What You Need to Know about Chinas Regulations on the Management of Network Data Security Clyde Co

pGlobal Practice AreasppProductsppIs your business prepared for climate changeppClick each term for related articlesppClyde Co LLP is a limited liability partnership registered in England and Wales Authorised and regulated by the Solicitors Regulation Authority
Clyde Co LLP ppclydecocomppAsia PacificppRegulatory riskppThe new Regulations on the Management of Network Data Security 网络数据安全管理条例 1 the Regulations were issued by the State Council of the Peoples Republic of China China on 24 September 2024 and will come into force on 1 January 2025 With a focus on network data 2 the Regulations supplemented and provided further guidance on Chinas data security regulatory regime 3 clarified what important data is and refined the protection of personal information and the rules and regulations on crossborder data transfer

In this newsletter we set out the 8 key takeaways of the Regulations ppThe Regulations will apply to the supervision and management of network data processing activities within China and those personal information processing activities outside China that are subject to the China Personal Information Protection Law PIPL ie overseas personal information processing activities which are conducted for the purpose of providing products or services to individuals in China or which involves analysing and evaluating behaviours of individuals in China  ppThe Regulations further provide that anyone who carries out network data processing activities outside China to the detriment of national security public interest or the lawful rights and interests of citizens or organisations of China shall be held legally liable in accordance with the lawppWith technological advancement the Regulations will have a farreaching effect to entities in China as most data these days are commonly processed or handled through networks ppChina having one of the largest population of netizens in the world means vast amount of personal information will be collected handled and processed on a daily basis The Regulations largely follow the PIPL but clarify and supplement on the following major aspectsppDefinition important data refers to data in specific field specific group specific regions or reaching certain accuracy and scale which if tampered with destroyed leaked or illegally obtained or used may directly endanger national security economic operation social stability public health and safety4ppEven though this definition is still quite general it shows that the identification of important data is not based solely on the inherent characteristics of the data but also requires comprehensive assessment of factors such as the business sector region and the specific nature of the data involved5ppUnder the Regulations a national data security coordination mechanism will be implemented and regional and industrial regulators will establish catalogues in identifying and safeguarding important data Network data handlers would have to identify and report important data pursuant to those national standards in the applicable catalogues to fulfil their data security obligations
 ppWhat are the additional compliance obligations for handling important data ppOther than the abovementioned requirements of setting up a dedicated network data security management body and appointing of an officer who will be responsible for network data security6 network data handlers will also need toppThe Regulations have introduced relaxation to the existing rules on crossborder data transfersppLargeScale Network Platform is singled out under the Regulations and they are defined as online platforms with over 50 million registered users or over 10 million monthly active users with complex and diverse types of businesses whose network data handling activities will significantly impact on Chinas national security economic operations or public welfareppLargeScale Network Platform service providers are required to perform additional obligations such asppThe penalties for noncompliance are generally consistent with those set out in the PIPL CSL and DSL Penalties under the Regulations range from the issuance of fines warnings suspending network data handlers operations or revocation of business licence Senior management and persons in charge could potentially be exposed to personal liability That said the Regulations provide a comparatively more lenient treatment to network data handlers for example administrative punishments may be mitigated or waived for firsttime offenders who address and rectify minor breaches in a timely manner or timely rectification without causing harmful consequences
 ppUnder the Regulations network data handlers who are also important data handlers may be required to report their data disposal plan and data recipient information regarding important data to relevant authorities in a corporate transaction especially when the transaction may materially affect the security of important data This is because in such corporate transactions parties will inevitably share confidential information including important data with external third parties such as during the due diligence process in a merger leaving important data vulnerable With such reporting obligation in place companies should adopt safeguarding measures during data disposaltransfer deals by using stronger encryption methods employing access control and monitoring user activities from time to timeppThe good news to network data handlers in corporate transactions is that the Regulations adopted a less restrictive approach on what is considered as important data As mentioned above the Regulations clarified that companies do not need to treat their data as important data unless such data is officially recognised by the relevant regions or authorities or classified as important data Hence no further action is required when handling such data in corporate transactions until regulators notifies otherwiseppThe Regulations will work handinhand with CSL DSL PIPL and other relevant laws and regulations Whilst the Regulations adopt a more business friendly approach they have provided practical guidance and clarifications on data compliance regime hence the Chinese regulators and authorities may take more negative view on any noncompliance or breachppAs the Regulations will be in force shortly on 1 January 2025 network data handlers need to ensure their respective internal data policy and documentations including privacy policy consent form from data subjects crossborder data transfer agreements and data processing procedures are in full compliance before the effective date For companies based overseas that do not have any China presence it will be prudent for them to consider whether it is necessary to set up an organisation or appoint a representative in China if it falls within the extraterritorial application scope of the Regulationspp pp1  httpswwwgovcnzhengcecontent202409content6977766htm China issues regulations on network data security management wwwgovcnpp2network data 网络数据 refers to all electronic data including without limitation personal information processed handled and generated through the network and network data handler 网络数据处理者  is defined under the Regulations as a person or organization who decides on the purpose and methods of network data processing activities 网络数据处理活动 which include the collection storage use processing transmission provision disclosure and deletion of network datapp3 The Regulations are formulated on the basis of three main cyberregulatory framework of Cybersecurity Law CSL Data Security Law DSL and Personal Information Protection Law as well as other lawspp4 In general data will be treated as nonimportant data if a data not designated as important data by the Chinese regulators relevant departments or regions or b during selfassessments the data is not classified as important datapp5 Client should also make reference to the 2024 edition of the Negative List for Data Export in the China Beijing Pilot Free Trade Zone Negative List collectively issued by the Beijing Municipal Internet Information Office Beijing Municipal Bureau of Commerce and Beijing Municipal Administration of Municipal Affairs Services and Data Administration Although the Negative List will only apply to one free trade zone in China it sets out the criteria for identifying important data across various industries and provisions for exporting such datapp6 Please refer to Q3 processing personal information of 10 million or more individualsppEndppShareppPartnerppSenior AssociateppSenior Associate Westlink PartnershipppSign up to receive email updates straight to your inbox ppClyde Co LLP is a limited liability partnership registered in England and Wales Authorised and regulated by the Solicitors Regulation Authority
Clyde Co LLP ppclydecocomp