After years of development, People’s Republic of China (“China”) has established a data security legal framework centered on the “Cybersecurity Law”, “Data Security Law”, and “Personal Information Protection Law” (PIPL). The issuance of the “Network Data Security Management Regulation” (“the Regulation”) by the State Council coordinates the implementation of the data security management requirements stipulated by these three higher-level laws through an administrative regulation.

Objectives of the Network Data Security Management Regulation

The Regulation, which will take effect on Jan. 1, 2025, aims to regulate network data processing activities, protect the legitimate interests and rights of individuals and organizations, and safeguard national security and public interests. It puts forward general requirements and provisions for network data security, further specifies rules concerning personal information protection, and enhances mechanisms for the management of important data. The Regulation also strengthens the framework for cross-border security of network data, clarifying the conditions under which network data controllers may transfer personal information to overseas parties. In addition, the Regulation also stipulates the obligations for internet platform service providers, specifying data protection requirements for entities such as third-party service and product providers.

Personal Information Protection Provisions under the Regulation

Derived from the PIPL, the Regulation provides further clarification on personal information protection. It elaborates on certain articles of the PIPL, focusing on safeguarding individual rights and outlining clearer obligations for organizations.

Article 20 of the Regulation details the methods and content requirements for privacy policies. This provision addresses the prevailing issue where “service agreement” and “privacy policies” related to information collection are often lengthy and difficult to comprehend. By requiring the clear listing of each feature’s data collection purpose and use, this measure ensures that users can easily understand the information without having to sift through dense text.

Under the “informed consent” principle stipulated by the PIPL, the Regulation reiterates and further refines the consent requirements for various circumstances. On this basis, it also clearly defines and excludes situations that cannot be considered as valid consent (such as those obtained through misleading, fraudulent, or coercive means). Article 22 of the Regulation aligns with GB/T 35273-2020, “Information Security Technology – Personal Information Security Specification”, and stipulates that consent shall not be repeatedly sought after an individual has explicitly expressed refusal to the processing of their personal information.

It is worth noting that the Regulation provides flexibility regarding the retention period of personal information, stating that “If the retention period cannot be easily determined, the criteria for determining the retention period should be specified” in Article 24.  It can be understood that this, to some extent, reflects the cyberspace authorities’ recognition of the special business circumstances of controllers in recent years. This is particularly relevant in the context of compliance declarations for cross-border data transfer. Many enterprises, due to customized multi-party data storage services or specific policies of overseas recipients, find it difficult to specify a clear retention period for personal information, which has resulted in challenges when revising the notice content of personal information processing rules. We understand that Regulation provides leniency for situations where it is difficult to specify a concrete retention period for personal information, taking into account the actual business needs of enterprises and reducing the compliance burden for businesses.

Although Article 45 of the PIPL explicitly grants individuals the right to „request the transmission of their personal information to a designated controller“ — commonly referred to as the „right to data portability“ — this right has not been practically implementable due to the lack of specific regulations that meet the conditions set forth by the national cyberspace administration. Article 25 of the Regulation is the first to clarify the specific rules for responding to the right to data portability from a legislative perspective, thereby making the right to data portability practically enforceable in China.

Conclusion

As a critical complement to the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, the Network Data Security Management Regulation enhances and refines many of the rules set forth by these three laws. It introduces important improvements by further clarifying and detailing the regulatory requirements, particularly in areas such as data security and personal information protection.

Overall, the Regulation reflects China’s accumulated experience and advancements in data compliance oversight in recent years. It standardizes key supervisory practices, including detailed rules for privacy policies – such as the specific listing of personal information uses – and formalizes the process for exercising the „right to data portability.“ These measures offer a more comprehensive and enforceable framework for network data security.

For organizations operating in China, the period leading up to January 1, 2025, presents a valuable opportunity to evaluate and adapt their data management practices. By proactively addressing compliance obligations and aligning with the new regulatory requirements, businesses can reduce risks and build trust with consumers and regulatory authorities alike.