After a long wait, on September 30, 2024, China released the "Network Data Security Management Regulations" ("Regulations"). These regulations help clarify requirements under China's Cyber Security Law ("CSL"), the Data Security Law ("DSL"), and the Personal Information Protection Law ("PIPL"). These three (3) laws make up China's data privacy and security framework under which the regulations fall. The regulations present a somewhat less restrictive approach toward data privacy and security.
A few important aspects of the regulations that might affect your business are the following:
- Companies must make sure that their privacy policy lists the type of personal data collected, the purpose of its use, and if data is shared with third parties, the identity of the third parties receiving data.
- The right of data portability can be exercised if the data subject's identity can be verified, the data portability is technically feasible, it will not harm the legal interests of others, and the personal data has been collected based on consent or contract.
- The requirement that individuals be notified of data breaches within three (3) working days has been removed. Keep in mind, however, that if the data breach would endanger national security or the public interest, notification must be made within twenty-four (24) hours.
- Most companies will not have to be concerned about compliance obligations for "large network platforms," as such platforms are defined as having more than 50 million registered users or more than 10 million monthly active users.
- "Important Data" is defined as data in specific fields, for specific groups, from specific regions, or that reaches a certain scale or precision, which, if compromised, could directly threaten national security, economic stability, social order, or public health and safety. Data that is not "important data" does not require a security assessment prior to cross-border transfer. An additional exemption is that cross-border data transfer mechanisms are not required if the transfer is necessary to fulfill legal duties or obligations; however, the definition of legal duties or obligations is still somewhat unclear.
- Keep in mind that the new regulations regarding cross-border data transfers do not change the exemptions for outbound transfers of specific types of data, which were issued on March 22, 2024 ("Regulations on Cross-Border Data Flows"). Those exemptions provide that the transfer of non-sensitive personal information of fewer than 100,000 individuals, other than by critical information infrastructure operators, does not require Standard Contractual Clauses, a personal information protection assessment, or a data security assessment.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.