On November 23, the Ministry of Industry and Information Technology (MIIT) released the Guidelines for Discretion in Data Security Administrative Penalties in the Field of Industry and Information Technology (for Trial Implementation) (Draft for Comment) (the "Draft"), which is currently open for public feedback until December 23, 2023.

The Draft consists of the main body and attachment, covering general provisions, jurisdiction of administrative discretion, situations triggering administrative penalties, rules for the application of discretion in administrative penalties, and discretionary criteria for administrative penalties. Regarding situations triggering administrative penalties, the Draft, firstly, establishes criteria based on the Data Security Law of the People's Republic of China, outlining three types of violations that will lead to administrative penalties: failure to fulfill data security protection obligations, illicit provision of data overseas, and non-cooperation with supervision. Secondly, it categorizes the severity of data security violations into levels such as "mild," "serious," and "severe," taking into account factors such as data classification and volume, duration of harm to public interest, direct economic losses, and the scope of impact.

(Source: Ministry of Industry and Information Technology of China)