Introduction
On 30 September, the State Council of China officially released the Regulations on Network Data Security Management (Data Security Regulations), effective January 1, 2025. This marks the end of a three-year consultation process involving various stakeholders since the initial draft was introduced in 2021. It is a key national-level framework that plays a crucial role in implementing China’s Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL).
Key Compliance Measures for Businesses
- Foreign companies must determine if their activities fall under the Data Security Regulations and appoint a local representative if needed.
- Comply with the self-assessment requirement for important data.
- Review strategies for cross-border data transfers, leveraging newly introduced compliance pathways.
- Revise privacy policies, consent forms, data subject request forms, processing agreements, and cross-border transfer agreements.
- Strengthen security measures for AI, automated data crawling, critical data processing, and large network platforms.
For a detailed understanding of the Data Security Regulations, go through the information provided below.
Scope of Application
The Data Security Regulations apply to data processing activities conducted within China. Additionally, they extend to certain data processing activities outside China under specific circumstances. These include cases where a foreign business:
- Collects personal data from China to offer products or services to the Chinese market.
- Analyzes or tracks the behavior of individuals located in China.
- Engages in data processing outside China that threatens national security, public interest, or the legal rights of Chinese citizens or entities.
The Data Security Regulations require foreign data handlers to establish a designated organization or appoint a representative in China. The names and contact details of these representatives must be reported to the local Cyberspace Administration of China (CAC) authority. This requirement signals China’s intent to strengthen oversight of data collection and processing activities conducted outside its borders.
Important Data
The concept of important data is a critical element of China's data laws, as entities handling such data are subject to significantly stricter compliance obligations. However, defining what constitutes ‘important data’ has remained challenging due to the broad and general nature of China’s data laws.
To provide clarity, the Cyberspace Administration of China (CAC) issued the Provisions on Promoting and Regulating Outward Data Flow in March 2024. These provisions establish that businesses may treat the data they collect or process as non-important data unless:
- It is explicitly listed in an officially published important data catalog, or
- Chinese regulators specifically notify the business that the data qualifies as important data.
Businesses have welcomed this clarification, as it reduces compliance uncertainty and mitigates associated regulatory risks.
Important Data under Data Security Regulations
A. Self-Assessment
Consistent with the Provisions on Promoting and Regulating Outward Data Flow, the Data Security Regulations confirm that businesses should determine whether the data they process qualifies as important data by referring to published important data catalogs and conducting self-assessments. Unless regulators specify otherwise, businesses may assume they are not handling important data.
B. Relaxed Threshold
Under the PIPL and previous regulations, personal data exceeding one million individuals was considered important data. However, free trade zones in Beijing and Tianjin increased this threshold tenfold, classifying personal data as important data only when it exceeds 10 million individuals. The Data Security Regulations adopt a similarly relaxed approach at the national level. However, companies processing the personal data of more than 10 million individuals must:
- Establish a dedicated data security department and appoint a senior executive responsible for data security.
- Report the names and contact details of the responsible personnel to the relevant regulators.
- In cases of merger, acquisition, spin-off, or insolvency that may affect data security, submit a data disposal plan to regulators to ensure the protection of important data.
Cross-Border Data Transfer
China’s legal framework for cross-border data transfers imposes stricter regulatory controls. Under the CSL, DSL, and PIPL, data transfers out of China must comply with one of three primary legal mechanisms:
- CAC-led security assessments
- Chinese Standard Contractual Clauses (SCCs)
- Security certification by qualified third parties
For CAC-led security assessments and Chinese SCCs, the data exporter in China and the overseas recipient must compile extensive documentation, conduct an impact assessment, and submit the required materials for regulatory approval or filing. Recognizing the compliance burden associated with these requirements, the CAC introduced targeted relaxations in the Provisions on Promoting and Regulating Outward Data Flow. These provisions allow certain qualified businesses to either:
- Be exempt from the full cross-border data transfer regime, or
- Opt for a less restrictive legal mechanism.
Relaxed Requirements Under Data Security Regulations
The Data Security Regulations expand on these relaxations by introducing additional legal bases for cross-border data transfers. In addition to the existing three mechanisms, businesses may now rely on the following additional justifications:
- Transfers necessary for contract signing or performance,
- Transfers of employee data necessary for cross-border human resources management,
- Emergency situations.
- Transfers necessary for performing mandatory duties, or
- Transfers permitted under other laws and regulations.
The inclusion of “necessity for performing mandatory duties” as a legal basis is a notable addition, as it does not appear in the PIPL or prior regulations. While its interpretation remains uncertain, it is expected to potentially allow regulated industries to transfer data to comply with legal obligations.
Enhanced Data Protection Practices
To enhance regulatory oversight of data processing activities, the Data Security Regulations impose specific requirements and best practices concerning the following:
- Privacy policies,
- Separate consent forms,
- Contractual arrangements for data sharing with third parties, and
- Procedures for facilitating data subjects' rights.
The Data Security Regulations require businesses to review and update their privacy policies or personal information collection statements to ensure compliance with these new obligations.
Data Portability
Under the Data Security Regulations, a data subject must meet the following conditions before exercising the right to data portability:
- The data subject’s real identity must be verifiable;
- The data to be ported must consist of personal information collected based on the subject's consent or contractual agreement;
- The portability of the data must be technically feasible; and
- The personal data portability must not infringe upon the legal interests of others.
While the PIPL establishes overarching principles for personal data portability, the Data Security Regulations represent the first set of detailed rules in China addressing the practical implementation of data portability.
Automation and Emerging Technologies
The Data Security Regulations address new technologies such as AI and web scraping, requiring companies to delete or anonymize unintentionally collected personal data promptly.
Breach Notification
The Data Security Regulations underscore the importance of preventing data breaches and enhancing cyber incident response procedures. Notably, the requirement to notify affected data subjects within three working days, along with providing detailed information on the breach and remedial actions, has been omitted in the final version.
However, the obligation to notify within 24 hours remains in place for significant data breaches that could jeopardize national security or public interest in China. The specific criteria for defining such a breach, though, have yet to be clarified.
Under the Data Security Regulations, Large network platforms with over 50 million registered users or 10 million active users face special compliance obligations, including:
- the prohibition of data blocking or discriminatory practices, and
- the requirement to publish an annual social responsibility report on personal data.
Penalties
The Data Security Regulations are enforceable and carry significant legal consequences for non-compliance. Violations can result in a range of enforcement actions by regulators, including warnings, administrative orders for rectification, suspension of business operations, revocation of licenses or permits, confiscation of illicit gains, and substantial monetary fines. Senior executives and responsible individuals may also face personal liability.
It is important to note that breaching the Data Security Regulations may also constitute violations of other laws, such as the CSL, the Data Security Law, and the PIPL. As a result, violators could face enhanced penalties, including fines of up to RMB 50 million or 5% of the previous year’s turnover, whichever is higher, and in extreme cases, criminal liability.
