CHINA: Enhanced and clarified data compliance obligations on handlers of “network data”, covering personal information and important data, and operators of online platforms from 1 January 2025

By Carolyn Bigg, Amanda Ge, Venus Cheung & Qiuyang Zhao on October 16, 2024

Posted in Compliance programs and policies, Cyber security, Data security and breaches

Additional and clarified data compliance obligations will soon come into force under the long-awaited Network Data Security Management Regulation (“Regulation“), which was released on 30 September 2024. The Regulation is formulated under the existing data protection framework pillars of the Cyber Security Law, the Data Security Law and the Personal Information Protection Law (“PIPL“), and provides practical implementation requirements and guidance on various aspects of data compliance, covering both personal information and certain non-personal information categories. The Regulation will take effect from 1 January 2025.

Scope

The Regulation governs “network data”, and the compliance obligations primarily apply to “network data handlers”.

Network data: the Regulation governs electronic data processed and generated via networks (“network data“) and applies to all the processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).
Network data handler: a “network data handler” refers to the party that autonomously determines the purposes and means of processing network data. That is akin to a data controller when it comes to personal information. In practice, this would include communication network operators, online service providers and users.

The Regulation has extra-territorial effect. This means that, if a foreign entity processes personal information of Mainland China residents outside of Mainland China, the requirements of the Regulation and the PIPL will apply if the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour.

As has become common with China data regulations, if a foreign (non-Chinese) entity’s processing of network data outside of Mainland China may harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens or organizations, the Regulation restates Chinese authorities’ power to hold the foreign entity liable in accordance with other applicable laws. It remains unclear how these powers may be enforced in practice against non-Chinese entities without a presence in Mainland China.

Key Compliance Obligations

The Regulation focuses on four key areas:

personal information privacy: enhancements and clarifications to the existing China personal information protection framework as it pertains to “network data”;
“large scale” personal information handlers: introduces additional reporting obligations on data controllers of large volumes of personal information;
important data: imposes significant additional governance obligations to the existing “important data” compliance framework, and clarifies how organisations can assess whether or not they handle important data; and
online platform operators: extends existing compliance obligations to manufacturers of smart terminal devices with pre-installed applications, and imposes additional reporting and governance obligations on “large-scale network platforms”.

Impact on Data Privacy Compliance

Key developments as regards network data handlers processing personal information include:

Security defects, threats and risks: the timescale for network data handlers to report data incidents (i.e. security defects, threats or risks involving its products or services) is reduced, so that an incident must be reported within 24 hours of identification if it could harm national security or public interests. However, the Regulation does not specify what defects, threats or risks could harm national security or the public interest or provide any assessment methods.
Data processing agreements (“DPAs”) and record-keeping: the obligation on network data handlers to enter into a DPA with each third party to which it transfers personal information is clarified now to include C2C (controller to controller) transfers as well as C2P (controller to processor) transfers. The DPA and relevant processing records must be kept for at least three years. This obligation is also now clarified to extend to the sharing of important data with third parties, not just personal information.
Data portability: the PIPL gives data subjects the right to data portability (although it is little used in practice by data subjects in China). The Regulation now sets out the conditions that must be met to exercise such right, namely: (i) verifying the true identity of the data subject; (ii) the legal basis for processing the concerned personal information must either be consent or contract necessity; (iii) the transfer is technically feasible; and (iv) the transfer will not harm the legitimate rights and interests of others. Further, it is now clarified that, if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request. Please note that the right to data portability still only covers personal information. Unlike the EU Data Act, the portability of other non-personal business or operation data is not addressed under the Regulation.
Foreign entities keeping and reporting institutions/representatives in China: The Regulation clarifies the procedure for complying with the PIPL requirement for foreign entities processing the personal information of Mainland China residents outside of Mainland China to establish a dedicated institution or designate a representative within Mainland China for personal information protection and to report the name and contact information of such institution/representative, where the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour. According to the Regulation, such information should be reported to the municipal-level data authority, which will then forward it to other relevant regulators at the same level. However, foreign entities still need to watch out for further clarifications regarding other aspects of this requirement such as the reporting timeframe.

Obligations re Important Data

Defining/identifying important data: the Regulation follows the current approach whereby industry regulators have been tasked to formulate (and some have already formulated) important data catalogues, setting out what will be deemed to be “important data” in their industry sector. However, unfortunately the Regulation seems to indicate that such important data catalogues will not be an exhaustive list of important data, and instead they should be treated more as industry guidelines to help organisations classify whether data constitutes important data, and then report it to the industry regulators as required under existing reporting/monitoring rules. Therefore, unfortunately, the most critical question, i.e. what constitutes important data, is still not clearly answered. We now face the situation of, instead of waiting for important data catalogues to be published, rather unhelpfully network data handlers operating in sensitive industries may need to be prepared to identify and report its own important data based on the guidelines given by the authorities.
DPA: it is now clear that network data handlers must enter into a DPA with each third party to which it transfers important data, and that each such DPA must be kept for at least three years. This is a unique requirement for Mainland China, and means that organisations will potentially need to extend their template DPAs to cover important data as well as personal information.
Network data security officer appointment: a network data handler that handles important data must appoint a “network data security officer” (who shall be a member of senior management) and establish a “network data security management department”. They shall be responsible for: formulating network data protection policies and procedures; organizing training and drills; monitoring daily data processing activities; and handling claims, investigations and other data protection related matters pertaining to important data. This is in addition to existing obligations to appoint a DPO, DSO and CSO.
Transfer assessment: an important data handler must conduct a risk assessment before transferring important data to any third party, including in the case of entrusted or joint processing (except where the transfer concerned is mandatorily required by law). The assessment should include, inter alia, the data recipient’s data protection capabilities and overall compliance status; and the effectiveness of the contract with the data recipient to comply with relevant data protection obligations. This appears to be closer to a PIIA for personal information than an EU-style DPIA or TIA, but we await a template assessment form or further guidance from the regulators on this.
Reporting during M&A and corporate reorganisations, etc.: if the security of important data may be affected by an important data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.
Annual assessment report: an important data handler must carry out a risk assessment of its data processing activities once a year, and submit the assessment report to the relevant industry regulator at provincial level or above. Details of what these annual reports must include, and how to submit them, have not yet been published; and it is also unclear how these align with the proposed mandatory data compliance audits recently proposed by the China data protection authorities.

Obligations on “Large Scale” Personal Information Handlers

The Regulation requires a network data handler who processes personal information of more than 10 million data subjects to comply with the “network security officer appointment” and “reporting during M&A and corporate reorganisations etc.” obligations (discussed above) in the same way as an important data handler. However, the Regulation does not address whether the personal information of more than 10 million data subjects per se constitutes important data.

Obligations on Online Platform Operators

The Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Next Steps

The Regulation adds to, rather than replaces, the existing – complex and ever-evolving – China data protection framework, and requires organisations handling China data to update their China data compliance obligations to prepare for these additional compliance obligations before the start of 2025.

Further, as indicated by the Regulation, data incident reporting, DPAs, record-keeping and compliance assessments/reporting will likely become the new compliance focus of the China data authorities in 2025.

Online platform operators’ responsibilities of monitoring in-platform data processing activities will still be an enforcement focus. Meanwhile, smart device manufacturers – who will now be regulated as online platform operators – will face a new set of complex obligations, and so are recommended to familiarize themselves with the requirements and upgrade their compliance programmes before the end of the year.