The Data Security Law (DSL, 数据安全法), effective 1 September 2021, establishes China’s data classification and protection regime. Where PIPL governs personal information specifically and the Cybersecurity Law (CSL) / MLPS governs information-system protection, DSL governs all data, personal and non-personal.
For connected-product operators, the most consequential DSL concept is Important Data (重要数据) — a category that triggers heightened protection requirements, mandatory risk assessment, and explicit approval for cross-border transfer.
DSL’s data-classification framework
DSL operates through a tiered classification regime:
- General data — baseline protection requirements per general DSL provisions
- Important Data (重要数据) — heightened protection requirements, mandatory periodic risk assessment, explicit cross-border-transfer approval
- National core data (核心数据) — the strictest category, reserved for data relating to national security, the lifelines of the national economy, important aspects of citizens’ livelihoods, and major public interests
The classification is sector-specific and determined through a combination of national-level catalogs, industry-specific guidance, and case-by-case assessment.
What qualifies as Important Data
Important Data is defined as data that, if leaked or misused, could harm:
- National security
- The legitimate rights and interests of individuals or organizations
- Public interest
The definition is intentionally framework-level — operational meaning is provided through sector-specific catalogs and industry guidance. Sector regulators publish or update Important Data identification catalogs for industries under their oversight.
Important Data categories common across sectors include:
- Large-scale aggregated personal information (volumes typically defined by sector guidance)
- Data with national-security implications (defense, critical infrastructure operational data, certain geospatial data)
- Sector-specific operational data (automotive operational data, energy infrastructure, financial transaction-volume data)
Automotive Important Data
For connected vehicles, the Provisions on Several Issues concerning the Security Management of Automotive Data and supporting guidance identify automotive Important Data categories that include:
- Geographic data of important sensitive areas
- Personal information involving more than 100,000 individuals
- Vehicle exterior video and image data
- Operational data of charging networks
- Other categories specified in sector guidance
Handling any of these categories triggers DSL Important Data obligations for the automotive operator, regardless of other classification status.
IoT and SaaS Important Data
For general IoT and SaaS, Important Data classification depends on:
- Volume thresholds — data sets above a specified volume typically trigger consideration
- Sensitivity — data sets containing categories like biometric, health, or financial information have lower volume thresholds for Important Data classification
- Aggregation potential — data sets that could be combined to enable surveillance or systemic harm
The case-by-case nature of IoT and SaaS Important Data classification makes it one of the higher-uncertainty DSL compliance areas — operators often need to assess each major data category against current sector guidance.
DSL obligations for Important Data processors
Operators processing Important Data face additional obligations:
- Designated person/department responsible for data security
- Periodic risk assessment of data security posture, with results submitted to the relevant authority
- Mandatory cross-border-transfer security assessment before any Important Data leaves PRC territory
- Incident reporting obligations with accelerated timelines compared to general data incidents
- Enhanced access-control and audit measures aligned to the classification level
DSL interaction with PIPL and MLPS
DSL’s Important Data regime interacts with the other two China compliance pillars:
- PIPL × DSL: Personal information is one category of data covered by DSL; PIPL provides the detailed personal-information protection requirements within the DSL framework. Important Data can include personal information, in which case both PIPL and DSL Important Data obligations apply.
- MLPS × DSL: MLPS-classified systems often process Important Data; DSL Important Data obligations are layered on top of the MLPS technical baseline. The two are not substitutes.
Cross-border transfer of Important Data
Cross-border transfer of Important Data always requires CAC Security Assessment — there is no SCC or certification alternative for Important Data transfer (unlike for non-Important personal information where SCC and certification mechanisms exist).
The CAC Security Assessment process for Important Data transfer is materially more rigorous than for personal-information-only transfer: it assesses the receiving party, the legal environment of the receiving jurisdiction, the necessity and proportionality of the transfer, and the security measures in place.
Frequently asked questions
How do we know if our data qualifies as Important Data?
In order of preference:
- Consult the current sector-specific Important Data identification catalog published by your industry regulator
- Consult the national-level Important Data identification guide (published by CAC)
- Apply the framework-level definition: would a leak or misuse harm national security, individuals’ rights, or public interest?
For operators in sectors without published Important Data catalogs, case-by-case assessment with China-licensed legal counsel is typical.
Does aggregating non-Important data create Important Data?
It can. Volume-based classification and aggregation-potential classification mean that data sets that individually do not qualify as Important Data may qualify in aggregate. Operators with large-scale data processing should periodically re-assess classification as data volumes grow.
Can we use SCC for cross-border transfer of Important Data?
No. Cross-border transfer of Important Data requires CAC Security Assessment. SCC and certification mechanisms apply only to personal-information transfer below the Important Data threshold.
Are research and development data Important Data?
It depends on the research domain. R&D data in defense, advanced manufacturing, and critical-infrastructure-relevant sectors often qualifies. R&D data in consumer-product domains typically does not, unless it includes large-scale aggregated personal information or other sector-flagged categories.
How do we coordinate DSL compliance with our PIPL compliance work?
Parallel-tracked. DSL applies to all data; PIPL applies to personal information specifically. Operations that touch personal information have PIPL obligations layered on the broader DSL obligations. The technical controls overlap; the governance documentation is distinct per framework.
Placeholder — pending founder + China-licensed legal review. Sector-specific catalog references and threshold values must be verified against current CAC and sector-regulator publications before publication.