On September 24, 2024, the State Council released the Regulations on the Management of Network Data Security (《网络数据安全管理条例》) ("Regulations").1 The Regulations focus on prominent issues related to Personal Information (PI), Important Data, and cross-border data transfers. The Regulations provide further detail and guidance on implementation concerning the Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL), China's principal laws governing data security. The Regulations will take effect on January 1, 2025.
Compared to the draft released for public comment three years ago,2 the final Regulations relax some compliance requirements, offering more practical and manageable guidelines for businesses operating in China. The key points of the Regulations are summarized below:
Personal Information Protection
The Regulations elaborate on several aspects of the PIPL regarding notification, consent, and the exercise of personal rights:
- Notification Requirements: The Regulations outline specific content and format requirements for fulfilling the obligation to inform PI subjects. This includes prominently displaying clear and accessible information on topics such as the purpose, methods, and types of PI being processed, especially Sensitive Personal Information (SPI), as well as how individuals can exercise their rights to access, correct, delete, and transfer their data (Art. 21).
- Consent for PI Processing: The Regulations emphasize basic requirements when obtaining personal consent, including prohibiting the collection of PI through misleading, fraudulent, or coercive measures. Separate consent is required for processing SPI such as biometrics or health data, and for handling the data of minors under the age of 14, for whom parental or guardian consent is mandatory (Art. 22).
- Exercise of Personal Rights: Individuals may request access, correction, deletion, or restriction of their PI. Network data processors must promptly comply with such requests and may not impose unreasonable conditions (Art. 23).
- Automatic PI Collection: In cases where automated technologies inadvertently collect unnecessary PI, or where user consent has not been obtained, the data must either be deleted or anonymized. If legal or regulatory data retention periods have yet to expire, the data processor must suspend all processing activity except for storage and necessary security measures (Art. 24).
- Dedicated Domestic Organizations or Representatives for Overseas Data Processing: For foreign data processors processing PI of individuals in China, the Regulations require the establishment of a dedicated institution or designated representative in China. The contact information for such dedicated institution or representative must be submitted to the cyberspace administration at the municipal level (Art. 26).
- Regular Compliance Audits: Network data processors are required to conduct regular compliance audits, either internally or through the professional organizations of which they are a member, to ensure their PI handling practices comply with relevant laws and regulations.
- Threshold for Important Data Processors: The threshold for considering a data processor as handling "Important Data" has been raised from PI of 1 million individuals to 10 million individuals (Art. 28). This adjustment reduces the burden on companies and narrows the scope of entities subject to stricter data protection rules, easing compliance requirements for businesses as well as for the authorities in a nation of 1.4 billion people. Network data processors handling PI exceeding the above threshold will be classified as "Important Data" processors and must meet additional compliance obligations. These include appointing a network data security officer, establishing a dedicated data security management organization, and fulfilling extra reporting requirements in cases of merger, division, dissolution, or bankruptcy that could significantly affect data security.
Important Data
The Regulations for the first time provide for a clear definition of "Important Data". The Regulations also provide more detail on compliance requirements for processors of Important Data, including identifying and reporting Important Data pursuant to the applicable Important Data catalogue, if any, appointment of a network data security officer and establishment of a data security management organization, conducting risk assessments when providing and sharing Important Data with other parties, and undertaking annual risk assessments.
- Definition of Important Data: The Regulations define "Important Data" as "data in specific fields, for specific groups, from specific regions or that reaches a certain scale or precision, which if compromised, could directly threaten national security, economic stability, social order, or public health and safety." The threatened fields may be defined quite broadly, but the threat thereto must be direct.
Although several regulations, such as the Provisions on Automobile Data Security Management (for trial implementation) and the Measures for Data Export Security Assessment, along with certain national standards, have referenced what might constitute Important Data, neither the CSL nor the DSL provided a clear definition. The Regulations mark significant progress by offering a clear definition of Important Data, emphasizing that its identification is not based solely on its inherent characteristics but also requires a careful evaluation of such factors as the business sector, region, and the specific nature of the data involved.
- Important Data Classification: A National Data Security Coordination Mechanism will be established to work with relevant authorities to establish catalogues of Important Data. Regional and industrial regulators will be responsible for identifying and safeguarding Important Data within their jurisdictions. Network data processors must identify and report Important Data in accordance with national standards. Relevant authorities will notify or publish data identified as Important Data, and processors will be required to fulfill their data security obligations (Art. 29).
- Appointment of a Data Security Officer and Establishment of a Data Security Management Organization: All processors of Important Data will be required to appoint a network data security officer and establish a data security management organization to perform the following responsibilities: implementing network data security management systems and emergency response plans; conducting regular monitoring, risk assessments, emergency drills, and staff training; and handling complaints and reports related to network data security.
The network data security officer must have relevant expertise and experience and must be a member of the processor's senior management, with the authority to report directly to regulatory authorities (Art. 30).
- Mandatory Risk Assessment Requirements for Data Outsourcing and Sharing: Under the Regulations, processors of Important Data must conduct a risk assessment before providing, commissioning, or jointly processing Important Data with other parties. Such assessment shall encompass several key factors: the legality, necessity, and appropriateness of the data processing activity; the risks of tampering, destruction, leakage, or unauthorized access, along with potential impacts on national security, the public interest, and individual rights; the integrity and legal compliance of the recipient; contractual safeguards ensuring the recipient's adherence to data security requirements; and the effectiveness of technical and management measures designed to prevent data breaches (Art. 31).
In a significant change from the previous draft, the final Regulations allow companies more flexibility in conducting risk self-assessments by removing the requirement for prior approval from the regulatory authority.
- Reporting Obligations in Case of Mergers, Divisions and Dissolutions: If a processor of Important Data undergoes a merger, division, dissolution, or bankruptcy that could materially affect data security, it must report the situation to the relevant provincial authority and submit a data disposition plan, including the name and contact information of the recipient of the Important Data (Art. 32).
- Annual Risk Assessment and Reporting Obligations: Processors of Important Data must conduct an annual risk assessment of their network data processing activity and submit a risk assessment report to the relevant provincial-level regulator which will share the report with the provincial-level cyberspace administration and public security bureau. Such report must include such information as basic information on the processor and its network data security management organization; the name and contact information of the network data security officer; the purpose, types, quantity, methods, scope, storage duration, and location of the Important Data; the implementation of network data security measures, such as encryption, backups, labeling, access controls, and certifications; identified data security risks and incidents, together with responsive measures which have been adopted; risk assessments for outsourced or joint processing activity; as well as details on any cross-border data transfers (Art. 33).
Cross-Border Data Transfer
The Regulations aim to provide more guidance to streamline cross-border data transfers based on CAC's existing regulations including the Measures for Data Export Security Assessment and the Standard Contract Measures for Outbound Transfer of Personal Information, as well as Provisions on the Promotion and Regulation of Cross-Border Data Flows.3 The Regulations specify the conditions under which network data processors can share PI with overseas entities, noting that data not designated as Important Data by the relevant authorities does not require a security assessment. After completing outbound transfer assessment, data processors must comply with the defined purposes, methods, scope, types, and scale for data export.
- Conditions for Outbound Data Transfer: Network data processors may share personal information with overseas entities if they meet any of the following conditions: (i) they have completed a data export security assessment led by CAC; (ii) they have received PI protection certification from an approved professional institution; (iii) they have completed the standard contract filing for transferring PI abroad; (iv) sharing PI is necessary for performing a contract involving the individual; (v) they have a need to provide employee PI for cross-border human resources management, pursuant to labor regulations and collective contracts; (vi) sharing PI is essential to meet legal responsibilities and obligations; (vii) sharing PI is necessary to protect individuals' life, health, and property in emergencies; or (viii) other conditions set by laws and regulations (Art. 35).
A significant addition to the conditions for outbound PI transfer under the Regulations is the stipulation that such transfers may occur "to meet legal responsibilities and obligations." Although it is still unclear whether these legal responsibilities and obligations are limited to Chinese law, this provision provides data processors with greater flexibility to transfer PI out of China to meet their legal obligations, in contrast to the conditions outlined in Article 38 of the PIPL.
- Outbound Transfer of Important Data: Network data processors which collect Important Data in China and wish to share this data overseas must undergo a data export security assessment. They are required to identify and declare Important Data in accordance with national regulations. However, data that has not been officially recognized as Important Data by the relevant authority does not need to be classified for purposes of a data export security assessment (Art. 37).
An important clarification is that the Regulations once again confirm that companies do not need to treat their data as Important Data unless such data is officially recognized by authorities as Important Data. This principle is consistent with CAC's Provisions on the Promotion and Regulation of Cross-Border Data Flows.
Obligations of Network Platform Service Providers
The Regulations impose additional compliance obligations on network platform service providers. For example, the Regulations define "Large Network Platforms" as "platforms with over 50 million registered users or more than 10 million monthly active users, with complex business types whose network data processing activity significantly impacts national security, economic operations, or public welfare."
Large network platform service providers are required to conduct annual network risk assessments and are prohibited from using network data, algorithms, and platform rules to engage in any of the following activities: processing user-generated network data through misleading, fraudulent, or coercive means; unjustifiably restricting users' access to or use of their network data generated on the platform; imposing unreasonable differential treatment on users, harming their legitimate rights and interests; or engaging in other activities prohibited by laws and administrative regulations.
Penalties
The Regulations generally align with the penalty clauses outlined in the PIPL, CSL, and DSL but provide more specific penalties for certain violations within the network data sector. They also include provisions for "leniency" regarding minor or corrected violations with limited consequences. For instance, Article 59 states that if a network data processor actively eliminates or mitigates the harmful effects of illegal activities, addresses minor violations promptly without causing harm, or commits a first offense with minor consequences that are quickly corrected, they may be eligible for reduction, mitigation, or waiver of administrative penalties in accordance with the Administrative Penalty Law.4
Free Trade Zone Data Export Negative List
The Beijing Commerce Bureau, in collaboration with the Beijing Cyberspace Administration and the Beijing Data Management Bureau, recently issued the 2024 edition of the Negative List for Data Export Management in the China (Beijing) Pilot Free Trade Zone ("Negative List").5
This is the first such list and sets out the criteria for identifying Important Data across various industries, including automotive, pharmaceuticals, civil aviation, retail, modern services, and artificial intelligence training data. The list provides unified standards for identifying Important Data, such as PI of more than 10 million individuals (excluding SPI), SPI of more than 1 million individuals, and SPI related to financial accounts, healthcare records, or other categories impacting more than 100,000 people.
Moreover, the Negative List provides clear guidance on the types of data subject to outbound data security assessments, filing of standard contracts, and PI certification.
For example, in the healthcare industry, "medical treatment, health conditions of large-scale groups, medical emergency data, and data related to specific drug trials" are considered Important Data. The threshold for "large-scale" is further clarified as "medical data involving 100,000 or more cases, images, pathology, blood tests, genetic tests, and other medical diagnostic data related to public health and safety, as well as electronic medical record databases, health archives of more than 100,000 individuals, and analytical results of such data."
In the aviation sector, "Important Data" encompasses "flight data recorder information related to civil aircraft accidents, cockpit voice recorder data, and health monitoring data for civil aircraft involved in accidents." Furthermore, specific thresholds for outbound security assessments are established based on different business scenarios. For example, in customer service scenarios—such as agent/distributor management, customer support, membership management, partnerships, and collaborations between airlines and non-airline entities—an outbound security assessment is required only when the cumulative amount of PI (other than SPI) provided abroad exceeds 5 million individuals, or when SPI provided abroad exceeds 100,000 individuals since January 1 of that year.
This Negative List offers more detailed provisions and enhances the existing legal framework for data exports. It significantly increases the thresholds for data export volumes and clarifies regulatory requirements for different industrial sectors. While the business community will welcome the introduction of this first Negative List, its application is limited to the data export activity of companies established within one free trade zone. Furthermore, the list does not provide specific guidance for data export activity in sectors other than automotive, pharmaceuticals, civil aviation, retail, modern services, and artificial intelligence training data. Nonetheless, the issuance of the Negative List constitutes a significant step forward in alleviating data export compliance obligations for companies within such free trade zone.
Footnotes
1 https://www.gov.cn/zhengce/content/202409/content_6977766.htm
2 https://www.cac.gov.cn/2021-11/14/c_1638501991577898.htm
3 https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
4 https://www.gov.cn/xinwen/2021-01/23/content_5582030.htm
5 https://sw.beijing.gov.cn/tzgg/202408/t20240830_3785174.html
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.