China Issued Draft Important Data Identification Guidelines
I. The Legislative History of Important Data
The concept of “important data” emerged for the first time in China under the PRC Cybersecurity Law (the “Cybersecurity Law”). The Cybersecurity Law stipulates that a critical information infrastructure operator (“CIIO”) should store important data collected or generated during its operation in China within the territory of China[1]. Since then, the definition and scope of “important data” have been anticipated.
On May 27, 2017, to echo the Cybersecurity Law, the National Information Security Standardization Technical Committee issued the Draft Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (the “2017 Draft”) for public comments. Appendix A of the 2017 Draft is a draft of “Guidelines for the Identification of Important Data” (the “2017 Draft Guidelines”). The 2017 Draft Guidelines list important data in 28 industries, including oil and gas, electricity, communication, transportation, finance, and meteorology. However, the 2017 Draft never became effective.
On Sept. 1, 2021, the PRC Data Security Law (the “DSL”) came into effect. The DSL defines “Data” as “any record of information in electronic or other forms”[2]. The DSL provides that China will establish a data classification and hierarchical protection system (the “Data Classification System”) and coordinate relevant authorities to prepare an important data catalogue. Based on the Data Classification System, each regional and sectoral authority will then determine a specific important data catalogue for its own region, sector, industry and field.
To provide guidance for relevant authorities to prepare the important data catalogue, the National Information Security Standardization Technical Committee, instructed by the Cyberspace Administration of China, drafted the Draft Guidelines for the Identification of Important Data (the “2021 Draft Guidelines”). Unlike the 2017 Draft Guidelines, the 2021 Draft Guidelines do not identify important data by industry, but by specific regulatory principles and the characters of data. It was reported that the 2021 Draft Guidelines would soon be issued for public comments[3].
II. What is “Important Data”?
“Important Data” is defined as:
“Data that exists electronically, and once it is tampered with, destroyed, leaked, or illegally obtained or utilized, national security and public interests may be endangered.”[4]
It is worth noting that important data specifically excludes state secrets and personal information. However, statistical data and derivative data formed based on massive personal information may be regarded as important data.
III. What are the Principles for the Identification of Important Data?
Under Article 4 of the 2021 Draft Guidelines, when identifying important data, an entity should follow the principles below:
1. Possible Impact on National and Public Safety
This principle emphasizes that when identifying important data, an entity should focus on the data’s impact on national security, public health and safety, etc., rather than its impact on a specific entity. If the data is only important or sensitive to a specific entity (e.g., data related to a company’s internal management), it will not be identified as important data.
2. Promoting the Flow of Data
This principle aims to promote the flow of data, which is important for data to be utilized effectively. It therefore emphasizes that:
(i) the scope of important data should be limited, in order to prevent overprotection. Non-important data should flow freely in accordance with relevant laws;
(ii) the scope of important data should be clear, so that the flow of non-important data will not be obstructed due to ambiguity of the scope of important data; and
(iii) important data can also flow once the related regulatory requirements are satisfied.
3. Coordinating With Existing Regulations
This principle emphasizes that when identifying important data, an entity should fully consider and respect existing regional regulations, as well as the characters of each industry. In other words, the 2021 Draft Guidelines require important data identification work to be as consistent as possible with the existing regional and industrial regulations and standards.
4. Comprehensively Assessing Risks
Under this principle, an entity should identify important data based on different characters of data, such as the data’s confidentiality, integrity, availability, authenticity, and accuracy, rather than concentrating on only one character or aspect. In addition, when identifying important data, an entity should comprehensively consider the purpose for which the data is used and the risks of it being tampered with, destroyed, leaked or illegally obtained or utilized.
5. Considering both the Quantity and the Nature of Data
When identifying important data, an entity should consider both the nature of data and the quantity of data. While some data should be identified as important data based on its nature, type or character regardless of the quantity, other data may be regarded as important data only once it reaches a specific quantity.
6. Reviewing the Data Identification Periodically
This principle requires an entity to review the result of identification periodically. Once there is any change to the data’s purpose of use, sharing method or sensitivity, the data processor may need to re-identify such data.
IV. What are the Characters of Important Data?
The 2021 Draft Guidelines state that data with any one of the following characters (the “Important Data Characters”) may be identified as important data[5]:
1. Related to the Operation of Economy
The following data may impact the operation of China’s economy, and thus may be identified as important data:
a) Data which can reflect the strategic reserve situation, such as data on grain reserve, energy reserve and other strategic material reserve.
b) Data which supports industrial production, such as data related to R&D (Research and Development) in the course of a CIIO’s production.
c) Data which supports the operation of important industries and fields, such as data that directly supports the operation of a CIIO’s core business.
d) Statistics-related data that can reflect the operation of the whole economy of China or impact China’s ability to control the whole economy.
2. Related to Population and Health
The following data relating to population and health may be identified as important data:
a) Non-public census-related data, and genetic data and genetic resources.
b) Data related to healthcare, such as information related to epidemic management, medical treatment and health management.
c) Data relating to food and drugs, such as specific (i) drug experimental data, (ii) medical device experimental data, (iii) food and drug safety data, and (iv) information on major (emergency) food and drug safety events.
3. Related to Natural Resources and Environment
Data relating to geographic information (such as specific map data, and navigation data), water conservancy conditions, earthquake information, meteorological information, environmental monitoring information, and marine environment monitoring information, may be identified as important data.
4. Related to Science and Technology
Data relating to export-controlled items, special intellectual property, key inventions and discoveries, and state technology plans, may be identified as important data.
5. Related to Security Protection
Data relating to both physical security and internet security may be identified as important data.
6. Related to Service Providing
a) Important data that is entrusted to another entity for storage in that entity’s system is still important data.
b) Users’ data generated in the course of providing services to government authorities, entities of public affairs or key projects is important data.
7. Related to Government Affairs
Data generated by state authorities and data submitted by individuals and enterprises to the government may be identified as important data.
8. Others
Other non-state-secret information which may endanger national security and public interests if it is tampered with, destroyed, leaked or illegally obtained or utilized is important data.
V. What are the Procedures of Important Data Identification?
1. Clarify Important Data Identification Rules of Regions and Sectors
Each region and sector will, based on the Important Data Characters and special conditions and situations of its own region and sector, clarify the rules of its own region and sector to identify important data[6]. Regional and sectoral rules should be more detailed than the 2021 Draft Guidelines.
2. Identify Important Data Within One Organization
Each organization will then, based on the rules governing its region and sector, identify its own important data and form a catalogue of important data. The organization should follow the procedures below[7]:
a) Specify and classify its own data assets, and form a list of data assets.
b) Assess the impact of the data on security. Clarify the purpose of the data use, and the main security threats to the data. Assess the impact the data may have on national security and public interests once it is destroyed, damaged, or stolen.
c) Identify possible important data of its own entity based on the rules of its own region and sector.
d) Review the possible important data that has been identified to finalize the important data list.
e) Describe the important data identified after review and form its own important data catalogue. The 2021 Draft Guidelines provide a standard form to help describe the important data.
3. Report the Identification Result
Each organization should report the identification result to relevant authorities. If the type, purpose of use or sharing method of the important data changes, the organization should re-submit the report[8].
Although the 2021 Draft Guidelines are only a national standard and have no mandatory enforcement, once they come into effect, they will become the primary guidelines for relevant authorities to make the important data catalogues. They will also become a main reference when an enterprise identifies its own important data. Thus, we suggest that companies that may process data study the 2021 Draft Guidelines and prepare for their implementation when finalized.
[Note]