Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource (feed dated Wed, 12 Mar 2025 09:42:21 +0000)

CHINA: Recent Enforcement Trends
https://privacymatters.dlapiper.com/2025/03/china-recent-enforcement-trends/ (Wed, 12 Mar 2025 09:42:03 +0000)

Recently, the Cyberspace Administration of China (CAC), China's primary data regulator, published a newsletter on the government authorities' enforcement actions during 2024 against Apps and websites that violated personal data protection and cybersecurity laws.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or fines on 4,046 website platforms, ordered 585 websites to suspend or update relevant functions, took down 200 Apps and took administrative actions on 40 mini-programs. The CAC also conducted joint enforcement actions together with the Ministry of Industry and Information Technology and revoked the licenses or shut down 10,946 websites and closed 107,802 accounts.

The following violations were the particular focus of these enforcement activities:

  • Failure to maintain relevant network logs as required by law or to promptly address security risks (such as system vulnerabilities), resulting in security and regulatory problems such as system attacks, tampering and data leaks;
  • Failure to clearly display privacy notices in Apps, obtain necessary consent to process personal data, or provide convenient methods to opt out or de-register accounts;
  • Failure to conduct required recordal or filing for AI models or features built into Apps or mini-apps; and
  • Unreasonably requiring consumers to scan QR codes or perform facial recognition that is not necessary to provide the underlying services.

Around the same time, the National Computer Virus Emergency Response Center, an institution under the supervision of the Ministry of Public Security responsible for detecting and handling computer virus outbreaks and cyber attacks, published a list of Apps that violated the personal data protection laws in the following areas:

  • Failure to provide data subjects with all the required information about the processing (e.g. name and contact details of the controller, categories of personal data processed, purposes of the processing, retention period, etc.) in a prominent place and in clear and understandable language; in particular, failure to provide such information about any third party SDK or plugin is also considered a breach of the law;
  • Failure to provide data subjects with the required details about any separate controller (e.g. name, contact information, categories of personal data processed, processing purposes, etc.) or to obtain the separate consent of data subjects before sharing their personal data with the separate controller;
  • Failure to obtain the separate consent of data subjects before processing their sensitive personal data;
  • Failure to provide users with the App functions to delete personal data or de-register accounts, or to complete the deletion or deregistration within 15 business days; or setting unreasonable conditions for users to de-register accounts;
  • Failure to formulate special rules for processing the personal data of minors (under the age of 14) or to obtain parental consent before processing the personal data of minors; and
  • Failure to take appropriate encryption, de-identification and other security measures, taking into account the nature of the processing and its impact on the rights and interests of data subjects.

The above enforcement focuses are also consistent with the audit points highlighted in the newly released personal data protection audit rules (see our article here). We expect the same enforcement trend to continue into 2025. Companies that process personal data in China or in connection with business in China are advised to review their compliance status with the requirements of Chinese law and take remedial action in a timely manner.

CHINA: Mandatory Data Protection Compliance Audits from 1 May 2025
https://privacymatters.dlapiper.com/2025/02/china-mandatory-data-protection-compliance-audits-from-1-may-2025/ (Thu, 20 Feb 2025 11:19:41 +0000)

Chinese data regulators are intensifying their focus on the data protection compliance audit obligations under the Personal Information Protection Law (“PIPL“), with the release of the Administrative Measures for Personal Information Protection Compliance Audits (“Measures“), effective 1 May 2025.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested compliance audits.

(Interestingly, they also clarify some other PIPL obligations, such as the data volume threshold for appointing a DPO as well as the necessity of separate consent for some processing activities.)

Who must conduct data protection compliance audits, and when?

The Measures require a data controller processing the personal data of more than 10 million individuals to conduct a self-initiated compliance audit of its personal data processing activities (“Self-Initiated Audits“) at least once every two years.

Data controllers below this volume threshold should still conduct Self-Initiated Audits on a regular basis as is already prescribed under the PIPL, as a matter of good governance.

In addition, the CAC or other data regulators may instruct any data controller to conduct an audit (“Regulator-Requested Audits“):

  1. when personal data processing activities are found to involve significant risks, including serious impact on individuals’ rights and interests or a serious lack of security measures;
  2. when processing activities may infringe upon the rights and interests of a large number of individuals; or
  3. following a data security incident involving the leakage, tampering, loss, or damage of personal information of one million or more individuals, or sensitive personal information of 100,000 or more individuals.

The audit report for Regulator-Requested Audits must be submitted to the regulator. The regulator may request data controllers to undertake rectification steps, and a subsequent rectification report must be provided to the regulator within 15 business days of completing the rectification steps.

Data controllers may, if they wish or when requested by the regulator, engage an accredited third party to conduct the audit (but the third party and its affiliates must not conduct more than three such audits in total for the same organisation).

DPOs of data controllers processing personal data of more than one million individuals are responsible for overseeing the audit activities.

Key elements to be audited

The Measures outline a detailed set of key elements to be audited, which offer valuable insights into the detailed steps expected from controllers for compliance with PIPL obligations, and will help organisations to scope their audits. Unsurprisingly, these elements cover every facet of PIPL compliance, spanning the whole data lifecycle. They include: lawful bases, notice and consent, joint controllership, sharing or disclosing personal data, cross-border data transfers, automated decision-making, image collection/identification equipment, processing publicly available personal data, processing sensitive personal data, retention and deletion, data subject right requests, internal data governance, data incident response, privacy training, Important Platform Providers’ platform rules and CSR reports, etc.

CHINA: Draft Regulation on Certification for Cross-Border Data Transfers Published
https://privacymatters.dlapiper.com/2025/01/7523/ (Tue, 14 Jan 2025 12:02:22 +0000)

On 3 January 2025, the Cyberspace Administration of China (“CAC“) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures“). This regulation represents the final piece in the CAC’s regulatory framework for the three routes to legitimize cross-border transfers of personal data outside of China (“CBDTs“).

To recap, Chinese law requires data controllers to take one of the following three routes to legitimize CBDTs, unless they qualify for specific exemptions under the Provisions on Promoting and Regulating Cross-Border Data Flows (“Provisions“; click here for our summary) or local rules:

  • CAC security assessment;
  • Standard Contractual Clauses (“SCCs“) filing; or
  • CAC-accredited certification.

If enacted, the Draft Measures will provide significant clarity regarding the certification route, offering data controllers both within and outside of China a viable option for legitimizing CBDTs. Below is a practical guide to the key provisions of the Draft Measures, along with our recommendations for data controllers engaged in CBDTs in light of this new regulation.

Who can utilise the certification route?

Data controllers in China: In alignment with the conditions outlined in the Provisions, the Draft Measures reiterate that a data controller in China may pursue the certification route if:

  • the data controller is not a critical information infrastructure operator (“CIIO“);
  • no important data is transferred outside of China; and
  • it has cumulatively transferred non-sensitive personal data of 100,000-1,000,000 individuals or sensitive personal data of less than 10,000 individuals outside of China since the beginning of the year.

It is worth noting that these conditions are the same as those for taking the SCCs filing route, making the certification route an effective alternative to the SCCs filing route for data controllers in China.

Overseas data controllers: The certification route is also available to data controllers outside of China that fall under the extraterritorial jurisdiction of the Personal Information Protection Law (“PIPL“), i.e. those processing personal data of residents in China to provide products or services to them or analyze or evaluate their behavior.

The Draft Measures do not specify the volume threshold or other conditions for overseas data controllers to take the certification route. It remains to be clarified whether overseas data controllers with a limited scope of CBDTs (e.g. those not reaching the volume threshold for data controllers in China as outlined above) can be exempted from obtaining certification or following the other legitimizing routes.

From which certification bodies can a data controller obtain the certification?

Certification bodies that have received approval from the State Administration for Market Regulation (“SAMR“) and have completed a filing process with the CAC are qualified to issue the CBDT certification.

What are the evaluation criteria for the certification?

The evaluation for the certification will focus on the following aspects:

  • the legality, legitimacy and necessity of the purposes, scope and methods of the CBDT;
  • the impact of the personal data protection laws and policies and network and data security environment of the country/region where the overseas data controller/recipient is located on the security of the transferred personal data;
  • whether the overseas data controller/recipient’s level of personal data protection meets the requirements under Chinese laws, regulations and mandatory national standards;
  • whether the legally binding agreement between the data controller and the overseas data recipient imposes obligations for personal data protection;
  • whether the organizational structure, management system, and technical measures of the data controller and the overseas data recipient can adequately and effectively ensure data security and protect individuals’ rights and interests regarding their personal data; and
  • other aspects deemed necessary by certification bodies according to relevant standards for personal information protection certification.

Are there special requirements for overseas data controllers pursuing certification?

Yes. An overseas data controller governed by the PIPL seeking certification must submit the application with the assistance of its dedicated institution or designated representative located in China (the presence of which is a requirement under the PIPL).

The Draft Measures also make it clear that overseas data controllers must, like data controllers in China, assume legal responsibilities associated with certification processes, undertake to comply with relevant Chinese data protection laws and regulations, and be subject to the supervision by Chinese regulators and certification bodies.

How are certification processes and results supervised?

The Draft Measures grant supervisory powers to both the SAMR and the CAC. They can conduct random checks on certification processes and results, and evaluate certification bodies. Certified data controllers will also be under continuous supervision by their certification bodies.

If a certified data controller is found to no longer meet the certification requirements (e.g. the actual scope of the CBDT is inconsistent with that specified in the certification), the certification will be suspended or revoked, and the suspension or revocation will be made public.

Are there ancillary rules and standards on the horizon?

Probably yes. The Draft Measures indicate that the CAC will collaborate with relevant regulators to formulate standards, technical regulations, and conformity assessment procedures for CBDT certification and work alongside the SAMR to develop implementation rules and unified certificates and marks for CBDT certification.

Is the certification likely to be recognised in other jurisdictions?

Probably yes. According to the Draft Measures, China will facilitate mutual recognition of personal information protection certification with other countries, regions, and international organizations.

Recommendations

As discussed, the Draft Measures make available a tangible certification route to legitimize CBDTs for data controllers both within and outside of China. Data controllers should carefully evaluate and choose between the three legitimizing routes when engaging in CBDTs, considering their respective pros and cons and suitability for the controllers’ specific patterns of CBDTs. For example, the certification route may be advantageous for complex CBDTs among multiple parties where signing of SCCs is challenging. To make well-informed decisions, data controllers engaged in CBDTs are recommended to closely monitor developments related to the Draft Measures in the months following the conclusion of the public consultation period on 3 February 2025, and remain vigilant for any release of ancillary rules and standards. This is particularly necessary because some important details about the certification route, such as the validity period of the certification and any thresholds for overseas data controllers to take the certification route, remain unclear.

Overseas data controllers processing personal data of residents in China should also be aware of the Draft Measures, as they specifically outline the certification route. This represents a further enhancement of Chinese regulations governing overseas data controllers, following clarifications regarding the procedure for reporting dedicated institutions or designated representatives of overseas data controllers under the Network Data Security Management Regulation that took effect on 1 January 2025 (click here for our summary). Given this trend, overseas data controllers processing personal data of residents in China should consider assessing whether they fall under the extraterritorial jurisdiction of Chinese data protection laws and, if so, evaluating the practical risks of non-compliance with such laws (e.g. the impact of potential service disruptions or access restrictions). If compliance with Chinese data protection laws turns out to be necessary, it is advisable to implement a comprehensive program to navigate how China’s CBDT restrictions and, more broadly, its complex data regulatory framework may apply to the overseas data controller and devise compliance strategies.

It is also important to remember that the legitimizing routes are not the sole requirement for CBDTs under Chinese law. Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including obtaining separate consent from data subjects, conducting personal information impact assessments, and maintaining records of processing activities.

CHINA: Enhanced and clarified data compliance obligations on handlers of “network data”, covering personal information and important data, and operators of online platforms from 1 January 2025
https://privacymatters.dlapiper.com/2024/10/china-enhanced-and-clarified-data-compliance-obligations-on-handlers-of-network-data-covering-personal-information-and-important-data-and-operators-of-online-platforms-from-1-january-2025/ (Wed, 16 Oct 2024 10:45:55 +0000)

Additional and clarified data compliance obligations will soon come into force under the long-awaited Network Data Security Management Regulation (“Regulation“), which was released on 30 September 2024. The Regulation is formulated under the existing data protection framework pillars of the Cyber Security Law, the Data Security Law and the Personal Information Protection Law (“PIPL“), and provides practical implementation requirements and guidance on various aspects of data compliance, covering both personal information and certain non-personal information categories. The Regulation will take effect from 1 January 2025.

Scope

The Regulation governs “network data”, and the compliance obligations primarily apply to “network data handlers”.

  • Network data: the Regulation governs electronic data processed and generated via networks (“network data“) and applies to all the processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).
  • Network data handler: a “network data handler” refers to the party that autonomously determines the purposes and means of processing network data. That is akin to a data controller when it comes to personal information. In practice, this would include communication network operators, online service providers and users.

The Regulation has extra-territorial effect. This means that, if a foreign entity processes personal information of Mainland China residents outside of Mainland China, the requirements of the Regulation and the PIPL will apply if the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour.

As has become common with China data regulations, if a foreign (non-Chinese) entity’s processing of network data outside of Mainland China may harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens or organizations, the Regulation restates Chinese authorities’ power to hold the foreign entity liable in accordance with other applicable laws. It remains unclear how these powers may be enforced in practice against non-Chinese entities without a presence in Mainland China.  

Key Compliance Obligations

The Regulation focuses on four key areas:

  • personal information privacy: enhancements and clarifications to the existing China personal information protection framework as it pertains to “network data”;
  • “large scale” personal information handlers: introduces additional reporting obligations on data controllers of large volumes of personal information;
  • important data: imposes significant additional governance obligations to the existing “important data” compliance framework, and clarifies how organisations can assess whether or not they handle important data; and
  • online platform operators: extends existing compliance obligations to manufacturers of smart terminal devices with pre-installed applications, and imposes additional reporting and governance obligations on “large-scale network platforms”. 

Impact on Data Privacy Compliance

Key developments as regards network data handlers processing personal information include:   

  • Security defects, threats and risks: the timescale for network data handlers to report data incidents (i.e. security defects, threats or risks involving its products or services) is reduced, so that an incident must be reported within 24 hours of identification if it could harm national security or public interests. However, the Regulation does not specify what defects, threats or risks could harm national security or the public interest or provide any assessment methods.
  • Data processing agreements (“DPAs”) and record-keeping: the obligation on network data handlers to enter into a DPA with each third party to which they transfer personal information is now clarified to include C2C (controller to controller) transfers as well as C2P (controller to processor) transfers. The DPA and relevant processing records must be kept for at least three years. This obligation is also now clarified to extend to the sharing of important data with third parties, not just personal information.
  • Data portability: the PIPL gives data subjects the right to data portability (although it is little used in practice by data subjects in China). The Regulation now sets out the conditions that must be met to exercise such right, namely: (i) verifying the true identity of the data subject; (ii) the legal basis for processing the concerned personal information must either be consent or contract necessity; (iii) the transfer is technically feasible; and (iv) the transfer will not harm the legitimate rights and interests of others. Further, it is now clarified that, if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request. Please note that the right to data portability still only covers personal information. Unlike the EU Data Act, the portability of other non-personal business or operation data is not addressed under the Regulation.
  • Foreign entities keeping and reporting institutions/representatives in China: The Regulation clarifies the procedure for complying with the PIPL requirement for foreign entities processing the personal information of Mainland China residents outside of Mainland China to establish a dedicated institution or designate a representative within Mainland China for personal information protection and to report the name and contact information of such institution/representative, where the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour. According to the Regulation, such information should be reported to the municipal-level data authority, which will then forward it to other relevant regulators at the same level. However, foreign entities still need to watch out for further clarifications regarding other aspects of this requirement such as the reporting timeframe.

Obligations re Important Data

  • Defining/identifying important data: the Regulation follows the current approach whereby industry regulators have been tasked to formulate (and some have already formulated) important data catalogues, setting out what will be deemed to be “important data” in their industry sector. Unfortunately, however, the Regulation seems to indicate that such catalogues will not be an exhaustive list of important data; instead they should be treated more as industry guidelines to help organisations classify whether data constitutes important data, which must then be reported to the industry regulators as required under existing reporting/monitoring rules. The most critical question, i.e. what constitutes important data, therefore remains unanswered. Rather unhelpfully, instead of waiting for important data catalogues to be published, network data handlers operating in sensitive industries may now need to be prepared to identify and report their own important data based on the guidelines given by the authorities.
  • DPA: it is now clear that network data handlers must enter into a DPA with each third party to which it transfers important data, and that each such DPA must be kept for at least three years. This is a unique requirement for Mainland China, and means that organisations will potentially need to extend their template DPAs to cover important data as well as personal information.
  • Network data security officer appointment: a network data handler that handles important data must appoint a “network data security officer” (who shall be a member of senior management) and establish a “network data security management department”. They shall be responsible for: formulating network data protection policies and procedures; organizing training and drills; monitoring daily data processing activities; and handling claims, investigations and other data protection related matters pertaining to important data. This is in addition to existing obligations to appoint a DPO, DSO and CSO.  
  • Transfer assessment: an important data handler must conduct a risk assessment before transferring important data to any third party, including in the case of entrusted or joint processing (except where the transfer concerned is mandatorily required by law). The assessment should include, inter alia, the data recipient’s data protection capabilities and overall compliance status; and the effectiveness of the contract with the data recipient to comply with relevant data protection obligations. This appears to be closer to a PIIA for personal information than an EU-style DPIA or TIA, but we await a template assessment form or further guidance from the regulators on this.
  • Reporting during M&A and corporate reorganisations, etc.: if the security of important data may be affected by an important data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.
  • Annual assessment report: an important data handler must carry out a risk assessment of its data processing activities once a year, and submit the assessment report to the relevant industry regulator at provincial level or above. Details of what these annual reports must include, and how to submit them, have not yet been published; and it is also unclear how these align with the proposed mandatory data compliance audits recently proposed by the China data protection authorities.

Obligations on “Large Scale” Personal Information Handlers

The Regulation requires a network data handler that processes the personal information of more than 10 million data subjects to comply with the “network data security officer appointment” and “reporting during M&A and corporate reorganisations etc.” obligations (discussed above) in the same way as an important data handler. However, the Regulation does not address whether the personal information of more than 10 million data subjects per se constitutes important data.

Obligations on Online Platform Operators

The Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

  • platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
  • app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Next Steps

The Regulation adds to, rather than replaces, the existing (complex and ever-evolving) China data protection framework, and requires organisations handling China data to update their China data compliance programmes to prepare for these additional obligations before the start of 2025.

Further, as indicated by the Regulation, data incident reporting, DPAs, record-keeping and compliance assessments/reporting will likely become the new compliance focus of the China data authorities in 2025.

Online platform operators’ responsibilities of monitoring in-platform data processing activities will still be an enforcement focus. Meanwhile, smart device manufacturers – who will now be regulated as online platform operators – will face a new set of complex obligations, and so are recommended to familiarize themselves with the requirements and upgrade their compliance programmes before the end of the year.

China: New definition and guidelines on Sensitive Personal Information now finalised
https://privacymatters.dlapiper.com/2024/09/china-new-definition-and-guidelines-on-sensitive-personal-information-now-finalised/ (Mon, 30 Sep 2024 16:15:19 +0000)

We previously wrote about proposed changes to the definition of sensitive personal information under a June 2024 draft of the Guide for Sensitive Personal Information Identification (“Guide“). The Guide has now (September 2024) been finalized and issued by the National Information Security Standardization Technical Committee (TC260). Helpfully, it gives organisations greater scope to self-assess whether or not data qualifies as sensitive personal information based on risk of harm rather than just a prescriptive list.

The final Guide largely aligns with the June draft, incorporating only a few changes in wording. However, it introduces several business-friendly clarifications to the list of common examples of sensitive personal information therein (“Examples List“) that help limit the scope of sensitive personal information, including:

  • Location Access Methods: The issued Guide differentiates between location access methods used by mobile applications. It specifies that approximate location data derived from IP addresses is not classified as sensitive personal information, whereas precise mobile positioning data is considered sensitive.
  • Whereabouts/Tracking Information: The “whereabouts/tracking information” category of sensitive personal information has been clarified to encompass only data that indicates a “continuous track” of movements over a period of time, rather than including any data pertaining to locations of a person as in the June draft. Along the same line of reasoning, flight and high-speed train travel records have been removed from examples of this category.
  • Medical Device Data: According to the final Guide, not all data produced by medical devices during healthcare services will be classified as sensitive personal information; only examination and testing data during healthcare services risks falling under such classification.

Notably, the final Guide, in line with existing laws and standards, includes a new explanatory note highlighting the primacy of the “risk of harm” test over the Examples List. The note stipulates that data covered by the Examples List may not qualify as sensitive personal information if there is substantial evidence and justification showing that it fails to pass the “risk of harm” test as outlined in the Guide. This gives organisations greater scope to self-assess whether or not data qualifies as sensitive personal information based on risk of harm rather than just a prescriptive list.

The extent to which the Guide will be relied on by the regulator or courts remains to be seen. However, organizations are encouraged to refer to the Guide alongside existing laws and standards when identifying sensitive personal information. In particular, as noted above and in our previous article, it is crucial for organizations to focus on the “risk of harm” test when identifying Mainland China sensitive personal information.

CHINA: Mandatory data protection compliance (self) audits on their way https://privacymatters.dlapiper.com/2024/08/china-mandatory-data-protection-compliance-self-audits-on-their-way/ Thu, 29 Aug 2024 14:15:37 +0000

The Personal Information Protection Law (“PIPL”) requires a data controller to conduct compliance audits of its personal data processing activities on a regular basis (“Self-supervision Audits”). Apart from such Self-supervision Audits, where the data regulator finds significant risks in a data controller’s processing or where data incidents occur, the data regulator has the authority to require the data controller to engage third-party professional organizations to conduct compliance audits (“Regulator Requested Audits”). However, despite these general principles, the PIPL provides no further details regarding how these audits shall be conducted.

In July 2024, a draft recommended national standard, Personal Information Protection Compliance Audit Requirements (“Draft Standard”), was issued for public consultation, which sets out comprehensive audit requirements and procedures. To be specific:

  • The Draft Standard includes in its Schedule C a list of 37 groups of specific processing operations that must be checked in an audit, as well as the relevant PIPL requirements. The requirements cover the full life cycle of personal data processing, and concern areas such as lawful bases of processing, necessity and data minimization principles, disclosure of necessary processing details to data subjects, sharing of personal data with third parties, automated decision making, public disclosure of personal data, CCTV, sensitive personal data and minor data protection, cross-border data transfers, data subjects’ rights, internal data protection policies and procedures, technical and organizational measures, DPO, personal data protection impact assessments, data incidents, etc.
  • The Draft Standard also outlines the general procedures of an audit, and provides sample lists of the documents and materials which must be reviewed during an audit.
  • In addition, the Draft Standard emphasizes the importance of internal governance. It requires a data controller to establish a compliance audit management system and formulate audit rules and procedures. The data controller’s Board of Directors, DPO and/or Legal Representative must take ultimate responsibility for the establishment of the audit system and the implementation of audits within the organization. The data controller must also allocate sufficient financial and suitable human resources to audit-related work. Personnel appointed to handle audit-related work must have suitable knowledge and experience, and ideally hold qualification certificates.
  • The Draft Standard does not prescribe when or how often a data controller must conduct an audit. In the Measures for the Management of Compliance Audits on the Protection of Personal Information (Draft for Comments) (“Draft Measures”), which were issued in September 2023 for public consultation, it is stated that a data controller which processes the personal data of more than one million individuals must conduct Self-supervision Audits at least once a year. Other data controllers must conduct Self-supervision Audits at least once every two years.
  • The Draft Measures require data controllers to submit the audit reports of Regulator Requested Audits, take necessary remediation actions, and then submit the post-remediation reports.

As of the date of this article, neither the Draft Standard nor the Draft Measures have been finalized. But there are rumours indicating that both will be finalized before the end of 2024. An increasingly common understanding in the market is that personal data compliance audits will become the next regulatory focus of the data regulator.

Regardless of the status of these drafts, a data controller has an obligation under the PIPL to conduct Self-supervision Audits periodically. It is, thus, recommended to take note of the requirements under the Draft Standard, consider establishing an internal audit management framework and complete at least one Self-supervision Audit within a reasonable time.

China: Important new guidance on defining sensitive personal information https://privacymatters.dlapiper.com/2024/08/china-important-new-guidance-on-defining-sensitive-personal-information/ Tue, 06 Aug 2024 07:31:25 +0000

While the definition of sensitive personal information in China has always been different from that in other jurisdictions, with a focus on risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer and data audit obligations.

Under China’s data protection law, if a data controller processes any sensitive personal information, it will be subject to stricter obligations. For example, it must obtain the individuals’ separate consent. It must take enhanced technical and organizational measures. More importantly, under the new Chinese regulation governing the cross-border transfer of personal information (see our article here for details), if it transfers even one individual’s sensitive personal information outside China, it will need to file the transfer with the Chinese data regulator. Thus, the accurate identification of sensitive personal information has become increasingly important, and will become more so under proposed new data audit regulations.

The China Personal Information Protection Law (“PIPL”) defines sensitive personal information as any personal information that, once leaked or misused, may easily lead to the infringement of an individual’s personal dignity or harm to personal or property safety.

The PIPL offers a few examples of sensitive personal information (e.g. biometrics, religious beliefs, medical health, financial accounts, whereabouts, and any personal information relating to minors under the age of fourteen). Recommended national standards such as GB/T 35273-2020 Personal Information Security Specifications (“Specifications”) and GB/T 43697-2024 Rules for Data Classification and Grading (“Rules”) also include non-exhaustive sample lists. In past years, the identification of sensitive personal information in the market has relied heavily on such examples and lists.

In June 2024, a new Draft Guide for Sensitive Personal Information Identification (“Draft Guide”) was issued for public consultation, which proposes a different approach to identifying sensitive personal information. For example:

  • Facial recognition data: Under the Specifications and the Rules, only facial feature extraction or faceprint constitutes sensitive personal information. The Draft Guide now proposes to expand the scope to cover face images also, based on the rationale that facial feature extraction or faceprint may be generated from face images.
  • Health data: Under the Specifications and the Rules, food allergy related data is specifically identified as sensitive personal information, which (unreasonably) subjects many restaurants and catering companies to stricter data protection obligations. The Draft Guide now proposes to limit the scope of health data to disease, illness, disability and diagnosis- and treatment-related data.
  • Finance data: Under the Specifications and the Rules, transaction and expense records are identified as sensitive personal information, which may lead to the extreme conclusion that all shops and malls keeping consumers’ purchase records process sensitive personal information. Under the Draft Guide, transaction and expense records would be removed from the list. Instead, sensitive personal finance information would be limited to bank, securities and fund account or card numbers and passwords, as well as token information and income details related to each specific account or card.
  • Other data: The Draft Guide proposes removing communications records and web browsing records from the sensitive personal information list, which is helpful especially for companies that monitor and record employees’ work-related emails and messages. The Draft Guide also clarifies that flight and high-speed train travel records fall within the scope of “whereabouts” data and thus constitute sensitive personal information, whether in a consumer or potentially even an employee-travel context.

It is uncertain when the Draft Guide will be finalized, and indeed how much it would be relied upon by the Chinese data regulator considering it would only constitute non-binding recommended guidance. Nonetheless, it is clear that identifying sensitive personal information is no longer a straightforward question, and the context in which personal information is processed will be critical to the assessment. To be fair, the focus on “risk of harm” has always been a key component of defining sensitive personal information in China. Therefore, going forward, organisations looking to identify their sensitive personal information should place more focus on the consequences and potential harm to the data subjects if the data in question is breached or misused. A case-by-case and context-specific analysis will likely be required.

CHINA: New national data classification and grading standard is released https://privacymatters.dlapiper.com/2024/04/china-new-national-data-classification-and-grading-standard-is-released/ Mon, 22 Apr 2024 16:13:35 +0000

Data classification and grading is an obligation that each data handler must comply with under the Chinese data protection laws. Data handlers have been waiting for clear requirements and standards on how to carry out the relevant work. The newly published national standard GB/T 43697-2024 Data Security Technology – Rules for Data Classification and Grading sheds light on this area.

Basic rules

As a general principle, sectoral authorities shall publish categories and guidelines to set out the sector-specific data classification and grading frameworks. Data handlers’ internal data classification and grading work shall be conducted under the relevant sectoral framework.

To be specific, a data handler shall first conduct data classification by identifying the sectors in which the data is processed, and classifying data as industrial data, telecom data, financial data, energy data, traffic and transportation data, natural resources data, health data, education data, science data, etc.

The data handler shall further classify the data in each sector by considering factors such as the objects described (e.g. user data, business data, operation data and system maintenance data, etc.), the business processes concerned (e.g. R&D, manufacturing, distribution, after-sales services, etc.), and the processing purposes (e.g. internal management, supplier management, marketing, etc.). Where personal data is involved, the existing personal data classification requirements (which are summarized in Schedule B of the new standard) must be reflected.

Under the new standard, data is graded as core data, important data and regular data. The grading should be based on the significance of the data to economic and social development, as well as its impact on national security, public interests and the legitimate rights and interests of individuals and organizations that could result from tampering, destruction, leakage, unauthorized access, or illegal use of the data.

The following factors may affect the grading: the business contexts in which the data is processed; the business objects or personal data subjects that the data describes; the geographic areas the data concerns; the data accuracy; coverage scale and level of detail, etc. Schedules 3 and 4 of the new standard provide further guidance on how each factor shall be assessed when determining the grading.

Important data

Important data refers to data that is specific to certain sectors, groups or regions, or that has reached a certain level of precision and scale, and that, once leaked, tampered with, or destroyed, may directly jeopardize national security, economic operations, social stability, public health, and safety. Data that only affects the data handler itself or individual citizens is usually not considered important data.

The new standard also sets out the factors and standards that sectoral authorities must consider when formulating the important data catalogues. Once such catalogues are published, data handlers must follow the catalogues, identify the important data within their own organizations and prepare their own important data catalogue accordingly.

If a data handler believes that it also processes other important data after considering all the factors provided in the new standard, it can identify such data as important data voluntarily. This is so, even though the data is not included in the sectoral authorities’ important data catalogues. However, only the important data included in sectoral catalogues (rather than the voluntarily identified important data) must go through the special approval processes before it can be transferred overseas.

After finalizing the important data catalogue internally, data handlers shall record their important data catalogues with the sectoral authorities in accordance with the requirements specified in sector-specific guidance. For example, according to the Measures for the Management of Data Security in the Field of Industry and Information Technology (for Trial Implementation), data handlers in the industry and information technology sector shall record their important data catalogues with local sectoral authorities and provide information on the source; classification; grade; scale; carrier; purpose and method of processing; scope of use; responsible party; external sharing; cross-border transfer; security protection measures, etc. of the important data. The specific data items in the important data catalogue are not required to be provided.

Practical Next Steps

Since the standard has already set out a relatively clear framework and includes reasonable details, sectoral authorities are expected to publish sector-specific guidance and catalogues soon. While following such developments closely, data handlers are recommended to conduct thorough data mapping internally and initiate preliminary data classification and grading work in parallel.

Please contact Carolyn Bigg (Carolyn.Bigg@dlapiper.com), Amanda Ge (Amanda.Ge@dlapiper.com), or Venus Cheung (Venus.Cheung@dlapiper.com) if you would like to discuss what these latest developments mean for your organisation.

CHINA: data protection regulations – a lookback at 2023 developments https://privacymatters.dlapiper.com/2024/01/china-data-protection-regulations-a-lookback-at-2023-developments/ Wed, 10 Jan 2024 10:08:03 +0000

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, Gwyneth To

With 2023 having come to an end, the fast-paced changes to the China data protection regime throughout the year are continuing well into Q1 2024.

As well as a near finalisation of the different routes to legitimise cross-border data transfers, the Cyberspace Administration of China (“CAC”) has begun to direct its efforts into harmonising its data compliance requirements across regions, as well as other aspects of data compliance.

Most notably, these include:

  1. GBA Transfers – Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (“Implementation Guidelines”)

Following the various cross-border data transfer mechanisms published by the CAC earlier in the year, the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (“HKITIB”) jointly issued the Implementation Guidelines, containing the Standard Contract for Cross-boundary Flow of Personal Information within the Greater Bay Area (“GBA Standard Contract”), on 13 December 2023, to apply with immediate effect.

The GBA Standard Contract seems to be a less stringent version of the China Standard Contractual Clauses (“China SCCs”) route to legitimising cross-border data transfers to Hong Kong, given its limited scope of applicability.

See here for more information on the full China SCCs route.

  • Scope of applicability. Under the Implementation Guidelines, personal information controllers and recipients registered or located within the Greater Bay Area (“GBA”) can sign the GBA Standard Contract to transfer personal information (but excluding important data) within the region.
  • Key obligations and responsibilities. To rely on the GBA Standard Contract to legitimise cross-border data transfers, data controllers must fulfil the following obligations outlined in the GBA Standard Contract:

    • Providing notice to and obtaining separate consent from data subjects in accordance with the laws and regulations prior to the transfer;
    • Not transferring any personal information outside the Greater Bay Area; and
    • Conducting a personal information protection impact assessment. However, note that there will be no need to file this simpler assessment with the authorities (a less stringent requirement compared with the formal China SCCs route).
  • Filing procedure. Data controllers must still make a filing containing the signed GBA Standard Contract, together with other specified documents, with the Guangdong Province CAC or the Office of the Hong Kong Government Chief Information Officer within ten working days from the contract’s effective date.
  • Onward transfers are permitted only within the GBA. The GBA Standard Contract must not be abused as a means of leveraging Hong Kong as a safe harbour for onward transfers to jurisdictions outside the GBA without following the appropriate means of legitimising those cross-border data transfers.

Regardless of the above, the Implementation Guidelines still represent an important first step towards a much-anticipated relaxation of restrictions on personal information flows across the GBA, as foreshadowed in the Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macao Greater Bay Area signed in June 2023.

  2. Breach Notification – Draft Administrative Measures for the Reporting of Cybersecurity Incidents (“Draft Measures”)

On 8 December, the CAC – in response to China’s concern with large-scale data security incidents within its borders – issued the Draft Measures, aiming to safeguard national cybersecurity by standardising the reporting of cybersecurity incidents. The Draft Measures closed for public consultation on 7 January 2024.

If passed in their current form, network operators will be mandated to report to the relevant government bodies any network security incident that may cause significant harm.

The incident reporting is categorised into different levels, based on the type of network operators.

The Draft Measures provide procedures for making notifications. Most notably, they introduce stringent notification timescales. Cybersecurity incidents classified as “major”, “significant” or “particularly significant” should be reported within one hour of discovery, with information not then available to be supplemented within 24 hours.

  3. Cross-border Data Transfers – CAC Certification route

Following the finalisation of two out of three of the cross-border data transfer mechanisms (CAC Assessment and China SCCs), the CAC now turns to the final route – CAC Certification.

Despite uncertainties around the CAC Certification, developments came to light from 25 December onwards, where the first certifications were granted for notable household names – such as Alipay, JD Technology and the University of Macau.

Most notably, it was reported that in considering the approval of the University of Macau’s certification, various internal governance processes were taken into account. These included but are not limited to: data spatialization, data classification and grading, identity authentication, data subject consent management, personal information impact assessments, data transfer risk assessments etc. – all of which provide a well-rounded governance of the entire lifecycle of data processing.

That said, there is little public information regarding the basis on which these certifications were approved – in particular, whether the certifications only concern in-country processing of China personal information, or what specific business contexts were involved.

We expect to see more certification approvals during 2024.

See here for a recap on the CAC certification requirements.

Looking ahead – 2024

The China data protection regime is expected to witness more significant changes in the coming year.

Draft measures on important data, as well as compliance audits in the pipeline, are indicative of the regulators shifting their focus onto wider data compliance requirements after the frenzy on cross-border data transfers.

Given the shift in the regulators’ priorities from an external-facing to an internal-facing focus of data compliance, it is especially important in the coming months for businesses with a presence in China to focus on formulating a China data compliance programme and remediating any gaps in compliance, now with a focus on internal procedures and governance.

CHINA: new Anti-Espionage Law and its impact on your China data and operations – how your organisation should respond https://privacymatters.dlapiper.com/2023/05/china-new-anti-espionage-law-and-its-impact-on-your-china-data-and-operations-how-your-organisation-should-respond/ Tue, 16 May 2023 07:05:32 +0000

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, Gwyneth To

China’s amended Anti-Espionage Law will take effect from 1 July 2023. However, its effects have already been felt by some international businesses. So what should international businesses do to respond to these new risks?

The new law broadens the scope of espionage activities, as well as the power for authorities to carry out anti-espionage investigations by gaining access to data and property.

Given the observed increase in anti-espionage enforcement, organisations are advised to focus on adopting internal governance mechanisms to ensure compliance with the relevant laws, and on being ready to react promptly to any potential enforcement action.

Applicability and extra-territorial effect

The new law applies to a widened scope of espionage activities, and can potentially impact different types of data and activities.

In particular, those organisations dealing with state secrets should be aware of the far-reaching applicability of the new law. Given the uncertainty in what constitutes state secrets, organisations should constantly review, assess risks, and be attentive to the types of data that are processed as part of their business operations.

With this in mind, organisations which deal with more sensitive types of data such as defence and advanced technology should take extra care in remaining compliant with the law (including keeping such data within Mainland China unless relevant approvals are obtained). Additionally, organisations which have contact with national security authorities should ensure all communications and interactions are kept confidential within the organisation.

Notably, the new law does not limit espionage activities to those carried out within China. This said, the focus appears to be on activities that may, in any way, impact national security and public interests of China.

The new law also applies to espionage activities against third countries that are carried out by espionage organisations and their agents within the territory of China, or that otherwise involve Chinese citizens, organisations, or other conditions, so long as such activities endanger the national security of China. Thus, activities not specifically targeting China may also fall within the regulatory scope.

Managing data risks

Both local and foreign organisations should be mindful of the significance of this new law if they have China-related business activities or connections.

One of the key internal data governance actions that an organisation should prioritise in connection with compliance with this new law is to conduct data mapping and classification in order to maintain an accurate data inventory and to ensure there is a clear understanding of its data flows and processing activities. As noted above, this is particularly important with regard to state secrets and “important data”. Data compliance programmes should extend beyond just personal data to cover these other China data categories, and should include education on such restrictions and sensitivities beyond just China personnel.

Authorities’ powers

During the course of carrying out anti-espionage investigations, national security authorities are now granted the power to access official buildings and factories, requisition transportation and communication tools, check personal IDs and belongings, examine and seal up electronic devices, review and obtain documents and materials, summon and interview relevant stakeholders, freeze and seize properties, impose border entry and exit restrictions, and shut down websites and networks.

What to do in the event of regulatory investigations / dawn raid

In the event of regulatory investigations, representatives of organisations should:

  • first ensure investigators have due authority and due procedures are followed;
  • refer to internal investigation/dawn raid guidelines, and follow the detailed step-by-step guidance on dealing with authorities’ enquiries or investigations. In particular, follow proper internal reporting and escalation procedures in case of dawn raids; and
  • keep records of the data and information provided to regulators as part of the dawn raid.