Beijing’s Latest Data Security Regulations Create Framework for Broad Domestic and Extraterritorial Supervision
By:
Executive Summary:
- The State Council-approved “Network Data Security Management Regulations” impose stringent compliance requirements on data processors and platform service providers to safeguard personal information, important data, and cross-border data. The “Regulations” signal continued efforts by the People’s Republic of China (PRC) to assert control over data management and security both within and beyond its borders.
- The “Regulations” place a heavy emphasis on adherence to the Chinese Communist Party’s (CCP) leadership in data security management, reflecting the PRC’s “comprehensive national security concept.” Overseen by the Cyberspace Administration of China and the Party’s multi-faceted security apparatus, they emphasize national security, mandate strict reporting and risk assessments, and extend their reach to foreign entities processing PRC citizens’ data.
- The “Regulations” mandate the creation of a National Data Security Coordination Mechanism to supervise protection measures and data catalogues at both national and local levels. Cross-border data transfers of important data and personal information must comply with the PRC’s broadly defined security and individual data rights norms, and companies face potential legal consequences if they process data in a way that harms the PRC’s national security or state interests.
The State Council of the People’s Republic of China (PRC) has introduced a new set of “Network Data Security Management Regulations (网络数据安全管理条例).” The “Regulations,” which will take effect on January 1, 2025, were signed into law by Premier Li Qiang (李强) on September 30 (People’s Daily, October 10). These stringent new requirements represent a significant regulatory development in the Party-state’s effort to control and secure personal information, important data, and cross-border data transfers. Overall, the regulations signal the PRC’s continued efforts to assert control over data management and security both within and beyond its borders.
The “Regulations” introduce a comprehensive framework for ensuring the security of personal information, important data, and cross-border data that imposes heavy compliance burdens on all network data processors and network platform service providers. These obligations are imposed on entities regardless of the scale of data they collect, generate, or use in their transactions. Overseen by the Cyberspace Administration of China (CAC)—the “front office” of the Party’s Central Cybersecurity and Informationization Commission—along with public security authorities, and state security authorities, the overarching purpose of this framework is to ensure that the Party’s increasingly expansive definitions of “national security,” “political security,” “economic security,” and “legal rights and interests” of the state are enforced across the data domain.
The “Regulations” are notable for providing a definition of “important data (重要数据)” which, though still vague, improves on those given in the PRC’s 2016 Cybersecurity Law (网络安全法) and 2021 Data Security Law (数据安全法) (China Brief, December 21, 2015; November 20, 2023). They define important data as:
“Data from specific sectors, communities, or regions, or which has reached a certain precision or scale which, if tampered with, destroyed, leaked, illegally obtained, or illegally used, may directly jeopardize national security, economic operation, social stability, and public health and safety (特定领域、特定群体、特定区域或者达到一定精度和规模,一旦遭到篡改、破坏、泄露或者非法获取、非法利用,可能直接危害国家安全、经济运行、社会稳定、公共健康和安全的数据)” (Article 62).
To further define and protect important data the “Regulations” mandate the establishment of a “National Data Security Coordination Mechanism (国家数据安全工作协调机制)” to provide “overall coordination (统筹协调)” for other departments and local governments which, in turn, are charged with establishing catalogues of important data and related protection measures (Article 29).
As indicated by earlier drafts, the “Regulations” signal increased scrutiny of data collection and processing activities inside and outside of the PRC’s borders (China Brief Notes, September 10). They require all network data processors to strengthen data security protection capabilities (Article 9), and to adhere to CCP leadership and implement the PRC’s “total national security concept (总体国家安全观)” in data security management work (Article 3). Institutions and businesses processing important data under the “Regulations” are responsible for:
- Correctly classifying, and reporting, the important data they collect or possess.
- Creating compliant internal data security management structures, risk assessments, and reporting processes, including disclosure of encryption measures and vulnerabilities.
- Submitting to national security reviews for all network processing activities that affect or “may affect (可能影响)” national security.
- Accepting “social supervision (社会监督)” for any products or services provided to the public.
Additional requirements are imposed on “large network platforms (大型网络平台服务)” [1] engaged in complex transactions and whose data processing activities may impact PRC national security or economic development. These include annual “information protection social responsibility (信息保护社会责任)” reports (Article 44) and enhanced cross-border security measures (Article 45).
Legal observers have expressed optimism concerning the apparent loosening of cross-border data transfer (CBDT) restraints on multinationals, noting that the “Regulations” build on the CAC’s March 2024 “Regulations to Promote and Regulate Data Cross-Border Flows (促进和规范数据跨境流动规定).” These exempted certain types of CBDT from security assessment provided that the data did not meet important data or protected personal data thresholds (CAC, March 22).
This assessment, however, runs up against two features of the framework created by the “Network Data Security Management Regulations” that point toward increasing risk—its extraterritorial reach and its ambiguity concerning individual control over personal data.
While the CAC has formally adopted a marginally less stringent position on CBDT regulation, the “Regulations” seek to establish that data transferred outside of the PRC must still be processed according to PRC security laws. They state:
“[Anyone] carrying out network data processing outside the PRC who harms the national security of the PRC, the public interest, or the lawful rights of [its] citizens and organizations, shall be investigated for legal responsibility in accordance with the law (在中华人民共和国境外开展网络数据处理活动,损害中华人民共和国国家安全、公共利益或者公民、组织合法权益的,依法追究法律责任)” (Article 2).
Additionally, the “Regulations” apply this same logic to personal information processing activities outside of the PRC that involve provision of products or services to individuals inside the country, or “analyze and evaluate (分析、评估)” their behavior according to Article 3 of the 2021 Personal Information Protection Law (个人信息保护法) (Xinhua, August 20, 2021).
Companies engaged in personal information transfer and processing have also proven vulnerable to litigation based on the Personal Information Law’s requirement that network data processors seek individual “consent (同意)” before processing their personal data—a requirement elaborated under the “Network Data Security Management Regulations” (Articles 21–25). In a case titled (2022) Yue 0192 Min Chu 6486, the Guangzhou Internet Court clarified that individuals can directly sue companies if they believe their privacy rights have been violated, such as through unauthorized data processing (DSN Group, September 13). Like the Personal Information Law, the “Regulations” impose a complex, multi-step compliance regime which exposes foreign data processors and service providers to potential legal risks related to the collection, storage, transfer, and use of PRC citizens’ data.
Notes
[1] Large network platforms are defined as those with more than 50 million registered users or more than 10 million monthly active users.
