IDC Names Securiti a Worldwide Leader in Data Privacy


China’s Administrative Regulations on Network Data Security

Published November 30, 2021 / Updated November 21, 2023

Listen to the content

China has been active in putting the final touches on the implementation of its data protection and data security laws in the form of CSL, DSL, and the PIPL. Hence, the Cyberspace Administration of China (CAC) has now released a draft of the Administration of Network Data Security. The Administrative Regulations on Network Data Security Management (Draft Regulation) is open to public comments until the 13th December 2021.

There is no clear timeline on when it comes into effect and when the final draft will be ready. Here are some of the key takeaways to know about the latest draft:

Applicable Scope of the Draft Regulation:

The Draft Regulation will apply to the use of the internet to carry out data processing activities and the supervision and management of network data security within the territory of China. The GDPR, considered a benchmark when it comes to data protection regulations, applies to all companies that deal with data collected within the EU and the UK, regardless of whether the company is based in the EU or the UK. The latest Draft Regulation carries the same provisions with all companies coming under its scope, even if the data processing and collection is done outside China, provided the following conditions are met:

  • The data handler collecting data outside China has a product/service on offer in China;
  • The data handler collecting data outside China means to use the collected data to evaluate behavior and related patterns of individuals and organizations in China;
  • The data handler is collecting data outside China which is deemed as “important data” inside China; or
  • Special circumstances and requests made by data protection agencies inside China.

Security Incidents Notifications:

Under the Draft Regulations, data handlers are required to establish a data security emergency response mechanism. If the data handler is a target of a security incident such as a data breach that compromises the collected data of their customers, they must take the proper measures to notify the concerned authorities within 72 hours. Furthermore, if the security incident results in a suspected crime, the police must additionally be notified. The Draft Regulation also provides the notification content details and mediums for notifying the concerned stakeholders.

Lastly, if the security incident compromises the data of more than 100,000 individuals, the municipal division of the CAC must be notified within 8 hours of the breach’s occurrence.  A written incident report will also need to be submitted within five working days. he CAC has the discretion to direct that individual notifications do not need to be given if a data handler has successfully contained the incident to avoid harm.

Privacy Policy Requirement:

Privacy policy is subject to extensive attention in the new Draft Regulation. Such a level of attention highlights how crucial it will be for companies to maintain a robust and rigorously updated privacy policy. Some important facets that the privacy policy will have to cover include:

  • The kind of personal data they collect on their users with a detailed description of why the data is necessary to collect;
  • All cookies, plug-ins, and extensions offered to users in a centralized list format;
  • The security risks faced by them in addition to the relevant counter-measures in place to prevent any data leaks or breaches;
  • Who to contact for more information on the company’s data protection mechanisms or data collection practices in general.

Under the Draft Regulation, the data handlers would have to prove that whatever data they’ve collected on their customers or visitors to their site was obtained with proper consent. It is yet to be seen how the Draft  Regulation defines “consent” but for now, the burden to prove that all data was procured with consent will remain on the data handlers. The Draft Regulation also provides several conditions where consent is mandatory for the processing of the personal data of individuals.

Data Subject Requests Requirements:

In case an individual or an entity lodges a request to copy, supplement, restrict, withdraw, or erase their personal data from the company’s position, their request must be entertained within 15 days of the initial request. In case further deliberation is required, the data handler must inform the individual or entity making the request within the same time frame.

Data Transfers Requirements:

If, for any reason whatsoever, the data handlers need to share personal data collection with parties outside China, they must have an annual data export security assessment. This report must have all the relevant information properly documented and reported to the municipal division of the CAC by 31st January of every year.

Furthermore, the Chinese government will also implement a security gateway through which all data being transferred out of China will have to pass.

Important Data Processing Requirements:

The Draft Regulation also provides the details of what constitutes “important data” and stricter requirements for its processing. Organisations that process the personal data of more than a million people will be deemed to be subject to the “important data” processing requirements. Data handlers will have to report to the provincial-level CAC within 15 working days of identifying what “important data” they hold.

Cybersecurity and Audit Review:

This is arguably the most important take-away from this draft. Under the Draft Regulation, , companies or Data handlers as they’re referred to, will be required to have a complete cybersecurity audit and review of their practices under these circumstances:

  • If a company handling significant tranches of data such as Internet platforms plan to merge, reorganize, sell, or divest in any form;
  • If a company with access to data of more than 1 million individuals plans to list itself for business in a foreign state;
  • If a company requests plans to extend its business to Hong Kong;
  • If a company’s data handling practices are deemed important to national security by the relevant authorities.

Companies listed in foreign markets will be required to submit annual data security assessments to the provincial-level CAC by the end of January each year.

Muhammad Faisal Sattar

Authored by Muhammad Faisal Sattar

Muhammad Faisal Sattar is a Certified Information Privacy Professional (Asia) and Certified Information Privacy Manager (CIPM), known for his expertise in global privacy laws, AI governance, and corporate compliance. He is a McCall MacBain Scholar at McGill University. As a privacy lawyer, Faisal provides advisory services related to customized privacy solutions on global privacy developments, AI risk assessments, and privacy assessments.

His interests particularly center on the complex interplay between technology, law, and privacy, with a strong focus on policy matters. His legal expertise and industry experience make him a reliable source for his insights on legal developments in data privacy laws, and privacy assessments.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend