According to the Measures on Data Export Security Assessment (Draft for Comments) and Network Data Security Management Regulation (Draft for Comments), important data and the obligations of important data processors are explained as follows:
China defines critical data very broadly. Important data is data that may jeopardise national security or the public interest if it is tampered with, destroyed, disclosed or unlawfully obtained or used. This includes, for example:
- Unpublished data on government affairs, labour secrets, intelligence data, and law enforcement and judicial data.
- Export control data, nuclear technology data, design plans and manufacturing processes related to export controlled items, data on scientific and technological achievements in areas such as encryption, biology, electronic information and artificial intelligence that have a direct impact on national security and economic competitiveness.
- National economic operational data, key industry business data and statistical data subject to protection or restricted dissemination.
- Data on the secure production and operation of key industries and sectors such as industry, telecommunications, energy, transport, water, finance, defence, customs and taxation, and data on key system components and equipment supply chains.
- Basic national data on population, health, natural resources and environment, geography, minerals and meteorology.
- Data on the construction, operation and security of national infrastructures and critical information infrastructures. Data on the geographic location or security of key sensitive areas such as national defence installations, military areas and national defence research and production facilities.
- Other data that may have an impact on the security of China’s politics, country, military, economy, culture, society, science and technology, ecology, resources, nuclear facilities, overseas interests, biology, outer space, polar regions and deep sea.
Incidents: If a data security incident involves important data, the incident must be reported to the municipal cyberspace department and relevant authorities within eight hours. An investigation and assessment report must be prepared within five working days of the incident being resolved. The report must cover the cause of the incident, the resulting damage, the handling of responsibility and the improvement measures.
MLPS rating: An IT system that handles critical data should in principle be rated higher than Level 3 when certified under the Multi-Level Protection Scheme and should meet the requirements that MLPS 2.0 places on operators of critical information infrastructures. The draft provides for further obligations for the sharing, trading, commissioning and annual assessment of critical data.
According to the Measures for Data Export Security Assessments (Draft for Comments), data processors that transfer critical data abroad must first conduct a self-assessment of data export risks and then report a data export security assessment to the State Internet Information Department.