China: Consultation closed for Draft Regulations on the Administration of Network Data Security including data transfer requirements

Description

Consultation closed for Draft Regulations on the Administration of Network Data Security including data transfer requirements

On 13 December 2021, the consultation for the Regulations on the Administration of Network Data Security closed after being opened on 14 November 2021. The draft in question is intended to implement and further specify the details of the (i) Cybersecurity Law, (ii) Data Security Law and the (iii) Personal Information Protection Law (PIPL). As the draft provides, data shall be classified and thus fall under the categories of (a) general data, (b) important data and (c) core data. Chapter 5 of the draft is devoted to the "data cross-border security management", which includes data transfer requirements. Thus, Art. 35 of the draft requires that one of the following four conditions is met: (1) Data export security assessment by the national cybersecurity department is passed; (2) Both, the data processor and the data recipient have passed the personal information protection certification conducted by a professional organization recognized by the national cybersecurity department; (3) Entering into a contract with the overseas data recipient in accordance with the provisions on standard contracts formulated by the national cybersecurity department, stipulating the rights and obligations of both parties; or (4) other conditions stipulated by laws. Furthermore, a data processor, who intends to provide personal information outside the People's Republic of China, shall inform the individual of the name, contact information, processing purpose, processing method, type of personal information and the individual's exercise to the overseas data recipient. Additionally, the individual's consent shall be obtained (see Art. 36). Furthermore, if a data processor falls under certain categories, it must pass the data exit security assessment organized by the cybersecurity and informatization department (Art. 37). These mentioned categories include (i) data containing "important data"; (ii) critical information infrastructure operators and data processors that process the personal information of more than one million people; and (iii) in other circumstances stipulated by the national network information department. Art. 39 consists of further obligations for data processors providing data overseas.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cross-border data transfer regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body

Complete timeline of this policy change

Hide details
2021-11-14
under deliberation

On 14 November 2021, the Draft Regulations on the Administration of Network Data Security have been…

2021-11-14
in consultation

On 14 November 2021, the consultation for the Draft Regulations on the Administration of Network Da…

2021-12-13
processing consultation

On 13 December 2021, the consultation for the Regulations on the Administration of Network Data Sec…

2024-08-30
adopted

On 30 August 2024, the State Council of China approved the Network Data Security Management Regulat…

2025-01-01
in force

On 1 January 2025, the Network Data Security Management Regulation enters into force. The Regulatio…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity cross-cutting
Category All
2
Type Other corporate representative
Economic activity cross-cutting
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): transfer: cross-border
Regulatory tool
Regulator reporting requirement
User consent: Other requirement
Regulator notification requirement
Standard contractual clauses requirement
Regulator approval requirement
Adequacy decision requirement
Sanctions
Suspension of business
Termination of business
Fine
Regulated subjects
1
Regulatory tool
Sanctions
Fine
Regulated subjects
2

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

personal data (all forms): transfer: cross-border

We use cookies and other technologies to perform analytics on our website. By opting in, you consent to the use by us and our third-party partners of cookies and data gathered from your use of our platform. See our Privacy Policy to learn more about the use of data and your rights.