China Publishes Finalized Regulation for Administration of Network Data Security

Morgan Lewis

China published the finalized Regulation for the Administration of Network Data Security (Network Data Regulation) on September 30, 2024. This regulation was first released as a draft version dated November 2021. Throughout its 9 chapters and 64 articles, the Network Data Regulation comprehensively covers regulations on network data (electronic data processed and generated through the network), including data security, personal information protection, important data management, cross-border transfer, and obligations of network platform service providers.

The Network Data Regulation will come into effect on January 1, 2025.

This LawFlash details key points of the Network Data Regulation, compared with the existing data protection framework.

THE NETWORK DATA REGULATION VS THE PIPL

From the perspective of personal information protection, the Network Data Regulation largely follows the tracks of the Personal Information Protection Law (PIPL) but provides detailed explanations and implementing rules.

The Network Data Regulation emphasizes and supplements the informed consent requirements in the PIPL. It also provides detailed provisions that should be included in the informed consent form before the network data handler handles personal information.

Article 12 provides that “where a network data handler provides or entrusts the processing of personal information and important data to other network data handlers/processors, it shall, through a contract or the like, agree with the recipient of the network data on the purpose, manner and scope of the processing, as well as the obligations of security protection, and shall supervise the fulfillment of the obligations by the recipient of the network data.” The PIPL only requires that the parties sign a contract when the data controller engages entrusted parties to process personal information. However, this provision requires that the contract also be signed when a data controller provides personal information to other data controllers.

IMPORTANT DATA

The Network Data Regulation provides additional requirements on important data handlers.

Definition of ‘important data’

The Network Data Regulation drops the examples given in the exposure draft, but does state that “important data” refers to data within specific fields, groups, or regions, or data that has reached a certain level of accuracy and scale, and that may directly endanger national security, economic operations, social stability, public health, and safety if tampered with, destroyed, leaked, or illegally obtained or used.

Although this definition is quite general, the Network Data Regulation provides that business operators are obligated to identify and report potentially important data to the authorities, which will then notify the business operators as to whether such data constitutes “important data.”

Will personal information constitute important data? According to Article 28, a network data handler handling personal information of more than 10 million individuals must comply with some of the requirements for important data handlers. By contrast, the draft version of the regulation set the threshold at 1 million individuals’ personal information.

Risk Assessments

The Network Data Regulation imposes both routine and annual assessment obligations on handlers of important data.

Article 31 requires that a handler of important data conduct a risk assessment before providing, entrusting the handling of, or jointly handling important data.

Article 33 also requires that a handler of important data conduct an annual risk assessment of its data handling activities and file the risk assessment report with the competent authorities at the provincial level or above. The competent authorities shall inform the cybersecurity administration authority and the public security authority. The risk assessment report shall cover the following aspects:

  • Basic information on the network data handler, information on the network data security management agency, the name and contact information of the person in charge of network data security, etc.
  • The purpose, type, quantity, method, scope, storage period, and storage location of important data processed, and the circumstances under which network data processing activities are carried out (excluding the content of the network data)
  • The network data security management system and its implementation status, technical measures such as encryption, backup, labeling, access control, security authentication, and other necessary measures and their effectiveness
  • Identified network data security risks, network data security incidents that have occurred and the handling of such incidents
  • Risk assessments of the provision, entrusted handling, and joint handling of important data
  • Cross-border network data transfers
  • Other reporting requirements specified by the competent authorities

In addition to the contents mentioned above, the Network Data Regulation also provides that the risk assessment report submitted by a large-scale network platform service provider handling important data shall fully explain the security of network data in its key businesses and the supply chain.

Large-scale network platforms refer to those with more than 50 million registered users or more than 10 million monthly active users, complex business types, and network data handling activities that significantly impact national security, economic operations, people's livelihoods, and other aspects.

CROSS-BORDER TRANSFER

The Network Data Regulation provides the following additional exemptions under which personal information may be transferred across borders without going through government filing or assessment, in addition to the exemptions provided under the Provisions on Promoting and Regulating Cross-border Data Flows:

  • To perform statutory duties or obligations, it is necessary to provide personal information overseas.
  • To protect the life, health, and property safety of natural persons in an emergency, it is necessary to provide personal information overseas.

NETWORK PLATFORM SERVICE PROVIDERS

The Network Data Regulation imposes additional obligations on network platform service providers.

According to Article 40, network platform service providers shall clarify the network data security protection obligations of third-party product and service providers accessing their platforms through platform rules or contracts, etc., and urge third-party product and service providers to strengthen network data security management.

Furthermore, according to Article 44, large-scale network platform service providers shall annually publish a personal information protection social responsibility report. This report should include, but is not limited to, personal information protection measures and results, the acceptance of applications for the exercise of rights by individuals, and the performance of duties by the personal information protection supervisory agency, which is primarily composed of external members.

OUR OBSERVATIONS

Given that the Network Data Regulation requires more detail in the privacy policy, companies need to review the privacy policies posted on their websites and reconcile them with the new requirements.

Companies should sign contracts (e.g., data processing agreement, data transfer agreement) when they provide or entrust the processing of personal information and important data to other network data handlers/processors.

Although the law provides that the authorities will notify and publish determinations of important data, companies are still obligated to identify and report potential important data for the authorities’ confirmation.

Companies that are not in compliance are advised to rectify the non-compliance promptly and seek mitigation. According to Article 59 of the Network Data Regulation, if a network data handler takes the initiative to eliminate or reduce the harmful consequences of a minor violation and promptly corrects it, and if it causes no significant harm, or if it is a first minor violation corrected quickly, the administrative punishment may be reduced, mitigated, or not imposed, as per the Administrative Punishments Law of the People's Republic of China.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Morgan Lewis