific catalogues of critical data in the region or department and in relevant industries and fields.
For more on these laws and other instruments which mention obligations relating to “important” data, please see our article titled “New legal framework for cross-border data transfer in China”.
Scope
The Guideline sets out the basic principles for the identification of critical data, considerations and a format for describing critical data. The Guideline applies where data processors identify critical data in their possession. This document provides support for the security protection of critical data, and serves as a reference for the development of specific catalogues of critical data in the region, sector and related industries and fields by all regions and sectors.
Definition
The term “critical data” is defined in the Guideline as data that exists in electronic form and which, if tampered with, destroyed, leaked or illegally accessed or used, may endanger national security or public interest. Critical data does not include State secrets and personal information, but statistical data and/or derived data based on large amounts of personal information may be considered critical data.
Identification of critical data
Principles
The Guideline sets out basic principles in the identification of critical data:
- Focus on security implications: Identify critical data from the perspective of national security, economic operations, social stability, and public health and safety. Data that is important or sensitive only to the organisation itself is not considered critical, such as data related to the internal management of an enterprise.
- Focus on protection: Classify data and differentiate the focus of protection for data at different levels, to allow the adequate and orderly flow of general data and critical data flow under the premise of meeting security protection requirements, and to generate more value from the data.
- Connect with existing regulations: Take full account of existing local management requirements and industry characteristics, and closely connect with local and departmental data management policies and standards that have been developed and implemented.
- Comprehensively consider risks: Based on factors such as the use of data and threats to data, consider the risks of data tampering, destruction, leakage or illegal access or illegal use and identify the importance of data from various perspectives such as confidentiality, integrity, availability, authenticity and accuracy.
- Combine quantitative and qualitative approaches: Identify critical data in a combination of quantitative and qualitative ways and adopt quantitative or qualitative approaches depending on the specific data type and characteristics.
- Dynamic identification and reassessment: With the change of use, sharing, and importance of data in mind, dynamically identify critical data and regularly review the results.
Identification
The Guidelines lists factors that should be considered when identifying critical data:
- reflects the country’s strategic reserves and emergency mobilisation capacity;
- supports the operation of critical infrastructure or industrial production in key areas;
- reflects the network security protection of critical information infrastructure, which can be used to implement cyber-attacks on critical information infrastructure;
- relates to export controlled items;
- may be used by other countries or organisations to launch military strikes against China;
- reflects the physical security protection of key targets, important sites or the location of undisclosed geographical targets that may be used by terrorists or criminals to commit sabotage;
- may be used to damage the supply chain of critical equipment, system components, for the purpose to launch cyber-attacks;
- reflects the health and physiological status of groups, ethnic characteristics, and genetic information;
- concerns national natural resources and the environment;
- relates to scientific and technological strength and affects international competitiveness;
- relates to production and transactions of sensitive items and equipping and using of important equipment, which may be used by foreign governments to impose sanctions on China;
- is generated in the course of providing services to government agencies, military enterprises, and other sensitive and important institutions, that is not suitable for disclosure;
- relates to unpublished government data, work secrets, intelligence data, and law enforcement and judicial data; and
- may affect the security of China’s politics, territory, military, economy, culture, society, science and technology, ecology, resources, nuclear facilities, overseas interests, biology, space, polar, and deep sea.
