China Introduces New Regulations on Network Data Security Management – SEP, 2024
#Compliance #Data Security by ED01
Published: 2024-11-04 10:28:43

On September 30, 2024, China's State Council released the Regulations on Network Data Security Management 2024 (hereinafter referred to as the Regulations), which will come into effect on January 1, 2025. As a critical part of China's cybersecurity and data protection legislation system, the Regulations aim to provide clearer implementation paths for existing laws, including the Cybersecurity Law (2021), the Data Security Law (2021), and the Personal Information Protection Law (2021).

It has been four years since this legislation project was kicked off in 2020. Compared with the draft for comment released in 2021, the final version has eased the requirements on data and personal information processors, as China strives to balance development and security in the use of data and personal information. The Regulations include nine chapters and 64 articles, covering requirements on personal information, key data and cross-border data transfer, as well as obligations for internet platform service providers. The following is a summary of the key takeaways that foreign stakeholders should note.

Personal information protection

The Regulations do not introduce many innovative provisions but focus on refining the Personal Information Protection Law of the People's Republic of China (PIPL) in areas such as notification, consent, and individual rights. Additionally, the Regulations require companies processing the personal information of more than 10 million individuals to meet extra compliance obligations, namely adherence to Articles 30 and 32 on key data processing. This is a signal from the government clarifying that personal information at this scale does not automatically qualify as "key data"; nevertheless, the particular nature of personal information at this scale imposes additional requirements.

Key data security protection

The initial draft of the Regulations placed numerous responsibilities on data processors, such as approval and registration requirements, but these were removed in the final version. This shift reflects the view that the primary responsibility for protecting key data lies with the government rather than with industry, since the goal is to safeguard national security and public interests.

Cross-border transfer mechanisms

The Regulations align closely with previous rules in the area of cross-border transfer, especially the Provisions on Promoting and Regulating Cross-border Data Flow. The Regulations emphasize that the national cybersecurity authorities are responsible for coordinating with relevant departments to establish a specialized mechanism for managing cross-border data security and for formulating related policies. Data processors are permitted to transfer personal information abroad under certain conditions. Specifically, data that has not been identified or publicly declared as key data by the relevant regions or departments does not need to undergo a key data security assessment.

Despite positive signals from the Chinese government, foreign stakeholders are encouraged to analyze the Regulations thoroughly and maintain close communication with the authorities to ensure compliance. The compliance challenge arises from the evolving regulatory landscape, which is shifting from result-based requirements to process-based mandates: the Regulations now specify detailed compliance measures that enterprises must implement, leaving limited flexibility in how those requirements are met. Additionally, the primary national standard, 20240405-T-469 Data Security Technology — Requirements for Data Security Protection, is still under development. Meanwhile, various industry-specific standards are rapidly emerging, providing sectoral guidance on data classification and treatment. Foreign stakeholders with a legal presence in China are advised to stay up to date on sector-specific guidelines and standards issued by industry associations or the relevant authorities. Key references include GB/T 42447-2023 Information Security Technology—Data Security Guidelines for the Telecom Sector and the Data Security Compliance Guidelines for the Industrial and Information Technology Sectors (Draft for Comment). Engaging with these evolving frameworks will be essential for achieving and maintaining compliance.

If you have any questions or need further assistance, please reach us at: info@bestao-consulting.com.