



On August 25, 2023, China's National Information Security Standardization Technical Committee (SAC/TC260) issued the draft for comments on "Information security technology - Security requirements for the processing of Key Data" (hereinafter referred to as the Security Requirements). This standard forms a crucial component of China's data classification management system, wherein data is categorized into three levels: core data, key data, and generic data. Each level carries specific protection prerequisites and processing protocols. The Security Requirements are tailored for the handling of key data. Public comments are welcome until October 24, 2023.
The Security Requirements encompass six main sections: application scope, normative reference documents, terminology and definitions, device security, security measures for data processing, and operations and management security. They apply not only to key data processors but also serve as a guideline for supervisory authorities, evaluation bodies, and other stakeholders involved in overseeing and assessing key data processing activities.
Of particular relevance to foreign stakeholders, especially those engaged in cross-border data transfers, is Article 5.4.6 of the Security Requirements. This section outlines the responsibilities for entities transferring key data to overseas recipients, which include:
- Reporting to the Cyberspace Administration of China and undergoing a cross-border security assessment.
- Implementing technical and managerial measures aligned with the intended purpose, scope, method, data type, scale, etc., of the transfer. Transfer activities must align with the submitted report to the Cyberspace Administration of China for security assessment.
- Handling user complaints related to cross-border data transfer.
- Maintaining relevant cross-border data transfer logs for a minimum of three years.
- Providing information in plain, legible form to the competent department or law enforcement agency verifying the type and scope of key data to be transferred overseas.
- Halting transfer activities and implementing effective measures to safeguard the transferred data's security if competent authorities do not authorize the transfer.
- Refraining from disclosing key data stored in China to foreign judicial or law enforcement agencies without prior approval from the relevant Chinese authorities.
For foreign stakeholders, the initial step is to assess if the data collected from China falls within the purview of key data. The classification must be determined based on the national or industry-specific key data catalogues released by public authorities, as outlined in the Cyber Security Standards Practice Guide - Guidelines on Classification and Classification of Network Data released by SAC/TC260. In the absence of such catalogues, data processors will need to refer to the forthcoming key data grading rules and standards and conduct a thorough assessment of the potential impact of cross-border data transfers.
| Data Grading | Impact Object: National Security | Impact Object: Public Security | Impact Object: Personal Legitimate Rights | Impact Object: Legitimate Rights of Organizations |
| --- | --- | --- | --- | --- |
| Core Data | Ordinary Damage or Serious Damage | Serious Damage | / | / |
| Key Data | Minor Damage | Ordinary Damage or Minor Damage | / | / |
| General Data | No Damage | No Damage | No Damage, Minor Damage, Ordinary Damage, or Serious Damage | No Damage, Minor Damage, Ordinary Damage, or Serious Damage |
Form 1: Framework for Data Grading
As outlined in the Guide, impact objects are classified into four distinct types: (i) national security, (ii) public interest, (iii) personal legitimate rights, and (iv) legitimate rights of organizations. Similarly, the level of impact is categorized into four types: (i) severe damage, (ii) moderate damage, (iii) minor damage, and (iv) negligible damage. Data that, if manipulated, destroyed, disclosed, or unlawfully accessed or utilized, could potentially result in minor harm to national security or moderate to minor harm to public security, will be classified as key data.
As of now, there isn't an established key data catalog specifically tailored for the agricultural and construction machinery industry. Stakeholders in this sector have the option to either refer to the key data definition outlined in the automotive industry, as stipulated in the Several Provisions on the Management of Automobile Data Security (for Trial Implementation), or conduct an initial impact assessment to preliminarily determine the data's classification level.


