An In-depth Analysis of China’s Network Data Security Regime - Part II: Detailed Look at Data Protection Requirements

In late September 2024, the State Council published the Administrative Regulation on Network Data Security (“Regulation”), which came into effect on 1 January 2025. The Regulation establishes a comprehensive framework governing the security of a wide range of data, including personal information (“PI”) and important data. It also introduces a series of obligations for network data processors and strengthens regulatory oversight.

This is the second article of our series. In this article, we outline the key provisions of the Regulation, with a particular focus on the differentiated requirements for various categories of data, and share our observations on its potential implications.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.

BACKGROUND

China’s data protection framework is structured around three fundamental pillars: the Cybersecurity Law (“CSL”, 2017), the Data Security Law (“DSL”, 2021), and the Personal Information Protection Law (“PIPL”, 2021). While these laws overlap in certain areas, each focuses on a distinct dimension of data governance.

The CSL primarily regulates the security of networks and information systems. At the time of its enactment, in the absence of a dedicated important data and PI protection law, it also contained some initial provisions on PI protection and mentioned important data. The DSL provides a general regulatory framework for all types of data but places particular emphasis on safeguarding national security and public interests. The PIPL, which came into force most recently, establishes a comprehensive regime for the protection of PI and serves as China’s equivalent to the GDPR.

Although these three laws are interconnected, their respective areas of focus are distinct. The Regulation aims to consolidate and refine the rules set out in these foundational laws in the specific context of network data. It provides greater clarity by addressing the differentiated requirements for general network data, PI, and important data, thereby further strengthening China’s data governance regime.

The Regulation sets out comprehensive obligations for network data processors across three key areas - general network data, PI, and important data. It outlines baseline security and compliance requirements applicable to all data, establishes dedicated rules for PI processing, and introduces enhanced protections for important data with national security implications. In the following sections, we examine these requirements in greater detail.

KEY PROVISIONS AND OBSERVATIONS

I. General obligations of network data processors

Chapter II of the Regulation outlines the general provisions applicable to all network data processing activities, regardless of the type of data involved. In contrast to the more specific requirements for PI and important data under Chapters III and IV, the provisions under Chapter II establish baseline security and compliance standards for all network data processors. As mentioned in the first article of this series, the definitions of network data and network data processing activities are very broad, so the scope of application of Chapter II is also extensive. The general obligations can be summarized as follows:

1. Prohibition of Using Network Data for Illegal Activities

Network data processors must not use network data to engage in illegal activities. They should not illegally steal or obtain network data, nor illegally sell or provide network data to others. Additionally, no individual or organization may provide programs, tools, technical support, advertising, payment settlement, or other assistance for such illegal activities.

The draft version of the Regulation provided a detailed enumeration of specific types of illegal activities. However, the enacted version did not retain this exhaustive list. Instead, the prohibition of illegal activities is articulated in more general terms. This change may have been made in consideration of the fact that, as technology evolves, the forms of illegal activities are likely to become more diverse.

Furthermore, the Regulation clarifies that prohibited technical support for illegal activities includes internet access, server hosting, network storage, and communication transmission, extending the obligations to certain technical service providers.

2. Network Security Responsibility

The Regulation requires network data processors to bear the primary responsibility for network data security, strengthening the security protection of network data through institutional and technical measures on the foundation of multi-level network security protection. If network data needs to be transferred due to mergers, divisions, dissolution, or bankruptcy, the receiving party must continue to fulfil the obligations of network data protection and bear the primary security responsibility.

In addition, network data processors must also pay attention to the following obligations related to network data security:

  • Security of Network Products and Services: The network products and services provided by network data processors must comply with the requirements of mandatory national standards. If any security defect or vulnerability is discovered in the network product or service, network data processors should take remedial measures immediately and inform the relevant regulatory authority. If national security or public interests are at risk, the relevant authority must be notified within 24 hours. It is important to note that, according to the Regulations on the Management of Security Vulnerabilities in Network Products issued in 2021, network product providers must report relevant vulnerability information to the Official Platform operated by the Ministry of Industry and Information Technology within 2 days. It seems that the Regulation further shortens the notification time for security vulnerabilities that endanger national security or public interests.
  • Network Data Security Incident Plans and Response: Network data processors must establish emergency response plans for network security incidents in advance. When a network security incident occurs, the plan must be activated immediately, and measures must be taken to prevent the harm from expanding. Unless otherwise stipulated by laws and regulations, information about the security incident must be notified to the relevant authorities and affected subjects (including individuals and organizations).
  • Data Provision, Entrusted Processing and Joint Processing: If network data processors provide or entrust the processing of PI and important data to other network data processors, they must enter into a data processing agreement (DPA) with the receiving party and retain records of the processing of PI and important data for at least three years. Additionally, where two or more network data processors jointly determine the purpose and method of processing PI and important data, they must agree on their respective rights and obligations.

    Notably, compared to the DSL and the PIPL, the Regulation introduces several new requirements: (i) it explicitly mandates the execution of a DPA for the provision, entrusted processing, and joint processing of important data, which is not required under the DSL; (ii) it requires a DPA to be signed when providing PI to another processor, a requirement not clearly stipulated under the PIPL; and (iii) it emphasizes the obligation to retain records of the processing of PI and important data for at least 3 years. While this requirement exists under Article 55 of the PIPL, it has not been effectively implemented in practice, as Article 55 primarily focuses on conducting PI protection impact assessments rather than on record-keeping.

  • National Security Review: If network data processors engage in network data processing activities that affect or may affect national security, they must undergo a national security review in accordance with relevant national regulations. According to the Measures for Cybersecurity Review, critical information infrastructure operators purchasing network products and services, and network platform operators conducting data processing activities that affect or may affect national security, must undergo a cybersecurity review.
  • Automation and Artificial Intelligence Services: The Regulation requires that network data processors using automated tools to access or collect network data should assess the impact on network services, and must not illegally intrude into others’ networks or interfere with the normal operation of network services. This imposes certain restrictions on the use of web crawlers by some companies to obtain network data. Additionally, the Regulation stipulates that network data processors providing generative artificial intelligence services must strengthen the security management of training data and training data processing activities.
  • Providing Services to State Agencies, etc.: When network data processors provide services to state agencies or critical information infrastructure operators, or participate in the construction, operation, or maintenance of other public infrastructure or public service systems, they should not access, obtain, retain, use, disclose, or provide network data to others without the consent of the entrusting party, nor may they conduct associative analysis on network data, in addition to fulfilling specific network data security protection obligations.

II. PI protection

The Regulation provides more detailed guidance on PI protection based on the requirements set forth by the PIPL, mainly focusing on notification, consent, data subject rights, and data retention.

1. Notification

With respect to the notification requirements, before processing PI, network data processors must develop and publicly display PI processing rules that are easily accessible, prominently positioned, and clearly written. These rules must include at least the following:

  • The processor’s name and contact information;
  • the purposes, methods, and types of PI to be processed, the necessity of processing sensitive PI, and its potential impact on individual rights;
  • the retention period of PI and the method of handling data upon expiration; and
  • the methods and procedures for individuals to exercise their rights, such as accessing, copying, transferring, rectifying, supplementing, deleting, restricting processing, withdrawing consent, and account cancellation.

Compared with the PIPL’s requirements, the Regulation further emphasizes that if the retention period is difficult to determine, the method for determining the retention period should be clearly indicated.

To ensure individuals can clearly understand the details of processing activities, the Regulation also requires network data processors to list the details of the processing and collection in the form of a checklist or similar format.

Note: Network data processors are advised to provide clear lists of the types of PI collected and of the third parties, including Software Development Kit (SDK) providers, with whom such information is shared.

2. Consent

Consent is the most important and commonly used legal basis in China. The Regulation, addressing this important legal basis for data processing under the PIPL, further clarifies the following:

  • General Consent: Network data processors must ensure that PI is collected only to the extent necessary for providing products or services, and must not engage in excessive data collection or obtain consent through misleading, fraudulent, or coercive means. Furthermore, they must not continue to seek consent repeatedly after an individual has clearly refused. Where there is any change to the processing purpose, method, type, or retention period of PI, fresh consent must be obtained.
  • Separate Consent for Sensitive PI Processing: The processing of sensitive PI—such as biometric data, religious beliefs, specific identity information, medical and health data, financial account information, and location tracking data—requires separate consent. Notably, the categories listed in the Regulation align with the Cybersecurity Standards Practice Guide – Guidelines for the Identification of Sensitive PI published in 2024. This guide removed certain data types, such as ID numbers and passport numbers (previously deemed sensitive under the national standard PI Security Specification), while retaining others like ID photos. Given that the PI Security Specification may undergo further revisions, the precise scope of sensitive PI will need to be closely monitored.
  • Consent for Processing Minors’ PI: The Regulation requires that, for the processing of PI of minors under the age of 14, the consent of the minor’s parents or other guardians must be obtained. However, it does not explicitly require separate consent. Considering that PI of minors under 14 is classified as sensitive PI under the PIPL, the processing of which needs separate consent, whether separate consent from parents or guardians is also required remains an open question that may necessitate further clarification.

3. Data Subject Rights

To ensure users can conveniently exercise their rights related to PI as stipulated by the PIPL, the Regulation requires network data processors to promptly handle requests and provide convenient methods and channels to support individuals in exercising their rights. Unreasonable conditions that restrict legitimate requests from individuals should not be imposed.

Specifically, for the right to data portability, network data processors should provide access and retrieval methods for the PI to the other network data processors designated by the individual, if the following conditions are met: (1) the requester's true identity can be verified; (2) the information to be transferred was either provided with the individual's consent or collected on the basis of a contract; (3) the transfer of PI is technically feasible; and (4) the transfer of PI does not harm the legitimate rights and interests of others.

4. Other important issues

The PIPL remains silent on the methods and channels for reporting the contact information of local representatives designated by foreign PI processors under its extraterritorial effect. While the Regulation also does not establish such a channel, it indicates that the contact details of the local representatives should be provided to the municipal-level CAC.

Based on a risk-based approach, network data processors handling PI of over 10 million individuals must also comply with certain provisions of the Regulation applicable to processors of important data. This includes designating a person responsible for network data security and establishing a dedicated network data security management agency. They must fulfil relevant network data security protection responsibilities and report important data handling plans to provincial-level or higher authorities, especially in cases of mergers, splits, dissolution, or bankruptcy that may affect data security.

III. Important data protection

Chapter IV of the Regulation outlines the provisions that network data processors processing important data, or important data processors, must comply with. As mentioned in the first article of this series, important data is defined under the Regulation as data that (i) if modified without permission, destroyed, leaked, or illegally acquired or used, may directly harm national security, economic operation, social stability, or public health and safety, and (ii) relates to specific sectors, groups or regions, or reaches a certain level of precision or scale.

The obligations that important data processors must comply with can be summarized as follows:

1. Identification and declaration of important data

For a long time, identifying important data has been a significant challenge for enterprises. To tackle this issue, Article 29 of the Regulation introduces a three-step mechanism:

  • Step 1: sectoral regulators and regional authorities are obligated to create their own catalogues of important data;
  • Step 2: network data processors must identify and declare important data in line with regulations;
  • Step 3: once the competent authorities confirm the data is important data, they should notify the network data processors or publicly announce it.

However, to date, most sectoral regulators and regional authorities have not released catalogues or identification rules for important data[1], nor have they provided detailed procedures for the declaration of important data. (Please see the first article of this series for more information about the definition of important data.) Therefore, although the Regulation clearly mandates that network data processors must identify and declare important data, the specific implementation details still await further clarification from competent authorities.

2. Implementing important data security measures

The Regulation requires that important data processors must designate a network data security officer and establish a network data security management institution. Additionally, in cases of mergers, splits, dissolutions, or bankruptcies, they must report the important data disposal plan to the competent authorities.

  • Network data security management institution: The Regulation specifies the responsibilities of the network data security management institution, which include:
    • formulating and implementing network data security management policies, operating procedures, and emergency response plans for network data security incidents;
    • regularly organizing activities such as network data security risk monitoring, risk assessments, emergency drills, and awareness training;
    • promptly addressing network data security risks and incidents; and
    • handling network data security complaints and reports.
  • Network data security officer: The Regulation requires that important data processors must appoint a member of their management team with professional knowledge of network data security and relevant management experience as the network data security officer. If the important data processor processes specific types or scales of important data, the network data security officer must undergo a security background check. The specific “scale” or “types” have not been clarified yet.
  • Important data disposal plan: If the important data processor undergoes mergers, splits, dissolutions, or bankruptcies that may affect the security of important data, it must take measures to ensure network data security and report the important data disposal plan, including the name or contact information of the recipient, to the competent authorities.

3. Conducting important data risk assessments

The Regulation requires that important data processors must conduct (1) annual risk assessments of their network data processing activities and (2) risk assessments before providing, entrusting, or jointly processing important data. The focus of these two types of assessments differs.

  • Annual risk assessment: The Regulation mandates that important data processors conduct annual risk assessments of their network data processing activities and submit risk assessment reports to the competent authorities. The assessment should include:
    • basic information about the network data processor, information about the network data security management institution, and the name and contact information of the network data security officer;
    • the purpose, types, quantity, methods, scope, storage duration, and storage location of the important data being processed, as well as the activities carried out in network data processing, excluding the content of the data itself;
    • the network data security management policies and their implementation, including technical measures such as encryption, backup, labelling, access control, and security certification, as well as other necessary measures and their effectiveness;
    • identified network data security risks, incidents that have occurred, and their handling;
    • risk assessments for providing, entrusting, or jointly processing important data;
    • the status of cross-border data transfers;
    • other contents specified by the competent authorities;
    • for large network platform service providers, the risk assessment report should also fully explain the security of key business and supply chain network data.
  • Risk assessment before providing, entrusting, or jointly processing important data: Before providing, entrusting, or jointly processing important data, processors must conduct a risk assessment, except when fulfilling statutory duties or obligations.

Unlike the annual risk assessment, the Regulation does not require this type of assessment to be submitted to competent authorities. Additionally, this assessment focuses more on evaluating the legality, legitimacy, necessity, associated risks, and security measures of the provision, entrustment, or joint processing of important data, as well as assessing the integrity and lawfulness of the data recipient.

CONCLUSION AND RECOMMENDATION

The Regulation marks a significant step forward in China’s data governance landscape by refining the protection of PI and important data. It strengthens the enforcement of existing laws by clarifying network data processors’ obligations in areas such as consent management, individual rights protection, and security requirements. Notably, for important data, the Regulation establishes a basic regulatory framework.

From a compliance perspective, enterprises should revisit their existing PI protection programs, even if they have already implemented measures under the PIPL. The Regulation imposes additional requirements in areas such as obtaining valid consent, responding to data subject rights requests, executing DPAs for PI provision, and retaining records of PI transfers. Companies should carefully review these new obligations to identify any compliance gaps and make targeted adjustments.

With respect to important data, although the Regulation outlines a preliminary governance structure, many industries have yet to publish detailed important data catalogues or sector-specific regulatory rules. In light of this, enterprises are advised to closely monitor future developments within their respective industries and regulatory sectors and to prepare for compliance efforts once further guidance is issued.



[1] Currently, only a few sectoral regulators and regional authorities have issued catalogues or identification rules for important data. For example, the free trade zones in Beijing, Shanghai, Tianjin, and Fujian have released some negative lists or general data lists for cross-border data transfer, which include catalogues for identifying important data. Additionally, the automotive sector regulators have issued the rules for identifying important data in the automotive sector.
