
Freshfields Risk & Compliance


Beijing FTZ publishes rules for ‘important data’

Various Beijing authorities, including the Beijing branch of Cyberspace Administration of China, have jointly issued a negative list for outbound transfers of ‘important data’ applicable to organisations registered in the Beijing pilot free trade zone (Beijing FTZ). 

The Beijing FTZ negative list identifies specific examples of ‘important data’ in 23 specific scenarios within five different industry sectors: automotives, pharmaceuticals, civil aviation, artificial intelligence, and retail together with the so-called ‘modern service sector’[1]. Within four of these five sectors (excluding the automotive sector, which is governed by a different regime[2]), the usual thresholds for security assessment and standard contract filings for transfers of personal data have also been relaxed.

In addition, the Beijing FTZ authorities have also published ‘reference rules’ for classifying ‘important data’ in 12 general industrial sectors and areas (some of which overlap with the sectors covered by the negative list)[3].

The ‘reference rules’ themselves comprise relatively tight rules for certain categories of data within each sector (ie, sector-specific rules), alongside general rules that apply universally across all sectors.

The scheme of the rules is therefore highly complex. The Beijing FTZ has confirmed to us that:

  • the negative list only applies to the 23 scenarios explicitly regulated within the first five sectors
  • the ‘reference rules’ also apply in those first five sectors (ie, in scenarios that are not already addressed by the negative list)
  • the general ‘reference rules’ always need to be taken account of in every industry sector
  • within the specified categories/sub-categories in the second group of 12 industry sectors, the more specific reference rules should be applied in addition to the general rules.

What data is included on the negative list? 

Summary:

Auto
  1. Geographic and telemetric data relating to important sensitive areas such as military administrative zones, defence concerns, and party and government offices. “Information inappropriate to be published” generated from connected vehicle services provided to the government, defence concerns and other sensitive institutions. 
  2. Data reflecting economic conditions such as vehicle flows and logistics data. 
  3. Operational data from vehicle charging stations and grids “in certain areas”. 
  4. Video and image data from outside of vehicles that show faces, licence plates or road signs. 
  5. Operational data from ‘key’ connected vehicle services such as vehicle remote control and certain kinds of vehicle operating data (we believe the authorities’ underlying concern is the risk of remote manipulation of vehicles). 
  6. OTA data, including vehicle control and other ‘related information’.
  7. Security information for ‘key’ supply chains for connected vehicle services or other critical information infrastructure (such as facilities for communication and logistics).

Items 1 to 4 above are generally consistent with the categories of ‘important data’ identified in the Several Provisions on Vehicle Data Security Management.

Pharma

Diagnosis, treatment and other health and physiological information; clinical trial data; biometric data for specific groups “above a certain scale”. 

(The illustrative examples given suggest that ‘above a certain scale’ involves data related to more than 100,000 individuals, but this requires clarification.)  

AI

Any of the following kinds of data transferred for the purposes of training AI:

  1. high value sensitive data related to industrial competitiveness collected and generated in the process of R&D or design; and
  2. audio, images and text data that, once tampered with, destroyed, leaked, or illegally obtained or illegally used, may endanger national security, economic operation, social stability, and public health and safety. (This simply repeats the basic definition of ‘important data’ under the Data Security Law and is thus unilluminating as an inclusion on a negative list.)

No specific kinds of data are included for the retail and modern service sector. The negative list for civil aviation concerns aircraft accidents and isn’t relevant to list out here. 

As can be seen, the descriptions of several of the data types are ambiguous (eg, “information inappropriate to be published”; data that can reflect the operation status of the vehicle charging grid “in certain areas”, etc.), while other data types are described using unmeasurable qualifiers such as “above a certain scale”, “high-value sensitive data related to industrial competitiveness” and “important” medical/pharmaceutical information.

Further consultation with the Beijing FTZ management office will be needed to clarify the scope of the negative list where such ambiguities remain.

The ‘reference rules’

As mentioned above, the ‘reference rules’ comprise (i) three general and overarching rules on non-personal data that apply to all industrial sectors, and (ii) sector-specific rules for 12 industry sectors. The sector-specific rules are additional to the general rules within those 12 industry sectors.

The general rules

These are:

  • high-value, sensitive data related to the competitiveness or safety standards in the relevant industry collected and generated in the course of R&D design, manufacturing or business management processes
  • data related to supply chains that may impact national security 
  • the parameters of automatic control systems in ‘strategically-important’ sectors, and data related to the control, operation, maintenance and testing of any of those systems.

The sector-specific rules

The specific rules provide brief descriptions of data types that could be classified as ‘important data’ in 12 industry sectors. 

For example, for banks and insurance companies, ‘important data’ could include data related to business operations, system operations and security management of companies that handle transactions, accounts or policies of “important” enterprises or public institutions (including national defence concerns), or information about such customers themselves. 

For internet platform services, ‘important data’ could include all types of platform data to the extent the data could be used to achieve social mobilisation or to profile sensitive groups such as veterans, as well as data recorded and tracked for military and other government customers, etc.

The full list of specific rules in Chinese is available here.

Application and approval process 

In contrast to earlier classifications of ‘important data’ issued by the free-trade zone authorities in Shanghai and Tianjin, the Beijing FTZ rules lay down a more detailed process for security assessment and approval.

Applications should be reviewed within ten working days in total, including a preliminary step in which an organisation establishes its eligibility to use the Beijing FTZ review mechanism (ie, its establishment in the Beijing FTZ in an eligible sector, etc.). Each of the two stages of the application process is intended to be completed within five working days. In the second stage, detailed information will need to be provided about the type and amount of data to be transferred, the data transfer scenario, etc.

Within the 23 prescribed scenarios in the five sectors for which the Beijing FTZ has issued a negative list (ie, automotives, pharmaceuticals and AI), no security assessment (and no approval) is needed to transfer non-personal data that is not recorded on the negative list in the relevant prescribed scenarios. Only a filing would need to be made with the Beijing FTZ management office instead.

On the other hand, when organisations self-classify ‘important data’ based on the ‘reference rules’ they will need to submit to a full security assessment with provincial-level CAC. 

The Beijing negative list confirms that human genetic resource data constitutes ‘important data’ (which had been anticipated). However, the process for transfer of human genetic resource data will instead be governed by the Administrative Provisions on Human Genetic Resources (HGRAC) and its implementing rules (see earlier briefing here).

A general reservation is also made for data that is subject to export controls under the Technology Import Export Regulation.

Personal data as ‘important data’

The Beijing FTZ has also relaxed the national-level volume thresholds for cross-border transfers of personal data for certain activities in the pharmaceutical, civil aviation, AI, and retail and modern services sectors. For all other activities/ transfer scenarios within those sectors, the existing national-level thresholds will continue to apply (see earlier briefing here).

The rules do not provide for any relaxation in the automotive sector.

Pharma

Threshold for security assessment: transfer in a single calendar year of:

  1. the basic (profile) information of clinical trial participants (not including name and contact details) and diagnosis and health and physiological information:
     a. of more than 50,000 individuals in clinical trial and drug R&D scenarios
     b. of more than 100,000 individuals in pharmacovigilance, product complaint and medical consultation scenarios
  2. medical and health professionals, clinical trial researchers, and persons involved in pharmacovigilance reporting or who make product complaints, etc.:
     a. the personal data of more than 200,000 individuals
     b. the sensitive personal data of more than 100,000 individuals.

Threshold for standard contract and certification: transfer in a single calendar year of:

  1. as per item 1 above:
     a. more than 10,000 but fewer than 50,000 individuals
     b. more than 10,000 but fewer than 100,000 individuals
  2. as per item 2 above:
     a. the personal data of more than 10,000 but fewer than 200,000 individuals
     b. the sensitive personal information of more than 10,000 but fewer than 100,000 individuals.

Civil Aviation

Threshold for security assessment: transfer in a single calendar year related to aviation services (including ticketing and loyalty programs) of:

  1. the personal data of more than five million individuals
  2. the sensitive personal data of more than 100,000 individuals.

Threshold for standard contract and certification: transfer in a single calendar year related to aviation services (including ticketing and loyalty programs) of:

  1. the personal data of more than 500,000 but fewer than five million individuals
  2. the sensitive personal data of more than 100,000 individuals.

Retail

Threshold for security assessment: transfer in a single calendar year related to loyalty programs of:

  1. the personal data of more than five million individuals
  2. the sensitive personal data of more than one million individuals.

Threshold for standard contract and certification: transfer in a single calendar year related to loyalty programs of:

  1. the personal data of more than 500,000 but fewer than five million individuals
  2. the sensitive personal data of more than 100,000 but fewer than one million individuals.

AI

Threshold for security assessment: transfer in a single calendar year in the scenarios of model training, algorithmic development and product testing of:

  1. audio data/image data comprising the sensitive personal data of more than 50,000 individuals
  2. text data comprising the sensitive personal data of more than 100,000 individuals.

Threshold for standard contract and certification: transfer in a single calendar year in the scenarios of model training, algorithmic development and product testing of:

  1. audio data/image data comprising the sensitive personal data of more than 10,000 but fewer than 50,000 individuals
  2. text data comprising the sensitive personal data of more than 10,000 but fewer than 100,000 individuals.

Conversely, the following large sets of personal data in any of the 12 industry sectors covered by the sector-specific ‘reference rules’ are classified as ‘important data’. With the one exception noted below, overseas transfers of these data sets will generally need to pass a security assessment in any case, but will presumably be subjected to stricter standards of review (and perhaps can no longer be exported at all?).

  • the non-sensitive personal data of more than 10 million individuals
  • the sensitive personal data of more than one million individuals
  • the personal bank account, personal insurance account, other accounts registered by individuals or diagnosis and treatment data of more than 100,000 individuals (this threshold is lower than the national-level threshold for security assessment)
  • personal data of more than 100,000 individuals held by an operator of Critical Information Infrastructure (as designated by the relevant sectoral regulator).


[1]   eg, retail-related consumer services, hospitality (accommodation and catering), software and information technology services, internet information services and “other related enterprises”.

[2]   Several Provisions on Vehicle Data Security Management (in force since October 2021).

[3]   Strategic materials and bulk commodities; natural resources and environmental industries; heavy industry; the national defence sector; telecommunications; radio, television and online entertainment; financial services; transportation; hygiene, food and drugs; public security; internet services and e-commerce; science and technology. 
