On March 21, 2024, China released the Data Security Technology - Rules for Data Classification and Grading, which will take effect from October 1, 2024.
The Rules further clarify how Chinese regulatory authorities will categorize different types of data as core data or important data requiring extra protection.
U.S. colleges and universities should understand the Rules to anticipate the types of data likely to be categorized as core data or important data and to start preparing to comply with existing restrictions on handling such data.
On March 21, 2024, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China (“TC260”) released the Data Security Technology - Rules for Data Classification and Grading (GB/T 43697-2024) (“Rules”), which will take effect from October 1, 2024. The Rules, which stipulate the basic principles, rules, and processes for data classification and grading, are relevant to any organization that meets the definition of a data handler under the Data Security Law or the Personal Information Protection Law (“PIPL”).
Data Security Law and PIPL Applicability to U.S. Higher Education Institutions
U.S. colleges and universities are data handlers subject to the Data Security Law when they handle any type of data within the borders of China, and they also may be subject to liability under the law if they handle data outside China in a manner that harms Chinese national security, public interests, or the rights and interests of Chinese citizens or organizations. The PIPL applies to U.S. colleges and universities as data handlers when they handle personal information (“PI”) within the borders of China (e.g., operating academic partnerships in China or conducting research in China) and/or when they handle PI outside China in order to provide products or services to individuals located in China (e.g., accepting and evaluating applications from prospective students in China) or to analyze or evaluate the behaviors of individuals located in China (e.g., conducting targeted advertising or health monitoring of clinical trial subjects in China).
The Data Security Law establishes a national data classification and grading protection system to provide categorized and hierarchical protection for data based on the importance of data in economic and social development and the degree of harm (to Chinese national security, the public interest, or the lawful rights and interests of individuals and organizations) that may be caused by data tampering, destruction, divulgence, or illegal acquisition or utilization of data. Under the Data Security Law, Chinese regulatory authorities are responsible for developing and publishing catalogs that classify and grade various types of data as core data, important data, or general data, and they must establish systems and rules for protecting data based on such classifications and grades (with core data being the most protected and general data being the least protected). In turn, under the Data Security Law and Article 51 of the PIPL, data handlers are responsible for identifying and documenting the data they handle in accordance with the classifications and grades determined by Chinese regulatory authorities, and they must protect the data in accordance with the systems and rules established by Chinese regulatory authorities.
Relevancy of the Rules to U.S. Higher Education Institutions
Chinese regulatory authorities have not yet developed such catalogs that classify and grade various types of data, but they have published some rules governing the protection of data based on how the data is classified and graded. For example, the 2021 Outbound Data Transfer Security Assessment Measures require data handlers to complete a Cyberspace Administration of China security assessment before transferring important data from China to a location outside China.
In response to confusion regarding how data handlers are supposed to identify core data and important data in order to comply with such rules in the absence of such catalogs, the Measures on Facilitating and Regulating Cross-Border Data Flows, which took effect March 22, 2024, clarify that data handlers should treat data as general data (the least protected category) unless and until it has been designated as important data by Chinese regulatory authorities, either through direct notification to the data handler or through the publication of catalogs (with the implicit understanding that data not deemed important data is also not deemed core data). This means that, until Chinese regulatory authorities publish catalogs of important data, institutions serving as data handlers should categorize all data that they handle as general data unless they have been directly notified otherwise. And, moving forward, after the catalogs are published, institutions need not worry about miscategorizing important data or core data as general data because they should have clear notice when the relevant data must be graded as important or core data; all other data can be graded as general data.
To help develop the catalogs categorizing important data, the Rules offer clear guidance to Chinese regulatory authorities on how to classify and grade data. While the Rules do not apply directly to data handlers, data handlers should understand them to better anticipate the types of data likely to be categorized as core data or important data. By anticipating the types of data likely to be categorized as core data or important data, data handlers can start preparing now to comply with existing restrictions on handling such data.
Data Classification
According to the Rules, data should first be classified by the industry that the data is associated with (e.g., industrial data, telecommunications data, financial data, energy data, transportation data, natural resources data, health data, education data, scientific data, etc.). Next, it should be classified according to business attributes of the data (i.e., business scope, business type, business functions, regulatory departments, target objects, business process, data subjects, content, data usage, data handling, data sources, etc.).
Certain data categories must be classified in accordance with the specific requirements of relevant laws and regulations. For example, PI can be classified as basic PI, personal identity information, personal biometric information, online identity information, physiological and health information, personal educational and professional information, personal property information, personal communication information, contact information, personal web surfing records, personal location information, other information, etc., in accordance with the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020). Data handlers may flexibly refine the data classification based on the requirements of data management and usage in combination with existing data classification and business attributes.
Data Grading
Pursuant to the data grading framework specified in the Data Security Law, the Rules grade data into three levels: 1) core data, defined as important data that has a high degree of coverage or reaches a high degree of precision, a large scale, or a certain depth in the field, group, or region, and that may directly affect political security if illegally used or shared; 2) important data, defined as data in certain fields, groups, or regions, or data reaching a certain level of precision and scale, that may directly harm national security, economic operation, social stability, or public health and safety if leaked, tampered with, or destroyed; and 3) general data, defined as data other than core data and important data. Both the impact target and the impact degree should be considered when determining the data grade (see the chart below). The Rules include examples of a “Particularly Serious Hazard,” a “Serious Hazard,” and a “General Hazard” for each impact target.
Implications for U.S. Higher Education Institutions
U.S. higher education institutions, when acting as data handlers subject to the Data Security Law and/or PIPL, should take the following measures now:
Conduct data mapping exercises to identify the data assets that are subject to the Data Security Law and/or PIPL and need to be classified and graded;
Establish internal policies and procedures for documenting data classification and grading, categorizing all data as general data unless and until it has been designated as important data by Chinese regulatory authorities, either through direct notification to the data handler or through the publication of catalogs;
Apply the policies and procedures to categorize the data as core data, important data, or general data;
As needed, implement processes to comply with existing laws and regulations governing the protection of core data, important data, and general data; and
Review and understand the Rules to anticipate the types of data that Chinese regulatory authorities may eventually designate as core data or important data and prepare to comply with applicable laws and regulations governing the protection of such data (e.g., prepare to complete a security assessment if transferring data from China that is likely to be categorized as important data).
As Chinese regulatory authorities develop catalogs categorizing data, institutions should regularly review and update their internal rules for data classification and grading.