On 10 February 2022, the Ministry of Industry and Information Technology (MIIT) issued the second draft of the Administrative Measures for Data Security in Industry and Information Technology Sectors (hereinafter referred to as “the Measures”), calling for public comments.
Compared to the previous edition (first draft for comments issued on September 30, 2021), the second draft contains ten important changes:
- Radio data (radio frequency, radio wave parameters, etc.) are included in the scope of the regulation, and electromagnetic security is considered one of the criteria for identifying important data and core data.
- The three levels of data – i.e., general data, important data, and core data – can be further divided by data processors into more levels for the purpose of management and handling.
- Costs for recovering data or eliminating negative influences are no longer considered as a criterion to identify whether the data is general data or important data.
- Local authorities shall complete their review within 20 working days after a data processor submits an application for the filing of its inventories of important data and core data.
- A modification of the filing is needed if important data and core data change by more than 30 percent in data categories or scales, or if any major change has taken place in other filing information. Data processors shall complete the modification filing within three months.
- An update of the filing is needed if data processors are to destroy important data and core data.
- The provisions prohibiting the cross-border transfer of core data are canceled; such transfers can be carried out upon MIIT’s approval.
- New requirements are included for core data processed by multiple processors: security assessment, safeguarding measures, and local authorities’ review are necessary.
- The original requirement for security audit is canceled.
- The original requirement for data processors to establish a customer complaint system is canceled.