Articles | 11 Jan 2024 | 10 mins read

China’s new data security rules in 3 months: key trends and compliance insights

This content has been AI-translated from the original and is provided for reference only.

Lusheng Editor

On 30 September 2024, the State Council of the People’s Republic of China promulgated the Regulations on the Administration of Network Data Security (hereinafter the “New Regulations”), which formally come into force on 1 January 2025. The New Regulations consolidate the understanding and application of data rules across different regulatory dimensions, and send a positive signal that the compliance burden on enterprises is being eased.

When the draft for comments was released three years ago, the “three pillars” of China’s network and data security regulatory regime – the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law – had already come into effect. The primary purpose of the New Regulations is to supplement and refine the implementation details of these laws.

Over the past three years, a series of legislative and enforcement activities have emerged in China’s data regulatory field, and the regulatory framework has been built up from nothing and then progressively refined. The New Regulations cover almost all data processing activities involving China. Compared with the draft for comments, the regulatory approach is more relaxed. The key points are summarised below.

Highlight I: Three‑category administration of network data

A. Personal information

(1) Adjustment of disclosure requirements for personal information processing

Compared with the draft for comments, which imposed numerous additional disclosure items, the New Regulations essentially follow the Personal Information Protection Law without adding extra requirements. They merely emphasise separately that the methods for account cancellation and withdrawal of consent shall be disclosed, and allow the criteria used to calculate the retention period to be stated in lieu of a concrete retention period where the latter is difficult to determine. In addition, the New Regulations optimise the means of disclosure. Besides requiring that processing rules be displayed publicly in a central location for external reference, they generalise the “dual‑list” requirement originally designed specifically for the display of APP privacy policies: regardless of the form of the data processing activity, the collection and external provision of personal information shall be disclosed in the form of lists.

(2) Clarification of the preconditions and exercise methods for the right to data portability

The right to data portability can further protect the right to be informed and the right of control over personal information. The New Regulations fill the gap as to when and how the right to data portability may be exercised, allowing the transfer of personal information collected on the basis of consent or as necessary for the performance of a contract, where the data subject’s real identity can be verified, the rights and interests of others are not infringed, and it is technically feasible, and allowing the charging of necessary fees where a request exceeds a reasonable scope.

(3) Removal of the time limit for responding to personal information rights requests

Compared with the draft for comments, the New Regulations remove the requirement to respond to personal information requests within 15 days, enabling enterprises to balance compliance requirements and business needs more flexibly. In particular, when an individual exercises the right to erasure, the New Regulations no longer require completion of erasure/anonymisation within 15 days, nor do they require an explanation to the individual where erasure cannot be completed.

(4) Gradual normalisation of personal information compliance audits

Since 2023, China has been exploring the formulation of regulations and standards relating to personal information protection audits, reflecting the trend that Chinese legislators seek to ensure the security of general processing activities through continuous self‑supervision. The New Regulations limit the scope of audits to personal information processing activities.

B. Important data

(1) Integration of criteria for identifying important data and reporting rules

The New Regulations clarify the definition of “important data” and set out systematic identification methods and management requirements. The final determination of “important data” is subject to the notification by relevant localities or departments to network data processors, or the public release of catalogues or lists of important data.

(2) Refinement of internal security management requirements for important data processors

Based on the Data Security Law, the New Regulations refine the requirements for the data security officers and management bodies of important data processors, including professional knowledge, work experience, position level and authority. It is noteworthy that the New Regulations require that members of the management level (rather than the decision‑making level) serve as the responsible persons, and that they have the authority to report network data security matters directly to the relevant authorities.

(3) Coordination and integration of important data risk assessment mechanisms

The New Regulations require the avoidance of unnecessary overlapping and repetitive inspections, and promote the alignment and mutual recognition of risk assessment mechanisms. At present, risk assessments for important data are mainly divided into annual risk assessments and special risk assessments.

(4) Newly added obligation to report data disposal plans following merger and acquisition transactions

The New Regulations introduce an obligation, in circumstances such as merger, division, dissolution, bankruptcy and other situations that may affect the security of important data, to report data disposal plans, information on recipients, and other relevant matters.

C. Other data

For other data that is neither personal information nor important data, the New Regulations establish general security obligations based on the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law and other instruments. For example, providers of network equipment or services shall report data incidents that may affect national security to the relevant authorities within 24 hours.

In addition, similar to practices in certain industries (such as the automotive industry) and certain regions (such as the Beijing Pilot Free Trade Zone), the New Regulations also seek to break down the conceptual barriers between personal information and important data. Although personal information relating to 10 million individuals does not equate to important data, processing personal information at that scale is still subject to certain obligations applicable to important data processors.

Highlight II: Focus on high‑risk data processing activities

The New Regulations focus on imposing higher compliance obligations on high‑risk scenarios such as external provision, entrusted processing, joint processing, merger and acquisition transactions, and cross‑border flows.

(1) Strengthening supervision of recipients of personal information and important data

Consistent with the provisions of the Personal Information Protection Law on entrusted processing, the New Regulations require entities that provide personal information externally to enter into data processing agreements, stipulating the purposes, methods, scope and security protection obligations of processing, and to supervise the recipients. In addition, the New Regulations require that records of the above activities be retained for three years. The New Regulations do not adopt the requirement in the draft for comments that administrative licences be obtained for the sharing, trading or entrusted processing of important data.

(2) Implementation of important data risk assessment mechanisms

As mentioned above, the New Regulations integrate the risk assessment mechanisms for important data. Among them, where important data is provided externally, entrusted for processing or jointly processed, a special risk assessment shall be conducted unless such activities are necessary for the performance of statutory duties and obligations. In particular, outbound transfers of important data shall be subject to security assessments for cross‑border data transfers.

(3) Continued promotion of the orderly cross‑border flow of data

On 22 March 2024, the Cyberspace Administration of China issued the Provisions on Promoting and Regulating Cross‑border Data Flows, ushering in a new stage of reducing the burden of prior governmental approval for cross‑border data transfers. The New Regulations continue this trend, recognising the existing legal bases for cross‑border data transfers and adding the performance of statutory obligations as a new legal basis. In terms of transferring data overseas pursuant to international treaties, China has already carried out international cooperation involving cross‑border data flows with Hong Kong, Macao, Germany and the European Union respectively.

In addition, since the Personal Information Protection Law also applies to circumstances where overseas entities directly collect personal information from China, the New Regulations refine the obligations of such overseas enterprises to establish dedicated entities or designate representatives in China and to report relevant information to the cyberspace administration authorities.

Highlight III: Balancing emerging technologies with existing rules

(1) The dominant role of platforms in maintaining a fair and open environment

The New Regulations provide that network platform service providers (“platforms”) shall manage third parties accessing the platform and bear corresponding liability when damage is caused to individuals. The New Regulations clarify the requirement for platforms to issue annual social responsibility reports, and incorporate into the data security framework the requirements arising from algorithm governance and anti‑unfair competition. For large platforms with more than 50 million registered users or more than 10 million monthly active users, complex business types, and network data processing activities that have a significant impact on national security, economic operations, or the national economy and people’s livelihood, the New Regulations require that their annual risk assessments explain the network data security status of key businesses and supply chains.

(2) Newly added obligation to delete personal tags related to personalised recommendations

On the basis of the obligation to allow users to turn off personalised recommendations, the New Regulations support users in simultaneously requesting platforms to delete user tags generated based on their personal characteristics.

(3) Providing compliance solutions for unnecessary personal information collection caused by automated technologies

The New Regulations provide an interpretation of the “principle of minimum necessity” that is more aligned with technical realities. They provide a compliance solution for unavoidable, unnecessary collection resulting from automated technologies, allowing a “collect first, delete later” approach. Such provisions may be regarded as a positive signal for the AI industry, particularly with respect to AI training data obtained through web‑crawling technologies.

Compliance recommendations

It is observed that the New Regulations do not involve many entirely new topics or contents, but mainly refine the existing Cybersecurity Law, Data Security Law and Personal Information Protection Law, and integrate rules, policies and standards at different levels. At the same time, they summarise the enforcement practices and achievements since the three laws in the field of network data security came into effect. The promulgation of the New Regulations marks the gradual maturation of cybersecurity and data compliance enforcement in China and provides a more detailed and feasible legal basis for future enforcement activities.

Given their higher legal hierarchy and more detailed provisions, the New Regulations will become an important tool for future regulatory enforcement. The transition period reserved for enterprises is now less than three months. Accordingly, we recommend that enterprises conduct the following compliance self‑checks against the New Regulations:

  • Systematically revise privacy policies. For multinational companies that have already formulated general privacy policies for their global operations, it is advisable to prepare privacy policy appendices for their Chinese affiliates to bridge potential gaps in compliance requirements arising from differences in jurisdictions.

  • Maintain records of routine data processing activities in various scenarios (for example, processing record registers) and supporting documentation (for example, network logs). Prepare templates for data processing agreements to be entered into with third parties, as well as lists required for subsequent risk assessments and compliance audits.

  • Improve internal security management structures and personnel arrangements. Eligible foreign enterprises should establish dedicated entities or designate representatives in China as soon as possible and closely monitor the reporting requirements of local cyberspace administration authorities. Professionals with expertise in Chinese privacy practices should be assigned to handle personal information requests originating from China, particularly with respect to safeguarding the right to data portability.

  • Enhance capabilities for the prevention of and response to security incidents. Improve incident notification and reporting strategies relating to China. Prepare standardised notification templates and streamline internal and external communication and response procedures.

For further information related to this article, please contact: rousedigitalservicesteam@rouse.com.

This article was jointly prepared by the data team of Lusheng Law Firm and its strategic partner Rouse International.
