Linklaters’ Albert Yuen considers the key implications of China’s new Network Data Security Management Regulations and why it is important for risk and compliance managers to understand this new regulation to comply with its data and cybersecurity obligations when operating its China business.
“In recent years, China has implemented a number of new laws regulating data privacy, cybersecurity and network security matters. These new Data Security Regulations are important ancillary rules supplementing the existing China data and cybersecurity law framework comprising the DSL and CSL, and provide greater clarification on important compliance requirements for businesses operating in China, but will also be subject to enforcement by the Chinese authorities after a short implementation window.”
Albert Yuen, head of TMT, Hong Kong, Linklaters
On 30 September 2024, China’s State Council released the Regulations on Network Data Security Management (“Data Security Regulations”), following a lengthy multi-year process of discussions and stakeholder and public engagement.
Critically, the Data Security Regulations had a short implementation window and took effect on 1 January 2025.
The Data Security Regulations help implement and provide additional substance to existing rules on data security, cybersecurity and data protection under China’s existing Cybersecurity Law (“CSL”), Data Security Law (“DSL”) and Personal Information Protection Law (“PIPL”) (collectively, “China’s Data Laws”).
Compared to the 2021 draft of the Data Security Regulations, the final version addresses market players’ concerns and relaxes some rules to ease businesses’ compliance costs and burdens.
However, key requirements of the Data Security Regulations have major implications for multinational businesses operating in China.
Risk managers need to understand these new Data Security Regulations and should review and conduct gap analyses of their organisations’ compliance frameworks, and uplift their policies and procedures accordingly to ensure they remain compliant with these new regulations.
Extra-territorial application
Like the PIPL, the Data Security Regulations have extra-territorial application for various activities outside of China with a China-data nexus.
For example, data processors outside of China must establish a specialised agency or appoint an onshore representative if a foreign business analyses or tracks the behaviour of individuals in China, collects personal data from China for selling products or services to the Chinese market, or its data handling activities outside of China pose a threat to national security or the legal rights of Chinese citizens.
The Data Security Regulations specify that the contact information of this agency/representative must be reported to the local Cyberspace Administration of China authority.
“Important data” processing requirements
The Data Security Regulations emphasise China’s “tiered” protection of data, including “important data” (which under China’s Data Laws are subject to stricter compliance requirements).
Whilst “important data” is generally defined, network data processors (“Organisations”) should take heed of catalogues and other forms of designation guidance provided by regional and departmental regulators to assess what might be considered important data. A key consideration is whether the data affects national security or the security of others.
The Data Security Regulations have:
- clarified the scope and frequency of risk assessments, which must be conducted at least once a year and reported to the relevant supervisory authority. Organisations shall also conduct assessments on third-party processors. To the extent that the Organisation is a large network platform (“Large Platforms”), there are added requirements. For example, Large Platforms must include a detailed explanation of the network data security of their key businesses and supply chains; and
- imposed a new obligation on data processors to notify and submit its important data management plan to its relevant competent department (at or above provincial level) where a merger, division, dissolution or bankruptcy will affect the security of important data.
Additionally, any Organisation processing the data of more than 10 million people must comply with several “important data” obligations, even if there is no important data.
New exemption for cross-border data transfers
The Data Security Regulations introduce a new exemption to cross-border data transfer requirements. The existing cross-border data transfer restrictions (which were already relaxed in March 2024) do not apply where a transfer is necessary to fulfil statutory duties or obligations (“New Exemption”).
The exact scope and interpretation of the New Exemption remain unclear as it has not appeared in previous regulations, but some views have been expressed that this New Exemption could be helpful where cross-border data transfers out of China are necessary to meet mandatory requirements under other regulations and laws.
Privacy documentation requirements
The Data Security Regulations provide additional guidance on the contents of privacy documentation such as on privacy notices, consent forms, and third-party contractual arrangements.
For example, it clarifies that a privacy notice needs to display a list detailing the purpose, manner and type of personal data collected in addition to details regarding the processor and relevant third-parties. The list must be in a single, readily accessible and prominent location, the contents of which must be clear, specific and easy to understand.
Additional obligations on Large Platforms
The Data Security Regulations impose additional responsibilities on Large Platforms, defined by user scale and the impact of their data processing activities. These platforms must publish annual personal data social responsibility reports, and refrain from practices that adversely affect user rights. This follows the global trend of regulating platforms with significant market share, such as the EU Digital Markets Act.
Implications for businesses and risk managers
The priorities of national security and avoiding other macro-level harms are evident through the emphasis on “important data” and Large Platforms.
Non-compliance may result in material penalties including fines up to RMB 10,000,000 (circa USD 1.4 million) for specific offences under the Data Security Regulations.
With the China data security compliance regime becoming clearer and more prescriptive under the Data Security Regulations (supplementing China’s Data Security Laws which have now been in place for some time), there is a risk that Chinese authorities will start taking enforcement steps under the Data Security Regulations soon.
Risk managers therefore need to understand the key granular compliance requirements under these regulations and undertake effective gap analysis to ensure proper compliance measures are implemented and risk mitigation measures are adopted.
Where required, companies also need to review and uplift key data privacy and security artifacts such as various data privacy and cybersecurity policies and procedures.
Albert Yuen is head of Technology, Media and Communications, Hong Kong, at Linklaters.