On 30 September 2024, the State Council of the People's Republic of China published the Network Data Security Management Regulations (the "Regulations"). These Regulations finalise the Draft Regulations released for public comment in 2021 (see our IP & TMT Quarterly Review in the Fourth Quarter of 2021: China issues Draft Network Security Management Regulations). The Regulations will come into force on 1 January 2025.
The Regulations, issued pursuant to the Cybersecurity Law ("CSL"), the Data Security Law ("DSL") and the Personal Information Protection Law ("PIPL"), provide more clarity on the key network data security requirements under these laws. They also reflect the latest development in the data regulatory landscape in China, especially given the recent efforts of the regulator to address concerns regarding difficulties in complying with the strict data regulations in China.
In this article we look at the key requirements under the finalised Regulations and highlight relevant considerations for businesses to look out for.
Application and Extraterritorial Effect
The definition of "Network Data" under the Regulations covers all electronic data processed and generated over a computer network and is not limited to personal information and/or "important data". This echoes the scope of "data" under the DSL and suggests that the Regulations widely apply to processing activities of different categories of data (e.g., financial, market and operational data).
Mirroring the extraterritorial reach of the PIPL and DSL, the Regulations explicitly confirm that their scope extends to any network data processing activities performed outside China, provided such activities are:
Businesses should also note that the Regulations regulate extraterritorial network data processing activities that harm national security, public interest, or the lawful rights and interests of Chinese citizens and organizations. Moreover, foreign network data controllers which are required under the PIPL to establish a dedicated agency or appoint a representative in China should note that, apart from their reporting obligations to the relevant personal information protection departments, they shall also report the name of the relevant agency or representative and their contact information to the local cyberspace administration at the districted city level.
Incident Reporting Requirements
While the Draft Regulations required incident reports to be notified to affected parties within three working days, the Regulations now remove the proposed timeframe and require network data controllers that discover any security risk or network vulnerability to take remedial measures immediately, notify users in a timely manner, and also notify the relevant regulator in accordance with the relevant regulations. It appears that these changes may have been motivated by the release of the Draft Measures for Cybersecurity Incident Reporting on 8 December 2023 (the "Draft Measures"), which proposed a stricter one-hour reporting requirement for some serious security incidents. That said, if a security risk has resulted in harm to national security or public interest, it must be reported to the relevant regulator within 24 hours. Network data controllers should also keep an eye out for the developments regarding the Draft Measures which may provide further clarifications on incident reporting obligations.
Data Portability
Under the PIPL, data subjects have the right to data portability and may request data controllers to transfer their personal information to a designated data controller so long as the transfer meets conditions to be set by regulators.
For the first time, the Regulations make clear the conditions under which a data subject can ask a network data controller to allow any other network data controller designated by the data subject to access and acquire his or her personal information. These conditions are where:
The Regulations also provide that network data controllers may charge necessary fees based on the transfer cost, if the number of such requests is manifestly excessive.
Processing Important Data
The Regulations are consistent with the Provisions on Regulating and Promoting Cross-Border Data Transfers ("CBDT Provisions") released in March 2024, specifying that data will only be identified as "important data" if it is included in an important data catalogue, or otherwise explicitly designated as such by regulators or local authorities.
The Draft Regulations provided that network data controllers processing the personal information of more than a certain number of individuals are subject to some of the same requirements that are imposed on network data controllers that process important data ("Important Data Controllers"). In the Regulations, this threshold has been raised by a significant margin - from 1 million to 10 million people - representing a relaxation of the regulatory stance.
Important Data Controllers are also required to comply with, among others, the following obligations:
Cross-Border Data Transfers
Following the release of the CBDT Provisions in March 2024, which eased certain stringent requirements for the cross-border transfer of personal information, the Regulations further provide that, apart from the existing cross-border data transfer mechanisms (i.e., the Security Assessment, Certification, and Standard Contract (together, the "Cross-Border Data Transfer Mechanisms")), the cross-border transfer of data will also be permissible under the following circumstances:
The Regulations include some of the existing exemptions to Cross-Border Data Transfer Mechanisms provided under the CBDT Provisions (i.e., (1), (2), and (4) above) and which were previously absent in the Draft Regulations. On the other hand, the Regulations introduce (3) above as a new exemption, which appears to be easing the compliance burden for companies that transfer data outside China to meet certain requirements such as under sector or industry-specific regulations. However, this exemption is still subject to further clarification, as it is unclear whether it allows cross-border transfer of data to overseas governmental bodies or regulators for meeting regulations under foreign laws.
Other Key Changes
The Draft Regulations previously extended the security review requirement to network data controllers which (1) process the personal information of more than 1 million people and are seeking to list on a stock exchange outside China, and (2) are seeking to list on a stock exchange in Hong Kong in a manner which affects or may affect national security. The Regulations now remove these conditions and only specify that network data processing activities that affect or may affect national security will require a national security review. This will no doubt bring some relief to companies wishing to list publicly abroad or in Hong Kong. That said, large network platforms which have more than 50 million registered users or 10 million monthly active users may still be subject to various obligations (e.g., publishing an annual report on personal information protection).
The Draft Regulations previously required network data controllers to delete or anonymize unnecessary personal information within 15 working days in circumstances where it is not possible to avoid the collection of such data because of the use of automated collection technology. The finalised Regulations now remove the 15-working-day timeline, which will significantly reduce the compliance burden for AI developers relying on data scraping. That said, businesses training AI models with data scraping tools should exercise caution in processing any personal information and ensure unnecessary data is deleted or anonymized in a timely and proper manner.
The Regulations also reiterate the obligations imposed on network data controllers that provide Generative AI services to take measures to ensure the security of training data. This aligns with the requirement under China's first regulations on generative AI services.
Takeaway
The Regulations bring more clarity to the requirements under the CSL, DSL and PIPL and generally reflect a relaxation of the regulators' stance in China since the first release of the Draft Regulations in 2021. Companies should pay close attention to future enforcement actions and review their current network data security policies and practices to ensure full compliance with the Regulations in order to avoid potential regulatory scrutiny.