Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 16
16
and PIPL is focused entirely on the regulation
of personal data, the DSL is concerned with
“important data” and “core data”, which may
include personal data, but are more likely to
be non-personal data identified as such by
reference to their importance to state interests
rather than privacy.
Extra-territorial application
Notably, the DSL extends the geographic scope
of Chinese data laws, applying to organizations
or individuals outside China if they carry out
data activities in such a way that may
undermine national security, other public
interests of China or the legitimate rights of any
citizens or organisations in China.
Core Data
The concept of “core data” was introduced to
the DSL as a last-minute inclusion, making its
terms of reference even more scant than
“important data”. The DSL broadly defines “core
data” as data related to China’s national
security, the lifelines of the national economy,
important people’s livelihoods and vital public
interests. The DSL provides that more stringent
requirements would be developed in respect
of core data.
Important Data
A key feature of DSL is a national data
security working coordination mechanism, a
procedure for the development of catalogues
of important data at the central level, while
local authorities and industry supervising
authorities will, in turn, identify important
data within their regulatory remits, as well as
specify enhanced protections applicable to
each category.
Further to the introduction of the concept of
important data in the DSL, CAC defines
“important data” for the first time in the
Measures for Security Assessment for
Cross-Border Data Transfers (effective from
September 1, 2022) as data which, if distorted,
Hogan Lovells
damaged, leaked, or illegally obtained or used,
may endanger national security, economic
operation, social stability, public health, and
security, etc. Subsequently, the definition of
important data has been further developed in
the Regulation on Network Data Security
Management (Network Data Regulation,
effective on January 1, 2025), as data
associated with specific field, specific group,
or specific region or with a certain degree of
accuracy and scale, which, once tampered
with, destroyed, divulged, illegally obtained or
illegally used, may directly endanger national
security, economic operations, social stability,
public health, and security.
In a relaxation that may prove to be
significant, the Provisions to Promote and
Regulate Cross-Border Data Transfers (CBDT
Provisions) (effective March 22, 2024) and the
Network Data Regulation state that, unless
industry or local regulators have published or
notified industry participants of a particular
type of data as being important data, such data
exportation will not be subject to a CAC
security assessment that applies to cross-border
transfer of important data.
The topic of “important data” continues to
cloud China’s data regulation landscape. There
has been some movement to define “important
data”, with a number of industry regulators
consulting on data catalogues and
classification rules.
On March 21, 2024, TC260 released the
non-binding national standard, GB/T 436972024 Data security technology — Rules for
data classification and grading (2024 Data
Classification GB), effective on October 1, 2024.
According to Article 6.5 (b) of the 2024 Data
Classification GB, data that meets any of the
following conditions is identified as important
data. The 2024 Data Classification GB also
provides that data that only affects
individual organisations or citizens is not
classified as important data E.g., data related to
