On February 10, 2022, the Ministry of Industry and Information Technology (MIIT)  released their second draft of the Administrative Measures for Data Security in Industry and Information Technology Sectors (for trail Implementation)（hereinafter referred to as “the Measures”）to call for public comments for the second round.

The Measures was first released for public comments on September 30, 2021. This document was developed because: 1) China has launched a series of scrutiny measures on data security and cyber security after a booming ICT development in recent years. Several laws and regulations have been issued or implemented within the past 18 months. 2) the Data Security Law of People’s Republic of China was put into effect on September 1, 2021, forming a general framework and principle for China’s administration on data security.

According to previously received public comments on the Measures, the MIIT made revisions and modifications. Once again, MIIT has requested public comments from February 10 to 21 of 2022.

The latest draft of the Measures that was released for public comments includes the following ten important changes:

1.    Incorporate radio data into the applicable scope and add radio administrative organization as one of the supervising authorities. The new draft of the Measures also adds electromagnetic influence into the judging criteria for important data and core data.

2.    Data processors in industrial and information technology fields can subdivide the types and levels of data under the three bases: general data, important data, and core data.

3.    Stop using levels of the cost of recovering data or eliminating negative influences as a standard criterion for general data or important data.

4.    Require the local authorities of industry and information, administration of communication, as well as radio administrative agencies to complete the review within 20 working days after the data processor in relevant field submits the filling application.

5.    Clarify the requirement for filing a modification/change: in the case that important data and core changes by more than 30 percent in data categories or scales, or if any major change has taken place in other filing information, data processors in the industrial and information field should apply for filing change within three months of the actual change.

6.    Data processors must apply to relevant departments of industry and information, communication administrations, and radio administrative agencies to update the filing contents before destroying important data and core data.

7.    Cancel the requirement that forbids core information from going abroad. In the new version, relevant data in the industry and information technology field can be sent abroad after approval by MIIT.

8.    Add in requirements for cross-subject processing of core data. Such data should be assessed for security risk, and processors should provide necessary protective measures for security. Cross-subject data processing should only be carried out after reviewing the local department of regulation and administrations.

9.    Cancel the requirement for security review.

10. Cancel the mandatory requirement for relevant data processors on establishing a customer complaint system.

If you need more information on the topic, or the complete English version of the draft, please contact:

assistant@bestao-consulting.com