On behalf of the 260 members of the US-China Business Council (USCBC), we appreciate the opportunity to submit comments on the Draft Data Security Administrative Measures for the Industry and Information Technology Sector.
USCBC received comments from companies across multiple sectors, including energy, automotive, information and communications technology, and manufacturing.
The draft serves as an important implementing measure to the recently enacted Data Security Law (DSL), and we welcome the clarity it brings to the sectoral management of data. Nonetheless, in light of industry concerns, USCBC and its member companies would urge the Ministry of Industry and Information Technology to consider the following suggestions.
- The data classification process should be simplified: Articles 8, 9 and 10 of the draft identify core data, important data, and general data as categories companies must prepare compliance procedures for. Managing the compliance requirements of these broad and vague categories will prove significantly burdensome to companies and may result in interruptions of company operations or negatively affect customer service in the People’s Republic of China. Simplification of the data classification process under the DSL would relieve some of the challenges arising from the law’s requirement to classify integrated data sets.
- Mandatory government reviews should be transparent and efficient: Companies note that their cross-border regulatory reporting on product incidents requires the free flow of information and data. This process demands swift collection and analysis of data from locations across the globe. However, Article 24 of the draft stipulates compulsory government cross-border data transfer reviews that may hamper or stifle the ability of companies to conduct these necessary procedures. Transparency and efficiency in the review process is essential to ensure safe and responsive services for companies serving Chinese customers.
- Localization of important data should not be required：The globally integrated information technology systems used by many multinational companies are designed to efficiently process data and make that data available to key decision-makers with the goals of ensuring efficiency, safety, and providing great customer service. Data localization as mandated by Article 24 undermines this process and makes data less secure by forcing companies to store data at a single access point. This will harm globally integrated systems that share important data, and adulterate the ability of companies to respond to security incidents and customer complaints. USCBC urges the Chinese government to reconsider requirements to localize important data, but if this is not possible, the scope of important data should at least be minimized to a degree that will not impede company operations.
- The draft should exclude personal information: Personal information is already regulated under the Personal Information Protection Law (PIPL). However, the draft includes personal information under the purview of data security in multiple places. Data security and privacy are distinct in their aim and management, and the inclusion of personal information in the draft increases the possibility of unnecessary regulatory overlap and conflict. This creates the potential for both companies and government agencies to hold varying views on data security obligations, which could lead to compliance and enforcement challenges. Excluding personal information from the draft would help avoid these pitfalls.
Our detailed article-by-article comments are attached in the Chinese version.