Original title: Navigating China’s New Regulations for the Administration of Network Data Security (first published on China Law & Practice, www.chinalawandpractice.com, on October 14, 2024)
● New administrative regulations are set to streamline and strengthen China’s regulation of data security
● The regulations have evolved significantly since they were released in draft form, with a number of requirements removed and others amended
● The Regulations cover all network data processing activities within China
● Companies will need to proactively take steps to comply, including by implementing data governance, real-time monitoring, cross-border transfer controls, and regular risk assessments
After being approved at the State Council’s 40th executive meeting, the full text of the final version of the Regulations for the Administration of Network Data Security (网络数据安全管理条例, the “Regulations”) was published on September 30, 2024. With these Regulations set to take effect on January 1, 2025, China continues to bolster its legal framework surrounding data security protection and governance. In the field of data security regulation, these Regulations can be regarded as the most important regulatory document following the Data Security Law (数据安全法) and cover many aspects related to network data, including the general obligations of network data handlers, the obligations related to the processing of personal information, the security management mechanism for important data, the regulation of cross-border flows of data, and the obligations of operators of network platforms, etc.
1► More Streamlined and Pragmatic
Compared to the draft of these Regulations released for public consultation by the CAC in November 2021, the final version of these Regulations reflects a more streamlined and pragmatic regulatory framework. The final version consolidates advancements in the data security regulatory framework over the past few years and places greater emphasis on aligning with existing legal and regulatory structures. This alignment is particularly evident in the adjustments made to the provisions regarding cross-border data security management.
(1) Key changes made
Several provisions in the draft, which were considered burdensome or controversial for companies engaging in network data processing activities, have been significantly revised or removed in the final version. Notable changes include:
a. The requirement for systems processing important data to comply with level three or higher cybersecurity classification protection standards and critical information infrastructure security requirements has been eliminated.
b. The final version no longer lists "listing in Hong Kong" as a trigger event for cybersecurity reviews. Instead, it emphasizes that “any network data processing activity that affects or may affect national security” must undergo a national security review.
c. The requirement for network data handlers to report and handle incidents involving the personal information of over 100,000 individuals has been replaced. The new rule mandates reporting to relevant authorities within 24 hours for incidents that “threaten national security or public interests”.
d. The provision requiring important data handlers to prioritize the purchase of “secure and trustable” products and services has been removed.
e. The obligation for important data handlers and those listing overseas to conduct an annual “data security review” has been replaced. Now, important data handlers are only required to perform “annual risk assessments” and submit reports. Furthermore, this requirement no longer applies to data handlers that list overseas.
f. The requirement for obtaining approval from regulatory authorities for “sharing, trading, or entrusting” the processing of important data has been removed. Currently, a “risk assessment” must be conducted before “providing, entrusting” the processing of important data or “jointly processing” important data.
g. Compared to the draft, the threshold at which network data handlers become subject to additional security obligations by reference to important data handlers has been raised from more than 1 million to more than 10 million individuals; furthermore, such handlers are no longer required to fulfill all obligations applicable to important data handlers, and only two additional obligations are imposed.
h. The obligation for network data handlers to prepare and submit an annual cross-border data transfer security report has also been removed from the final version.
i. The provision concerning the establishment of a cross-border security gateway has been deleted. In the final version, it is stipulated in principle that the State may prevent and dispose of cross-border security risks of network data.
(2) New principles and compliance obligations added
While the final version simplifies certain provisions, it also introduces new principles and compliance requirements:
a. Article 3 of the Regulations now states that “network data security management” must adhere to the leadership of the Communist Party of China and emphasizes the importance of implementing the overarching national security strategy.
b. Article 10 adds that network products and services provided by network data handlers must comply with mandatory national standards.
c. Article 19 introduces obligations for providers of Artificial Intelligence-Generated Content (“AIGC”), focusing on the security of training data and the data processing activities involved in AI model development.
d. Article 29 imposes an obligation on network data handlers to “identify and report important data” and requires relevant regional authorities to promptly inform handlers of the designation of important data or publish this information.
e. Article 30 mandates that the data security responsible person must be a member of the network data handler’s management team. It also requires background checks for the security officer and key personnel responsible for handling specific categories or scales of important data.
f. Article 33 requires large network platform providers that handle important data to provide detailed explanations of “key business operations”, “supply chain network security”, and other critical aspects as part of their annual data security assessment report.
This final version of the Regulations reflects a balanced approach by removing overly stringent or controversial provisions, while reinforcing other key areas to ensure national security and data protection. The result is a more feasible and well-aligned set of requirements for network data handlers, allowing for smoother implementation across various industries.
2► Applicable Scope and Definitions under the Regulations
The Regulations encompass “all network data processing activities” within China’s borders. Additionally, the Regulations extend to foreign entities’ overseas processing of the personal information of individuals within China’s borders under Article 3(2) of the Personal Information Protection Law (个人信息保护法, “PIPL”). In addition, if foreign entities process data that impacts Chinese nationals or national interests, the Regulations are also applicable. This broad scope ensures that any company, regardless of its geographical location, must comply if its activities involve Chinese data.
The Regulations define several important terms, and these definitions are intended to delineate the boundaries and scope of those to whom the Regulations apply:
“network data”: all electronic data processed or generated through networks, covering a vast spectrum from personal information to critical government or corporate data.
“network data handlers”: individuals and organizations that independently decide on the purpose of processing and the way of processing in network data processing activities.
“entrusted processing”: network data handlers entrusting individuals and organizations to carry out network data processing activities in accordance with the agreed purposes and methods.
“important data”: data for a specific field, a specific group, a specific area, or of a certain precision and scale, which, once tampered with, destroyed, leaked, or illegally accessed or illegally utilized, may directly jeopardize national security, economic operation, social stability, or public health and safety.
“separate consent”: specific and explicit consent given by an individual specifically for the specific processing of his/her personal information.
“large-scale network platform”: a network platform with more than 50 million registered users or more than 10 million monthly active users, with complex types of business, and with network data processing activities that have an important impact on national security, economic operation, and the national economy and people’s livelihood.
3► General Requirements for Network Data Handlers
Chapter 2 of the Regulations outlines general provisions applicable to all network data handlers, mainly including:
(1) Prohibition on Illegal Data Activities
Any individual or organization is prohibited from engaging in illegal activities by leveraging network data. Stealing or unlawfully obtaining network data, and illegally selling or providing network data to third parties, are clearly prohibited.
More importantly, the development or provision of tools specifically for conducting illegal data activities is prohibited. Providing “technical support”, such as network storage or internet access, to individuals or organizations known to be involved in illegal data activities is also prohibited.
(2) Implementing Data Security Management Systems
Network data handlers are required to implement data security management systems in accordance with laws and mandatory national standards. They are also held “responsible for the security of the data” they process and must adopt preventative measures against illegal activities that may target network data.
(3) Product and Service Compliance
All network products and services provided by data handlers must comply with “mandatory requirements” of national security standards. If security vulnerabilities or defects are discovered in these products, the data handlers must (i) take immediate steps to fix these issues; (ii) notify users of the vulnerabilities; and (iii) report the defects to the relevant authorities within 24 hours if they pose a risk to national security or public interest.
(4) Emergency Response Mechanism
Network data handlers must establish emergency response plans for handling network data security incidents. In the event of a security incident, handlers should: (i) immediately implement the emergency response plan to contain the risk; (ii) notify the relevant authorities; and (iii) inform affected individuals and organizations.
The Regulations also require that any discovery of “criminal activities” during the handling of a security incident must be reported to law enforcement agencies, including public security organs and national security organs.
(5) Data Sharing and Entrusting Controls
When a network data handler shares or entrusts the processing of personal or important data to another handler, they must: (i) define the purpose, scope, and security obligations in a contract with the recipient; (ii) supervise the recipient’s compliance with the agreed-upon obligations; and (iii) maintain records of such data sharing and entrusting activities for at least three years.
Both the original handler and the recipient must fulfill their respective data security obligations and must clearly define their rights and responsibilities if both parties jointly control data processing activities.
(6) National Security Review
Any data processing activities that “affect or could potentially affect national security” must undergo a “national security review” in accordance with relevant regulations. This ensures that data processing activities do not compromise national interests.
(7) Data Transfer and Continuity
If network data is transferred due to mergers, splits, dissolution, or bankruptcy, the recipient of the data must continue to meet the same security obligations as the original handler.
(8) Government and Public Services Data Handling
When government entities entrust the handling of “e-government systems” or public infrastructure data to third-party service providers, these providers must adhere to strict data security protocols. This includes: (i) following government-approved procedures for handling sensitive government data; and (ii) maintaining confidentiality and not misusing or unlawfully sharing the data.
Network data handlers involved in “public infrastructure, critical information infrastructure, or public services” must maintain the security, stability, and continuity of their services, and ensure no unauthorized access or use of data without prior consent.
(9) Automated Data Collection
Network data handlers using automated tools such as “network crawlers” for collecting data must ensure that their tools do not (i) illegally intrude into others’ networks, or (ii) disrupt the normal functioning of network services.
Handlers are required to evaluate the impact of their automated tools on network services and take steps to avoid negative consequences.
4► Specific Obligations for Personal Information Processing
The Regulations also reiterate robust rules for processing personal information, aligning with the rules set forth by the PIPL and the relevant implementing regulations. The Regulations emphasize transparency and the protection of personal data by establishing strict rules around consent, data subject rights, and the responsibilities of network data handlers. Key obligations include:
(1) Disclosure and Clear Personal Information Processing Rules
Network data handlers are required to provide clear and accessible personal information processing rules to the individuals whose data they handle. These rules must be easy to understand and must contain the required information. In particular, detailed information regarding the purpose, manner, and type of personal information collected, as well as information on network data recipients, should be set out in the form of a list or similar means.
(2) Obtaining Informed Consent and the Minimization Principle
If consent is relied upon as the legal basis of processing, network data handlers must ensure that individuals provide explicit consent before their personal information is collected or processed. This is particularly relevant when handling sensitive personal information, such as financial or biometric information. In addition, only the minimum amount of personal data necessary for a particular service or operation should be collected.
(3) Response to Data Subject Rights Requests
Network data handlers must provide convenient ways for individuals to exercise their rights in relation to their personal information and must not impose unreasonable restrictions on legitimate requests.
(4) Deletion and Anonymization of Personal Information
If personal information is collected unintentionally or without consent, network data handlers are required to delete or anonymize such information. Furthermore, when an individual requests to have their information deleted or upon account cancellation, the deletion or the anonymization also must be implemented.
(5) Data Transfer Requests
Network data handlers must allow individuals to transfer their personal information to another data handler upon request, provided the request is legitimate, technically feasible, and does not infringe on others’ rights.
(6) Compliance Audits
Network data handlers are required to regularly conduct or commission compliance audits to ensure that they are processing personal information according to legal and regulatory requirements. Considering that the Administrative Measures for Compliance Audit of Personal Information Protection (个人信息保护合规审计管理办法) will be issued and come into effect soon, companies concerned need to prepare for the conduct of personal information protection audits as soon as possible.
(7) Additional Requirements for Large-Scale Personal Information Processing
Network data handlers processing the personal information of over 10 million individuals are subject to additional obligations, namely compliance with two specific provisions (Article 30 and Article 32) applicable to important data handlers: the “designation of a data security officer and organization” and the “reporting of data transfers during corporate changes”.
5► Security Requirements for Important Data and the Handlers of Important Data
Chapter 4 of the Regulations outlines the requirements for the security management of important data, focusing on ensuring its protection and minimizing risks. It emphasizes strict risk assessment and reporting obligations for handlers of important data, requiring them to establish comprehensive security frameworks to protect important data and ensure compliance with national security protocols. Regular reporting and risk assessments are central to ensuring that important data is managed securely and transparently. The key requirements are as follows:
(1) Formulation of Important Data Catalogs
The “national data security coordination mechanism” will work with relevant authorities to formulate important data catalogs, and each region and department is responsible for determining the specific catalog of important data for its area or sector based on the classification and grading protection system.
Network data handlers must identify and report important data according to those rules. Relevant authorities must notify or publicly release the status of the data once it is confirmed as important.
(2) Designation of Data Security Officer and Organization
Handlers of important data must designate a data security officer and establish a data security management organization. The responsibilities of the data security management organizations are: (i) formulating and implementing data security management systems; (ii) carrying out regular risk monitoring, risk assessments, and emergency drills; and (iii) handling data security complaints and incident reports.
The security officer must have relevant knowledge and experience and should be a member of the handler’s management team, empowered to report directly to the relevant supervisory departments.
(3) Mandatory Risk Assessments
Before sharing, entrusting processing, or joint-processing important data, the data handler must conduct a “risk assessment” unless legally exempted.
The risk assessment must evaluate (i) the legitimacy and necessity of providing, entrusting, or joint-processing the important data; (ii) potential risks of tampering, destruction, leakage, or illegal access to the data, and the consequences on national security, public interests, or individual rights; (iii) the reputation and compliance record of the data recipient; (iv) whether the security measures outlined in contracts effectively bind the data recipient to comply with security obligations.
(4) Reporting Data Transfers During Corporate Changes
If important data is transferred due to corporate changes (e.g., mergers, splits, dissolutions or bankruptcies), the handler must take steps to ensure data security and notify the relevant authorities at provincial level about the details of the transfer and the recipient’s information.
(5) Annual Risk Assessments
Handlers of important data must conduct annual risk assessments on their data processing activities and submit a risk assessment report to supervisory authorities.
Large network platform service providers processing important data must also provide detailed information about the security of their key business operations and supply chain networks.
6► Cross-Border Data Transfer Requirements
The Regulations’ provisions on cross-border data transfer controls can be regarded as a summary and integration of the regulatory framework for cross-border data transfers that has been established by the major regulations and policies introduced over the past three years, namely the Measures for Data Export Security Assessment (数据出境安全评估办法), the Measures for the Standard Contract for Cross-border Transfer of Personal Information (个人信息出境标准合同办法), and the Provisions on Promoting and Regulating Cross-border Data Flows (促进和规范数据跨境流动规定).
(1) Establishment of National Coordination for Cross-Border Data Security
CAC will coordinate with other departments to establish a special mechanism for managing cross-border data security. This mechanism is responsible for formulating policies related to cross-border data security management and for handling significant cross-border data security issues.
(2) Conditions for Cross-Border Personal Information Transfers
On top of Article 38 of the PIPL, the Regulations provide that network data handlers may transfer personal information outside of China if they meet one of the following eight conditions: (i) passing the data export security assessment organized by the CAC; (ii) obtaining personal information protection certification from a professional institution recognized by the CAC; (iii) signing a standard contract formulated by the CAC; (iv) the transfer is necessary for contract fulfillment where an individual is a party to the contract; (v) the transfer is necessary for cross-border human resources management, according to legally implemented labor rules or collective contracts; (vi) the transfer is required for the fulfillment of legal duties or legal obligations; (vii) in emergency situations, where it is necessary to protect the life, health, or property of individuals; or (viii) any other conditions stipulated by laws, administrative regulations, or the CAC.
(3) Important Data Transfers
Network data handlers wishing to transfer important data collected within China to foreign entities must undergo a data export security assessment organized by the CAC. However, the cross-border transfer of data that has not been identified or published as important is not required to pass the data export security assessment.
(4) Prohibition Against Undermining Cross-Border Data Security
Individuals and organizations are prohibited from providing tools, programs, or support designed to circumvent data security measures implemented for cross-border transfers. Entities involved in disrupting or bypassing technical measures that protect cross-border data transfers may face penalties. This provision is still regarded as the legal basis for the Chinese government to penalize attempts at “Fanqiang”, i.e., accessing websites or applications that are blocked by China’s state-managed firewall.
7► Obligations for Platform Operators
The Regulations also establish the responsibilities and obligations of “network platform service providers”, with a focus on ensuring data security across their platforms, monitoring third-party service providers, and safeguarding user rights. The emphasis on personalization control, third-party monitoring, and annual transparency reports showcases China’s intent to foster a more accountable and secure data environment for both platform operators and users.
(1) Third-Party Product and Service Provider Obligations
Network platform providers must define the data security obligations of third-party product and service providers that access their platform, either through platform rules or contractual agreements. In addition, the platform must ensure that third-party providers implement adequate data security measures.
It is noteworthy that the above obligations also apply to smart device manufacturers that allow third-party applications to be pre-installed on their devices.
(2) Application Verification and Security
Providers of application distribution services must establish verification rules and conduct checks to ensure the security of applications distributed via their platforms. If an application violates laws, regulations, or mandatory national standards, the platform must take appropriate measures, such as warnings, suspension, or termination of distribution.
(3) Automated Decision-Making and Personalization Controls
Platforms that use automated decision-making to deliver personalized recommendations must offer users clear, easily accessible options to opt out of personalized content. Users should also be able to delete personal tags used for recommendation purposes. This requirement aligns with the requirements provided by the Provisions for the Administration of Algorithmic Recommendations in Internet Information Services (互联网信息服务算法推荐管理规定).
(4) National Network Identity Authentication
The Regulations encourage platforms to support the National Network Identity Authentication service, allowing users to register and verify their real identities using government-approved systems.
(5) Special Obligations for Large Platform Operators
a. Large platform operators must publish an annual Personal Information Protection Social Responsibility Report, detailing the measures taken to protect personal information, user requests for exercising rights, and the actions of external personal information protection bodies.
b. Large platforms must comply with cross-border data transfer security management requirements, ensuring that appropriate technical and management measures are in place to mitigate security risks related to international data transfers.
c. Large platforms are prohibited from engaging in deceptive, fraudulent, or coercive activities related to user data. Additionally, large platforms must not unfairly restrict users from accessing or using their own data generated on the platform.
8► Regulatory Oversight and Responsibilities
The Regulations designate the CAC as the lead authority responsible for overseeing network data security. The CAC, along with other government agencies such as the Ministry of Public Security and Ministry of National Security, is tasked with: (i) conducting checks and ensuring compliance with data security regulations; (ii) overseeing cross-border data transfers and conducting national security reviews; and (iii) investigating data breaches and enforcing corrective measures for non-compliant companies.
Local and other sectoral regulatory authorities also play a role in monitoring companies’ data security practices and are empowered to request documents, inspect systems, and even suspend services in cases of non-compliance.
Conclusion
The Regulations represent a critical component of China’s growing regulatory landscape aimed at protecting important data, national security, and personal information. For companies, the key to compliance lies in a proactive approach that integrates strong data governance, real-time monitoring, cross-border transfer controls, and regular risk assessments. The high penalties and strict enforcement mechanisms underscore the importance of prioritizing data security as an integral part of business strategy.
The new Regulations are a clear signal of China’s commitment to data sovereignty. By understanding and adhering to these requirements, companies operating in or interacting with the Chinese market can not only avoid legal pitfalls but also strengthen their position as trusted entities in a rapidly evolving digital environment that is placing ever greater importance on data security and privacy.