Recent changes to how China regulates the export of so-called "important data" are being misinterpreted by foreign companies. This misreading could put organizations behind the compliance eight ball.
On 22 March, the Cyberspace Administration of China issued the Provisions on Promoting and Regulating Cross-Border Data Flows, significantly easing data export requirements for companies operating in China. The CAC regulations address two main categories of data: personal information and important data.
For personal information, quantitative thresholds triggering compliance obligations were raised, and certain common business activities were excluded from cross-border review. There is already a strong consensus on the details and impact of these changes.
For important data, Article 2 of the final CAC regulations introduces new language requiring companies to identify and declare their important data "in accordance with relevant regulations." However, the subsequent sentence clarifies that important data shall only be covered by a cross-border data transfer (CBDT) security review once it has been "designated or notified by the relevant regulations."
This reference to direct government notification has caused confusion among practitioners, as some have read it as suggesting companies may adopt a passive approach to important data identification and wait until they are expressly notified by regulators. This reading is understandable if one considers that a related process for identifying operators of critical information infrastructure in China also relies on direct notice from regulators.
But this reading is in error. The importance of the new language in Article 2 is to clarify two distinct, and indeed consecutive, regulatory workstreams. First, companies should work with their supervisory regulator to identify and confirm their important data holdings. Then, once these holdings have been confirmed, companies should file a CBDT application with the CAC for any important data they wish to export. At this stage the CAC's CBDT review team will review the export case but not the underlying important data determination.
Important data and China's data classification framework
First, a bit of background. Important data is a type of sensitive high-risk data first referenced in the Cybersecurity Law of the People's Republic of China and later expanded upon in the Data Security Law (DSL) and related implementing measures and standards. Although lacking a precise overall definition, important data is generally described in regulations, such as the Measures for the Security Assessment of Outbound Data, as "data that, once tampered with, destroyed, leaked, illegally obtained, or illegally used, may endanger national security, economic operation, social stability, public health and safety, etc."
Under the DSL, this general description is meant to be supplemented by more specific identification guidelines drafted by industry regulators and local governments. Essentially, the DSL instructs these authorities to use their expertise to provide more granular, actionable lists of important and core data types for entities under their jurisdiction. Core data is a more sensitive form of important data.
This important data identification system — known formally as "data classification and (security) grading" — is now being rolled out nationwide and is poised to be one of the top compliance challenges for companies in China over the next few years. If a company possesses important data, then it must implement enhanced security protocols for this data and comply with more stringent audit and reporting requirements set out by their local government or industry regulator. Crucially, important data may not be exported unless it has passed the CAC-led CBDT security review.
Important data and CBDTs
Turning to our main topic, it is crucial to distinguish between a company's identification of its important data holdings and the CBDT security review.
Article 2 of the CAC regulations emphasizes that data handlers shall "identify and declare important data in accordance with relevant regulations." This sentence, newly added after an earlier draft for public comment, is intended to reference the evolving corpus of data classification regulations that are now being promulgated to help companies identify important data. The idea here is that important data identification is its own task, and companies should first handle this task "in accordance with relevant regulations" before applying to the CAC for important data export.
Despite this, some practitioners are confused by the subsequent language in Article 2, which excludes from the CBDT review process important data that "has not been designated or notified by relevant (authorities)." Read in isolation, this sentence suggests companies can sit tight and not notify the CAC of anything until they have received an explicit direction from the authorities.
However, this is not the drafters' intent. At a recent data classification Q&A in the Tianjin Free Trade Zone, one local official cautioned that companies are still expected to carry out their relevant important data identification responsibilities under the new rules. This official made it clear companies should be "proactive" with reporting important data, and specifically referenced the first sentence of Article 2 as "clearly outlining companies' obligations in proactively reporting."
The proactive steps defined in the first half of Article 2 reference the data classification and grading requirements now being implemented across various localities and industries.
China data classification and grading
How does one carry out these proactive steps? While the specific practice in each industry may differ — and in most industries is still being developed and rolled out — regulators are generally issuing two types of data classification measures: important data identification guidelines and data security measures.
Typically found in both general national standards and industry-focused ones — many currently still in draft form — important data identification guidelines aim to provide further clarity on data categories deemed "important" by listing more specific categories of data meeting these criteria.
For example, a recent draft national standard issued by the Ministry of Industry and Information Technology (MIIT) in May 2024 includes such items as "AI control programs, algorithms, source code, training model data, and data mining data," as well as "advanced, design and manufacturing technologies for integrated circuits."
In some cases, important data identification guidance has been included in legal measures targeting a specific industry, such as automobiles, or related to certain experimental free trade zones. These free trade zone guidelines may specify important data types via either a negative list, as in the Tianjin Free Trade Zone, or a whitelist, as in the Shanghai Lingang Free Trade Zone.
Data security measures, on the other hand, typically instruct companies on initial data classification and grading work related to the three categories of data — general, important and core — and the related compliance measures required for each. As of April 2024, only two industry regulators, the MIIT and the Ministry of Natural Resources, have issued this type of measure.
Corporate compliance with this new regulatory workstream typically takes the form of a self-audit followed by a submission to regulators for review and confirmation. Companies may be asked to submit a spreadsheet or other record containing information on their data holdings, such as the various data categories held, their security levels, processing purposes and various questions related to data usage.
This initial submission may include a company's "general" data types as well, so the local authority is able to review and sign off on the company's self-assessed security grade. Note that while there is a natural concern about the potential invasiveness of this process, authorities have made it clear they do not expect to review the contents of any actual data holdings to conclude the process.
After a company has submitted its data records to the local authority, the authorities will then review the submission and report back with either a confirmation of the company's own self-audit, or a request to reclassify some of the submitted data. Once this is sorted, the company will have clarified its general, important and core data holdings. It should have greater clarity over what regulatory and security requirements are necessary for each type and, importantly, what data must be reported to the CAC for purposes of the CBDT review process.
Providing reassurance
Since the introduction of important data into the Chinese regulatory lexicon, the enduring compliance questions for foreign companies have been whether they are unknowingly exporting important data and, crucially, whether that could land them in trouble.
The CAC's intention behind Article 2 is partially to alleviate this uncertainty. The new language in Article 2 seems intended to free companies from the threat of penalties during the period before they have identified their important data and, crucially, to clarify that the CAC's CBDT review team is not the authority for determining important data holdings.
Scott Livingston is legal counsel at Dell Technologies.
Tom Nunlist is the associate director at Trivium China.