LawFlash

China Publishes Finalized Regulation for Administration of Network Data Security

October 03, 2024

China has officially published the finalized Regulation for the Administration of Network Data Security (Network Data Regulation), which will take effect on January 1, 2025. Key highlights include stricter informed consent requirements, clearer definitions and obligations regarding "important data," and expanded contractual requirements for data sharing between data handlers. Cross-border data transfer exemptions have also been introduced, making certain transfers possible without government assessment under specific emergency or statutory circumstances.

Businesses should act now to update their privacy policies, data handling agreements, and internal processes to comply with these new rules, especially in the areas of risk assessments, cross-border transfers, and network data security management. Companies failing to comply are urged to promptly rectify issues, as proactive compliance measures may reduce or eliminate penalties for minor violations.

THE NETWORK DATA REGULATION VS THE PIPL

From the perspective of personal information protection, the Network Data Regulation largely tracks the Personal Information Protection Law (PIPL) but adds detailed explanations and implementing rules.

The Network Data Regulation emphasizes and supplements the informed consent requirements in the PIPL. It also provides detailed provisions that should be included in the informed consent form before the network data handler handles personal information.

Article 12 provides that “where a network data handler provides or entrusts the processing of personal information and important data to other network data handlers/processors, it shall, through a contract or the like, agree with the recipient of the network data on the purpose, manner and scope of the processing, as well as the obligations of security protection, and shall supervise the fulfillment of the obligations by the recipient of the network data.” The PIPL only requires that the parties sign a contract when the data controller engages entrusted parties to process personal information. However, this provision requires that the contract also be signed when a data controller provides personal information to other data controllers.

IMPORTANT DATA

The Network Data Regulation provides additional requirements on important data handlers.

Definition of ‘important data’

The Network Data Regulation removed the examples of important data that appeared in the exposure draft, but it does state that “important data” refers to data within specific fields, groups, or regions, or data that has reached a certain level of accuracy and scale, and that may directly endanger national security, economic operations, social stability, or public health and safety if tampered with, destroyed, leaked, or illegally obtained or used.

Although this definition is quite general, the Network Data Regulation provides that business operators have an obligation to identify and report potential important data to the authorities, who will then notify the business operators as to whether such data constitutes “important data.”

Will personal information constitute important data? According to Article 28, a network data handler handling personal information of more than 10 million individuals must comply with some of the requirements for important data handlers. By contrast, the draft version of the regulation set the threshold at 1 million individuals’ personal information.

Risk Assessments

The Network Data Regulation imposes both routine and annual risk assessment obligations on handlers of important data.

Article 31 requires that a handler of important data conduct a risk assessment before providing important data to others, entrusting its handling to others, or jointly handling it with others.

Article 33 also requires that a handler of important data conduct an annual risk assessment of its data handling activities and file the risk assessment report with the competent authorities at the provincial level or above. The competent authorities shall inform the cybersecurity administration authority and the public security authority. The risk assessment report shall cover the following aspects:

  • Basic information on the network data handler, information on the network data security management agency, the name and contact information of the person in charge of network data security, etc.
  • The purpose, type, quantity, method, scope, storage period, and storage location of important data processed, and the circumstances under which network data processing activities are carried out (excluding the content of the network data)
  • The network data security management system and its implementation status, technical measures such as encryption, backup, labeling, access control, security authentication, and other necessary measures and their effectiveness
  • Identified network data security risks, network data security incidents that have occurred and the handling of such incidents
  • Risk assessments of the provision, entrusted handling, and joint handling of important data
  • Cross-border network data transfers
  • Other reporting requirements specified by the competent authorities

In addition to the contents mentioned above, the Network Data Regulation also provides that the risk assessment report submitted by a large-scale network platform service provider handling important data shall fully explain the security of network data in its key businesses and the supply chain.

Large-scale network platforms refer to those with more than 50 million registered users or more than 10 million monthly active users, complex business types, and network data handling activities that significantly impact national security, economic operations, people's livelihoods, and other aspects.

CROSS-BORDER TRANSFER

In addition to the exemptions provided under the Provisions on Promoting and Regulating Cross-border Data Flows, the Network Data Regulation provides the following additional exemptions under which personal information can be transferred cross-border without going through government filing or assessment:

  • To perform statutory duties or obligations, it is necessary to provide personal information overseas.
  • To protect the life, health, and property safety of natural persons in an emergency, it is necessary to provide personal information overseas.

NETWORK PLATFORM SERVICE PROVIDERS

The Network Data Regulation imposes additional obligations on network platform service providers.

According to Article 40, network platform service providers shall clarify the network data security protection obligations of third-party product and service providers accessing their platforms through platform rules or contracts, etc., and urge third-party product and service providers to strengthen network data security management.

Furthermore, according to Article 44, large-scale network platform service providers shall annually publish a personal information protection social responsibility report. This report should include, but is not limited to, personal information protection measures and their results, the handling of individuals' applications to exercise their rights, and the performance of duties by the personal information protection supervisory agency, which is primarily composed of external members.

OUR OBSERVATIONS

Given that the Network Data Regulation requires more detail in the privacy policy, companies need to review the privacy policies posted on their websites to align them with the new requirements.

Companies should sign contracts (e.g., data processing agreement, data transfer agreement) when they provide or entrust the processing of personal information and important data to other network data handlers/processors.

Although the law provides that the authorities will notify and publish determinations of important data, companies are still obligated to identify and report potential cases of important data for the authorities’ confirmation.

Companies that are not in compliance are advised to promptly rectify the non-compliance and seek mitigation. According to Article 59 of the Network Data Regulation, if a network data handler takes the initiative to eliminate or reduce the harmful consequences of a minor violation and promptly corrects it, and if it causes no significant harm, or if it is a first minor violation corrected quickly, the administrative punishment may be reduced, mitigated, or not imposed, as per the Administrative Punishments Law of the People's Republic of China.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Todd Liao (Shanghai)
Sylvia Hu (Shanghai)
Jimmy Liu (Shanghai)