On September 30, 2024, China’s State Council released the Network Data Security Management Regulations, which will enter into force on January 1, 2025. The regulations apply to “electronic data processed and generated through the network” (covering personal information, “important data” and all other types of electronic data) and provide implementing rules concerning the requirements for personal information and “important data” imposed under China’s Cybersecurity Law, Data Security Law and the Personal Information Protection Law (PIPL).
Key takeaways
Personal information protection
Notice and consent
To implement and supplement the requirements for notice and consent under the PIPL, the regulations specifically require network data handlers – i.e., organizations determining network data processing methods and purposes, which refer to the network data handlers under the PIPL in the context of personal information processing – to clearly specify the processing purposes, methods, categories of personal information and information about personal information recipients (where personal information will be shared with other network data handlers) in the form of lists/tables in their privacy policies. Where consent is relied on as the legal basis for personal information processing, the regulations emphasize that such consent shall not be obtained through misleading, fraudulent, or coercive means and the personal information shall only be collected to the extent necessary for providing products and services.
Right to portability
As clarified under the regulations, individuals may exercise their right to portability if the following conditions are met:
- The identity of the individual can be verified.
- The personal information concerned was provided by individuals or was collected based on a contract.
- The transfer of personal information is technically feasible.
- The transfer of personal information does not harm the legitimate rights and interests of others.
Important data protection
Scope of ‘important data’
The regulations define “important data” as “data in specific fields, specific groups, specific regions or reaching certain accuracy and scale, which if tampered with, destroyed, leaked or illegally obtained or used may directly endanger national security, economic operation, social stability, public health and safety.” For the specific scope of “important data,” the regulations call for the National Data Security Coordination Mechanism to coordinate with relevant authorities to issue catalogues of “important data” in relevant regions and sectors. Network data handlers must identify and report the “important data” processed by them to competent authorities, who will, in a timely manner, notify network data handlers or publish the “important data” identified by the authorities to the public.
Obligations of entities processing ‘important data’
The regulations create a set of compliance obligations on network data handlers that process “important data,” including but not limited to:
- Appoint a network data security officer and establish an internal data security management organization.
- Carry out a risk assessment prior to any sharing, entrusting vendors for processing or jointly processing of “important data,” unless the above processing activities are necessary for fulfilling legal duties or obligations.
- Report the data disposition plan (including the name and contact information of the recipient of the “important data” to competent provincial authority (or the provincial level Data Security Coordination Mechanism where competent authority is unclear) before a merger, division, dissolution, or bankruptcy that could materially affect data security.
- Conduct an annual risk assessment of network data processing activities and submit a risk assessment report to the competent provincial authority which will then share the report with the provincial branch of the Cyberspace Administration of China (CAC) and the public security authority.
Cross-border data transfer
In addition to the exemptions for adopting a mechanism for cross-border transfer of personal information – i.e., undergoing a security assessment, signing and filing a standard contract, and obtaining a certificate – as introduced under the regulations released by the CAC in March 2024, the regulations set out that network data handlers do not need to adopt any cross-border data transfer mechanism if the transfer is necessary to “fulfill legal duties or obligations.” It is currently unclear if such legal duties or obligations are limited to those under Chinese laws.
Obligations of network platform service providers
The regulations also impose additional obligations on “network platform service providers” (undefined under the regulations). Notably, network platforms that “have more than 50 million registered users or more than 10 million monthly active users, with complex business types whose processing activities may have an important impact on national security, economic operations, national economy and people’s livelihood” are categorized as “large network platforms,” which are subject to heightened compliance obligations. For example, large network platform service providers must publish an annual personal information protection social responsibility report and not impose unreasonable differential treatment on users.
Penalties and enforcement
The penalties for violations under the regulations are generally consistent with those under the Cybersecurity Law, Data Security Law and PIPL. In particular, the regulations state that if overseas organizations or individuals’ data processing activities may endanger China’s national security or public interests or infringe Chinese citizens’ personal information rights and interests, the CAC, with the other competent authorities, has the power to take “corresponding necessary measures.”
Cooley LLP is not licensed to practice the law of the People’s Republic of China (PRC), and nothing herein constitutes an opinion or legal advice by Cooley with respect to PRC laws or otherwise. This blog may not be relied upon, construed as or used as an opinion, interpretation of or legal advice in any respect relating to or arising out of PRC laws or otherwise. This blog, and our review of the information referenced in this blog, is based solely upon our general familiarity with matters of the type referenced in this blog and the consultation with PRC counsel with respect to certain matters of PRC law or practice, as referenced in the blog, provided that notwithstanding such consultation, no opinions or legal advice with respect to PRC law are made herein. Any analysis, conclusion, advice or opinion with regard to PRC laws, or otherwise with regard to any of the matters referenced in this blog, must be obtained from PRC local counsel.
