People’s Republic of China announces finalised network data regulation
The data cybersecurity landscape in the People’s Republic of China (PRC) has evolved significantly in recent years, driven by rapid technological advancements and increasing concerns over data privacy and national security. Central to this transformation is the government’s commitment to establishing a robust regulatory framework that balances economic growth with the protection of personal and sensitive data.
Key developments include the implementation of the Cybersecurity Law of the People’s Republic of China 《中华人民共和国网络安全法》in 2017, which laid the groundwork for data protection and cybersecurity obligations for network operators. This was followed by the Data Security Law 《中华人民共和国数据安全法》and the Personal Information Protection Law (PIPL) 《中华人民共和国个人信息保护法》, both enacted in 2021, which further delineate data handling practices and enhance individuals’ rights regarding their personal information.
Reflecting the PRC’s proactive approach to establishing a resilient data protection environment in an increasingly digital world, China’s State Council announced on 30 September 2024 the finalised Regulation for the Administration of Network Data Security 《网络数据安全管理条例》(“Network Data Regulation”), which will take effect on 1 January 2025. The regulation aims to enhance data security and privacy in the context of rapidly advancing technologies, particularly in the digital landscape, and provides a framework for personal information protection, cross-border data transfers, network data security management and the responsibilities of internet platform providers.
The key areas of the Network Data Regulation include:
Data security responsibilities
The Network Data Regulation covers not only personal data but also nonpersonal data, such as business, financial and industry data. It confirms that businesses may treat data they collect or process as nonimportant data unless it is explicitly included in a published important data catalogue or specifically notified by Chinese regulators. This approach has been welcomed by businesses, as it, to some extent, reduces compliance uncertainty and the associated risks. Organisations are required to implement data security measures, conduct risk assessments and establish data security management systems. A data processor is also required to develop and improve emergency response plans for handling data security incidents. Comprehensive protection measures, including encryption, data backups and access controls, are needed to safeguard data from being tampered with. The Network Data Regulation also clearly sets out the conditions for personal information transfer, including verification, obtaining consent and protection of individual rights.
Personal data protection for critical information infrastructure
The regulation emphasises the protection of critical information infrastructure and requires organisations to report data breaches. Similar to the proposed amendments to the Hong Kong Personal Data (Privacy) Ordinance, the Network Data Regulation implements a retention mechanism under which a personal data retention period is to be imposed, together with a mandatory privacy statement stipulating how individuals can exercise their rights to review, transfer and use their personal information.
Cross-border data transfers
The Network Data Regulation provides additional exemptions where personal information can be transferred cross-border without government filing/assessment (including performing statutory duties or obligations involving providing personal information overseas and for the purpose of protecting the life, health, and property safety of natural persons in an emergency).
Conclusion
The finalised Network Data Regulation represents a critical advancement in China’s efforts to create a comprehensive data protection framework. It not only reinforces the obligations of organisations regarding data security and personal information management but also establishes clear guidelines for cross-border data transfers. By addressing both personal and nonpersonal data, the regulation claims to enhance compliance certainty for businesses while prioritising individual rights and national security.
With thanks to Anson Cheung for their contribution to this article.