
China issues new regulations on Network Data Security Management, effective January 1, 2025

On September 30, 2024, China announced the new Network Data Security Management Regulations, effective January 1, 2025, aimed at enhancing data security and privacy while establishing compliance requirements for both domestic and international entities. These regulations will significantly impact how businesses handle data, with stricter guidelines for personal information protection and cross-border transfers, ultimately providing individuals with greater control over their data rights.


(China Briefing) On September 30, 2024, China’s State Council introduced the new Network Data Security Management Regulations, which will come into effect on January 1, 2025.


According to law firm Dezan Shira & Associates, “These new rules aim to address the growing challenges of data security in today's digital age by providing a legal framework for managing data processing activities on the Web.”


As China continues to expand its digital economy, these regulations are poised to play a pivotal role in shaping the future of data governance both within China and on the global stage.


The regulations apply to both domestic and international entities involved in data processing activities within China. For foreign-based entities, the regulations extend to those processing data related to individuals or organizations in China, particularly when offering products or services, analyzing or evaluating behavior within the country, or handling ‘important’ domestic data.


The regulations establish a comprehensive framework for the management and protection of important data. Although they do not define the term itself, they set out the responsibilities of data processors that handle such data.


Identification and classification

A national data security coordination mechanism is responsible for creating a catalog of important data, which will enhance protection efforts across different regions and sectors.

According to the regulations, local authorities and industries must develop specific directories to classify and safeguard this data effectively. Data processors are obligated to identify and report any data classified as important based on national guidelines.

While the regulations set these requirements, it remains to be seen whether these measures have been fully implemented in practice.


Responsibilities of data processors

Data processors handling important data, especially those processing personal information of more than 10 million individuals, must designate a person responsible for data security and establish a dedicated management agency. These officials are accountable for:

  • Formulating and implementing security protocols: Developing comprehensive data security management systems and incident response plans to address potential threats.

  • Conducting risk monitoring and assessment: Regularly organizing risk evaluations, emergency drills, and training to prepare for and mitigate security incidents.

  • Handling security complaints and reports: Addressing complaints related to data security breaches or vulnerabilities.


Moreover, before providing, entrusting, or jointly processing important data, data processors must conduct thorough risk assessments. These evaluations must address the legality and necessity of the data processing purposes, potential risks of data breaches, and the integrity of the data recipient.


Additionally, if significant organizational changes, such as mergers or bankruptcies, may impact the security of important data, processors must report their security measures and data disposal plans to the relevant state authorities.


What do the regulations require for data security?

The regulations require data processors to enhance their network data security by implementing comprehensive protection measures. These include encryption, data backups, access controls, security authentication, and other technical safeguards to prevent data from being tampered with, destroyed, disclosed, or illegally accessed and used.


Data processors must ensure their products and services adhere to national security standards and take corrective actions immediately if security flaws, vulnerabilities, or risks are identified. They must inform users and report to relevant authorities promptly in such cases.


According to Dezan Shira & Associates, "Additionally, data processors are obligated to develop and improve emergency response plans for handling data security incidents. In cases where such incidents compromise the rights or interests of individuals or organizations, data processors are required to notify the affected parties, providing details on the incident, the risks involved, and the corrective actions taken. This notification can be made through various means, such as phone, text, email, or public announcements, except in cases where legal exceptions apply."


When sharing personal information or important data with third parties, data processors must agree on the specific purpose, methods, scope, and security obligations through contractual or other arrangements and ensure compliance through ongoing oversight. Records of personal information and important data processing must be retained for a minimum of three years.


The regulations also clarify that when multiple data processors jointly manage personal information or important data, they must clearly define their respective rights and responsibilities through mutual agreements.


What do the regulations mandate regarding personal information processing?

According to the new regulations, data processors must provide clear and accessible information before processing personal information. This information should be prominently displayed and include:

  • Data processor information: The name and contact details of the data processor.

  • Processing details: The purpose, method, type of processing, necessity for handling sensitive personal information, and the potential impact on individuals’ rights and interests.

  • Retention and disposal: The duration for which personal information will be stored and the procedures for handling data after the retention period expires.

  • User rights: Information on how individuals can review, copy, transfer, correct, supplement, delete, restrict processing, cancel accounts, or withdraw consent regarding their personal information.


When processing is based on consent, data processors are also required to:

  • Avoid collecting personal information beyond what is explicitly stated and refrain from obtaining consent through misleading practices, fraud, or coercion.

  • Secure separate consent for processing sensitive personal information, including biometric data, health information, financial details, and location data.

  • Obtain consent from parents or guardians for processing the personal information of minors under the age of 14.

  • Limit processing to the specific purpose, method, type, and retention period agreed upon by the individual.

  • Avoid repeatedly seeking consent from individuals who have previously declined.

  • Re-obtain consent if there are changes to the purpose, method, or type of processing.


When individuals request the transfer of their personal information, data processors must facilitate access for other designated data processors by verifying the applicant’s identity and providing information on:

  • The personal information being transferred and whether it was requested with the individual’s consent or through a contract.

  • The technical feasibility of transferring the personal information.

  • Whether the transfer infringes on the rights and interests of others.

If the data transfer request is deemed excessive, data processors may impose a fee.


How do the regulations govern the transfer of data?

The new regulations establish specific guidelines for data processors wishing to transfer personal information overseas. These regulations stipulate several conditions that must be met to ensure compliance and protect individual rights, including:

  • Outbound security assessment: Data processors must conduct an outbound security assessment to evaluate the risks associated with the international transfer of personal information. This assessment is a critical step in safeguarding data privacy and security.

  • Standard contract compliance: When transferring personal information abroad, data processors must adhere to the provisions outlined in a standard contract for the export of personal information. This contract serves to clarify the responsibilities of all parties involved in the data transfer.

  • Contractual necessity: Personal information may be transferred overseas if it is necessary to fulfill a contract to which the individual is a party. This provision ensures that data transfers related to contractual obligations are permitted.

  • Human resources management: Data processors may transfer personal information overseas as part of cross-border human resources management, provided that such actions comply with relevant labor rules, regulations, and collective contracts. This is essential for organizations with international operations.

  • Legal obligations: In instances where it is necessary to fulfill legal duties or obligations, data processors are permitted to transfer personal information internationally.

  • Emergency situations: In emergencies where the life, health, or property safety of individuals is at stake, data processors can transfer personal information overseas to ensure prompt protection and assistance.

  • Legal provisions: Data processors must also comply with any additional conditions stipulated by law regarding the international transfer of data.


For the transfer of important data, data processors are required to undergo a data security export assessment. This further emphasizes the importance of safeguarding sensitive information during cross-border transfers, ensuring that adequate measures are in place to protect data integrity and confidentiality.


These regulations reflect China’s commitment to enhancing data protection while enabling necessary data transfers for business operations and legal compliance.


Penalties for non-compliance

The new regulations outline specific compliance obligations for data processors, along with corresponding penalties for violations. There are various categories of penalties for violations of data protection regulations, as illustrated in the table below.


Source: China Issues New Regulations on Network Data Security Management, Effective January 1, 2025 - Credit China Briefing

In addition, non-compliance may also trigger civil liability, administrative penalties under the Public Security Bureau, or even criminal charges if actions constitute a criminal offense.


The regulations, however, allow for reduced penalties if data processors actively mitigate the consequences of their violations, promptly rectify minor infractions, or demonstrate no harm from initial breaches.


Expected impact on businesses and individuals

The new regulations are poised to significantly affect both businesses and individuals in their approach to data handling and security. For businesses, particularly those managing substantial volumes of data, the new compliance requirements introduce a series of challenges that demand immediate attention.


Companies will need to undertake comprehensive data security audits and implement system updates to align with the updated standards. Staff training will also be critical, as employees must be equipped with the knowledge and skills to navigate the complexities of the new regulatory landscape.


Multinational corporations operating within China are expected to face additional scrutiny, especially concerning cross-border data transfers. The regulations emphasize the need for strict compliance, and any missteps could result in hefty penalties.


As such, businesses are encouraged to maintain open lines of communication with local cybersecurity departments and consider consulting with third-party agencies to ensure compliance and mitigate risks effectively.


For individuals, the new regulations herald a stronger commitment to the protection of personal data. With enhanced privacy rights, individuals will have greater control over their personal information and the ability to seek recourse in cases of data misuse or breaches. This shift is likely to foster a heightened awareness among the public regarding their rights and the measures being implemented to safeguard their data.


This article is not legal advice and is not intended to replace the advice of a licensed professional. Therefore, no responsibility can be attributed.

Source: China Briefing - Dezan Shira & Associates

