On September 30, 2024, the State Council of China published the Regulations on Administration of Network Data Security (the “Regulations”), which will take effect on January 1, 2025. The Regulations cover multiple dimensions of network data security, including personal information protection, security of important data, cross-border transfers, network platform service providers’ obligations, and regulatory supervision and administration. Certain of the key provisions are summarized below. In general, most of the provisions under the Regulations can be found in other existing laws and regulations of China.
Scope of Applicability
The Regulations apply to “network data handlers,” defined as individuals and organizations that autonomously decide on the purpose and the manner of processing in network data processing activities. All network data processing activities, regulatory supervision and administration activities are subject to the Regulations.
Additionally, activities outside of China involving the processing of personal information of individuals in China are subject to the Regulations, i.e., data handlers subject to the extra-territorial jurisdiction of the Personal Information Protection Law (“PIPL”).
General Provisions
The Regulations include the following general obligations:
- Technical measures: network data handlers should implement multiple levels of cybersecurity protection, including measures such as encryption, back-ups, access control, security certification, and other necessary measures to protect data security.
- Data breach reporting: network handlers are subject to certain data breach reporting requirements both with respect to competent authorities and impacted individuals and organizations.
- Entrusted processing: network data handlers should supervise fulfillment of obligations by the entrusted parties (e.g., by vendors). Records of processing of personal information and important data related to the entrusted parties shall be retained for at least three years.
Protection of Personal Information
The Regulations contain specific provisions regarding personal information, including:
- Processing rules: the Regulations provide the required content for data processing rules that should include the purpose and means of processing, and the categories of personal information collected and provided to other network data handlers, as well as data recipients.
- Data portability: compliance with the right of data portability is subject to certain conditions, including verification of the identity of the data subject who submits the request, the transfer of personal information being technically feasible, and the transfer of personal information not jeopardizing the legitimate rights and interests of others.
- Representative: foreign network data handlers subject to the extra-territorial jurisdiction of the PIPL should establish a special agency or appoint a representative in China and report the name of the agency or representative and contact information to the district-level cyberspace administration office.
- Process data of more than 10 million individuals: processing personal information of more than 10 million individuals is considered as processing important data.
- Compliance audit: network data handlers should conduct regular compliance audits. Such an audit can be conducted by the network data handler itself or by a third party on its behalf.
Important Data
According to the Regulations, important data refers to data in a specific field, a specific group, a specific region, or of a certain precision and scale, which, once tampered with, damaged, leaked, or illegally accessed or illegally utilized, may directly jeopardize national security, economic operation, social stability, or public health and safety.
In addition, the Regulations provide that different regions and different industrial regulators of China may define their own catalogues of important data.
Cross-Border Transfer
The Regulations list eight conditions for cross-border transfer (most of which are found in other existing laws and regulations of China):
- passing the security assessment conducted by the Cyberspace Administration of China (“CAC”);
- certification by a professional organization for personal information protection in accordance with the regulations of the CAC;
- conducting filing of the standard contract of cross-border transfer of personal information;
- necessity to provide personal information outside of China for the purpose of concluding and fulfilling a contract to which the individual is a party;
- implementing cross-border human resources management in accordance with labor rules formulated and collective contracts signed in accordance with applicable laws, and there is a genuine need to provide employees’ personal information outside of China;
- the provision of personal information outside the country is necessary for the fulfillment of legal duties or legal obligations (e.g., KYC checks, overseas IPO, etc.). This specific condition is notable as it is new;
- necessity to transfer personal information outside of China in order to protect the life, health and property safety of natural persons in case of emergency; or
- other conditions stipulated by applicable laws, administrative regulations or the CAC.
Obligations of Network Platform Service Providers
The Regulations include specific obligations applicable to network platform service providers. These include, for example, managing the third-party product and service providers that have access to the network platform service provider’s platform, and publishing annually a personal information protection social liability report.
The Regulations also provide stricter requirements for large-scale network platform service providers. Large-scale network platforms are those with more than 50 million registered users or more than 10 million monthly active users, complex business types, and network data processing activities that have an important impact on national security, economic operation, and the national economy and people’s livelihood.
Regulatory Supervision and Administration
The Regulations allow the competent regulator to take the following measures in conducting cybersecurity inspections of a network data handler:
- requesting explanations and information on matters subject to administration and inspection;
- reviewing and copying documents and records related to network data security;
- inspecting the operation of network data security measures;
- inspecting devices and articles related to network data processing activities; and
- other necessary measures prescribed by other laws.
The CAC in conjunction with the competent authorities concerned may take the necessary measures in accordance with the law if an overseas organization or individual engages in network data processing activities that endanger the national security or public interests of China or infringe upon the personal information rights and interests of citizens of China.
Enforcement
There are three levels of enforcement for violations of the Regulations including violations of protection of data security, violations of national security, and violations of important data security related rules. Enforcement actions under the Regulations vary depending on the provision violated. They may include:
- suspension of the relevant business;
- revocation of a permit or business license;
- financial penalty on the network data handler of between RMB 1 million and RMB 10 million; and
- financial penalty on person(s) directly responsible of between RMB 10,000 and RMB 1 million
An administrative penalty may be reduced or exempted if: (1) the network data handler eliminates or mitigates the harmful consequences of the relevant violation; (2) the violation is minor and corrected in a timely manner and does not cause harmful consequences; or (3) the network data handler violates the Regulations for the first time and the harmful consequences are minor and corrected in a timely manner.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code