The China Communications Standards Association (CCSA) has completed the draft for approval of the sector standard Guidelines for the Identification of Key Data in Industrial Fields (hereinafter referred to as the “Guidelines”). It is currently soliciting public comments on the draftit.
The Guidelines outline the basic principles, processes, and considerations for industrial data processors to identify key data in the industrial fields. It aims to i) guide industrial data processors in identifying key data within the industry, and ii) serve as a reference for regulatory authorities to establish catalogs of key data in the industrial fields.
The standard divides the process of identifying key data in the industrial field into three stages: identification, internal approval, and catalog filing. The identification stage aims to form a preliminary list of key data, the internal approval stage aims to confirm the list of key data; whereas the catalog filing stage aims to form the final catalog of key data through the approval of regulatory authorities.
More specifically, during the initial identification stage, the standard proposes defining whether data is considered asis key based on six dimensions, which include: relevance to State secrets, relevance to national security, relevance to the safety of industry development, relevance to export control of industrial items, relevance to industry-specific features, and other important data. Under these six dimensions, the document details dozens of criteria for identifying key data, stating that data meeting any one of these criteria qualifies as key data.
However, some of the identification criteria listed in the document may pose challenges to businesses regarding their trade secrets and the cross-border transfer of data. Here are some examples of what has been classified as key data in the draft: design and production data of high-end medical devices; design data, algorithms, and software/hardware architectures of major computing equipment; AI control programs, algorithms, source codes, training model data, and data mining analysis data; components, software, and equipment that can affect supply chain security, as well as information on industry supply and demand, price trends, and the distribution of suppliers and users; personal information collected, generated, and stored by industrial data processors that affects more than 1 million people, personal information of a group with certain characteristics exceeding 100,000 people, or sensitive personal information of more than 100,000 people.
In China, processors of key data need to fulfill a series of compliance obligations, such as conducting regular risk assessments and submitting a security assessment to China’s cybersecurity authorities before cross-border transfer activities may begin. Given the extensive scope of this standard, once it becomes referenced by legislation in the future, it will significantly increase the compliance burden on businesses. It is recommended that relevant European stakeholders actively provide feedback on the draft Guidelines.
