China Releases New Regulations on Network Data Security Management – Observations from the Perspective of Important Data Regulation

Introduction

Following three years of lengthy rule preparation and consultation, China¹ released the version of the Network Data Security Management Regulations ("Network Data Measures") on 30 September 2024.

The legal status of the Network Data Measures is an administrative regulation, which is inferior to the Cybersecurity Law ("CSL"), the Data Security Law and the Personal Information Protection Law ("PIPL") which are primary PRC legislations (collectively, "Primary Legislation"), but superior to the rules issued by the Cyberspace Administration of China ("CAC") in relation to specific regulatory matters, such as the recently released Regulations regarding Promoting and Regulating Cross-border Data Flow ("Data Flow Promotion Rules"), the Measures for the Security Assessment of Outbound Cross-Border Data Transfer, and so on. Notwithstanding this, the Network Data Measures is another patchwork legislation which seeks to address some key issues which remain open under the Primary Legislation, including the classification of "important data" ("Important Data") and the related data protection measures.

Evolution of Proposed Important Data Regulations

The concept of "important data" has evolved over the past few years. Different regulatory approaches have been tested as the PRC legislators formulate rules to regulate this space:

Overly restrictive approach introduced

(i) In 2017, shortly after the promulgation of CSL, a draft consultation paper of National Standards on the Security Assessment Guidelines for Cross-border Transfer of Data was released which sets out a draft catalogue of Important Data across many industries. The catalogue entails specific data types at a granular level. For example, financial transaction information was generally specified as Important Data. Certain public information was also included as Important Data (e.g. court judgements, decisions and judicial enforcement actions).

(ii) The above 2017 consultation paper (together with a draft Security Assessment Measures on the Cross-border Transfer of Personal Data and Important Data) also specified that any contemplated cross-border transfer of data exceeding 1,000 GB in size will trigger security review by PRC authorities. This volume-based approach has caused market concerns.

(iii) These rules remained in draft and unclarity prevailed for a long while. Companies that attempted to conduct self-assessments of data security review faced the dilemma of (1) being exposed to risks of failing to identify any data that may be classified as Important Data; and (2) seeking regulatory guidance which may not be forthcoming on a timely basis, causing delays and disruptions to business decisions.

Less restrictive approach introduced

(i) In 2022, a draft National Guidelines for the Classification of Important Data ("Draft Classification Guidelines") was released by the National Information Security Standardisation Commission. This draft takes a less restrictive approach over the regulation of Important Data. Important Data was defined to be "data related to a specific industry, group, region or reaching a certain degree of precision and scale, the disclosure, alteration or destruction of which may directly endanger national security, economic operation, social stability or public health and safety". The Draft Classification Guidelines further specify that any data which only concerns/affects specific organisations or individuals is generally not considered Important Data.

(ii) Thereafter, several sectoral and regional regulators have expressly exempted commercial/business data generated/processed by companies during their ordinary course of business from cross border data transfer restrictions. For example, the Shanghai government has stated that “…financial Institutions [in the Shanghai Free Trade Zone]… are free to transfer data used for their ordinary business operation to overseas.”² Recently, the CAC also stated that "unless the data processor has been informed by the responsible government agency about the classification of certain data as “Important Data” or such information has been publicised, companies may assume that the data is not (Important Data)."³ This is consistent with China's reiterated opening-up policy to encourage foreign investments and free trades.

(iii) The Draft Classification Guidelines were later consolidated into the National Standards GB/T 43697 2024 on Data Categorization and Classification Rules which were officially issued on 21 March 2024, as well as the Data Flow Promotion Rules dated 22 March 2024.

Less restrictive approach finalised, but rule fragmentation exists

(i) The Network Data Measures largely adopts the definition of Important Data to be "data within any specific sector, group or region, or data that has reached a certain level of granularity and scale, and may directly endanger national security, economic operations, social stability, public health, and safety if tampered with, destroyed, leaked, or illegally obtained or used". It also specifies that the responsibility to prepare Important Data catalogues stay with the sectoral and regional regulators. Any Important Data that has been designated by the sectoral or regional regulators must be promptly publicized or notified to the regulated entities. This appears to be sending a positive signal of regulatory predictability which market participants have long hoped for. That said, there remain to be some unclarities around when the majority of sectoral regulators may release their own designated lists of Important Data, and how such lists may be subject to changes.

(ii) We note that, in line with this approach, certain industry regulators (e.g. automotive industry) and a few Free Trade Zone ("FTZ") municipal/provincial regulators have released their own categorisation of "data negative lists". It is also notable that some "data negative lists" seemingly avoid any direct Important Data specifications. This means that, other than being restricted from cross-border transfers from these specific FTZs, Important Data requirements⁴ may not automatically be triggered. This may or may not be intended.

(iii) Practitioners are also advised to be mindful of rule fragmentations and continue to monitor sectoral and regional rules which may deviate from the Network Data Measures. For example:

(a) whilst the scope of Important Data has not historically explicitly included personal data, Article 28 of the Network Data Measures provides that network data controllers who process personal data of more than 10,000,000 data subjects (uplifted from 1,000,000 as originally drafted) will need to comply with the same cybersecurity requirements and reporting obligations in the event of merger, spin-off, dissolution, insolvency that apply to their counterparts dealing with Important Data;

(b) the Several Provisions on Automotive Data Security Management provides that "important data" in the automotive industry includes personal data of more than 100,000 data subjects. This is a more restrictive requirement than that under the Network Data Measures;

(c) the Measures for the Management of Negative List for Cross-Border Data Transfer in the China (Beijing) Pilot Free Trade Zone provides that "important data" includes sensitive personal information of more than 1 million data subjects.

Outlook

Overall, the Network Data Measures is one of a series of implementation rules recently finalised by CAC with a more pro-business touch, with further clarities still required in future implementation details. Other notable developments under Network Data Measures include the following⁵:

(A) latest exemptions to cross-border data transfer requirements under the PIPL have been strengthened;

(B) removal of direct security review requirement on artificial intelligence-based products and services; and

(C) the one-size-fits-all approach on non-compliance activities is mitigated by a certain degree of tolerance on light and/or timely rectified violations.

The Network Data Measures will take effect on 1 January 2025.