Life Buzz News

Navigating China's New Data Privacy Landscape: A Comprehensive Guide For Network Data Processing

After nearly three years of discussion and revision, China has officially released the finalised Network Data Security Management Regulations (the Regulations), which come into effect on 1 January 2025. The Regulations build on the existing data protection laws and give network data processors more detailed guidance on how to handle personal information and important data, introducing stricter duties and penalties for non-compliance. In this bulletin, we provide an overview of the general rules applicable to all network data processors and of the specific requirements imposed on particular types of processor.

Scope of Application

The Regulations apply to network data processing activities conducted within China and to the security management and supervision of those activities. "Network Data" is defined as all types of electronic data processed and generated via networks. Traditional physical media, such as paper records, are not subject to the Regulations. However, given that most data is now handled via networks, the Regulations will have wide application and be relevant to most business enterprises in China.

One of the most significant aspects of the Regulations, however, is their extra-territorial reach which aligns with the governance principles established under China's Data Security Law (DSL) and Personal Information Protection Law (PIPL). Enterprises outside China may also be subject to the Regulations if they process the personal information of individuals in China for the purpose of (1) providing products or services to the individuals in China or (2) analysing and evaluating the individuals' activities as stipulated in the PIPL. The Regulations will also apply if the data processing activities outside China harm the national security, public interests, or legitimate rights and interests of Chinese citizens or organizations. International enterprises, regardless of the location of their headquarters, will need to comply with the Regulations if their activities fall within the application scope.

Application to All Network Data Processors

While the Regulations reiterate requirements under the Cyber Security Law, DSL, and PIPL, they introduce several detailed provisions that require network data processors to review their data practices.

"Network Data Processors" are the individuals or organizations that independently determine the purpose and method of processing in network data processing activities.

Proper implementation of the Regulations is crucial and requires, among other things, the following:

Compliance Audits

Article 27 of the Regulations places specific obligations on Network Data Processors handling personal information to conduct regular compliance audits. These audits may be conducted internally or by an external professional institution. The draft Administrative Measures for Personal Information Protection Compliance Audits provide a comprehensive framework and detailed guidelines that enterprises can use to prepare for personal information protection compliance audits.

Responding to Personal Information Portability Requests

Article 25 of the Regulations sets out specific obligations for Network Data Processors in relation to personal information transfer requests. It requires a Network Data Processor to provide a pathway through which the Network Data Processor designated by an individual can access and obtain the relevant personal information, provided that the personal information transfer request meets the following conditions:

This supplements and clarifies the data portability right in the PIPL. In practice, enterprises must have mechanisms in place to handle such requests. This could involve providing users with a copy of their data in a structured, commonly used and machine-readable format, or transferring the data directly to another provider where this is technically feasible.

Overseas Network Data Processors

Overseas Network Data Processors that the PIPL requires to establish a dedicated institution or appoint a representative in China must report the name and contact details of that institution or representative to the personal information protection authority. The Regulations confirm that the authority to report to is the cyberspace administration department at the city district level where the institution or representative is located.

Using Automated Tools to Access and Collect Network Data

Article 18 of the Regulations requires Network Data Processors that use automated tools to access and collect Network Data to evaluate the impact on network services, and prohibits them from unlawfully intruding into other networks or disrupting the normal operation of network services. Article 24 adds that where unnecessary personal information is inevitably collected through automated technologies, or where personal information is obtained without proper consent, Network Data Processors must delete or anonymize that information. The development of generative artificial intelligence depends heavily on web scraping, which carries data security risks of its own. The Regulations now extend data protection requirements to the use of web scraping technology.

Additionally, the Regulations reinforce that Network Data Processors providing generative artificial intelligence services must strengthen the security management of their training data and data processing activities, and must adopt effective measures to prevent and handle potential cybersecurity risks.

Cross-Border Transfer of Personal Information

Under the Provisions on Facilitating and Regulating Cross-border Data Flow (please refer to our previous article for further details on the provisions: 2024/03/28 - CAC Revises Cross-Border Data Transfer Measures to Facilitate Data Export from Mainland China), none of the three mechanisms for cross-border data transfer is required in the following scenarios:

Article 35 of the Regulations introduces a new exemption, namely for the purpose of performing legal duties or obligations.

Network Data Processors Handling Personal Information of More Than 10 Million Individuals

Network Data Processors handling the personal information of more than 10 million individuals are required to comply with Articles 30 and 32 of the Regulations, which govern the handling of important data. These provisions require processors to designate data security management personnel and an internal data security department, and to carry out security assessments (see below).

Processing Important Data

The Provisions on Facilitating and Regulating Cross-border Data Flow state that a security assessment is not required for data that has not been designated as important data by the relevant departments or regions, or publicly disclosed as such. Article 37 of the Regulations reinforces this point. Nevertheless, under Article 29, Network Data Processors are required to make an initial evaluation of whether the data they process is important data and to report any data so identified to the competent authorities. Where the relevant departments and regions confirm that data is important data, they should promptly notify the Network Data Processors concerned or make a public announcement.

Processors of important data are subject to several obligations intended to ensure the security and integrity of the data they handle. These are as follows:

Network Platform Service Providers

The Regulations impose new duties on network platform service providers. They must specify data security obligations for third-party providers through platform rules or contracts and must supervise those providers in strengthening their data security measures.

Additional obligations are imposed on large-scale network platforms, defined as platforms with 50 million or more registered users or 10 million or more monthly active users, complex business operations, and network data processing activities that have a significant impact on national security, the economy and public welfare. Large-scale network platforms must publish an annual social responsibility report on personal information protection, which must include, but is not limited to, the personal information protection measures taken and their outcomes, the handling of users' requests to exercise their rights, and the performance of duties by the internal personal information protection supervisory body, which is to be composed primarily of external members.

Large-scale network platform service providers are specifically prohibited from engaging in the following:

Conclusion

The Regulations establish stringent legal standards for network data compliance, introducing a series of new requirements that go beyond the existing data protection laws in China. They also reinforce current obligations under the DSL and PIPL, signalling a likely increase in regulatory scrutiny in these areas.

Businesses should carefully review the Regulations and take proactive steps to ensure full compliance well ahead of the effective date of 1 January 2025. Given the heightened regulatory expectations, companies must not only achieve initial compliance but also maintain it over time.

By preparing early and maintaining robust compliance measures, enterprises can navigate the new regulatory environment, safeguarding their operations and fostering trust among users and stakeholders.
