On September 30, 2024, China’s State Council issued the Regulations on Network Data Security Management 2024 (hereinafter referred to as the “Regulations”), which will take effect on January 1, 2025. As a critical part of China’s cybersecurity and data protection framework, these Regulations provide detailed guidelines for implementing key laws, including the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL). Reflecting four years of legislative work beginning in 2020, the final version of the Regulations marks a shift towards balancing data security with economic development. In contrast to the 2021 draft released for public consultation, the final version of the Regulations eases certain compliance requirements for data and personal information processors, signaling China’s intent to reduce regulatory burdens on businesses. Comprising nine chapters and 64 articles, the Regulations address areas such as personal information protection, key data security, cross-border data transfer, and obligations for internet platform service providers. Key highlights for foreign stakeholders are summarized below.
Key data. Earlier drafts of the Regulations imposed extensive responsibilities on businesses, including requirements for approvals and registrations, which have been removed. This adjustment underscores the government’s position that safeguarding key data is primarily a state responsibility, as the main objectives are to protect national security and public interests.
Personal information protection. The Regulations do not introduce major innovations but focus on refining and clarifying the PIPL, particularly in terms of notification, consent, and individual rights. A significant requirement is that companies processing personal data of more than 10 million individuals must meet additional compliance obligations outlined in Articles 30 and 32 on key data management. Importantly, this does not mean that large-scale personal data automatically qualifies as “key data.” However, due to its sensitive nature, such data warrants increased oversight, making compliance essential for businesses handling significant volumes of personal information.
Cross-border Data Transfer. The Regulations align with existing regulations on cross-border data flows, such as the Provisions on Promoting and Regulating Cross-border Data Flows. The national authority, in collaboration with relevant departments, establishes mechanisms for managing cross-border data transfers and developing associated policies. While personal data may be transferred abroad under certain conditions, data not identified or officially classified as key data by relevant regions or departments is exempt from security assessment.
Compliance Considerations for Foreign Stakeholders. While the Regulations offer positive signals regarding China’s regulatory approach, foreign businesses operating in China should carefully analyze them and maintain open communication with authorities to ensure compliance. A notable challenge lies in the evolving regulatory environment, which is moving from results-based to process-based requirements. The Regulations now prescribe specific compliance measures, limiting the flexibility previously available to enterprises.
Furthermore, the national standard 20240405-T-469 Data Security Technology — Requirements for Data Security Protection is still under development, alongside various industry-specific standards that provide guidance on data classification and management. Foreign stakeholders with a legal presence in China should closely monitor these developments and industry-specific guidelines issued by associations or regulatory bodies. Noteworthy examples include the GB/T 42447-2023 Information Security Technology—Data Security Guidelines for the Telecom Sector and the Data Security Compliance Guidelines for the Industrial and Information Technology Sectors (Draft for Comment). Staying updated on these evolving standards will be essential for maintaining compliance and navigating China’s complex regulatory landscape.
