New Implementation Rules for PRC Data Protection
On September 30, 2024, the State Council, after a lengthy drafting process that began in November 2021, formally published the Regulations on Network Data Security Management (the “Regulations”), which will enter into force on January 1, 2025. The Regulations aim to implement the three pillar laws of the data protection framework: the Cybersecurity Law of the People’s Republic of China (the “CSL”), the Data Security Law of the People’s Republic of China (the “DSL”), and the Personal Information Protection Law of the People’s Republic of China (the “PIPL”).
The Regulations reiterate and refine the existing requirements in the CSL, DSL, and PIPL by providing guidance on certain provisions relating to the processing of personal information (“PI”) and important data. The Regulations primarily target network data, meaning electronic data processed or generated through the Internet, so in theory they exclude data on tangible media such as paper. Nevertheless, given the extensive digital transformation in most businesses, the Regulations are relevant to the data processing practices of most enterprises.
In this article, we highlight the notable requirements of the Regulations (summarized below) and share our insights and recommendations for your reference. Namely, the Regulations:
(a) Refine the requirements for privacy notices and clarify the criteria of separate consent.
(b) Introduce a new exemption from fulfilling data export safeguard procedures.
(c) Define the prerequisites for exercising the right to data portability.
(d) Specify the requirement for offshore PI handlers to report the contact information of their PRC entity or representative.
(e) Require PI handlers that process PI of more than 10 million individuals to fulfill certain obligations akin to those of important data handlers.
1. PI PROTECTION
In terms of PI protection, the Regulations primarily detail the provisions of the PIPL regarding transparency, consent, and the exercise of PI rights, specifically:
1.1 PRIVACY NOTICE
In accordance with the transparency principle of the PIPL, PI handlers are obligated to inform relevant individuals of the essential details of the handler, PI processing activities, and methods and procedures for PI subjects to exercise their rights under the PIPL, in the form of privacy notices or equivalent documents.
The Regulations further elaborate on the specifics that should be included in such documents.
Notably, they mandate the disclosure, in checklist form or a similar format, of the details of PI collection and sharing (commonly referred to as a “double list”). Although the double-list requirement is newly introduced in the form of regulations, it has already been imposed on app-based data processing in practice.
Accordingly, it is advisable for business operators to regularly review their privacy notices to ensure they are consistent with current data processing practices and meet the latest regulatory standards, as privacy notices are typically the primary compliance documents scrutinized by regulatory authorities.
1.2 SEPARATE CONSENT
The Regulations clarify that separate consent refers to the specific, explicit consent given by an individual for a specific processing of their personal information. In other words, a valid separate consent does not encompass a one-time consent given for multiple purposes or methods of PI processing activities, a position previously outlined only in a voluntary national standard.
With this, the criteria for obtaining separate consent are now clearly articulated within the regulatory framework. We therefore recommend that business operators review their current consent practices to ensure compliance with the current requirements.
1.3 DATA EXPORT
The Regulations restate the legal framework that enables data handlers to lawfully transfer PI outside of China. In addition to the well-established safeguard procedures and exemption circumstances previously outlined in the Provisions on Promoting and Regulating Cross-Border Data Flows (the “New Provisions”), the Regulations extend the exemption to the scenario where a PI export is for the purpose of fulfilling legal duties or obligations.
However, it remains to be seen in practice whether this new exemption could apply to situations where data export is mandated by foreign legal obligations or regulations, such as when Chinese companies listed abroad export PI to meet the disclosure requirements set by the SEC, or when foreign drug marketing authorization holders collect and monitor information on adverse drug reactions within China in accordance with relevant laws.
1.4 RIGHT TO DATA PORTABILITY
Under the PIPL, individuals are entitled to request the transfer of their PI to a third party, provided that the conditions set forth by the CAC are met. The Regulations further define these conditions for the exercise of the right to data portability, with a key stipulation that the subject PI must have been collected based on consent or on a contract, akin to provisions under the GDPR. Consequently, business operators may refuse to respond to requests for transferring PI collected on other legal bases.
1.5 REPORTING REQUIREMENT FOR OFFSHORE PI HANDLERS
Offshore PI handlers that are subject to the extraterritorial effect of the PIPL should set up a dedicated entity or appoint a representative in China to be responsible for PI protection matters. According to the Regulations, such offshore PI handlers should report the name and contact details of that entity or representative to the municipal-level CAC. However, the Regulations remain silent on the reporting requirements for the PI protection officer of domestic PI handlers.
We anticipate that with the enforcement of reporting requirements, relevant authorities are likely to seek information regarding the PI protection practices of offshore PI handlers. Presumably, there may be an increase in enforcement actions pertaining to the extraterritorial application of the PIPL.
2. REGULATION OF IMPORTANT DATA
The Regulations reiterate the identification methods for important data as stipulated in the DSL and the New Provisions, and refine the obligations for processing important data as outlined in the DSL, including:
(a) designating a person and establishing a dedicated management department responsible for data security;
(b) conducting risk assessments for certain processing activities; and
(c) reporting to competent authorities when significant organizational changes (e.g., mergers) occur.
It is worth noting that the Regulations explicitly state that PI handlers processing PI of more than 10 million individuals should also comply with some of the abovementioned obligations for important data handlers, for example, designating an appropriate person and department responsible for data security. B2C business operators should therefore be vigilant and ensure compliance with this new requirement if they meet this threshold.
3. CYBERSECURITY MANAGEMENT
While focusing on PI protection and the regulation of important data, the Regulations also touch upon cybersecurity issues, including restating the requirements for the multi-level protection scheme (“MLPS”), the management of network product defects and vulnerabilities, and cybersecurity incident response.
Notably, the Regulations do not specify detailed reporting requirements for cybersecurity incidents as the first draft did, considering that the CAC is formulating specific rules to address cybersecurity incident reporting.
4. OBSERVATIONS AND RECOMMENDATIONS
In general, we consider that the Regulations do not impose additional requirements on business operators, but rather refine the existing obligations. This refinement is based on the authorities’ practical experience in implementing other data regulations. In the meantime, the Regulations also provide flexibility for the ongoing development of implementation rules for specific requirements, such as compliance audits and the reporting of cybersecurity incidents.
During the transition period before the Regulations take effect, it is advisable for business operators to review their current data processing practices, including the content of privacy notices, methods of obtaining consent, and data governance structures, to ensure compliance with the detailed requirements stipulated in the Regulations.
Please also note that China is formulating several implementation rules for the PIPL which may be formally released in the coming months, including the Measures for Administration of Personal Information Protection Compliance Audit (Draft for Comment) and the Measures for the Administration of Cybersecurity Incident Reporting (Draft for Comments). We also recommend closely monitoring developments in PIPL implementation and administrative rulemaking, preparing the necessary compliance documentation, and modifying current data processing practices as needed.
Article provided by INPLP member: David Tang (Han Kun, China)