China – Nine key points on the new Network Data Security Management Regulations

After a hiatus of almost three years since the original proposal was released, mainland China’s Network Data Security Management Regulations (Regulations) will go live on 1 January 2025.

While the data management storm presented by the draft in 2021 may have turned into more of a brisk breeze with the passage of time, domestic and multinational organisations operating in China (particularly large tech platforms) must make changes to their practices as regulatory enforcement is rising in this increasingly digitalised market. We set out below nine key points to consider:

1. Recycling is good

Though several new key obligations are introduced (see more on these below), the Regulations recycle many requirements from other laws and regulations – approximately half are recycled clauses retaining identical or similar wording to the original provisions.

One of the intentions of the Chinese authorities seems to have been to ensure that various key obligations applicable to businesses which actively process data through computer and other digital systems are consolidated in one place – thereby seeking to ease the burden of compliance. However, this will apply the same obligations to personal and non-personal information in a number of cases, and it is questionable whether this is valid in all instances where regulators are seeking to facilitate a robust but innovation-driving business environment.

As is the trend in other markets, compared to the 2021 draft of the Regulations, some of the Regulations’ new provisions look to guardrail both AI and web scraping to bring the rules’ overall framework in line with recent developments in the tech ecosystem. However, while new to the Regulations, these provisions are not groundbreaking in themselves and rather only emphasise the direction of travel for digital regulation.

2. What is not there

As important as what is there, some market participants will focus on what is not in the Regulations compared with the 2021 draft. There are two key points:

  • Seemingly in response to industry comments levelled at the draft of the Regulations, the final form of the Regulations does not seek to apply on an extraterritorial basis to analysis and assessment of the “behaviour” of mainland Chinese organisations. Seeking to directly regulate cross-border B2B activities in this way would have cast a far wider regulatory net than in most other markets (which focus only on B2C activities) and would have had unforeseen consequences for businesses’ operations.
  • 2021 had also seen the release of the Cybersecurity Review Measures, which startled China tech investors looking to exit China holdings. However, the final form of the new Regulations does not include a separate trigger for a cybersecurity review of a data processor seeking to list in Hong Kong. This should comfort IPO bankers who are already experiencing a somewhat chilly period.

3. Privacy notice enhancements

Many multinationals have been grappling with how to display the identity and other required details of transferees of personal information, whether these parties are other onshore personal information processors (i.e. “controllers”, to use the GDPR parlance) or overseas recipients. Including and updating such a list is operationally burdensome and sometimes contrary to counterparty confidentiality and even to maintaining a competitive advantage.

The Regulations seem to force the hand of those organisations that have – up until now – sat on the fence as to whether to publicise their lists of data recipients, by: (i) explicitly requiring such a list to be disclosed; and (ii) stating that the list must be displayed in a single, readily accessible location. As such, having the list available on request by a data subject, or lying behind a hyperlink in an online or mobile setting, may no longer be a viable compromise for businesses.

4. Contracts all round

The Regulations require a network data processor (essentially any business or individual hooked up to a computer), when sharing personal information or important data with another person, to agree on the purpose, manner, scope, and security protection obligations for the data processing activities being undertaken between them.

Although it originates from an obligation under the Personal Information Protection Law (PIPL – see specifically article 21) to impose data management terms on entrusted parties, the Regulations’ article applies to all recipients of these types of data – not only contractors and other service providers. We recommend that organisations review their contractual arrangements with all business counterparties and consider whether to add data processing addenda now and refine template agreements for future and renewed contracts.

Additionally, records of the data processing must be retained for at least three years, in line with the retention period for impact assessment reports and processing records under the PIPL. Archiving systems will need adjustment by back-office teams.

5. New exemption for cross-border data transfers

The Regulations further contribute to the exemptions issued in March 2024 for exports of data from mainland China.

Personal information processors will be exempt from conducting a security assessment, entering a standard contract or obtaining a certification when exporting personal information, on the basis of necessity to provide personal information outside of China to fulfil statutory duties or statutory obligations. This would appear to be a great benefit for financial institutions and other regulated organisations, given the underlying purpose of many of their data exports. However, it remains to be clarified whether the exemption can be applied to satisfy legal obligations that require the disclosure of China-related information to overseas third parties (such as regulators).

6. Important data

The PRC Data Security Law requires risk assessments to be conducted regularly where businesses process important data. The Regulations mandate that the relevant interval for these impact assessment-type exercises is at least once each year, and that the reports are submitted to (presumably) the organisation’s supervisory regulator, with a notification of the submission being sent to the provincial or higher level branch of the Cybersecurity Administration of China (CAC) and corresponding branch of the Public Security Bureau (i.e. the Chinese internet regulator and police, respectively).

Interestingly, the Regulations also apply these risk assessments to network data processors that process personal information of more than 10 million people. This in effect creates a new numerical threshold – particularly in the tech space, where companies grow quickly – at which businesses will have to deploy stricter data compliance measures, and their investors will have to ask more due diligence questions and seek greater contractual protections from data-driven businesses.

In addition, organisations sharing important data with other onshore persons must conduct assessments similar to those prescribed in relation to exports of important data under the 2022 security measures. The security checks and balances applied to national security-related data leaving the country have seemingly been turned inward on domestic exchanges of such data. The prompt release of important data catalogues to identify what business data is sensitive, and the free trade zones’ white lists and other relaxations in favour of freer data flows from those designated areas, will be all the more appealing to industry.

7. Onshore representatives

Since the launch of the PIPL, multinational organisations have queried whether they must register, and if so how they go about registering, a local representative, where this seminal legislation’s personal information protection obligations apply to those organisations on an extraterritorial basis. However, the channel through which to file this registration in practice has never been publicly opened.

The Regulations clarify that the filing of the name and contact information of the representative should be made to the CAC at the municipal level. The CAC will then notify an organisation’s supervisory authority at the same level.

This designation of part of the CAC as the recipient of these filings suggests that the channel for the required registration may soon become widely operative. Multinational gaming platforms, finance providers and others operating cross-border businesses should consider their stance and who to appoint as a representative, and be ready to file reports, as necessary.

8. M&A

In M&A deals in Western markets, data separation has grown in prominence in recent years. The Regulations imply that the Chinese authorities want to bring similar practices to the world’s second largest economy, where deals involving massive data sets are naturally common.

Under the Regulations, a party receiving electronic data through a corporate transaction (such as an asset sale, reorganisation, or even company dissolution or bankruptcy) must continue to fulfil the data security obligations of the transferring party. In addition, where important data or more than 10 million individuals’ personal data is involved in the transaction, the transferor must take measures to safeguard the security of that data and file a plan with its supervising authority (at or above the provincial level) on how to properly manage this important data and the names and contact information of the recipients. We have experience of financial services deals involving such interaction with regulators, and expect that this may become more commonplace where larger businesses are involved in M&A. Tech deal teams and their advisors, in particular, should build the necessary steps into deal timetables.

9. Vulnerability reporting

Some tech developers and users have been concerned at the growth in (sometimes conflicting) vulnerability reporting obligations released in markets such as the US and China. One unclear point under the Regulations is whether the obligation to inform users of security defects, loopholes and other risks has been extended from product and service suppliers (as provided under the PRC Cybersecurity Law) to organisations using the products and services.

Indeed, the Regulations go on to require reports to be made within 24 hours to the Chinese authorities where national security or public interest issues arise from these vulnerabilities. No doubt settling on whether tech suppliers or their customers are primarily responsible for reporting vulnerabilities will be a point of contention under supply and service agreements until regulatory clarification is provided.

What’s next?

IT, legal and compliance heads should be factoring this uplift into their 2025 workplan and setting time aside now to coordinate teams to map through the changes required to artifacts and practices in anticipation of the Regulations’ launch.

While the same level of overhaul required to implement the PIPL is not anticipated for the Regulations, there is work to be done by all businesses operating in China – and, in some instances, those businesses located overseas but with counterparties in the Middle Kingdom.

We are already discussing how to practically implement steps for multinational clients and would be more than happy to lend a hand to others.