On 23 November 2023, the Ministry of Industry and Information Technology (MIIT) began soliciting opinions on the Administrative Penalty Discretion Guidelines for Data Security in the Industrial and Information Fields (Trial) (hereinafter referred to as the Guidelines). The document further refines the penalty provisions related to the Data Security Law, establishes an administrative penalty authority system for data security in the industries within MIIT’s jurisdiction, standardizes the scale of administrative penalties for data security, and guides industry regulatory authorities in carrying out administrative penalties for data security. The deadline for feedback is 23 December 2023.

More specifically, the Guidelines explicitly define the scope of the locations where data security violations occur, encompassing the place of residence, network access points, and other relevant areas. Dispute resolution methods are proposed for jurisdiction at different levels, including supervisory jurisdiction, territorial jurisdiction, transfer jurisdiction, and cross-jurisdiction. The document also indicates that the same data security violation by data processors in the industrial and information fields should not be subject to administrative penalties more than twice.

Using the Data Security Law as a benchmark, the Guidelines outline three categories of triggering conditions for illegal acts: (i) failure to fulfill data security protection obligations; (ii) illegally providing data to overseas entities; and (iii) non-cooperation with supervision activities. Taking into account factors such as data level and quantity, harm to public interest, direct economic losses, and scope of impact, the document classifies the severity of data security violations into three tiers of light, medium, and serious circumstances. It clearly defines the discretion steps such as non-punishment, lenient punishment, mitigated punishment, and severe punishment, detailing the applicable conditions for each administrative penalty.

Regarding cross-border data transfers, a matter of widespread concern to overseas stakeholders, the Guidelines state that providing industrial and information data stored in China to foreign industrial, telecommunications, and radio law enforcement agencies without the prior approval of MIIT constitutes one of the situations of illegally providing data overseas. Furthermore, if the data transfer involves key data or core data, or exceeds 10 million generic data, it is considered a moderately serious circumstance; if it involves key data or core data processed by two or more data processors, or exceeds 100 million generic data, it is deemed a serious circumstance. Regulatory authorities will determine the degree of the penalty to be imposed based on the severity of the circumstances, violation records, subjective or passive involvement, and cooperation with supervision.

Alongside the Guidelines, the Administrative Penalty Discretion Benchmark for Data Security in the Industrial and Information Fields was also released. The document lists 14 illegal acts and establishes specific standards for penalties corresponding to each level of discretion for every violation.