On 30 September 2021, the Ministry of Industry and Information Technology (MIIT) released the Measures for the Administration of Data Security in Industry and Information Technology (Call for Comments) to the public, and collected comments until 30 October 2021.

The Measures apply to industrial and telecommunication data processing activities within the territory of the People’s Republic of China, and their security supervision. Specifically, industrial data refers to the data generated and collected during the process of R&D, design, production, operations and management, maintenance services and application, in various industries such as the raw material industry, equipment industry, consumer goods industry, electronic information industry, software and information technology service industry and other industries. Telecommunication data refers to the data collected and generated in the operation of telecommunication businesses.

In accordance with the requirements of the Data Security Law, MIIT implements classified and multi-level management of data, and further divides industrial and telecommunications data into general data, important data and core data. General data refers to data that has a minor impact on personal or public interests, while core data refers to data that will pose a serious threat once it is damaged or leaked.

MIIT, as the main regulator of industrial and telecommunications data processing and security protection, will be responsible for formulating relevant rules for data classification, identification and recognition in the field of industry and information technology. It will also formulate a specific catalogue and a record management platform for important data and core data; in addition to basic information, data disclosure and cross-border transfer should also be recorded on the platform.

With regard to cross-border transfer of industrial and telecommunication data, the Measures outline specific rules. Important data generated and collected within the territory of China by industrial and telecommunications data processors shall be stored within China; where it is absolutely necessary to transfer data abroad, a security assessment must be conducted. Core data shall not be exported.

This new regulation could have implications for foreign companies operating businesses in China. Foreign companies need to pay extra attention to the data they want to transfer to overseas headquarters. For instance, data generated by smart internet-connected vehicles, like cartographic information which might be defined as core data, will not be allowed to be transferred outside China. However, apart from cross-border data transfer, law-abiding, compliant foreign companies in China do not have to worry about this new proposal, as it only targets the illegal use of data or those who seek to misuse sensitive data.