Landmark Policy Unveiled to Safeguard Internet Data Security
On September 30, 2024, the "Regulations on Internet Data Security Management" (hereinafter referred to as the "Regulations") were officially released. The Regulations aim to balance development with security by not only strengthening the protection of internet data but also encouraging and promoting the lawful, rational, and effective use of such data. They focus on addressing prominent issues related to personal information, critical data, and cross-border data flows by establishing targeted systemic measures. The Regulations are set to take effect on January 1, 2025.
Main Contents of the Regulations
1. General Obligations of Internet Data Processors
The Regulations stipulate that processors of internet data must establish and improve systems for data security management, risk reporting, and incident handling. No individual or organization may use internet data for illegal activities, nor provide programs or tools specifically designed for such illegal activities. Knowingly assisting others in illegal activities by providing internet access, server hosting, network storage, communication transmission, or promotional and payment settlement services is also prohibited. Records of personal information and critical data provided or entrusted to other data processors must be retained for at least three years.
2. Provisions on Personal Information Protection
The Regulations mandate that processors of internet data provide convenient methods and channels for individuals to exercise their rights, without imposing unreasonable conditions that limit legitimate requests. Where non-essential personal information has been collected inadvertently through automated means or without lawful consent, or where an individual deactivates their account, the processor must delete or anonymize that information. Overseas processors handling the personal data of domestic individuals must establish a dedicated institution or appoint a representative in the country and report its name, contact details, and other relevant information to the local municipal cyber administration department.
3. Critical Data Security Management System
The national data security coordination mechanism, in conjunction with relevant departments, formulates a catalog of critical data to enhance its protection. All regions and departments should identify and protect critical data according to a classified and graded protection system. Data identified as critical must be promptly notified or publicly disclosed by the relevant regions and departments. Processors of critical data must appoint a data security officer and establish a data security management institution. They are also required to conduct an annual risk assessment of their data processing activities and submit reports to the relevant provincial-level authorities.
4. Cross-Border Data Security Management Regulations
The Regulations set out eight conditions under which personal data may be provided to foreign entities; a transfer is permitted if any one of the conditions is met. Personal data may also be transferred abroad in accordance with international treaties or agreements. Data that has not been identified or publicly declared as critical by the relevant regions or departments does not require a security assessment for cross-border transfer.
5. Obligations of Online Platform Service Providers
The Regulations state that online platform service providers and manufacturers of smart devices with pre-installed applications must define, through platform rules or contracts, the data security protection obligations of third-party product and service providers that access their platforms. They must also urge these third parties to strengthen their data security management. Insurance companies are encouraged to develop liability insurance products for network data damage, and platform providers and device manufacturers are encouraged to take out such insurance. Platforms that use automated decision-making to push information to individuals must provide easy-to-understand, accessible, and operable options to turn off personalized recommendations, allowing users to refuse push messages and delete user tags based on personal characteristics. Platforms are also encouraged to support users in registering and verifying real identity information through the national online identity authentication public service.
6. Division of Responsibilities Among Government Departments
The Regulations clarify that the national cyber administration department is responsible for coordinating and supervising internet data security and related regulatory work. Public security and national security organs carry out cyber data security supervision and management within their respective responsibilities, lawfully preventing and combating illegal and criminal activities that endanger cyber data security. The national data management department fulfills corresponding cyber data security duties in the specific management of data. Relevant competent departments undertake the supervision and management of cyber data security in their respective industries and fields. The Regulations also set boundaries for regulatory actions by government departments: they may not charge fees during cyber data security inspections and may not access or collect business information unrelated to cyber data security. Departments are required to strengthen coordination and information sharing to avoid unnecessary and overlapping inspections.
7. Penalties for Violations
The Regulations establish corresponding penalties for violations, including orders to correct, warnings, confiscation of illegal proceeds, fines, orders to suspend related businesses, suspension of business for rectification, or revocation of business licenses. The Regulations also provide that penalties may be reduced, mitigated, or waived in accordance with the "Administrative Penalty Law of the People's Republic of China" if data processors actively eliminate or mitigate the consequences of the illegal action, if the violation is minor and promptly corrected without causing harm, or if it is a first violation with minor consequences that is promptly corrected.
Impact Analysis
Overall, the Regulations place greater emphasis on alignment with previously issued laws and regulations, making the provisions more explicit, well-founded, and rational.
1. More Rational Requirements for Managing Critical Data
The Regulations raise the threshold for applying the critical data management requirements from "processing one million personal data records" in the draft for comments to "processing ten million personal data records," avoiding an expansion of the regulated population. The Regulations also stipulate that the relevant regions and departments must promptly notify or publicly disclose confirmed critical data, reducing compliance costs for businesses.
2. Emphasis on Compliance Requirements for Critical Data in M&A Activities
The Regulations state that processors of critical data whose mergers, divisions, dissolutions, or bankruptcies may affect the security of critical data must take measures to ensure the security of network data and report the disposal plan for the critical data, as well as the name or contact details of the receiving party, to the relevant provincial-level authorities.
3. Clearer Cross-Border Data Regulations
Building on previous regulations such as the "Regulations on Promoting and Standardizing Cross-Border Data Flows," the Regulations clearly define the eight scenarios under which personal data may be provided to foreign entities, giving businesses clear guidance on compliance in cross-border data processing.
In accordance with the Regulations, all regions and departments must determine the specific catalog of critical data for their regions, departments, and related industries and fields according to a classified and graded protection system. Businesses should manage the security of critical data based on the specific requirements of their region and industry.
The policy research team at Sinobravo will continue to closely monitor the release of relevant critical data catalogs.