The Cyberspace Administration of China (“CAC”) on November 14, 2021 published the draft Regulations on the Administration of Network Data Security (“Draft Regulations”) for comment through December 13, 2021.1 The Draft Regulations set forth in comprehensive detail provisions to regulate data processing activities in order to implement the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”), and the Personal Information Protection Law (“PIPL”), key provisions of which are reflected in the Draft Regulations. The Draft Regulations contain 75 articles in nine chapters that would provide for personal information (“PI”) protection, the security of “Important Data,” rules on cross-border data transfers, obligations on Internet platform operators, provisions on government administration and legal liability, and definitions of key terms, including what constitutes “Important Data.”

The Draft Regulations have extraterritorial effect, inasmuch as they would apply not only to data processing activities inside China,2 but also to the processing outside of China of data of persons and organizations inside China if (i) for the purpose of providing products or services to China; (ii) for analyzing or assessing the behaviors of persons and organizations inside China;3 (iii) in connection with the processing of domestic Important Data; or (iv) in other legally required circumstances (Article 2). Processing activity conducted outside of China which harms China’s national security, public interest, or the legal interests of citizens or organizations is punishable under the Draft Regulations (Article 72).