
China’s plan to block export of ‘core’ data raises questions over implementation
- A draft regulation by the Ministry of Industry and Information Technology seeks to protect core domestic technology data from leaving China’s borders
- The proposed rules, which define data according to their level of importance, lack clarity, experts said
China’s latest efforts to retain certain technology data within its borders have raised questions over how private businesses should categorise their information to comply with the new guidelines.
The country’s Ministry of Industry and Information Technology (MIIT) released a draft regulation last week that seeks to block the export of core industrial and telecommunications data, marking China’s first regulatory attempt to draw up detailed rules under its sweeping Data Security Law rolled out this year.
Under the regulation, all businesses that handle such data are required to classify their information into three categories. The sharing of “important” data with foreign parties requires special government review and approval, while “core” information is strictly barred from leaving China. All relevant data, including those labelled “ordinary”, should be listed in a catalogue and reported to the MIIT’s local branches.
Core data is broadly defined as any information that concerns national and economic security, people’s welfare and important public interest, according to China’s Data Security Law, which was promulgated in June and came into force on September 1.
As such, much of the data handled by major state-owned enterprises, including business secrets, can be construed as “core”, according to Xia Hailong, lawyer at law firm Shanghai Shenlun.
“The export ban on core data can be understood as China’s new way of protecting key business secrets,” Xia said.
While the MIIT’s proposed regulation elaborates on the definition of each category, the descriptions remain broad and vague, making it difficult for businesses to judge in practice, according to analysts.
Industrial data is defined as any information gathered and produced in sectors including raw materials, machinery, consumer goods, electronics manufacturing, software and information technology. Telecoms data refers to data gathered and produced in the communications network market.
The rules specify that data should be labelled as “important” if its leakage, tampering or illegal use is likely to threaten China’s “politics, land, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources and nuclear security”. Data that affects the country’s overseas interest, as well as its data security in space, polar regions, deep sea and artificial intelligence, is also deemed important.
Any information that poses a “serious threat” to these areas will be considered “core”.
Moreover, the draft regulation categorises information as “important” if it can affect the “development, production, operation and economic interest of industries”, including the telecoms sector. Data is classified as “core” if its export can significantly impact major enterprises, information infrastructure and other important resources in China.
Only data whose leakage, tampering or illegal use will have “little impact” on society is classified as “ordinary”.
It is not always clear what counts as “little impact”, Xiong Dingzhong, partner at Beijing-based TsingLaw Partners, told Chinese media Southern Metropolis Daily, since there are no quantifiable standards. In reality, this means that authorities are likely to have the final say.
“This will be one of the biggest difficulties for regulating data in the future. Regulators have huge discretionary power in law enforcement,” said Xiong.
