On September 30, 2024, the China State Council released the Regulation on Network Data Security Management (“New Regulation”), which will come into effect on January 1, 2025. It effectively connects and integrates the understanding and application of related data rules from different regulatory dimensions, conveying a signal that the burden on enterprises is being reduced.

Three years ago, the initial draft was first unveiled for comments. At that time, the three key frameworks in the field of data security regulation in China — the Cybersecurity Law (“CSL”), Data Security Law (“DSL”), and Personal Information Protection Law (“PIPL”) — had successively taken into effect. The New Regulation mainly aims to supplement and refine details based on these laws.

During those three years, there has been a flurry of legislative and enforcement activities associated with China's data regulation. Regulations have emerged and over time became well established and well followed. The newest regulation is much more relaxed in tone from the original draft and covers almost all data processing activities relating to China. There are a number of key elements that are addressed:

Highlight 1: Data is Categorized into Personal Information, Important Data and Other Data for Management

A. Personal information

(1) Adjustments to the disclosure requirements

Instead of adding many additional disclosure items as was set out in the draft, the New Regulation only follows PIPL. It emphasizes that the methods and means for account cancellation and withdrawal of consent should be disclosed. It also permits the use of retention period calculation standards instead of dictating specific retention periods.

In addition, the New Regulation optimizes the disclosure method, requiring a centralized public display for external reference. The New Regulation also adopts the “double-list” requirement specifically for APPs to display privacy policies. That is, no matter what form of data processing activities takes place, the personal information collection and sharing should be disclosed in the form of a list.

(2) Clarification on the right to portability

The right to portability can further safeguard one’s right to control personal information. The New Regulation fills in the gaps for when and how to exercise it. It allows the transfer of personal information collected based on consent or necessity of the contract performance, so long as the identity can be verified, the rights of others are not infringed, and it is technically feasible, and allowing the collection of necessary fees when the requests exceed a reasonable range.

(3) Cancellation of response time limit

Compared to its draft, New Regulation removes the 15-day limit for responding to personal information requests, allowing enterprises more flexibility to balance compliance with business needs. Especially when individuals intend to exercise the right to delete. The New Regulation no longer requires that deletion/anonymization operations to be completed within 15 days, nor is it required to explain to individuals when deletion is unable to be finished.

(4) Ongoing personal information compliance audits

Since 2023, China has been developing regulations and standards for personal information protection audits, reflecting a legislative push towards ensuring the security of general processing activities through ongoing self-regulation. The New Regulation limits the scope to personal information processing activities.

B. Important data

(1) Integration identification and declaration rules for important data

The New Regulation provides clarity on the definition of "important data" and a systematic approach to its identification and subsequent management, with the final decision based on notices or public lists from relevant authorities.

(2) Internal Security Management Requirements

Building on DSL, the New Regulation outlines detailed requirements for data security management for personnel, including professional knowledge, work experience, position level, authority, etc. It is worth noting that the New Regulation requires members of the management layer (not the decision-making layer) to serve as the one responsible who should have the right to directly report network data security situations to the relevant authorities.

(3) Coordination and integration of important data risk assessment mechanisms

The New Regulation calls for the avoidance of unnecessary inspections and promotes the coordination and mutual recognition of risk assessment mechanisms, categorizing them into annual and ad-hoc assessments.

(4) Adding a new M&A data disposal reporting obligation

The New Regulation introduces an obligation to report data disposal plans, recipient information, etc., when mergers, splits, dissolutions, bankruptcies, etc., may affect the security of important data.

C. Data other than personal data or important data

For other data that is neither personal information nor important data, the New Regulation sets general security obligations based on CSL, DSL and PIPL, etc. For example, for network equipment or service providers, data incidents that may affect national security should be reported to authorities within 24 hours.

Moreover, similar to the practices in certain sectors (i.e., vehicles) and certain regions (i.e., the Beijing Free Trade Zone), the New Regulation also intends to break the wall between personal information and important data. Although personal information of 10 million individuals is not exactly the same as important data, processing personal information at that level needs to comply with certain obligations of important data processors.

Highlight 2: Focusing on High-Risk Data Processing Activities

The New Regulation focuses on setting higher compliance obligations for high-risk scenarios such as sharing, entrusting processing, joint processing, M&A transactions and cross-border transfer.

(1) Supervising the recipient of personal information and important data

Aligning with the PIPL provisions regarding entrusted processing, the New Regulation requires that those who provide personal information externally should sign the data processing agreements stipulating the processing purpose, method, scope, and security protection obligations, and the provider should supervise the recipient. In addition, the New Regulation requires a 3-year retention period for records of the above activities. The New Regulation removes the requirement to obtain administrative approval when sharing, trading, and entrusted processing of important data.

(2) Implementation of important data risk assessment mechanism

As mentioned, the New Regulation reorganizes the important data risk assessment mechanism. Among them, those who share, entrust processing, or jointly process important data, except when fulfilling legal duties and obligations, should carry out ad-hoc risk assessments. Among them, exporting important data applies to the rules of data cross-border security assessment.

(3) Continuation of promoting orderly cross-border data flow

On March 22, 2024, the Cyberspace Administration of China issued the Provisions on Promoting and Regulating Cross-Border Data Flow, starting a new stage of easing government approval burdens for cross-border data flows. The New Regulation continues this trend, recognizing the existing legal basis and adding legal duty fulfillment as a new one. In terms of exporting data according to international treaties, China has carried out international cooperation involving data cross-border flow with Hong Kong, Macao, Germany and the European Union.

In addition, since PIPL also applies to the situation where foreign entities directly collect personal information from China, the New Regulation sets out details on the obligation to designates a special institution or representative in China and report relevant information to the cyber administration department.

Highlight 3: Balancing Emerging Technologies with Existing Rules

(1) The platform's dominant position in maintaining a fair and open environment

The New Regulation imposes obligations of network platform service providers to manage third parties and bear responsibilities for breaches. It also outlines annual social responsibility reporting requirement and absorbs algorithm governance and anti-competition requirements related to data security. For large platforms with over 50 million users or 10 million monthly active users, with complex business types, and network data processing activities that have an important impact on national security, economic operations, and one’s livelihoods, the New Regulation requires an explanation of network data security situation of key business and supply chain in annual risk assessment.

(2) Adding the obligation to delete personal tags in the context of automated information push

The New Regulation supports users' requests to delete user tags targeting their personal characteristics in the context of the obligation to close personalized information push function.

(3) Providing a compliance solution for unnecessary collection due to automated technology

The New Regulation provides a more practicable interpretation of the "minimum necessary principle". It provides compliance solutions for unnecessary collections due to automated technology, allowing a "collect first, delete later" approach. Such new clauses could be interpreted to be beneficial to the AI industry, especially for AI training and AI learning through data obtained by crawler technology.

Compliance Suggestions:

It is observed that the New Regulation does not address much new topics or contents, but mainly refines the existing Cybersecurity Law, Data Security Law and Personal Information Protection Law. It integrates various departmental rules, policies and standards at different levels. At the same time, it is also a summary of the supervision and legal enforcement since the three laws came into effect in the field of network security data. The New Regulation’s release marks the gradual maturity of China's network security and data compliance enforcement. It also means the authorities have a more detailed and feasible legal basis for future enforcement activities.

Given its higher legal compulsory force and the detailed stipulations, the New Regulation will become an important tool for future regulatory enforcement. The transition period is less than 3 months. The following compliance self-checks are suggested:

• Systematically revising privacy policies. For MNCs with an existing general privacy policy for global business, a Chinese addendum is necessary for subsidiary in China to bridge any compliance gaps that may arise due to varying jurisdictions.
• Maintaining daily data processing activity records (i.e., the register of activities) under different scenarios, along with supporting documents (i.e., web logs). Preparing templates for data processing agreement with third parties and checklists for subsequent risk assessments and compliance audits, etc.
• Improving the construction of internal safety management institutions and personnel. Foreign enterprises that meet the conditions should establish special institutions or appoint representatives in China as soon as possible and keep watch on the reporting requirements of the local data administration. Professional personnel specialized in Chinese privacy practice should be engaged in handling personal information requests from China, with a new focus on the rights to portability.
• Improving security incident prevention and responding capability. Refining the strategy for incident notification and reporting related to China. Preparing the standardized notice form and streamlining internal and external communication and response.

If you want more information on any issues raised in this article, please get in touch with the team: rousedigitalservicesteam@rouse.com

This Alert is written by the Data team of Rouse and Lusheng Law Firm (Strategic Partner of Rouse).

Authors: Sunny Su, Laura Cao

TAGS

• China
• Data Security