On September 30, 2024, the China State Council released the Regulation on Network Data Security Management (“New Regulation”), which will come into effect on January 1, 2025. It effectively connects and integrates the understanding and application of related data rules from different regulatory dimensions, conveying a signal that the burden on enterprises is being reduced.
Three years ago, the initial draft was first unveiled for comments. At that time, the three key frameworks in the field of data security regulation in China — the Cybersecurity Law (“CSL”), Data Security Law (“DSL”), and Personal Information Protection Law (“PIPL”) — had successively come into effect. The New Regulation mainly aims to supplement and refine details on the basis of these laws.
During those three years, there has been a flurry of legislative and enforcement activity associated with China's data regulation. Regulations have emerged and over time have become well established and well followed. The newest regulation is much more relaxed in tone than the original draft and covers almost all data processing activities relating to China. A number of key elements are addressed:
A. Personal information
(1) Adjustments to the disclosure requirements
Instead of adding the many additional disclosure items set out in the draft, the New Regulation simply follows PIPL. It emphasizes that the methods and means for account cancellation and withdrawal of consent should be disclosed. It also permits the use of standards for calculating the retention period instead of dictating specific retention periods.
In addition, the New Regulation optimizes the disclosure method, requiring a centralized public display for external reference. The New Regulation also adopts the “double-list” requirement specifically for apps displaying privacy policies. That is, no matter what form the data processing activities take, the collection and sharing of personal information should be disclosed in the form of a list.
(2) Clarification on the right to portability
The right to portability further safeguards an individual's right to control their personal information. The New Regulation fills in the gaps on when and how to exercise it. It allows the transfer of personal information collected on the basis of consent or the necessity of contract performance, so long as the individual's identity can be verified, the rights of others are not infringed, and the transfer is technically feasible; it also allows the collection of necessary fees when requests exceed a reasonable range.
(3) Cancellation of response time limit
Compared to its draft, the New Regulation removes the 15-day limit for responding to personal information requests, allowing enterprises more flexibility to balance compliance with business needs, especially when individuals intend to exercise the right to delete. The New Regulation no longer requires that deletion/anonymization operations be completed within 15 days, nor does it require an explanation to individuals when deletion cannot be completed.
(4) Ongoing personal information compliance audits
Since 2023, China has been developing regulations and standards for personal information protection audits, reflecting a legislative push towards ensuring the security of general processing activities through ongoing self-regulation. The New Regulation limits the scope to personal information processing activities.
B. Important data
(1) Integration of identification and declaration rules for important data
The New Regulation provides clarity on the definition of "important data" and a systematic approach to its identification and subsequent management, with the final decision based on notices or public lists from relevant authorities.
(2) Internal Security Management Requirements
Building on DSL, the New Regulation outlines detailed requirements for data security management personnel, including professional knowledge, work experience, position level, authority, etc. It is worth noting that the New Regulation requires a member of the management layer (not the decision-making layer) to serve as the person responsible, who should have the right to report network data security situations directly to the relevant authorities.
(3) Coordination and integration of important data risk assessment mechanisms
The New Regulation calls for the avoidance of unnecessary inspections and promotes the coordination and mutual recognition of risk assessment mechanisms, categorizing them into annual and ad-hoc assessments.
(4) Adding a new M&A data disposal reporting obligation
The New Regulation introduces an obligation to report data disposal plans, recipient information, etc., when mergers, splits, dissolutions, bankruptcies, etc., may affect the security of important data.
C. Data other than personal data or important data
For other data that is neither personal information nor important data, the New Regulation sets general security obligations based on CSL, DSL and PIPL, etc. For example, for network equipment or service providers, data incidents that may affect national security should be reported to the authorities within 24 hours.
Moreover, similar to the practice in certain sectors (e.g., vehicles) and certain regions (e.g., the Beijing Free Trade Zone), the New Regulation also intends to break down the wall between personal information and important data. Although the personal information of 10 million individuals is not exactly the same as important data, processing personal information at that scale must comply with certain obligations of important data processors.
The New Regulation focuses on setting higher compliance obligations for high-risk scenarios such as sharing, entrusting processing, joint processing, M&A transactions and cross-border transfer.
(1) Supervising the recipient of personal information and important data
Aligning with the PIPL provisions regarding entrusted processing, the New Regulation requires that those who provide personal information externally sign data processing agreements stipulating the processing purpose, method, scope, and security protection obligations, and that the provider supervise the recipient. In addition, the New Regulation requires a 3-year retention period for records of the above activities. The New Regulation removes the requirement to obtain administrative approval for the sharing, trading, and entrusted processing of important data.
(2) Implementation of important data risk assessment mechanism
As mentioned, the New Regulation reorganizes the important data risk assessment mechanism. Those who share, entrust the processing of, or jointly process important data, except when fulfilling legal duties and obligations, should carry out ad-hoc risk assessments. Exporting important data is subject to the rules on cross-border data security assessment.
(3) Continuation of promoting orderly cross-border data flow
On March 22, 2024, the Cyberspace Administration of China issued the Provisions on Promoting and Regulating Cross-Border Data Flow, starting a new stage of easing government approval burdens for cross-border data flows. The New Regulation continues this trend, recognizing the existing legal bases and adding the fulfillment of legal duties as a new one. In terms of exporting data under international treaties, China has carried out international cooperation involving cross-border data flow with Hong Kong, Macao, Germany and the European Union.
In addition, since PIPL also applies where foreign entities directly collect personal information from China, the New Regulation sets out details on the obligation to designate a special institution or representative in China and to report the relevant information to the cyberspace administration department.
(1) The platform's dominant position in maintaining a fair and open environment
The New Regulation imposes obligations on network platform service providers to manage third parties and bear responsibility for breaches. It also outlines an annual social responsibility reporting requirement and absorbs the algorithm governance and anti-competition requirements related to data security. For large platforms with over 50 million users or 10 million monthly active users, with complex business types, and with network data processing activities that have an important impact on national security, economic operations, and people's livelihoods, the New Regulation requires an explanation of the network data security situation of key business and the supply chain in the annual risk assessment.
(2) Adding the obligation to delete personal tags in the context of automated information push
The New Regulation supports users' requests to delete user tags targeting their personal characteristics, in addition to the obligation to allow users to switch off the personalized information push function.
(3) Providing a compliance solution for unnecessary collection due to automated technology
The New Regulation provides a more practicable interpretation of the "minimum necessary principle". It provides compliance solutions for unnecessary collection due to automated technology, allowing a "collect first, delete later" approach. Such new clauses could be interpreted as beneficial to the AI industry, especially for AI training and AI learning on data obtained through crawler technology.
It is observed that the New Regulation does not address many new topics or contents, but mainly refines the existing Cybersecurity Law, Data Security Law and Personal Information Protection Law. It integrates various departmental rules, policies and standards at different levels. At the same time, it is also a summary of the supervision and legal enforcement in the field of network data security since the three laws came into effect. The New Regulation's release marks the gradual maturing of China's network security and data compliance enforcement. It also means the authorities have a more detailed and feasible legal basis for future enforcement activities.
Given its stronger legal binding force and its detailed stipulations, the New Regulation will become an important tool for future regulatory enforcement. The transition period is less than 3 months. The following compliance self-checks are suggested:
If you want more information on any issues raised in this article, please get in touch with the team: rousedigitalservicesteam@rouse.com
This Alert is written by the Data team of Rouse and Lusheng Law Firm (Strategic Partner of Rouse).
Authors: Sunny Su, Laura Cao