
XL INSIGHTS+
Legal Alerts and News Updates

China Releases Final Regulation on Network Data Security Management

  • On September 24, China’s State Council released finalized Regulations on Network Data Security Management, which took effect on January 1, 2025. 

  • The Regulations provide important new guidance on PIPL compliance, the developing regulatory structures around Important Data, and the oversight of cross-border data transfers.


On September 24, China’s State Council, the chief administrative authority of the PRC, promulgated new Regulations on Network Data Security Management. The Regulations, which apply to network data handlers (i.e., any individual or organization that independently determines the purposes or methods of data handling), implement aspects of China’s Cybersecurity Law (CSL), Personal Information Protection Law (PIPL), and Data Security Law (DSL). Though the Regulations largely formalize rules already in effect under the Cyberspace Administration of China (CAC), they also provide important additional clarifications and guidance as China moves toward fuller implementation of these laws. The Regulations took effect on January 1, 2025.


Protection of Personal Information (PI)

Some of the most important new guidance in the Regulations relates to the implementation of key PIPL provisions.


  • Notification Requirements. The Regulations provide that notices must be displayed prominently and be easily accessible. The purpose, method, and type of PI collection, as well as information regarding any other network data handler to which PI is provided, must be presented in list or similar form. The method and channels by which individuals can exercise their rights must also be clear and accessible.

  • Consents. The Regulations define “separate consent” as “a specific and explicit consent specifically given by an individual to the handling of his or her PI for a particular purpose.” They also set out multiple requirements that apply when consent is the legal basis for handling PI, including that PI handling be limited to what is necessary to provide the product or service, that consent be voluntary, that a network data handler may not repeatedly request consent after an individual has explicitly refused the handling of their PI, that handling of sensitive PI requires separate consent, that PI for which consent has not been lawfully obtained be deleted or anonymized, and that fresh consent is required when the purpose, method, or type of PI handling changes.

  • Local Representatives. The Regulations reiterate the expectation that those located outside the PRC who handle the PI of individuals within the PRC must establish an agency or appoint a representative within the PRC to handle matters related to the protection of PI. The Regulations add, however, that the name of the agency, or the name and contact information of the representative, must be submitted to the municipal cybersecurity administration department where the agency or representative is located.

  • PI Rights Requests. The Regulations provide, for the first time, the conditions an individual requesting access to or transfer of their PI must satisfy before the data handler is obligated to comply: the request must be verifiably from the requester, it must concern PI provided by that individual or collected on the basis of a contract, the transfer must be technically feasible, and the request must not harm the legitimate rights or interests of others. The Regulations also provide that the handler may charge necessary fees if the number of requests from a particular individual becomes unreasonable.

  • PI Threshold for Additional Security. The Regulations provide that network data handlers that handle the PI of more than 10 million individuals must also comply with two key requirements otherwise tied to the handling of “Important Data.” First, the handler must appoint a person and an organization to be responsible for network data security. Second, in the event of a merger, division, dissolution, bankruptcy, or similar circumstance that may affect the security of the data, the network data handler must implement security measures and report its data disposal plan to the authorities. This threshold is a significant increase from the one million noted in the draft of the Regulations released for comment in 2021.


Clarifications on “Important Data”

The Regulations also clarify what constitutes “Important Data” and the compliance obligations of network data handlers that handle it. The Data Security Law designated Important Data as an intermediate category between General Data, which poses only a general risk should its security be compromised, and Core Data, which receives the greatest protection because its compromise would pose the most serious hazards. Those who handle Important Data must comply with heightened security standards, including appointing a person and an organization responsible for network data security, conducting detailed risk assessments before sharing the data, and conducting annual risk assessments of their data handling activities, which must be submitted to the designated authorities.


  • Definition of “Important Data.” The Regulations provide the first statutory definition of “Important Data,” defining it as “data covering specific fields, specific groups, or specific regions, or with a certain level of precision and scale, where, if tampered with, destroyed, leaked, or illegally obtained or used, it may directly endanger national security, economic operations, social stability, or public health and safety.”

  • Regional Administration. The Regulations provide that regions and departments will develop catalogs of the information deemed Important Data within their jurisdiction. These authorities, in turn, are directed to focus their protective efforts on the information listed in those catalogs.

  • Obligation to Identify and Report. In addition to developing the catalogs of Important Data, the relevant regions and departments are required to promptly notify network data handlers of data classified as Important Data. Network data handlers, for their part, have an obligation to identify the data they hold that is classified as Important Data and report it to the relevant region or department. Until the data has appeared in a catalog of Important Data, or the network data handler has received notice that its data is deemed Important Data, the handler may proceed without reporting to the relevant region or department or conducting security assessments.


Cross-Border Data Flow Security

The Regulations provide additional guidance on the requirements for cross-border data transfers. 


  • Transfers of PI. The Regulations add one further exemption from the stringent requirements for cross-border transfers of PI. PIPL Article 38 requires that a cross-border transfer of PI pass a CAC-led security assessment, obtain a PI protection certification, or be carried out under the PIPL Standard Contractual Clauses, but the Measures on Facilitating Cross-Border Data Flows provided exemptions for contractual necessity, human resources management, and the protection of life, health, and property. The Regulations now provide that PI may also be transferred where doing so is necessary “to perform statutory duties or obligations.” This condition has not yet been defined, and it is unclear whether the statutory duties and obligations are limited to those under Chinese law, but it represents an additional step toward making compliance with multiple, overlapping obligations more practicable.

  • Transfers of Important Data. For Important Data, the Regulations reiterate that network data handlers who identify and report their Important Data may continue to rely on the guidance in the Measures on Facilitating Cross-Border Data Flows, under which they need not conduct a security assessment unless they receive confirmation that the data is Important Data, either through the publication of a catalog or by direct notification from a relevant authority.


Relevance to Institutions of Higher Education

Because these Regulations move the PRC further toward full implementation of the PIPL, DSL, and CSL, institutions of higher education should take stock of their current compliance practices and inventory the data they handle that might trigger new compliance obligations as implementation continues.


  • Institutions should review PIPL notices, consents, and related data management practices for PI and sensitive PI for ongoing compliance. 

  • Institutions without a presence in the PRC should assess whether they handle the PI of individuals within the PRC, and at what scale, to determine whether they might be required to appoint an agency or representative within the PRC or to report to designated authorities under certain circumstances.

  • Institutions should watch for catalogs or notifications indicating that data they handle, including in their research programs, has been designated Important Data.




© 2024 XL Law & Consulting P.A. - A U.S. Corporation - Privacy Policy - Cookies Policy - Contact Us


The information provided on the XL Law & Consulting website is for educational purposes only. Nothing on this website should be construed as or relied upon as legal or other professional advice, nor does use of this website create an attorney-client relationship.
