DCC
Data Compliance China
Search · ⌘K
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
Back
§ 008 · IMPORTANT-DATA

How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan

Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.

DCC Editorial SOURCE · ZH .MD ↓

Editor’s Note — DCC.

“Important data” (重要数据) is a uniquely Chinese legal concept that overseas compliance teams stub their toes on more often than any other piece of vocabulary in the regime. Wang Qinglan — legal-tech PhD, post-doctoral computer scientist, head of compliance at a Chinese data exchange — wrote this piece as a deliberately plain-language explainer. The 邪修 (“unorthodox”) shortcut in her title is the part most compliance practitioners will find immediately useful: a thought experiment that captures the regulatory intent better than any of the formal definitions. We summarize her argument with DCC framing for overseas counsel, including the international comparison and the identification method — but the metaphor at the heart of this piece is hers.

What “important data” is — and isn’t

Wang frames important data as the VIP tier of the Chinese data classification regime. Two attributes define it:

  • Importance — the data relates to a specific sector (e.g., finance, telecom, healthcare), a specific population (e.g., military, government), or a specific geography (e.g., classified locations); or it has unusual precision (e.g., high-precision maps); or it has unusual scale (e.g., statistics on 10 million people).
  • Harm severity — if the data were tampered with, damaged, leaked, unlawfully acquired, or misused, the consequence could threaten national security, disrupt economic order, undermine social stability, or affect the health and safety of the population.

The DSL formalized a three-tier classification in 2021: general data (一般数据), important data (重要数据), and core data (核心数据). Important data and core data are the protected tiers. Core data is the VVIP — data so important that its compromise would cause “major trouble” for the state.

Why China created the category — and why no one else has

Wang’s historical note: “important data” first appeared in Article 37 of the Cybersecurity Law (2016), which required Critical Information Infrastructure Operators to store important data domestically and run a security assessment before any cross-border transfer. The Data Security Law (2021) then built out the classification-and-grading regime and the important-data protection framework. China is, by Wang’s reading, the first major jurisdiction in the world to make “important data” a defined legal concept.

The point of the category, Wang argues, is proactive perimeter-drawing. Western jurisdictions tend toward reactive mechanisms: national security review of specific transactions, export controls on specific items, CFIUS-style screening for specific deals. China codifies the perimeter up front: a defined category of data, with mandatory localization and pre-export assessment, regardless of who is moving it or why.

She compares the four major non-Chinese approaches:

  • United States — Controlled Unclassified Information (CUI). Created by Executive Order 13556 (2010). Covers law-enforcement information, personal privacy, trade secrets, and national-security-adjacent sensitive data. But: CUI only governs data held by federal agencies, not the private sector’s own data. Cross-border CUI transfer is restricted through a patchwork — Export Control Reform Act for military and dual-use tech; CFIUS review for transactional risk; intelligence-sharing agreements; sector-specific health-data and financial-data rules. There is no single CUI cross-border regime.
  • European Union — GDPR adequacy. GDPR contains no “important data” category and no “national security data” category. Its cross-border regime is centered on individual privacy: data may flow to a third country if the European Commission has issued an “adequacy decision” recognizing that country’s protection level (Japan, Korea, the UK, etc. have it; the U.S. operates through the Data Privacy Framework). Where adequacy is absent, transfer requires Standard Contractual Clauses, Binding Corporate Rules, or another safeguard. National security exceptions exist at member-state level (France and Germany invoke them for defense and CII data) but there is no EU-wide important data concept. The Data Act and Data Governance Act protect non-personal data through trade-secrecy and access-restriction routes, not through a defined sensitivity category.
  • Japan — APPI plus CII Security Law. Japan secured EU adequacy in 2019 (first Asian country to do so). Its APPI requires consent or contractual safeguards for cross-border PI transfer. The CII Security Law layers security obligations onto operators of critical systems. No explicit “important data” catalogue — instead, guidance and industry standards identify “important personal information” or “sensitive information” requiring additional protection. The Japan model: high PI protection + sector security law, in exchange for international data flow.
  • Korea — PIPA plus security legislation. Korea earned EU adequacy in 2021 (second in Asia). PIPA restricts cross-border PI transfer absent consent or comparable safeguards. Defense and intelligence-sector data is restricted by special legislation. Korea trades off slightly more openness against China’s more closed approach to participate in the global digital economy.

The closest international parallel to “important data,” Wang notes, is Vietnam, which has adopted a similar concept but has not yet promulgated implementation rules.

Why cross-border is the choke point

The reason important data attracts so much attention, Wang argues, is that the cross-border vector is where the national-security risk crystallizes. Domestic mishandling of important data is an internal problem; cross-border mishandling becomes a potential weapon in the hands of a foreign actor.

The Chinese cross-border important-data regime:

  • Default localization. Important data, as a rule, must be stored within China (DSL + CSL).
  • Pre-export security assessment. Cross-border transfer requires a security assessment under the Measures for the Security Assessment of Data Export (2022). CIIO transferors must run the assessment for any important data; other transferors must run it for important data they transfer.
  • No alternative path. Unlike personal information — which has three cross-border pathways (security assessment / standard contract / certification) — important data has only one path: security assessment. There is no SCC or certification shortcut.
  • The 2024 exemption. The Provisions on Promoting and Regulating Cross-Border Data Flow (March 2024) introduced a critical practical relief: if no regulator or sectoral catalogue has notified you that your data is “important data,” you are not required to declare it as such. The data transfer will not be deemed unlawful for failure to treat it as important data. This shifts the identification burden away from a pure self-assessment posture and toward a regulator-led notification model.

Three methods to identify important data in practice

This is the operationally useful core of Wang’s piece. Three identification methods, applied in sequence:

Method 1 — Sectoral catalogue or guideline

“Whoever supervises is responsible for identifying” (谁主管谁负责). Each sector regulator is expected to publish its own important-data catalogue and identification rules. Some examples:

  • Geographic / surveying data — Ministry of Natural Resources.
  • Financial data — People’s Bank of China + financial-sector regulators.
  • Automotive dataAutomotive Data Security Management Provisions (Trial) (2021) listed vehicle traffic data and charging-network operational data as important data. The Automotive Data Export Security Guide (2026 Edition) (8 ministries, Jan 2026) added 27 categories / 51 important data items across R&D, manufacturing, autonomous driving, OTA, and connected-operations scenarios — the first sector-level “full catalogue” published.
  • Telecom / industrial data — MIIT-led, with sector standards still developing.

For sectors with published catalogues, identification is a checklist exercise.

Method 2 — National standard reference

Where no sectoral catalogue exists, the operational reference is GB/T 43697-2024 (Data Security Technology — Rules for Data Classification and Grading) and its Annex G — Important Data Identification Guide. Annex G provides identification dimensions (sector / population / geography / aggregation effect / precision) that compliance teams can apply to their own data sets.

This is still a self-assessment posture — but anchored to a national standard rather than free-form judgment.

Method 3 — The “unorthodox” thought experiment

Wang’s contribution to the operational literature is what she calls the 邪修 (“unorthodox”) method: a plain-language thought experiment that captures the regulator’s underlying intent.

“If a hostile foreign actor obtained this data, could they use it to cause trouble for China — politically, economically, socially, or for public health and safety?”

If the answer is probably yes — treat it as important data, regardless of whether any sectoral catalogue has named it.

Her illustrative example: a data exchange’s subsidiary aggregated bulk transaction data and sold it to a foreign institution. The aggregated data was then used in foreign analyses framing the Chinese economy as collapsing — which the regulator viewed as a national-security harm. The company was sanctioned. The thought experiment, applied prospectively, would have caught this.

Wang’s framing: this is not a substitute for the formal identification methods, but a cross-check. When the catalogue says no but the thought experiment says yes — escalate. When the thought experiment says no — most ordinary business data will not become important data merely through aggregation.

Free-trade-zone negative lists (regional supplement)

Beyond the three sector-and-national methods, Free Trade Zones (FTZs) have been permitted to publish their own data-export negative lists. Data on the negative list is “important” within the FTZ — needing security assessment for export. Data off the list flows freely.

FTZ negative lists currently published include Tianjin, Beijing (the 2025 version expanded to all of Beijing with 9 sectors / 67 scenarios / 612 fields), Shanghai, and Guangxi. The negative-list mechanism is the most practical operational tool overseas teams can leverage when transferring data through these regions.

What Wang’s piece tells overseas compliance teams

The piece reads as a primer for a Chinese audience, but four implications matter operationally for overseas counsel:

  • You probably aren’t holding important data by accident. The 2024 CBDF Provisions Article 3 / 4 exemption — “if no regulator has notified you and your data isn’t on any published catalogue, you don’t need to declare it as important data” — is the most important practical relief in this regime. For most ordinary business data, a documented self-assessment showing the absence of catalogue inclusion is sufficient.
  • Sector catalogues are the dominant identification vector going forward. The 2026 automotive guide is the template. Compliance teams in finance, healthcare, telecom, geographic / surveying, and AI sectors should expect to operate against published catalogues within 12–24 months. Build the classification framework against an evolving catalogue, not against a static one.
  • Aggregation is the most common failure mode. Wang’s case — bulk transaction data + foreign sale + adverse analytical use — is the canonical important-data failure pattern. Compliance teams should pay particular attention to the aggregation step, not just the source data classification.
  • FTZs are the operational lever. If a multinational has operations in Beijing, Shanghai, Tianjin, or other FTZ-hosting zones, the negative-list mechanism is the cleanest way to operate cross-border. Map flows to negative lists where possible; flows outside the list move under the standard exemption.

The deeper point in Wang’s piece is that the Chinese important-data regime is a different architecture of cross-border data control, not a more or less strict version of the GDPR-style adequacy regime. Overseas teams that internalize the Subject × Object framework (see DCC’s Overview page) and the sector-catalogue identification pattern will operate the regime efficiently. Teams that try to retrofit the Chinese regime into Western analogies will spend the next few years frustrated.

— Wang Qinglan (王青兰), 重要数据咋判断?这招”邪修”办法,小白也能看懂! (How to Identify Important Data? An Unorthodox Method Even Beginners Can Understand), 青兰数据观察 WeChat Official Account, October 16, 2025. Original article (Chinese).

Not legal advice. The above is DCC’s structured summary of Wang’s commentary; not a verbatim translation. The author’s views are her own and do not represent her employer.

FILED UNDER

— Not legal advice.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.