<!-- Source: https://melinasecurity.com/knowledge/china-compliance/dsl-important-data/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->


[DSL (Data Security Law / 数据安全法)](/knowledge/glossary/dsl/), effective 1 September 2021, establishes China's data classification and protection regime. Where [PIPL](/knowledge/china-compliance/pipl/) governs personal information specifically and the [Cybersecurity Law (CSL) / MLPS](/knowledge/china-compliance/mlps/) governs information-system protection, DSL governs **all data** — personal and non-personal — through a classification-and-protection regime.

For connected-product operators, the most consequential DSL concept is **Important Data (重要数据)** — a category that triggers heightened protection requirements, mandatory risk assessment, and explicit approval for cross-border transfer.

## DSL's data-classification framework

DSL operates through a tiered classification regime:

- **General data** — baseline protection requirements per general DSL provisions
- **Important Data (重要数据)** — heightened protection requirements, mandatory periodic risk assessment, explicit cross-border-transfer approval
- **National core data** (核心数据) — the strictest category, reserved for data relating to national security, the lifelines of the national economy, important aspects of citizens' livelihoods, and major public interests

The classification is sector-specific and determined through a combination of national-level catalogs, industry-specific guidance, and case-by-case assessment.

## What qualifies as Important Data

Important Data is defined as data that, if leaked or misused, could harm:

- National security
- The legitimate rights and interests of individuals or organizations
- Public interest

The definition is intentionally framework-level — operational meaning is provided through sector-specific catalogs and industry guidance. Sector regulators publish or update Important Data identification catalogs for industries under their oversight.

Important Data categories common across sectors include:

- Large-scale aggregated personal information (volumes typically defined by sector guidance)
- Data with national-security implications (defense, critical infrastructure operational data, certain geospatial data)
- Sector-specific operational data (automotive operational data, energy infrastructure, financial transaction-volume data)

### Automotive Important Data

For connected vehicles, the *Provisions on Several Issues concerning the Security Management of Automotive Data* and supporting guidance identify automotive Important Data categories that include:

- Geographic data of important sensitive areas
- Personal information involving more than 100,000 individuals
- Vehicle exterior video and image data
- Operational data of charging networks
- Other categories specified in sector guidance

Automotive operators handling these categories trigger DSL Important Data obligations regardless of other classification status.

### IoT and SaaS Important Data

For general IoT and SaaS, Important Data classification depends on:

- **Volume thresholds** — data sets above a specified volume typically trigger consideration
- **Sensitivity** — data sets containing categories like biometric, health, or financial information have lower volume thresholds for Important Data classification
- **Aggregation potential** — data sets that could be combined to enable surveillance or systemic harm

The case-by-case nature of IoT and SaaS Important Data classification makes it one of the higher-uncertainty DSL compliance areas — operators often need to assess each major data category against current sector guidance.

## DSL obligations for Important Data processors

Operators processing Important Data face additional obligations:

- **Designated person/department responsible** for data security
- **Periodic risk assessment** of data security posture, with results submitted to the relevant authority
- **Mandatory cross-border-transfer security assessment** before any Important Data leaves PRC territory
- **Incident reporting obligations** with accelerated timelines compared to general data incidents
- **Enhanced access-control and audit** measures aligned to the classification level

## DSL interaction with PIPL and MLPS

DSL's Important Data regime interacts with the other two China compliance pillars:

- **PIPL × DSL**: Personal information is one category of data covered by DSL; PIPL provides the detailed personal-information protection requirements within the DSL framework. Important Data can include personal information, in which case both PIPL and DSL Important Data obligations apply.
- **MLPS × DSL**: MLPS-classified systems often process Important Data; DSL Important Data obligations are layered on top of the MLPS technical baseline. The two are not substitutes.

## Cross-border transfer of Important Data

Cross-border transfer of Important Data **always requires CAC Security Assessment** — there is no SCC or certification alternative for Important Data transfer (unlike for non-Important personal information where SCC and certification mechanisms exist).

The CAC Security Assessment process for Important Data transfer is materially more rigorous than for personal-information-only transfer: it assesses the receiving party, the legal environment of the receiving jurisdiction, the necessity and proportionality of the transfer, and the security measures in place.

## Frequently asked questions

### How do we know if our data qualifies as Important Data?

In order of preference:

1. Consult the current sector-specific Important Data identification catalog published by your industry regulator
2. Consult the national-level Important Data identification guide (published by CAC)
3. Apply the framework-level definition — would a leak or misuse harm national security, individuals' rights, or the public interest?

For operators in sectors without published Important Data catalogs, case-by-case assessment with China-licensed legal counsel is typical.

### Does aggregating non-Important data create Important Data?

It can. Volume-based classification and aggregation-potential classification mean that data sets that individually do not qualify as Important Data may qualify in aggregate. Operators with large-scale data processing should periodically re-assess classification as data volumes grow.

### Can we use SCC for cross-border transfer of Important Data?

No. Cross-border transfer of Important Data requires CAC Security Assessment. SCC and certification mechanisms apply only to personal-information transfer below the Important Data threshold.

### Are research and development data Important Data?

It depends on the research domain. R&D data in defense, advanced manufacturing, and critical-infrastructure-relevant sectors often qualifies. R&D data in consumer-product domains typically does not, unless it includes large-scale aggregated personal information or other sector-flagged categories.

### How do we coordinate DSL compliance with our PIPL compliance work?

Run them as parallel tracks. DSL applies to all data; PIPL applies to personal information specifically. Operations that touch personal information have PIPL obligations layered on the broader DSL obligations. The technical controls overlap; the governance documentation is distinct per framework.

## Related

- [What is DSL?](/knowledge/glossary/dsl/)
- [PIPL pillar](/knowledge/china-compliance/pipl/) (companion framework)
- [MLPS pillar](/knowledge/china-compliance/mlps/) (companion framework)
- [Cross-Border Data Transfer pillar](/knowledge/china-compliance/cross-border-data-transfer/)
- [PIPL consent vs CAC assessment — FAQ](/knowledge/faq/pipl-consent-vs-cac-assessment/)

---

*Placeholder — pending founder + China-licensed legal review. Sector-specific catalog references and threshold values must be verified against current CAC and sector-regulator publications before publication.*
