What You Need to Know about China’s Regulations on the Management of Network Data Security
Legal Development | 22 November 2024 | Asia Pacific | Regulatory risk
The new Regulations on the Management of Network Data Security (《网络数据安全管理条例》) [1] (the “Regulations”) were issued by the State Council of the People’s Republic of China (“China”) on 24 September 2024 and will come into force on 1 January 2025. With a focus on network data [2], the Regulations supplement and provide further guidance on China’s data security regulatory regime [3], clarify what “important data” is, and refine the protection of personal information and the rules on cross-border data transfer. In this newsletter, we set out the 8 key takeaways of the Regulations.
General provisions under the Regulations
- What kind of data processing activities will be covered by the Regulations?
The Regulations will apply to the supervision and management of network data processing activities within China, and to those personal information processing activities outside China that are subject to the China Personal Information Protection Law (“PIPL”) (i.e., overseas personal information processing activities which are conducted for the purpose of providing products or services to individuals in China, or which involve analysing and evaluating the behaviour of individuals in China).
The Regulations further provide that anyone who carries out network data processing activities outside China to the detriment of national security, public interest or the lawful rights and interests of citizens or organisations of China shall be held legally liable in accordance with the law.
Given the current state of technology, the Regulations will have a far-reaching effect on entities in China, as most data today are processed or handled through networks.
- Are there any reporting, record retention or security review requirements under the Regulations?
- Reporting obligation to the authorities: the Regulations require network data handlers to notify the relevant authorities within 24 hours of noticing any incident (such as a security flaw, vulnerability or other risk affecting network products or services) that may endanger China's national security or the public interest.
- Retention period of records: network data handlers who provide or entrust personal information or “important data” to other network data recipients are required to keep records of such provision for at least three years.
- National security review: network data handlers shall carry out a national security review, in accordance with the relevant state provisions in China, for any network data handling activities that might directly or indirectly impact national security.
Supplemental rules on the protection of personal information
- How do the Regulations supplement the PIPL?
China has one of the largest populations of internet users in the world, which means that a vast amount of personal information is collected, handled and processed on a daily basis. The Regulations largely follow the PIPL but clarify and supplement it on the following major aspects:
- Notification obligations: network data handlers are required to establish data policies in relation to their processing of personal information, and those policies must include the following information in order to fulfil their notification obligations to data subjects: the name and contact information of the network data handler; the purpose, manner and type of handling of personal information; the necessity of handling sensitive personal information and the impact on the rights and interests of individuals; and the methods and means by which individuals may access, copy, transfer, correct, supplement, delete or restrict the handling of their personal information, as well as cancel accounts and withdraw consent.
- Representatives for overseas network data handlers: foreign network data handlers who process personal information of individuals in China (for the purpose of providing products or services to individuals in China, or analysing and evaluating the behaviour of individuals in China) are required to establish a China-based specialised institution or designate a representative in China. The name and contact details of such dedicated institution or representative must be submitted to the local cyberspace administration department at the municipal level.
- Data portability: under the Regulations, individuals may require the network data handler to transfer their personal information to another network data handler if the following requirements are met: (a) the identity of the requestor can be verified, (b) data transfer is technically feasible, (c) personal information to be transferred was collected based on consent or contract, and (d) the transfer of personal information does not harm the legitimate rights and interests of others.
- Processing personal information of 10 million or more individuals: network data handlers who handle or process the personal information of 10 million or more individuals will be deemed “important data handlers” and are required to comply with additional obligations, including (a) setting up a dedicated network data security management body and appointing an officer who will be responsible for network data security, and (b) in the event of a merger, dissolution or bankruptcy that may have an impact on data security, submitting to the relevant regulators a ‘data disposal plan’ setting out how such “important data” will be safeguarded, together with the name and contact details of the recipient of the “important data”.
Supplemental rules on “important data”
- What does “Important Data” mean?
Definition: “important data” refers to data in a specific field, for a specific group or in a specific region, or data reaching a certain level of accuracy and scale, which, if tampered with, destroyed, leaked or illegally obtained or used, may directly endanger national security, economic operation, social stability, or public health and safety [4].
Even though this definition is still quite general, it shows that the identification of “important data” is not based solely on the inherent characteristics of the data, but also requires a comprehensive assessment of factors such as the business sector, the region and the specific nature of the data involved [5].
Under the Regulations, a national data security coordination mechanism will be implemented, and regional and industrial regulators will establish catalogues for identifying and safeguarding “important data”. Network data handlers will have to identify and report “important data” pursuant to the national standards and the applicable catalogues in order to fulfil their data security obligations.
- What are the additional compliance obligations for handling “important data”?
In addition to the abovementioned requirements of setting up a dedicated network data security management body and appointing an officer responsible for network data security [6], network data handlers will also need to:
- Conduct risk assessments before any data outsourcing or sharing: unless the processing is required for the performance of legal duties or obligations, “important data handlers” are required to conduct a risk assessment before providing “important data” to, entrusting it to, or jointly processing it with other parties, focusing on the legality and necessity of the processing, the risks of tampering, data leakage and unauthorised access, and the potential impact on national security, the public interest or the legal rights of individuals.
- Conduct an annual risk assessment: “important data handlers” are required to conduct an annual risk assessment of their network data handling activities and submit a risk assessment report to the relevant authorities, who will then share the report with the provincial-level cyberspace administration and public security departments.
Cross-Border Transfer of Network Data
- How can network data be transferred outside China?
The Regulations relax the existing rules on cross-border data transfers.
- Transfer of personal information: in addition to the usual routes of passing a security assessment, obtaining security certification from a qualified third party, or entering into a standard contract, network data handlers may transfer or share personal information overseas where the transfer (a) is necessary to perform statutory duties or obligations, (b) is necessary for the conclusion or performance of a contract, (c) concerns employee data and is necessary for cross-border human resources management, (d) takes place in an emergency (e.g. to protect the life, health or property of an individual), or (e) is permitted under other laws and regulations.
- Transfer of “important data”: any transfer of “important data” outside China will require passing a data export security assessment. While network data handlers are required to identify and report “important data” in accordance with the relevant national standards, the Regulations clarify that companies do not need to treat their data as “important data” unless such data has been officially recognised by the relevant regions or authorities as “important data”.
Large-Scale Network Platforms
- What are the obligations of Large-Scale Network Platform service providers under the Regulations?
“Large-Scale Network Platforms” are singled out under the Regulations and are defined as online platforms with over 50 million registered users or over 10 million monthly active users, with complex and diverse types of business, whose network data handling activities will significantly impact China’s national security, economic operation or public welfare.
Large-Scale Network Platform service providers are required to perform additional obligations, such as:
- Encouraging the use of the national network identity authentication public service to register and verify the identity of individuals;
- Publishing an annual social responsibility report on personal information protection, which should contain details of the measures taken to protect personal information and their effectiveness; and
- Not using network data, algorithms or platform rules to process user-generated network data through misleading, fraudulent or coercive means; not unjustifiably restricting users’ access to or use of the data they generate on the platform; not imposing unreasonable differential treatment on users or infringing their legitimate rights and interests; and not engaging in other activities prohibited by laws and regulations.
Others
- What are the penalties for non-compliance with the Regulations?
The penalties for non-compliance are generally consistent with those set out in the PIPL, CSL and DSL. Penalties under the Regulations range from fines and warnings to suspension of a network data handler’s operations or revocation of its business licence. Senior management and persons in charge could potentially be exposed to personal liability. That said, the Regulations provide comparatively more lenient treatment for network data handlers: for example, administrative punishments may be mitigated or waived for first-time offenders who rectify minor breaches in a timely manner, or where timely rectification is made without harmful consequences having been caused.
Conclusion
Under the Regulations, network data handlers who are also “important data handlers” may be required to report their ‘data disposal plan’ and the recipient information for “important data” to the relevant authorities in a corporate transaction, especially where the transaction may materially affect the security of “important data”. This is because, in such corporate transactions, parties will inevitably share confidential information (including “important data”) with external third parties, for example during the due diligence process in a merger, leaving “important data” vulnerable. With this reporting obligation in place, companies should adopt safeguarding measures during data disposal or transfer deals, such as using stronger encryption methods, employing access control and monitoring user activity.
The good news for network data handlers in corporate transactions is that the Regulations adopt a less restrictive approach to what is considered “important data”. As mentioned above, the Regulations clarify that companies do not need to treat their data as “important data” unless such data has been officially recognised or classified as “important data” by the relevant regions or authorities. Hence, no further action is required when handling such data in corporate transactions until the regulators notify otherwise.
The Regulations will work hand-in-hand with the CSL, DSL, PIPL and other relevant laws and regulations. Whilst the Regulations adopt a more business-friendly approach, they also provide practical guidance and clarification on the data compliance regime, so the Chinese regulators and authorities may take a more negative view of any non-compliance or breach.
As the Regulations will shortly come into force on 1 January 2025, network data handlers need to ensure that their internal data policies and documentation, including privacy policies, consent forms from data subjects, cross-border data transfer agreements and data processing procedures, are in full compliance before the effective date. Companies based overseas that do not have any China presence would be prudent to consider whether it is necessary to set up an organisation or appoint a representative in China if they fall within the extra-territorial scope of the Regulations.
[1] https://www.gov.cn/zhengce/content/202409/content_6977766.htm; China issues regulations on network data security management (www.gov.cn)
[2] “network data (网络数据)” refers to all electronic data (including, without limitation, personal information) processed, handled and generated through the network, and “network data handler (网络数据处理者)” is defined under the Regulations as a person or organisation who decides on the purpose and methods of network data processing activities (网络数据处理活动) (which include the collection, storage, use, processing, transmission, provision, disclosure and deletion of “network data”).
[3] The Regulations are formulated on the basis of the three main cyber-regulatory frameworks, the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the Personal Information Protection Law, as well as other laws.
[4] In general, data will be treated as non-important data if (a) the data is not designated as “important data” by the Chinese regulators, relevant departments or regions, or (b) the data is not classified as “important data” during self-assessment.
[5] Clients should also refer to the 2024 edition of the Negative List for Data Export in the China (Beijing) Pilot Free Trade Zone (Negative List), jointly issued by the Beijing Municipal Internet Information Office, the Beijing Municipal Bureau of Commerce and the Beijing Municipal Administration of Municipal Affairs Services and Data Administration. Although the Negative List only applies to one free trade zone in China, it sets out criteria for identifying “important data” across various industries, and provisions for exporting such data.
[6] Please refer to Q3: processing personal information of 10 million or more individuals.