China’s State Council introduced the Network Data Security Management Regulation (Network Data Regulation) on September 30, 2024, which went into effect on January 1, 2025. The regulation is aimed at protecting individuals’ data and their rights through a comprehensive set of guidelines related to personal data protection, consent, cross-border data transfer, and data subject rights.
Applicable Scope of the Draft Regulation:
The Draft Regulation applies to the use of internet-connected systems to carry out data processing activities and the supervision and management of network data security within the territory of China. The GDPR, considered a benchmark when it comes to data protection regulations, applies to all companies that deal with data collected within the EU and the UK, regardless of whether the company is based in the EU. The latest Draft Regulation has extraterritorial scope to ensure that organizations outside China are covered by the regulation , provided the following conditions are met:
- The data handler collecting data outside China has a product/service on offer in China;
- The data handler collecting data outside China means to use the collected data to evaluate behavior and related patterns of individuals and organizations in China;
- The data handler is collecting data outside China which is deemed as “important data” inside China; or
- Special circumstances and requests made by data protection agencies inside China.
Security Incidents Notifications:
Under the Draft Regulations, data handlers are required to establish a data security emergency response mechanism. If the data handler is a target of a security incident such as a data breach that compromises the collected data of their customers, they must take the proper measures to notify the concerned authorities within 72 hours. Furthermore, if the security incident results in a suspected crime, the police must be notified. The Draft Regulation also provides the notification content details and ways tor notify the concerned stakeholders.
Lastly, if the security incident compromises the data of more than 100,000 individuals, the municipal division of the CAC must be notified within 8 hours of the breach’s occurrence. A written incident report will also need to be submitted within five working days. The CAC has the discretion to direct that individual notifications do not need to be given if a data handler has successfully contained the incident to avoid harm.
Privacy Policy Requirement:
Privacy policy is subject to extensive attention in the new Draft Regulation. Such a level of attention highlights how crucial it will be for companies to maintain a robust and rigorously updated privacy policy. Some important facets that the privacy policy will have to cover include:
- The kind of personal data they collect on their users with a detailed description of why the collection is necessary;
- All cookies, plug-ins, and extensions offered to users in a centralized list format;
- The security risks faced by them in addition to the relevant counter-measures in place to prevent any data leaks or breaches;
- Who to contact for more information on the company’s data protection mechanisms or data collection practices in general.
Consent Obligations:
Under the Draft Regulation, the data handlers would have to prove that whatever data they’ve collected on their customers or visitors to their site was obtained with proper consent. It is yet to be seen how the Draft Regulation defines “consent” but the burden to prove that all data was procured with consent will remain on the data handlers. The Draft Regulation also provides several conditions where consent is mandatory for the processing of the personal data of individuals.
Data Subject Requests Requirements:
In case an individual or an entity lodges a request to copy, supplement, restrict, withdraw, or erase their personal data from the company’s position, their request must be initiated within 15 days of the initial request. In case further deliberation is required, the data handler must inform the individual or entity making the request within the same time frame.
Data Transfers Requirements:
If, for any reason whatsoever, the data handlersshare personal data collection with parties outside China, they must have an annual data export security assessment. This report must have all the relevant information properly documented and reported to the municipal division of the CAC by 31st January of every year.
Furthermore, the Chinese government will also implement a security gateway through which all data being transferred inside of China will have to pass. This will prevent the spread of “illegal” information in China from overseas. No entities or individuals will be allowed to provide tools or services to circumvent such security gateways.
For detailed understanding of cross border data transfer requirements, please also refer to our blog: China Stresses for Data Exit Security Evaluation of Firms Seeking to Trade User Data.
Important Data Processing Requirements:
The Draft Regulation also provides the details of what constitutes “important data” and stricter requirements for its processing. Organisations that process the personal data of more than a million people will be deemed to be subject to the “important data” processing requirements. Data handlers will have to report to the provincial-level CAC within 15 working days of identifying what “important data” they hold.
Cybersecurity and Audit Review:
This is arguably the most important take-away from this draft. Under the Draft Regulation, , companies or Data handlers as they’re referred to, will be required to have a complete cybersecurity audit and review of their practices under these circumstances:
- If a company handling significant tranches of data such as Internet platforms plan to merge, reorganize, sell, or divest in any form;
- If a company with access to data of more than 1 million individuals plans to list itself for business in a foreign state;
- If a company requests plans to extend its business to Hong Kong;
- If a company’s data handling practices are deemed important to national security by the relevant authorities.
Companies listed in foriegn markets will be required to submit annual data security assessments to the provincial-level CAC by the end of January each year.
