[co-author: Joanna Wong]*
On 30 September 2024, the State Council of the People's Republic of China published the Network Data Security Management Regulations (the “Regulations”).1 These Regulations finalise the Draft Regulations released for public comment in 2021 (see our IP & TMT Quarterly Review in the Fourth Quarter of 2021: China issues Draft Network Security Management Regulations). The Regulations will come into force on 1 January 2025.
The Regulations, issued pursuant to the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), provide more clarity on the key network data security requirements under these laws. They also reflect the latest development in the data regulatory landscape in China, especially given the recent efforts of the regulator to address concerns regarding difficulties in complying with the strict data regulations in China.
In this article we look at the key requirements under the finalised Regulations and highlight relevant considerations for businesses to look out for.
APPLICATION AND EXTRATERRITORIAL EFFECT
The definition of “Network Data” under the Regulations covers all electronic data processed and generated over a computer network and is not limited to personal information and/or “important data”.2 This echoes the scope of "data" under the DSL and suggests that the Regulations widely apply to processing activities of different categories of data (e.g., financial, market and operational data).3
Mirroring the extraterritorial reach of the PIPL and DSL, the Regulations explicitly confirm that their scope extends to any network data processing activities performed outside China, provided such activities are:4
- for the purpose of providing products or services to individuals located in China;
- for the purpose of analysing or assessing the activities of individuals located in China; or
- within any other circumstances specified under local laws or regulations.
Businesses should also note that the Regulations regulate extraterritorial network data processing activities that harm national security, the public interest, or the lawful rights and interests of Chinese citizens and organisations. Moreover, foreign network data controllers which are required under the PIPL5 to establish a dedicated agency or appoint a representative in China should note that, apart from having reporting obligations to the relevant personal information protection departments, they must also report the name of the relevant agency or representative and their contact information to the local cyberspace administration at the districted city level.6
INCIDENT REPORTING REQUIREMENTS
While the Draft Regulations required incident reports to be notified to affected parties within three working days7, the Regulations now remove the proposed timeframe and require network data controllers that discover any security risk or network vulnerability to take remedial measures immediately, notify users in a timely manner, and also notify the relevant regulator in accordance with the relevant regulations.8 It appears that these changes may have been motivated by the release of the Draft Measures for Cybersecurity Incident Reporting on 8 December 2023 (the “Draft Measures”),9 which proposed a stricter one-hour reporting requirement for some serious security incidents. That said, if a security risk has resulted in harm to national security or public interest, it must be reported to the relevant regulator within 24 hours.10 Network data controllers should also keep an eye out for the developments regarding the Draft Measures which may provide further clarifications on incident reporting obligations.
DATA PORTABILITY
Under the PIPL, data subjects have the right to data portability and may request data controllers to transfer their personal information to a designated data controller so long as the transfer meets conditions to be set by regulators.11
For the first time, the Regulations make clear the conditions under which a data subject can ask a network data controller to allow any other network data controller designated by the data subject to access and acquire his or her personal information. These conditions are where:12
- the real identity of the data subject that requests the transfer can be verified;
- personal information to be transferred has been provided or collected based on consent or a contract;
- the requested transfer is technically feasible; and
- such transfer will not prejudice the lawful rights and interests of others.
The Regulations also provide that network data controllers may charge necessary fees based on the transfer cost, if the number of such requests is manifestly excessive.13
PROCESSING IMPORTANT DATA
The Regulations are consistent with the Provisions on Regulating and Promoting Cross-Border Data Transfers (“CBDT Provisions”) released in March 2024, specifying that data will only be identified as “important data” if it is included in an important data catalogue, or otherwise explicitly designated as such by regulators or local authorities.14
The Draft Regulations provided that network data controllers processing the personal information of more than a certain number of individuals are subject to some of the same requirements that are imposed on network data controllers that process important data (“Important Data Controllers”).15 In the Regulations, this threshold has been raised by a significant margin – from 1 million to 10 million people16 – representing a relaxation of the regulatory stance.
Important Data Controllers are also required to comply with, among others, the following obligations:
- Appointing an officer responsible for network data security and establishing a network data security management agency;17
- Conducting a security background review of the person responsible for network data security and of other key personnel if they will have access to “important data” of specific types and scale;18
- Conducting a risk assessment under the Regulations and other laws and regulations before providing important data to others, entrusting others to process it, or jointly processing it, except when performing legal duties or obligations;19
- Taking measures to ensure the security of important data and providing an important data disposal plan to the relevant regulators in the event of any potential impact on important data due to the merger, division, dissolution, or bankruptcy of the Important Data Controller; and20
- Conducting annual risk assessments, and submitting the risk assessment reports with the required information (e.g., information of the network data controller, network data security management rules, risks discovered, cross border transfer of data, etc.) to the regulators at the provincial level or above.21
CROSS-BORDER DATA TRANSFERS
Following the release of the CBDT Provisions in March 2024, which eased certain stringent requirements for the cross-border transfer of personal information, the Regulations further provide that, apart from the existing cross-border data transfer mechanisms (i.e., the Security Assessment, Certification and Standard Contract (together, the “Cross-Border Data Transfer Mechanisms”)), cross-border transfer of data will also be permissible under the following circumstances:
1. Cross-border data transfers which are necessary for concluding or performing a contract to which the data subject is a party;22
2. Employee data that is necessary for human resources (HR) management in accordance with legally formulated labour policies or collective employment contracts;23
3. Cross-border data transfers that are necessary for performing statutory duties or legal obligations;24 and
4. Cross-border data transfers that are necessary for protecting the health and safety of a natural person in an emergency.25
The Regulations include some of the existing exemptions to the Cross-Border Data Transfer Mechanisms provided under the CBDT Provisions (i.e., (1), (2) and (4) above), which were previously absent from the Draft Regulations. On the other hand, the Regulations introduce (3) above as a new exemption, which appears to ease the compliance burden for companies that transfer data outside China to meet certain requirements, such as those under sector or industry-specific regulations. However, this exemption is still subject to further clarification, as it is unclear whether it allows the cross-border transfer of data to overseas governmental bodies or regulators for the purpose of meeting requirements under foreign laws.
OTHER KEY CHANGES
The Draft Regulations previously extended the security review requirement to network data controllers which (1) process the personal information of more than 1 million people and are seeking to list on a stock exchange outside China, and (2) are seeking to list on a stock exchange in Hong Kong where the listing affects or may affect national security.26 The Regulations now remove these conditions and only specify that network data processing activities that affect or may affect national security will require a national security review.27 This will no doubt bring some relief to companies wishing to list publicly abroad or in Hong Kong. That said, large network platforms which have more than 50 million registered users or 10 million monthly active users may still be subject to various obligations (e.g., publishing an annual report on personal information protection).28
The Draft Regulations previously required network data controllers to delete or anonymise unnecessary personal information within 15 working days where it was not possible to avoid collecting such data because of the use of automated collection technology.29 The finalised Regulations now remove the 15-working-day timeline,30 which will significantly reduce the compliance burden for AI developers relying on data scraping. That said, businesses training AI models with data scraping tools should exercise caution in processing any personal information and ensure that unnecessary data is deleted or anonymised in a timely and proper manner.
The Regulations also reiterate the obligations imposed on network data controllers that provide Generative AI services to take measures to ensure the security of training data.31 This aligns with the requirement under China’s first regulations on generative AI services.32
TAKEAWAY
The Regulations bring more clarity to the requirements under the CSL, DSL and PIPL and generally reflect a relaxation of the regulators’ stance in China since the first release of the Draft Regulations in 2021. Companies should pay close attention to future enforcement actions and review their current network data security policies and practices to ensure full compliance with the Regulations in order to avoid potential regulatory scrutiny.
The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this article.
1 Original texts can be found here: https://www.gov.cn/zhengce/content/202409/content_6977766.htm
2 Article 62 (1), the Regulations
3 Article 3, the DSL
4 Article 2, the Regulations
5 Article 53, the PIPL
6 Article 26, the Regulations
7 Article 11, the Draft Regulations
8 Article 11, the Regulations
9 Original texts can be found here: https://www.cac.gov.cn/2023-12/08/c_1703609634347501.htm
10 Article 10, the Regulations
11 Article 45, the PIPL
12 Article 25, the Regulations
13 Article 25, the Regulations
14 Article 29, the Regulations
15 Article 26, the Draft Regulations
16 Article 28, the Regulations
17 Article 30, the Regulations
18 Article 30, the Regulations
19 Article 31, the Regulations
20 Article 32, the Regulations
21 Article 33, the Regulations
22 Article 35 (4), the Regulations
23 Article 35 (5), the Regulations
24 Article 35 (6), the Regulations
25 Article 35 (7), the Regulations
26 Article 13, the Draft Regulations
27 Article 13, the Regulations
28 Articles 44, 45, 46 and 62 (8), the Regulations
29 Article 22 (4), the Draft Regulations
30 Article 24, the Regulations
31 Article 19, the Regulations
32 See the Measures for the Management of Generative Artificial Intelligence Services, effective on 15 August 2023
*Legal Assistant