Home

Internal

Deutsch|English

Insights "Quantitative Advisory – Your caring partner for complex valuation challenges" » |

Worldwide

China’s new regulation on network data security management

published on 11 November 2024 | reading time approx. 9 minutes

On 24 September 2024, China's State Council issued a new regulation on network data security management, which will take effect on 1 January 2025. This regulation is part of China's efforts to regulate data security more comprehensively and complements existing laws such as the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL).

It affects all businesses that process electronic data, whether over the Internet or internal networks. The new regulations are also relevant to small and medium-sized enterprises (SMEs), as internal data processing in ERP systems may already be covered.

The Regulation may require companies to review and update their internal data protection policies and technical security measures. This will include adapting data protection agreements with external partners, carrying out compliance checks and stepping up preparations for potential audits. In particular, data-intensive companies will have to carry out annual risk assessments and submit them to the relevant authorities. There is a particular focus on the protection of personal and sensitive data, with new requirements for data portability and consent.

Network platform providers and large data processors – such as social networks or app store operators – will be required to strengthen their security measures and produce annual reports on their data protection efforts. These measures are designed to minimise the risk of unlawful data processing and ensure the security of important data.

We have summarised the main changes:

What's new in personal data protection? »
What's new regarding the protection of important data? »
What's new regarding cross-border data flows? »
What's new about the obligations of network platform providers? »
Recommendations »

What's new in personal data protection?

Network data

Refers to all kind of electronic data processed and generated through a network. Such processing and generating includes for example electronic data processed and generated through a network, which in this case could include both the Internet and local area networks (LANs) by companies, network platforms, application service providers and other subjects involved in network data processing, such as:

External personal information collected and processed by product and service providers, including social media on the Internet
Internal data input and processing in ERP systems of an enterprise

Why is the Regulation potentially relevant to all companies, including to SMEs?

Besides certain other cases, any internal data input and processing in an ERP system may fall under and trigger the Regulation
The protection of the company’s network data security may need to be strengthened
The company’s network data management regulations, relevant internal management rules including employee handbooks, privacy policies or personal information processing rules, may all need to be updated, as well necessary technical measures taken
Data protection agreements between the company and external cooperation partners may need to be set-up or updated and regularly supervised
The company’s personal information protection impact assessment may need to be updated
The company’s preparation for potential personal information protection compliance audits may need to be improved

What is the background of the Regulation?

In recent years, with the convergence and integration of information technology, data processing activities have become complex. Data security risks increasingly focus on network data. Illegal network data processing activities may occur from time to time, posing serious challenges to economic and social development and national security. The Cybersecurity Law (“CSL”), Data Security Law (“DSL”), and the Personal Information Protection Law (“PIPL”) set out the basic provisions on data security and personal information protection systems. The Regulation is an important part in the administrative regulatory framework supporting these three laws.

What is new regarding protection of personal information?

The Regulation focuses on refining especially the provisions of PIPL regarding notification, consent, and exercise of individual rights.

Formulation of Rules

In certain cases, data processors need to formulate rules on the processing of personal information. This is for example the privacy policy or privacy notice in case of online service provider via Internet or Apps which explains what personal information will be collected and how the personal information will be processed in detail. It can also be an employee handbook or other company-internal rules containing data processing aspects of employee personal information. In order to meet the requirements for proper notification, these rules must include the following content:

The name or names and contact information of the network data processor
The purpose, manner, and type of processing of personal information, the necessity for processing sensitive personal information, and the impact on the rights and interests of individuals
The period of retention of personal information and the manner of processing after expiry; if the period of retention is difficult to determine, the method of determining the period of retention shall be specified, the retention period could e.g. be subject to expiry of certain contract or completion of certain contractual or legal obligations
The methods and means for individuals to access, copy, transfer, correct, supplement, delete and restrict the processing of personal information, as well as the methods and means for cancellation of accounts and the withdrawal of consent

Automated Data Collection

In case of personal information collection when using automated collection techniques, etc., it may be unavoidable to collect personal information or personal information without obtaining the consent of the individual in accordance with the law. This is for example the case where Internet-connected cars collect personal information of people outside the cars, such as facial images, voice or videos etc.

The network data processor must then delete the collected personal information or anonymize it. The same applies when the individual logs out of his or her account.

Data Portability

To ensure the individual’s right to data portability, the network data processor shall provide a means for other network data processors designated by the individual to access and obtain the personal information in question under the following conditions:

The processor must be able to verify the true identity of the requestor (individual)
The request for transfer is for personal information (i) which the individual has agreed to provide or (ii) which has been collected based on a contract
The transfer of personal information is technically feasible
The transfer of personal information does not harm the legitimate rights and interests of others.

Where the number of requests for the transfer of personal information, etc., exceeds a reasonable range, the network data processor may charge the necessary fees based on the cost of transferring the personal information.

Compliance Audits

Network data processors shall periodically conduct compliance audits, either on their own or by commissioning professional organizations, of their handling of personal information in compliance with laws and administrative regulations. However, the frequency of the compliance audits is not defined yet in the Regulation. A discission draft for Management Measures for Compliance Audit of Personal Information Protection provides at least one compliance audit every year for enterprise processing personal information of 1,000,000 people and for at least one compliance audit every two years for other enterprises.

Special Obligations for Large Data Processors

The Regulation clarify the special obligations for network data processors handling personal information of more than 10 million people.

Processors must identify the person responsible for network data security and the network data security management organization.
Where a processor may affect the security of important data as a result of merger, separation, dissolution, bankruptcy, etc., it shall take measures to safeguard the security of network data and report to the relevant competent department on the disposal plan for important data, the name or names and contact details of the recipients, etc.

What's new regarding the protection of important data?

Important Data Catalogues

The Regulation specifies the requirements for the formulation of an important data catalogue and stipulate the obligations of network data processors to identify and declare important data.

In case of data exports, network data processors may need to identify and declare important data in accordance with relevant national regulations. If the data is not defined or publicly released as “important data” by the relevant regions or departments, a network data processor is not required to declare the data as important data for data export security assessment. This means that the burden is on the governmental authorities to first define and publicly release which kind of data is “important data”.

Responsible Person/Organization

The Regulation stipulates the responsibilities of the person in charge of network data security and the network data security management organization.

Risk Assessments

Required is a risk assessment before providing, entrusting processing and co-processing important data. The following key points shall be checked during such risk assessment:

Whether the provision, entrusted processing, or joint processing of network data, as well as the purpose, manner, and scope of network data processing by the recipient of network data, are lawful, legitimate, and necessary
The risk of the network data provided, entrusted for processing, or jointly processed being tampered with, destroyed, leaked or illegally accessed or illegally utilized, as well as the risk posed to national security, public interests or the legitimate rights and interests of individuals or organizations
The integrity and compliance of the network data recipient
Whether the requirements on network data security in the relevant contract (proposed to be) concluded with the recipient of network data can effectively bind the recipient of network data to fulfil its obligations on network data security protection
Whether the technical and management measures (to be) adopted can effectively prevent the risks of network data being tampered with, damaged, leaked or illegally acquired or illegally utilized
Other assessment contents stipulated by relevant competent authorities

Processors of important data shall carry out an annual risk assessment of their network data processing activities and submit a risk assessment report to the relevant competent industry sector authority at the province level which shall share this with the CAC and public security authority at the same level. The risk assessment report shall include the following content:

Basic information on network data processors, information on network data security management organizations, and the name and contact information of the person in charge of network data security
The purpose, type, quantity, mode, scope, storage period, storage location, etc., of processing important data, and the circumstances of carrying out network data processing activities, excluding the content of network data itself
Network data security management system and its implementation, encryption, backup, labelling and identification, access control, security authentication and other technical measures and other necessary measures and their effectiveness
Network data security risks discovered, network data security incidents occurred and their disposition
Risk assessment of the provision, entrusted processing, and co-processing of important data
The situation of network data exit
Other report contents stipulated by relevant competent authorities

What's new regarding cross-border data flows?

As stated above, network data processors may need to identify and declare the export of important data in accordance with relevant national regulations.

Under the PIPL and the Regulations on Promoting and Regulating Cross-Border Data of March 22, 2024, the export of personal information requires either

a governmental security assessment, or
concluding a standard contract and providing related information to the government during filing, or
a personal information protection certification

Exempted from the above is for example

providing personal information outside the country for the purpose of concluding and performing a contract to which an individual is a party, or
the provision of personal information of employees outside the country is necessary for the implementation of cross-border human resources management in accordance with the relevant labor rules and regulations

More details are found in our article Cross-border data transfer from China: New simplifications.

The Regulation provides for a further exemption:

If the provision of personal information outside China is necessary for the fulfilment of statutory duties or obligations, this is also allowed. However, it is still necessary to await the regulatory requirements of the competent authorities in practice with regard to the term “fulfilment of statutory duties or obligations”.

What's new about the obligations of network platform providers?

The Regulation stipulates the network data security protection obligations of network platform service providers such as social media and service apps and producers of smart terminals such as mobile phones or tablet computers and other devices with pre-installed applications. Network platform service providers such as mobile app stores providing application distribution services must establish application verification rules and carry out network data security-related verification to make sure that such applications conform to statutory rules or national standards in terms of cybersecurity and data security before they are distributed to the market.

In response to certain problems such as the difficulty of closing customized recommendation services pushed through automatic decision-making, etc., network platform service providers must set up easy-to-understand, easy-to-access, and easy-to-operate customized recommendation closure options, and provide users with the functions of refusing to receive pushed information, and deleting user labels targeting their personal characteristics.

The Regulation states the requirements for Large-scale Network Platform Service Providers to issue annual social responsibility reports on personal information protection. Large-scale Network Platforms refer to those with more than fifty million registered users or more than ten million monthly active users, complex business types, and network data processing activities that have an important impact on national security, economic operations, and the national economy and people's livelihood. In China, this includes for example WeChat, TikTok, Little Red Book, TaoBao, JingDong etc.

Recommendations

The Regulation provides more detailed and practical rules to implement the relevant regulations in the CSL, DSL and PIPL. Companies should take proactive measures to check their current data security rules and implement necessary improvements.

China has formulated and implemented national standards such as data classification and grading rules and personal information security norms. A number of standards are under development in such areas as the safe management of important data and the protection of sensitive personal information. Data security management methods or data classification and grading rules formulated in various industry fields are expected to provide guidance on data security and the protection of personal information. It is important that companies continue to stay alert about relevant changes.

Risk assessments, compliance audits and annual reporting are important tools for network data processors to fulfil their network data security management responsibilities as well as to improve their own network data security management capabilities. At the same time, the related documentations serve as important evidence for a company’s attempt to achieve compliance in the complex field of China’s data protection laws and regulations.