On 30 Sept., the State Council of China released the Regulations on Network Data Security Management, following three years of discussions involving various stakeholders since the initial consultation draft was made public in 2021. The final version of the regulations will take effect 1 Jan. 2025.
The Data Security Regulations are a crucial set of national-level administrative rules to implement China's Cybersecurity Law, Data Security Law and Personal Information Protection Law. Compared to the 2021 draft, the final version provides much-needed clarity on certain pressing issues raised by businesses and introduces some relaxations to ease compliance costs and burdens. Key provisions of the regulations will have significant implications for multinational corporations operating in China.
Application scope
The Data Security Regulations apply to data handling activities within China and to certain activities outside China if: a foreign business collects personal data from China for selling products or services to the Chinese market; or for analyzing or tracking the behavior of individuals in China; or its data handling activities outside China pose a threat to national security, public interest or the legal rights of Chinese citizens or entities.
While extra-territorial application was already covered by laws like the PIPL, the Data Security Regulations make it clear that foreign data handlers must establish a designated organization or appoint a representative in China, with their names and contact information reported to the local Cyberspace Administration of China authority. This suggests China will likely intensify its scrutiny of data collection and processing activities conducted outside its borders.
Important data
As an essential set of regulations implementing the CSL, DSL and PIPL, the Data Security Regulations cover not only personal data but also nonpersonal data, such as business, financial and industry data.
"Important data" is a key legal concept under China's data laws, as entities collecting important data are subject to significantly stricter compliance requirements. However, determining what constitutes important data has been challenging, as China's data laws contain only generic provisions.
To address this, the CAC issued the Provisions on Promoting and Regulating Outward Data Flow 22 March. These provisions clarify that businesses may treat data they collect or process as nonimportant data unless it is explicitly included in a published important data catalogue or specifically notified by Chinese regulators. This approach has been welcomed by businesses, as it, to some extent, reduces the compliance uncertainty and associated risks.
In line with the CBDT Provisions, the Data Security Regulations confirm that businesses should rely on published important data catalogues and conduct self-assessments to determine whether the data they collect or process falls within important data. Unless otherwise notified by regulators, businesses can assume they do not handle important data.
In the first several months of 2024, several Free Trade Zones in China kicked off regulatory "sandbox" experiments, passing local rules that allowed for more flexibility. For example, the PIPL and previous laws treated personal data of more than 1 million individuals as important data, but local rules issued by the Beijing and Tianjin Free Trade Zones raised this threshold tenfold to 10 million individuals.
The above relaxed approach is reflected in the Data Security Regulations on a national basis. However, a company processing personal data of more than 10 million individuals is still required to establish a dedicated department and appoint a senior executive responsible for data security, reporting their names and contact information to the appropriate regulators. In the event of a merger, acquisition, spin-off or insolvency affecting data security, the company must also submit a data disposal plan to regulators to safeguard important data.
Cross-border data transfer
China's legal framework for cross-border data transfers is unique and differs significantly from the EU General Data Protection Regulation. Under the CSL, DSL and PIPL, data transfers out of China must follow one of three legal mechanisms: CAC-led security assessments, the Chinese Standard Contractual Clauses, or security certification by qualified third parties.
For the first two mechanisms, the data exporter in China and the recipient outside China must compile extensive information, prepare an impact assessment report, and submit these documents to regulators for approval or filing.
Recognizing the stringent requirements, the CAC introduced relaxations in the CBDT Provisions in March 2024, allowing qualified businesses to either be exempt from the full CBDT regime or opt for a less intrusive legal mechanism.
The Data Security Regulations go a step further by introducing additional relaxations beyond the CBDT Provisions. They expand the permissible cross-border data transfer mechanisms to include: CAC-led security assessments, Chinese SCC, security certification by qualified third parties, transfers necessary for contract signing or performance, transfers of employee data necessary for cross-border human resources management, emergency situations, transfers necessary for performing mandatory duties, and any transfers permitted under other laws and regulations.
The introduction of "necessity for performing mandatory duties" as a legal mechanism is new and has not appeared in the PIPL or other previous regulations. While its exact interpretation remains to be seen, it is expected that pharmaceutical and biotechnology companies may benefit from this relaxation when transferring pharmacovigilance data out of China to meet the mandatory requirements under pharma regulations.
Other major compliance responsibilities
A noticeable aspect of the Data Security Regulations is that China's data regulators aim to strike a proper balance between augmented compliance responsibilities and the promotion of digital economy.
With China having the largest population of netizens in the world, an enormous amount of personal data is collected and processed on a daily basis. To better regulate the collection and processing of personal data, the Data Security Regulations introduce requirements and best practices for privacy policies, separate consent forms, the contractual arrangements to put in place for data sharing with a third party, and the procedures to follow to facilitate data subjects' exercise of their rights.
To give a few examples, a company is required to set out in a list the purpose, manner and type of personal data collected as well as the details of the third-party data recipient where data is shared with such a third party. The Data Security Regulations require companies to review their privacy policies or personal information collection statements to ensure compliance with these new requirements.
While the PIPL lays down high-level principles on personal data portability, the Data Security Regulations are the first Chinese rules to include practical details on how to implement data portability. According to the Data Security Regulations, a data subject must satisfy the following conditions before they can exercise the right of data portability: the requesting data subject's real identity can be verified, the portable data is personal information collected based on consent or contract, data portability is technically feasible, and personal data portability will not harm legal interests of others.
In response to the deployment of new technologies such as AI and data scraping, the Data Security Regulations provide that where a company uses automation technologies ― for example, web crawlers or sensors ― and unintentionally collects personal data, it shall take prompt action to delete or anonymize such personal data.
While the Data Security Regulations stress the importance of preventing data breaches and strengthening cyber incident response capabilities, the onerous requirement to notify affected data subjects, with comprehensive information about the breach and mitigation measures, within three working days has been removed from the final version of the Data Security Regulations. However, the obligation to notify within 24 hours in the case of a significant data breach that endangers China's national security and public interest remains. What would constitute such a breach has yet to be defined.
Large network platforms are singled out under the Data Security Regulations and are subject to certain special compliance obligations. A "large network platform" is defined as a network platform that has more than 50 million registered users or more than 10 million monthly active users, handles complex transactions, and whose network data processing activities may have significant implications for China's national security, economic development or livelihood. It is not clear whether a large network platform must satisfy any or all of those conditions, and regulators are anticipated to provide clarification or guidance after the Data Security Regulations come into effect.
Given the strong bargaining power of large network platforms, the Data Security Regulations provide that a large network platform may not use data, algorithms or terms of use to block users' access to or use of data, or abuse its position to discriminate against users. A large network platform is also required to prepare and publish a personal data social responsibility report on an annual basis.
Liabilities and enforcement
The Data Security Regulations do have "teeth." Violation of their compliance requirements can lead to serious legal consequences, and regulators have the power to take a wide range of enforcement actions, ranging from issuing warnings and administrative orders for rectification, to suspension of business operations, revocation of business licenses and operating permits, confiscation of illegal gains, and imposition of monetary fines. Senior executives and persons in charge can be exposed to personal liability. Bear in mind that a violation of the Data Security Regulations can also constitute a violation of the CSL, DSL and PIPL, and violators may be subject to more significant penalties of up to RMB 50 million or 5% of the previous year's turnover ― whichever is higher ― and even criminal liability in the worst case.
Key takeaways
The Data Security Regulations will take effect 1 Jan. 2025, leaving a short compliance window of less than three months from now.
As one of the most important secondary rules to implement the CSL, DSL and PIPL, the Data Security Regulations introduce some much-needed practical guidance and clarity on many important compliance requirements. With the compliance regime becoming clearer and easier for adoption, it is anticipated that Chinese authorities will take strict enforcement steps under the Data Security Regulations.
Given the new, updated and better-defined compliance requirements under the Data Security Regulations, businesses are advised to make good use of the compliance window and take proper compliance measures as soon as possible:
- Gain a proper and accurate understanding of the Data Security Regulations and analyze the key impacts on their business operations in China.
- The Data Security Regulations expand the relaxations for cross-border data transfer, which is good news for many multinational corporations. It is crucial to review their China data strategy in line with the Data Security Regulations and explore whether and how to benefit from the relaxations.
- The Data Security Regulations clarify multiple important compliance requirements on a more granular level. It is necessary for companies to review and update various data and privacy documentation, including without limitation the privacy policy, consent form, data subject's request form, data processing agreement, cross-border data transfer agreement, and others to ensure those documents are in line with details under the Data Security Regulations.
- Companies are required to adopt augmented organizational and technical measures when using artificial intelligence, data crawling, handling important data, or operating as a large network platform.
- Even if an international business does not have any presence in China, if it collects data from China's market, it is still necessary to analyze whether its data collection or processing activities outside the country fall within the extra-territorial application scope of the Data Security Regulations. If yes, it will need to set up an organization or appoint a representative in China.
Barbara Li, CIPP/E, is a partner at Reed Smith.