China Issues New Regulations on Network Data Security Management, Effective January 1, 2025

Written by Giulia Interesse

On September 30, 2024, China announced the new Network Data Security Management Regulations, effective January 1, 2025, aimed at enhancing data security and privacy while establishing compliance requirements for both domestic and international entities. These regulations will significantly impact how businesses handle data, with stricter guidelines for personal information protection and cross-border transfers, ultimately providing individuals with greater control over their data rights.


On September 30, 2024, China’s State Council introduced the new Network Data Security Management Regulations, which will come into effect on January 1, 2025.

These new regulations aim to address the increasing challenges of data security in today’s digital age by providing a legal framework for managing network data processing activities. With a focus on safeguarding the rights of individuals and organizations while ensuring national security and public interests, the regulations set out comprehensive guidelines on personal data protection, cross-border data transfers, and the responsibilities of internet platform providers.

As China continues to expand its digital economy, these regulations are poised to play a pivotal role in shaping the future of data governance both within China and on the global stage. In this article, we examine the key provisions of the regulations, their implications for businesses and individuals, their broader impact on China’s data security landscape, and how these rules align with global trends in data governance.


Development of the Network Data Security Management Regulations

The new regulations have undergone a lengthy drafting and deliberation process before reaching their final form. The first draft was published by the Cyberspace Administration of China (CAC) on November 14, 2021, in the form of an Exposure Draft, which invited public feedback until December 13, 2021. This initial draft was built upon China’s existing data protection framework, including laws like the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL). It outlined provisions aimed at managing the security of important data, regulating cross-border data transfers, and ensuring the protection of personal information.

Over the following years, the draft went through extensive review and amendment. Experience gained in the meantime from implementing related rules, such as those on data classification and grading and on cross-border data flows, fed into the final text.

By August 30, 2024, the State Council officially passed the regulations, with the final version being formally published on September 30, 2024. These regulations will come into force on January 1, 2025.

Although the final text contains new provisions, several of the draft's key elements, such as the treatment of ‘important data’ and the mechanisms for cross-border data transfers, had already been adopted through other regulations in the intervening years. In practice, therefore, parts of the framework were being applied before the regulations themselves were released.

Who is subject to the regulations?

The regulations apply to network data processing activities carried out within China, by domestic and foreign entities alike. They also reach processing carried out outside China that concerns individuals or organizations in China, in particular the processing of personal information of people in China in order to offer them products or services or to analyze or evaluate their behavior, as well as the handling of ‘important’ domestic data.

Important data generally refers to information that, if leaked, tampered with, or destroyed, could affect national security, economic stability, or technological progress, or could impact critical industries such as telecommunications.

How to identify and manage important data?

The regulations establish a comprehensive framework for the management and protection of important data. They define important data only in general terms and provide no enumerated list, leaving concrete identification to sectoral and regional catalogs, but they do spell out the responsibilities of data processors that handle such data.

Identification and classification

A national data security coordination mechanism is responsible for creating a catalog of important data, which will enhance protection efforts across different regions and sectors.

According to the regulations, local authorities and industries must develop specific directories to classify and safeguard this data effectively. Data processors are obligated to identify and report any data classified as important based on national guidelines.

While the regulations set these requirements, how fully the catalogs and reporting mechanisms will be implemented in practice remains to be seen.

Responsibilities of data processors

Data processors handling important data, as well as those processing the personal information of more than 10 million individuals, must designate a person responsible for network data security and establish a dedicated data security management body. The responsible person and the management body are accountable for:

  • Formulating and implementing security protocols: Developing comprehensive data security management systems and incident response plans to address potential threats.
  • Conducting risk monitoring and assessment: Regularly organizing risk evaluations, emergency drills, and training to prepare for and mitigate security incidents.
  • Handling security complaints and reports: Addressing complaints related to data security breaches or vulnerabilities.

Moreover, before providing, entrusting, or jointly processing important data, data processors must conduct a risk assessment. The assessment must cover the legality, legitimacy, and necessity of the purpose, method, and scope of the processing; the risk that the data could be leaked, tampered with, destroyed, lost, or illegally used; the security measures in place; and the security capability and trustworthiness of the data recipient.

Additionally, if significant organizational changes, such as mergers or bankruptcies, may impact the security of important data, processors must report their security measures and data disposal plans to the relevant state authorities.

What do the regulations require for data security?

The regulations require data processors to enhance their network data security by implementing comprehensive protection measures. These include encryption, data backups, access controls, security authentication, and other technical safeguards to prevent data from being tampered with, destroyed, disclosed, or illegally accessed and used.

Data processors must ensure that their products and services meet the applicable national standards and must take remedial measures immediately when a security flaw, vulnerability, or other risk is discovered. Where such a flaw harms or may harm users, they must notify the affected users and report to the competent authorities promptly.

Additionally, data processors are obligated to develop and improve emergency response plans for handling data security incidents. In cases where such incidents compromise the rights or interests of individuals or organizations, data processors are required to notify the affected parties, providing details on the incident, the risks involved, and the corrective actions taken.

This notification can be made through various means, such as phone, text, email, or public announcements, except in cases where legal exceptions apply.

When sharing personal information or important data with third parties, data processors must agree on the specific purpose, methods, scope, and security obligations through contractual or other arrangements and ensure compliance through ongoing oversight. Records of personal information and important data processing must be retained for a minimum of three years.

The regulations also clarify that when multiple data processors jointly manage personal information or important data, they must clearly define their respective rights and responsibilities through mutual agreements.

What do the regulations mandate regarding personal information processing?

According to the new regulations, data processors must provide clear and accessible information before processing personal information. This information should be prominently displayed and include:

  • Data processor information: The name and contact details of the data processor.
  • Processing details: The purpose, method, type of processing, necessity for handling sensitive personal information, and the potential impact on individuals’ rights and interests.
  • Retention and disposal: The duration for which personal information will be stored and the procedures for handling data after the retention period expires.
  • User rights: Information on how individuals can review, copy, transfer, correct, supplement, delete, restrict processing, cancel accounts, or withdraw consent regarding their personal information.

When processing is based on consent, data processors are also required to:

  • Avoid collecting personal information beyond what is explicitly stated and refrain from obtaining consent through misleading practices, fraud, or coercion.
  • Secure separate consent for processing sensitive personal information, including biometric data, health information, financial details, and location data.
  • Obtain consent from parents or guardians for processing the personal information of minors under the age of 14.
  • Limit processing to the specific purpose, method, type, and retention period agreed upon by the individual.
  • Avoid repeatedly seeking consent from individuals who have previously declined.
  • Re-obtain consent if there are changes to the purpose, method, or type of processing.

Personal information that is not necessary for providing the product or service, or that was collected without consent, must be deleted or anonymized.

When an individual requests that their personal information be transferred to another data processor they have designated, the data processor must provide a way to do so, provided that the following conditions are met:

  • The identity of the requesting individual can be verified.
  • The personal information to be transferred was collected on the basis of the individual’s consent or under a contract with the individual.
  • The transfer is technically feasible.
  • The transfer does not infringe on the legitimate rights and interests of others.

If the number or frequency of transfer requests clearly exceeds a reasonable range, the data processor may charge a reasonable fee.

How do the regulations govern the transfer of data?

The new regulations set out the lawful bases on which a data processor may transfer personal information overseas. A transfer is permitted where any one of the following conditions is satisfied:

  • Outbound security assessment: The transfer has passed the security assessment for outbound data transfers organized by the Cyberspace Administration of China.
  • Standard contract: The data processor has concluded a standard contract for the export of personal information with the overseas recipient in accordance with CAC rules, setting out the rights and obligations of both parties.
  • Contractual necessity: The transfer is necessary to conclude or perform a contract to which the individual is a party.
  • Cross-border human resources management: The transfer is necessary for cross-border human resources management carried out under lawfully adopted labor rules and collective contracts.
  • Legal obligations: The transfer is necessary to perform statutory duties or obligations.
  • Emergencies: The transfer is necessary to protect the life, health, or property of a natural person in an emergency.
  • Other legal provisions: The transfer meets any other conditions stipulated by law or administrative regulations, or by the CAC.

For important data, an outbound transfer is permitted only after the data processor has passed the data export security assessment organized by the CAC. This places a higher bar on the most sensitive category of data and requires processors to demonstrate that adequate measures are in place to protect its integrity and confidentiality once it leaves China.

These regulations reflect China’s commitment to enhancing data protection while enabling necessary data transfers for business operations and legal compliance.

Penalties for non-compliance

The new regulations pair each compliance obligation with corresponding penalties for violations. The main categories are summarized in the table below (US dollar figures are approximate conversions).

Penalties for Non-Compliance with New Regulations on Network Data Security

Type of violation: General non-compliance
Penalties:
  • For breaches of provisions related to data processing, including Articles 12, 16 to 20, 22, and others, the CAC and other competent departments may order rectification, issue warnings, and confiscate illegal gains.
  • Where the processor refuses to rectify or the violation is serious, fines can reach RMB 1 million (approx. US$142,000), and authorities may suspend the relevant business, order a shutdown for rectification, or revoke licenses.
  • Directly responsible personnel may be fined between RMB 10,000 (approx. US$1,420) and RMB 100,000 (approx. US$14,200).

Type of violation: Specific violations of Article 13
Penalties:
  • Breaches of Article 13 incur more stringent penalties, with fines between RMB 100,000 (approx. US$14,200) and RMB 1 million (approx. US$142,000), and possible business suspension or license revocation for persistent non-compliance.
  • Directly responsible personnel may be fined between RMB 10,000 (approx. US$1,420) and RMB 100,000 (approx. US$14,200).

Type of violation: Violations of data security provisions
Penalties:
  • Violations of data security provisions, such as those in Articles 29 and 31, may result in fines between RMB 50,000 (approx. US$7,100) and RMB 200,000 (approx. US$28,500), particularly where they lead to significant data breaches. Where a violation is minor and promptly corrected, lighter penalties may apply.

Beyond these administrative fines, non-compliance may also give rise to civil liability, public security administrative penalties imposed by the public security organs, or criminal prosecution where the conduct constitutes an offense.

The regulations, however, allow for reduced penalties if data processors actively mitigate the consequences of their violations, promptly rectify minor infractions, or demonstrate no harm from initial breaches.

Expected impact on businesses and individuals

The new regulations are poised to significantly affect both businesses and individuals in their approach to data handling and security. For businesses, particularly those managing substantial volumes of data, the new compliance requirements introduce a series of challenges that demand immediate attention.

Companies will need to undertake comprehensive data security audits and implement system updates to align with the updated standards. Staff training will also be critical, as employees must be equipped with the knowledge and skills to navigate the complexities of the new regulatory landscape.

Multinational corporations operating within China are expected to face additional scrutiny, especially concerning cross-border data transfers. The regulations emphasize the need for strict compliance, and any missteps could result in hefty penalties.

As such, businesses are encouraged to maintain open lines of communication with local cybersecurity departments and consider consulting with third-party agencies to ensure compliance and mitigate risks effectively.

For individuals, the new regulations herald a stronger commitment to the protection of personal data. With enhanced privacy rights, individuals will have greater control over their personal information and the ability to seek recourse in cases of data misuse or breaches. This shift is likely to foster a heightened awareness among the public regarding their rights and the measures being implemented to safeguard their data.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.