On 13 December 2021, the public consultation opened for the Draft Regulations on the Administration of Network Data Security. The draft in question is intended to implement and further specify the details of the (i) Cybersecurity Law, (ii) Data Security Law and the (iii) Personal Information Protection Law (PIPL). As the draft provides, data shall be classified and thus fall under the categories of (a) general data, (b) important data and (c) core data. The state would focus on the protection of personal information and important data and would strictly protect core data. Further data protection obligations are also added in the Draft Regulations on the Administration of Network Data Security. Moreover, in case data processors process the data of more than one million people, chapter 4 of the Regulations on the Administration of Network Data Security provides for additional data protection requirements: For example, a data security management agency has to be established as part of the company. Furthermore, in order to share or trade important data, as well as to entrust the processing of important data third parties, a governmental consent is required.
Original source