On September 30, 2024, the State Council of China published the Regulations on Administration of Network Data Security (the “Regulations”), which will take effect on January 1, 2025. The Regulations cover multiple dimensions of network data security, including personal information protection, security of important data, cross-border transfers, the obligations of network platform service providers, and regulatory supervision and administration. Some of the key provisions are summarized below. In general, most of the provisions of the Regulations can already be found in other existing laws and regulations of China.
Scope of Applicability
The Regulations apply to “network data handlers,” defined as individuals and organizations that autonomously decide on the purpose and manner of processing in network data processing activities. Network data processing activities, and the related regulatory supervision and administration activities, are subject to the Regulations.
Additionally, activities outside of China involving the processing of personal information of individuals in China are subject to the Regulations, i.e., data handlers subject to the extra-territorial jurisdiction of the Personal Information Protection Law (“PIPL”).
General Provisions
The Regulations include the following general obligations:
- Technical measures: network data handlers should implement multiple levels of cybersecurity protection, including measures such as encryption, back-ups, access control, security certification, and other necessary measures to protect data security.
- Data breach reporting: network data handlers are subject to certain data breach reporting requirements, both towards the competent authorities and towards the impacted individuals and organizations.
- Entrusted processing: network data handlers should supervise the fulfillment of obligations by entrusted parties (e.g., vendors). Records of the processing of personal information and important data by entrusted parties shall be retained for at least three years.
Protection of Personal Information
The Regulations contain specific provisions regarding personal information, including:
- Processing rules: the Regulations specify the required content of personal information processing rules, which should include the purpose and means of processing, the categories of personal information collected and provided to other network data handlers, and the data recipients.
- Data portability: compliance with the right of data portability is subject to certain conditions, including verification of the identity of the data subject who submits the request, the transfer of personal information being technically feasible, and the transfer of personal information not jeopardizing the legitimate rights and interests of others.
- Representative: foreign network data handlers subject to the extra-territorial jurisdiction of the PIPL should establish a special agency or appoint a representative in China and report the name of the agency or representative and contact information to the district-level cyberspace administration office.
- Processing data of more than 10 million individuals: network data handlers processing the personal information of more than 10 million individuals are subject to certain obligations that otherwise apply to handlers of important data.
- Compliance audit: network data handlers should conduct regular compliance audits. Such an audit may be conducted by the network data handler itself or by a third party on its behalf.
Important Data
According to the Regulations, important data refers to data in a specific field, a specific group, a specific region, or of a certain precision and scale, which, once tampered with, damaged, leaked, or illegally accessed or illegally utilized, may directly jeopardize national security, economic operation, social stability, or public health and safety.
In addition, the Regulations provide that different regions and different industrial regulators of China may define their own catalogues of important data.
Cross-Border Transfer
The Regulations list eight conditions for the cross-border transfer of personal information, at least one of which must be met (most of these conditions are found in other existing laws and regulations of China):
- passing the security assessment conducted by the Cyberspace Administration of China (“CAC”);
- certification by a professional organization for personal information protection in accordance with the regulations of the CAC;
- filing the standard contract for the cross-border transfer of personal information;
- necessity to provide personal information outside of China for the purpose of concluding and fulfilling a contract to which the individual is a party;
- implementing cross-border human resources management in accordance with labor rules formulated and collective contracts signed in accordance with applicable laws, and there is a genuine need to provide employees’ personal information outside of China;
- the provision of personal information outside of China is necessary for the fulfillment of legal duties or legal obligations (e.g., KYC checks or an overseas IPO). This condition is notable because it is new;
- necessity to transfer personal information outside of China in order to protect the life, health and property safety of natural persons in case of emergency; or
- other conditions stipulated by applicable laws, administrative regulations or the CAC.
Obligations of Network Platform Service Providers
The Regulations include specific obligations applicable to network platform service providers. These include, for example, managing the third-party product and service providers that have access to the platform, and publishing an annual personal information protection social responsibility report.
The Regulations also impose stricter requirements on large-scale network platform service providers. Large-scale network platforms are those that have more than 50 million registered users or more than 10 million monthly active users, have complex business types, and carry out network data processing activities with an important impact on national security, economic operation, and the national economy and people’s livelihood.
Regulatory Supervision and Administration
The Regulations allow the competent regulator to take the following measures when conducting network data security supervision and inspections of a network data handler:
- requesting explanations and information on matters subject to administration and inspection;
- reviewing and copying documents and records related to network data security;
- inspecting the operation of network data security measures;
- inspecting devices and articles related to network data processing activities; and
- other necessary measures prescribed by law.
Where an overseas organization or individual engages in network data processing activities that endanger the national security or public interests of China, or that infringe upon the personal information rights and interests of Chinese citizens, the CAC, together with the competent authorities concerned, may take the necessary measures in accordance with the law.
Enforcement
The Regulations set out three tiers of penalties, depending on whether the violation concerns general network data security protection obligations, national security, or the rules on important data. The enforcement measures available therefore vary with the provision violated. They may include:
- suspension of the relevant business;
- revocation of a permit or business license;
- a financial penalty on the network data handler of between RMB 1 million and RMB 10 million; and
- a financial penalty on the person(s) directly responsible of between RMB 10,000 and RMB 1 million.
An administrative penalty may be reduced or exempted if: (1) the network data handler eliminates or mitigates the harmful consequences of the relevant violation; (2) the violation is minor and corrected in a timely manner and does not cause harmful consequences; or (3) the network data handler violates the Regulations for the first time and the harmful consequences are minor and corrected in a timely manner.