After nearly three years of discussion and revision, China has officially released the finalised Network Data Security Management Regulations (Regulations), set to come into effect on 1 January 2025. The Regulations enhance and add to existing data protection laws and provide more comprehensive advice on how network data processors should handle personal information and important data, introducing stricter duties and penalties for non-compliance. In this bulletin, we provide an overview of the general rules applicable to all network data processors and the specific requirements for particular types.
Scope of Application
The Regulations apply to network data processing activities and their security management and supervision conducted within China. "Network Data" is defined as all types of electronic data managed and produced via networks. Traditional physical media, such as paper records, are not subject to the Regulations. However, given that most data is handled via networks these days, the Regulations will have wide application and be relevant to most business enterprises in China.
One of the most significant aspects of the Regulations, however, is their extra-territorial reach which aligns with the governance principles established under China's Data Security Law (DSL) and Personal Information Protection Law (PIPL). Enterprises outside China may also be subject to the Regulations if they process the personal information of individuals in China for the purpose of (1) providing products or services to the individuals in China or (2) analysing and evaluating the individuals' activities as stipulated in the PIPL. The Regulations will also apply if the data processing activities outside China harm the national security, public interests, or legitimate rights and interests of Chinese citizens or organizations. International enterprises, regardless of the location of their headquarters, will need to comply with the Regulations if their activities fall within the application scope.
Application to All Network Data Processors
While the Regulations reiterate requirements under the Cyber Security Law, DSL, and PIPL, they introduce several detailed provisions that require network data processors to review their data practices.
"Network Data Processors" refer to individuals or organizations that independently decide the purpose and method of processing in network data activities.
Proper implementation of the Regulations is crucial, requiring, among other things, the following:
- Network Data Processors must ensure that they have sufficient technical and other necessary measures in place for network data security protection. This includes adopting measures such as encryption, backup, access control, and security authentication, as well as taking additional necessary steps to protect against tampering, destruction, leakage, or illegal acquisition and use of Network Data.
- When Network Data Processors provide or entrust the processing of personal information and important data to other Network Data Processors, they must clearly establish the processing purpose, method, scope, and security protection obligations with the network data recipient through contracts or other means, and supervise the network data recipient's fulfilment of these obligations. Records of such provision and entrustment must be kept for at least three years. When two or more Network Data Processors jointly determine the processing purpose and method, they must clearly define their respective rights and obligations to ensure compliance and accountability.
- Network Data Processors must have strong procedures in place for handling, reporting, notifying, and filing reports of data security incidents.
Compliance Audits
Article 27 of the Regulations outlines specific obligations on Network Data Processors of personal information to conduct regular compliance audits. These audits can be conducted internally or by an external professional institution. The draft Administrative Measures for Personal Information Protection Compliance Audits provide a comprehensive framework and detailed guidelines for enterprises to prepare for personal information protection compliance audits.
Responding to Personal Information Portability Requests
Article 25 of the Regulations sets out specific obligations for Network Data Processors in relation to personal information transfer requests. It requires Network Data Processors to provide a pathway for an individual's designated Network Data Processor to access and obtain the relevant personal information, provided that the personal information transfer request meets the following conditions:
- Verification of identity: The identity of the person making the request can be verified.
- Consent or contractual basis: The personal information to be transferred was provided with the individual's consent or collected based on a contract.
- Technical feasibility: The transfer of personal information is technically feasible.
- No harm to others' rights: The transfer of personal information does not harm the lawful rights and interests of others.
This supplements and clarifies the data portability rights in the PIPL. In practice, this means that enterprises must have mechanisms in place to facilitate such requests. This could involve providing users with a copy of their data in a structured, commonly used, and machine-readable format, or transferring the data directly to another provider, where technically feasible.
Overseas Network Data Processors
Overseas Network Data Processors required by the PIPL to establish a specific institution or appoint a representative in China must report the name and contact details of the relevant institution or representative to the personal information protection authority. The Regulations re-confirm that the relevant authority to report this to is the cyberspace administration department at the city district level where the agency or representative is located.
Using Automated Tools to Access and Collect Network Data
Article 18 of the Regulations mandates that Network Data Processors using automated tools for accessing and collecting Network Data must evaluate the impact on network services and must not unlawfully intrude into other networks or disrupt normal network service operations. Article 24 also requires that if unnecessary personal information is inevitably collected through automated technologies, or if personal information is obtained without proper consent, Network Data Processors are required to delete or anonymize such information. The evolution of generative artificial intelligence depends significantly on web scraping technology, which introduces potential data security risks. The Regulations now enforce data protection measures for the use of web scraping technology.
Additionally, the Regulations reinforce that Network Data Processors providing generative artificial intelligence services should enhance the security management of training data and data processing activities. Effective measures must be adopted to prevent and handle potential cybersecurity risks.
Cross-Border Transfer of Personal Information
Under the Provisions on Facilitating and Regulating Cross-border Data Flow (Please refer to our previous articles for further details on the provisions: 2024/03/28 – CAC Revises Cross-Border Data Transfer Measures to Facilitate Data Export from Mainland China), none of the three mechanisms for cross-border data transfer would be required in the following scenarios:
- For the purpose of entering into and performing a contract to which the individual is a party, such as for cross-border shopping, cross-border remittances, air ticket and hotel reservations, or visa processing;
- To implement human resources management in accordance with labour rules and regulations or any collective contract signed in accordance with the law; and
- To protect the life, health, and property safety of natural persons in emergencies.
Article 35 of the Regulations introduces a new exemption, namely for the purpose of performing legal duties or obligations.
Network Data Processors Handling Personal Information of More Than 10 Million Individuals
Network Data Processors handling personal information of more than 10 million individuals are required to comply with Articles 30 and 32 of the Regulations regarding the handling of important data. These provisions set out requirements to designate data security management personnel and an internal department and to implement security assessments (see below).
Processing Important Data
The Provisions on Facilitating and Regulating Cross-border Data Flow state that security assessments are unnecessary for data that has not been designated as important data by relevant departments or regions, or publicly disclosed as such. Article 37 of the Regulations reinforces this point. Nevertheless, according to Article 29, Network Data Processors are required to make an initial evaluation to determine whether the data being processed is important data and to report any data so determined to the competent authorities. If it is confirmed as important data, relevant departments and regions should promptly notify the Network Data Processor or make a public announcement.
Important data processors are subject to several obligations to ensure the security and integrity of the data they handle. These are outlined as follows:
- Establishment of management personnel and internal department: Important data processors are required to clearly define the roles of data security management personnel and internal department. The internal department is responsible for creating and enforcing rules, procedures, and emergency plans for network data security incidents; regularly conducting risk monitoring, assessments, emergency drills, and training to promptly address and respond to network data security risks and incidents; and handling complaints and reports related to network data security, ensuring comprehensive protection and swift resolution of any issues.
- Implementation of security assessment: Prior to providing, entrusting, or jointly processing important data, important data processors must conduct a risk assessment, focusing on legality, risk of tampering, and potential impacts on national security, public interest or legal rights.
- Obligations in relation to merger and dissolution of the data processor: During mergers, divisions, dissolutions, or bankruptcies, important data processors must ensure data security is maintained and report plans and recipient details to the provincial or higher authorities.
- Annual review: Important data processors must annually assess and report on data processing risks, including the purpose, type, quantity, method, scope, storage, security measures and incidents to the provincial or higher authorities.
Network Platform Service Providers
The Regulations mandate new duties for network platform service providers. They are required to specify data security obligations for third-party providers via platform rules or contracts and ensure such providers enhance their data security measures.
Additional obligations are imposed on large-scale network platforms, defined as those with 50 million+ registered users, 10 million+ monthly active users, diverse business operations, and significant impacts on national security, economy, and public welfare. Large-scale network platforms shall publish an annual social responsibility report on personal information protection, which shall include, but is not limited to, the personal information protection measures and their outcomes, the handling of users' requests for exercising their rights, and the performance of duties by internal personal information protection supervisory bodies primarily composed of external members.
Large-scale providers are specifically prohibited from engaging in the following:
- Processing user data through deceit, fraud, or coercion;
- Unjustifiably restricting user access to platform-generated data;
- Discriminating against users, infringing on their lawful rights;
- Engaging in activities banned by laws and regulations.
Conclusion
The Regulations establish stringent legal standards for network data compliance, introducing a series of new requirements that extend beyond the existing data protection laws in China. The Regulations reinforce current obligations under the DSL and PIPL, signaling a likely increase in regulatory scrutiny across these domains.
Businesses are urged to meticulously review the Regulations and take proactive steps to ensure full compliance well ahead of the enforcement date at the beginning of 2025. Given the heightened regulatory expectations, companies must not only achieve initial compliance but also sustain vigilant adherence to these standards over time.
By preparing early and maintaining robust compliance measures, enterprises can navigate the complexities of the new regulatory environment, thereby safeguarding their operations and fostering trust among users and stakeholders.