Key takeaways for PRC Data Handlers
As part of an ongoing effort to strengthen data security in the digital age, the “Network Data Security Management Regulations” (the “Regulations”) published by the State Council finally became effective on 1 January 2025. The Regulations have undergone a considerable journey since the draft regulations were first published in 2021.
While the Regulations repeat many of the obligations already set out under the existing Cybersecurity Law, Data Security Law and Personal Information Protection Law (“PIPL”) and their related regulations, they also provide important guidance and impose additional requirements on data handlers operating in Mainland China. We discuss below the key takeaways from the Regulations.
Measures on “network data handlers”
The Regulations formally define a new term, “network data handler”, covering any individual or organisation which independently determines the purposes and methods of processing when conducting network data processing activities. The term covers “personal data handlers” and “important data handlers” under the PIPL, and the scope of the Regulations extends to all electronic data created or processed via a network.
Network data handlers are required to supervise and manage their data security obligations, including strengthening their cybersecurity by adopting encryption, back-up, access control and security authentication technologies. Network data handlers must also comply with various ongoing compliance obligations with respect to, among other things, national security, record-keeping, AI training and social responsibility, and must establish an emergency response plan for data security incidents. A failure to comply with these obligations may result in warnings or fines for the breaching corporation and the relevant person(s) in charge.
In the event of a data security incident, network data handlers are required to immediately implement their emergency response plan and “promptly” notify affected data subjects of the incident, its consequences and the remedial measures taken. Interestingly, the Regulations drop the notification timeframes proposed in the 2021 draft (3 working days for data breaches, and 8 hours for breaches involving important data or affecting 100,000 or more individuals). The Regulations do, however, clarify that incidents giving rise to harm to national security or the public interest must be reported within 24 hours. Further, it remains to be seen whether the Draft Measures for Cybersecurity Incident Reporting will impose a 1-hour reporting requirement for major or significant cybersecurity incidents.
Measures on Personal Data and Important Data
The Regulations expand upon the PIPL with respect to the requirements for processing personal data. In particular, network data handlers are required to centrally, openly and prominently display certain information about the data handler and the data processing before they may process any personal data. When providing personal data to third-party data handlers, the Regulations also require network data handlers to list the purpose and method of the provision, the categories of personal data provided, and information about the third-party data handlers. This requirement draws on the Ministry of Industry and Information Technology (MIIT)’s regulation of APP operators, which mandates the establishment of a “List of Collected Personal Information” and a “List of Personal Information Shared with Third Parties” (collectively referred to as the “Double List”). Furthermore, the Regulations set out a number of rules that data handlers must comply with when their processing of personal data is based on the consent of the data subject, which is often the primary legal basis for personal data processing in Mainland China. Network data handlers in Mainland China should review their privacy policies to ensure compliance with the new requirements.
The Regulations require personal data handlers processing the personal data of more than 10 million individuals (an increase from the 1 million threshold in the 2021 draft) to comply with additional internal governance and external monitoring requirements that are otherwise imposed on handlers of important data. This includes designating a person in charge of data security and a data security management team responsible for various network data security obligations, such as regularly organising network data security risk monitoring, risk assessments, emergency drills and training. A failure to comply with these data security obligations may attract warnings and fines for the breaching corporation and the relevant person(s) in charge.
Handlers of important data should also note that risk assessments of their network data processing activities must be conducted annually, as well as before providing, entrusting or jointly processing important data with third parties. The annual risk assessment report must be submitted to the relevant provincial authority.
Large network platforms, defined as platforms with over 50 million registered users or 10 million monthly active users, a complex business, and data processing that has a significant impact on national security and the economy, are additionally required to publish a personal data protection social responsibility report annually (clarifying the reference to publication “on a regular basis” under Article 58 of the PIPL). The Regulations also specifically prohibit large network platforms from using network data, algorithms or rules to treat their users fraudulently or unfairly.
Cross-border transfers
The Regulations further expand the circumstances in which cross-border data transfer is permitted, beyond those listed in Article 38 of the PIPL and the Provisions on Promoting and Regulating Cross-Border Data Flow published in March 2024. In particular, cross-border data transfer is now also permitted for “compliance with legal duties or obligations”. Importantly, however, the Regulations do not clarify whether the scope of “legal duties or obligations” includes duties or obligations imposed by foreign law. As such, pending further official clarification, businesses should exercise caution in relying on this ground for cross-border data transfers.
Overseas personal data handlers subject to the extra-territorial effect of the PIPL must also designate an onshore agency or representative to handle affairs relating to their offshore data processing. The Regulations clarify that the name and contact information of such onshore agency or representative must be filed with the local municipal-level office of the Cyberspace Administration of China (CAC), which must then promptly notify the appropriate department at the same level.
Conclusions
The Regulations reflect China’s ongoing effort to balance the need to ensure data security in the digital age against the practical commercial costs and burden that organisations must bear. The gradual relaxation of certain data security requirements (e.g., expanding the permissible grounds for cross-border data transfers and raising the numerical threshold at which personal data handlers become subject to “important data” obligations) is surely a welcome sign for businesses operating in China.