New Implementation Rules for PRC Data Protection
China has recently published the Regulations on Network Data Security Management, which will enter into force on January 1, 2025, refining the existing data protection requirements. In this article, we provide highlights of the notable requirements provided in the new rules and also share our insights and recommendations for your reference.
On September 30, 2024, the State Council, after a lengthy drafting process that began in November 2021, formally published the Regulations on Network Data Security Management (the “Regulations”), which will enter into force on January 1, 2025. The Regulations aim to implement the three pillar laws of China’s data protection framework: the Cybersecurity Law of the People’s Republic of China (the “CSL”), the Data Security Law of the People’s Republic of China (the “DSL”), and the Personal Information Protection Law of the People’s Republic of China (the “PIPL”).
The Regulations reiterate and refine the existing requirements in the CSL, DSL, and PIPL by providing guidance on certain provisions relating to the processing of personal information (“PI”) and important data. The Regulations primarily target network data, which refers to electronic data processed or generated through the Internet, so in theory they exclude data held on tangible media such as paper. Nevertheless, given the extensive digital transformation in most businesses, the Regulations are relevant to the data processing practices of most enterprises.
In this article, we provide highlights of the notable requirements provided in the Regulations (mainly summarized below) and also share our insights and recommendations for your reference. Namely, the Regulations:
(a) Refine the requirements for privacy notices and clarify the criteria of separate consent.
(b) Introduce a new exemption from fulfilling data export safeguard procedures.
(c) Define the prerequisites for exercising the right to data portability.
(d) Specify the requirement for offshore PI handlers to report the contact information of their PRC entity or representative.
(e) Require PI handlers that process PI of more than 10 million individuals to fulfill certain obligations akin to those of important data handlers.
1. PI PROTECTION
In terms of PI protection, the Regulations primarily detail the provisions of the PIPL regarding transparency, consent, and the exercise of PI rights, specifically:
1.1 PRIVACY NOTICE
In accordance with the transparency principle of the PIPL, PI handlers are obligated to inform relevant individuals of the essential details of the handler, PI processing activities, and methods and procedures for PI subjects to exercise their rights under the PIPL, in the form of privacy notices or equivalent documents.
The Regulations further elaborate on the specifics that must be included in such documents.
Notably, they mandate the disclosure, in checklist form or a similar format, of the details of PI collection and sharing (commonly referred to as a “double list”). Although the double-list requirement is newly introduced in the form of regulations, it has been imposed on app-based data processing in practice.
Accordingly, it is advisable for business operators to regularly review their privacy notices to ensure they are consistent with current data processing practices and meet the latest regulatory standard, as privacy notices are typically the primary compliance documents scrutinized by regulatory authorities.
1.2 SEPARATE CONSENT
The Regulations clarify that separate consent refers to the specific, explicit consent given by an individual for a specific processing of their personal information. In other words, a valid separate consent does not encompass a one-time consent given for multiple purposes or methods of PI processing, a distinction that was previously set out only in a voluntary national standard.
With the Regulations, the criteria for obtaining separate consent are now clearly articulated within the regulatory framework. We therefore recommend that business operators review their current consent practices to ensure compliance with the current requirements.
1.3 DATA EXPORT
The Regulations restate the legal framework that enables data handlers to lawfully transfer PI outside of China. Among those, beyond the well-established safeguard procedures and exemption circumstances previously outlined in the Provisions on Promoting and Regulating Cross-Border Data Flows (the “New Provisions”), the Regulations extend the exemption to the scenario where a PI export is for the purpose of fulfilling legal duties or obligations.
However, it remains to be seen in practice whether this new exemption could apply to situations where data export is mandated by foreign legal obligations or regulations, such as when Chinese companies listed abroad export PI to meet the disclosure requirements set by the SEC, or when foreign drug marketing authorization holders collect and monitor information on adverse drug reactions within China in accordance with relevant laws.
1.4 RIGHT TO DATA PORTABILITY
Under the PIPL, individuals are entitled to request the transfer of their PI to a third party, provided that the conditions set forth by the CAC are met. The Regulations further define these conditions for the exercise of the right to data portability, with a key stipulation that the subject PI must have been collected based on consent or on a contract, akin to provisions under the GDPR. Consequently, business operators may refuse to respond to requests for transferring PI collected on other legal bases.
1.5 REPORTING REQUIREMENT FOR OFFSHORE PI HANDLERS
Offshore PI handlers that are subject to the extraterritorial effect of the PIPL must set up a dedicated entity or appoint a representative in China to be responsible for PI protection matters. According to the Regulations, such offshore PI handlers must report the name and contact details of that entity or representative to the municipal-level CAC. However, the Regulations are silent on any reporting requirement for the PI protection officer of domestic PI handlers.
We anticipate that with the enforcement of reporting requirements, relevant authorities are likely to seek information regarding the PI protection practices of offshore PI handlers. Presumably, there may be an increase in enforcement actions pertaining to the extraterritorial application of the PIPL.
2. REGULATION OF IMPORTANT DATA
The Regulations reiterate the identification methods for important data as stipulated in the DSL and the New Provisions, and refine the obligations for processing important data as outlined in the DSL, including:
(a) designating a person and establishing a dedicated management department responsible for data security;
(b) conducting risk assessments for certain processing activities; and
(c) reporting to competent authorities when significant organizational changes (e.g., mergers) occur.
It is worth noting that the Regulations explicitly state that PI handlers processing PI of more than 10 million individuals should also comply with some of the abovementioned obligations for important data handlers, for example, designating an appropriate person and department responsible for data security. B2C business operators should therefore be vigilant and ensure compliance with this new requirement if they meet this threshold.
3. CYBERSECURITY MANAGEMENT
While focused on PI protection and the regulation of important data, the Regulations also touch upon cybersecurity issues, including restating the requirements for the multi-level protection scheme (“MLPS”), the management of network product defects and vulnerabilities, and cybersecurity incident response.
Notably, the Regulations do not specify detailed reporting requirements for cybersecurity incidents as their first draft did, since the CAC is formulating specific rules to address cybersecurity incident reporting.
4. OBSERVATIONS AND RECOMMENDATIONS
In general, in our view the Regulations do not impose additional requirements on business operators, but rather refine the existing obligations. This refinement is based on the authorities’ practical experience in implementing other data regulations. In the meantime, the Regulations also leave room for the ongoing development of implementation rules for specific requirements, such as compliance audits and the reporting of cybersecurity incidents.
During the transition period before the Regulations take effect, it is advisable for business operators to review their current data processing practices, including the content of privacy notices, methods of obtaining consent, and data governance structures, to ensure compliance with the detailed requirements stipulated in the Regulations.
Please also note that China is formulating several implementation rules for the PIPL which may be formally released in the coming months, including the Measures for Administration of Personal Information Protection Compliance Audit (Draft for Comment) and the Measures for the Administration of Cybersecurity Incident Reporting (Draft for Comments). We also recommend closely monitoring developments in PIPL implementation and administrative rulemaking, preparing the necessary compliance documentation, and modifying current data processing practices as needed.
Article provided by INPLP member: David Tang (Han Kun, China)
Dr. Tobias Höllwarth (Managing Director INPLP)