China: Introduced Draft Regulations on the Administration of Network Data Security including data protection requirements

Description

Introduced Draft Regulations on the Administration of Network Data Security including data protection requirements

On 14 November 2021, the Draft Regulations on the Administration of Network Data Security have been introduced. The draft law in question is intended to implement and further specify the details of the (i) Cybersecurity Law, (ii) Data Security Law and the (iii) Personal Information Protection Law (PIPL). As the draft provides, data shall be classified and thus fall under the categories of (a) general data, (b) important data and (c) core data. The state would focus on the protection of personal information and important data and would strictly protect core data. Further data protection obligations are also being specified and added in the Regulations on the Administration of Network Data Security. Moreover, in case data processors process the data of more than one million people, chapter 4 of the Regulations on the Administration of Network Data Security foresees additional data protection requirements: Thus, for example, a data security management agency has to be established within the company. Furthermore, in order to share or trade important data, as well as to entrust the processing of important data third parties, a governmental consent is required.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body

Complete timeline of this policy change

Hide details
2021-11-14
under deliberation

On 14 November 2021, the Draft Regulations on the Administration of Network Data Security have been…

2021-11-14
in consultation

On 14 November 2021, the public consultation opened for the Draft Regulations on the Administration…

2021-12-13
processing consultation

On 13 December 2021, the public consultation opened for the Draft Regulations on the Administration…

2024-08-30
adopted

On 30 August 2024, the State Council of China approved the Network Data Security Management Regulat…

2025-01-01
in force

On 1 January 2025, the Network Data Security Management Regulation enters into force. The Regulatio…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity cross-cutting
Category All
2
Type Private organisation
Economic activity cross-cutting
Category All
3
Type Other corporate representative
Economic activity cross-cutting
Category All
4
Type Private organisation
Economic activity platform intermediary: user-generated content
Category All
5
Type Private organisation
Economic activity platform intermediary: user-generated content
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): data collection
Regulatory tool
Preventive security requirement
Responsive security requirement
Regulator notification requirement
Risk or other impact assessment requirement
User consent: Other requirement
User right to withdraw consent
User right to deletion of personal data
User right to access personal data
Sanctions
Fine
Disgorgement
Regulated subjects
1 2
Regulatory tool
Regulator disclosure requirement
User consent: Permit user opt-out
Sanctions
Restitution of damages
Fine
Regulated subjects
4 5
Regulatory tool
Designation of responsible employee
Creation of enforcement authority
TBR - Pre-approval
Sanctions
Regulated subjects
2
Regulatory tool
Sanctions
Suspension of business
Termination of business license
Termination of business
Regulated subjects
1 2 4 5
Regulatory tool
Sanctions
Fine
Occupational ban
Regulated subjects
3
personal data (all forms): storage (any form)
Regulatory tool
Preventive security requirement
Responsive security requirement
Regulator notification requirement
Risk or other impact assessment requirement
User consent: Other requirement
User right to withdraw consent
User right to deletion of personal data
User right to access personal data
Sanctions
Fine
Disgorgement
Regulated subjects
1 2
Regulatory tool
Regulator disclosure requirement
User consent: Permit user opt-out
Sanctions
Restitution of damages
Fine
Regulated subjects
4 5
Regulatory tool
Designation of responsible employee
Creation of enforcement authority
TBR - Pre-approval
Sanctions
Regulated subjects
2
Regulatory tool
Regulator reporting requirement
Sanctions
Regulated subjects
2 5
Regulatory tool
Sanctions
Suspension of business
Termination of business license
Termination of business
Regulated subjects
1 2 4 5
Regulatory tool
Sanctions
Fine
Occupational ban
Regulated subjects
3
personal data (all forms): sale
Regulatory tool
Preventive security requirement
Responsive security requirement
Regulator notification requirement
Risk or other impact assessment requirement
User consent: Other requirement
User right to withdraw consent
User right to deletion of personal data
User right to access personal data
Sanctions
Fine
Disgorgement
Regulated subjects
1 2
Regulatory tool
Regulator disclosure requirement
User consent: Permit user opt-out
Sanctions
Restitution of damages
Fine
Regulated subjects
4 5
Regulatory tool
Designation of responsible employee
Creation of enforcement authority
TBR - Pre-approval
Sanctions
Regulated subjects
2
Regulatory tool
Regulator reporting requirement
Sanctions
Regulated subjects
2 5
Regulatory tool
Sanctions
Suspension of business
Termination of business license
Termination of business
Regulated subjects
1 2 4 5
Regulatory tool
Sanctions
Fine
Occupational ban
Regulated subjects
3
personal data (all forms): data processing
Regulatory tool
Sanctions
Fine
Disgorgement
Regulated subjects
1 2
Regulatory tool
Sanctions
Suspension of business
Termination of business license
Termination of business
Regulated subjects
1 2 4 5
Regulatory tool
Sanctions
Fine
Occupational ban
Regulated subjects
3
Regulatory tool
Sanctions
Restitution of damages
Fine
Regulated subjects
4 5

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

personal data (all forms): data collection

personal data (all forms): storage (any form)

personal data (all forms): sale

personal data (all forms): data processing

We use cookies and other technologies to perform analytics on our website. By opting in, you consent to the use by us and our third-party partners of cookies and data gathered from your use of our platform. See our Privacy Policy to learn more about the use of data and your rights.