This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
In November 2024, China introduced a series of laws, regulations, and policies focusing on key areas such as personal information protection, data resource development, and data security. These measures aim to continuously strengthen the protection of personal information rights, promote the development of the digital economy, and enhance data security management:
Follow the links below to view the official policy documents or public announcements.
1. NPC revised the anti-money laundering law, specifying the obligation requirements for data security and personal information protection (9 November)
The NPC revised the Anti-Money Laundering Law of the People’s Republic of China, aiming to further regulate anti-money laundering work and enhance the development of the rule of law for finance. The revisions introduce or specify several obligations for financial institutions concerning data security and personal information protection. For instance, the retention period for client’s identity materials has been extended from the previous minimum of five years to at least ten years. Additionally, institutions providing anti-money laundering services must process the data and information collected through their services in accordance with laws and ensure the security of such data. This law will come into force on 1 January 2025, marking a significant step forward in reinforcing personal information protection within the anti-money laundering area and maintaining the financial order.
The National Technical Committee 260 on Cybersecurity of Standardization Administration of China (“TC260”) issued the Cybersecurity Standards Practice Guide—Requirements for Cross-Border Processing and Protection of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong), aiming to promote safe and orderly cross-border flow of personal information. This document, which takes into account the legal frameworks of both Mainland China and Hong Kong, outlines the basic principles for cross-border personal data transfers within the GBA (Mainland, Hong Kong) through a “Mutual Recognition of Security” framework. This document clarifies requirements for processing when providing or receiving personal information across borders, as well as ensuring the protection of individuals’ personal information rights and interests. The release of this guideline further demonstrates the collaborative efforts between the mainland and Hong Kong in data protection, and it will help promote further cooperation in other areas.
3. National Data Bureau released an action plan, guiding and supporting the development of trusted data spaces (23 November)
The National Data Bureau released the Action Plan for the Development of Trusted Data Spaces (2024-2028), aiming to guide and support the development of trusted data spaces and promote the circulation and sharing of data elements. The action plan sets a target to establish over 100 trusted data spaces by 2028, creating a network of data spaces that are interconnected, resource-aggregated, and well-governed. Additionally, the action plan also emphasises strengthening the capabilities in trustworthy data control, resource interaction, and value co-creation, promoting the construction of trusted data spaces across enterprises, industries, cities and individuals, exploring cross-border data flows and international cooperation, and facilitating the secure and efficient sharing of data resources.
Several industry associations, including the China Communications Enterprise Association, jointly released the Compliance Guidelines for Data Security in the Field of Industry and Information Technology, aiming to guide data processors in the industrial and information technology field to standardise data processing activities and strengthen data security management. These guidelines specify the basic methods for data classification and grading, requiring enterprises to establish a comprehensive data security management system and enhance risk prevention and control in the processes of data collection, storage, transmission, and destruction. Additionally, it emphasises the need for enterprises to strengthen data security risk monitoring and assessment, as well as to improve emergency response mechanisms. For key scenarios such as data transactions and cross-border data transfers, this document also clarifies relevant data security management requirements to ensure the security and compliance during the data circulation process.
5. MIIT opened a second public consultation on an industry standard, advancing the standardization of important data identification in the industrial sector (11 November)
The MIIT opened the second public consultation on the Guidelines for Identifying Important Data in the Industrial Sector, aiming to further standardise and optimise the identification and security management of important data in the industrial field. These guidelines outline the basic principles and processes for identifying important data and provide guidance for enterprises to conduct data identification from multiple perspectives, including national security, industry development safety, and industry-specific characteristics. The document is also intended to serve as a reference for industry regulators in establishing a catalogue of important data for the industrial sector.
6. Shanghai issued interim measures to promote intellectual property registration and preservation for data products (14 November)
The Shanghai Intellectual Property Administration and the Shanghai Data Bureau jointly released the Interim Measures for the Registration and Preservation of Intellectual Property for Data Products, aimed at strengthening the protection of intellectual property for data products, accumulating pioneering experience, and promoting the development of the digital economy. The measures clarify the process for registering and preserving intellectual property for data products, requiring all registration and changes to be conducted through the Shanghai Data Product Intellectual Property Management Platform. The Shanghai Intellectual Property Administration will oversee the review, supervision, and management of the intellectual property registrations of data products, ensuring the legal protection of intellectual property for enterprises and individuals.
7. Shanghai CAC issued compliance guidelines to require online platforms to fulfil obligations for the protection of minors in cyberspace(28 November)
At the Event of “Clear and Bright Pujiang 2024” – The Internet Ecological Governance Summary, the Shanghai CAC released the Compliance Guidelines for Local Online Platforms in Shanghai to Fulfil the Obligations for the Protection of Minors in Cyberspace (Trial), aiming to implement responsibilities of local online platforms and strengthen the protection of minors in cyberspace. These guidelines clarify the specific obligations for online platform service providers, including using minor mode, assessing the impact of the protection of minors in cyberspace, and establishing comprehensive compliance systems. It also requires online platforms to take effective measures to prevent minor’s addiction to the Internet, regulate online information content, and regularly release special reports on social responsibility for the protection of minors in cyberspace to facilitate public supervision. The guidelines will be trialled across 20 local online platforms in Shanghai from the date of issuance, providing guidance on how they can meet their obligations to protect minors in cyberspace.
8. Shandong Provincial Big Data Bureau planned to formulate management measures to regulate public data authorized operations (7 November)
The Shandong Provincial Big Data Bureau opened a public consultation for the Measures for the Management of Authorized Operations of Public Data Resources in Shandong Province, aimed at standardising and promoting the authorised operation of public data resources and advancing the development and utilisation of public data. The measures require industry regulatory authorities to compile categories, consolidate resources, and oversee data governance to ensure data supply. According to the implementation plan and legal procedures, authorities must sign agreements with authorised operation agencies for the management and operation of public data. The measures also mandate that both implementing and operating agencies establish strict data protection measures to ensure data security.
9. Internet technology company penalised for failing to timely address illegal content and implement a teen mode (22 November)
The public security authorities imposed an administrative penalty on an internet technology company for failing to promptly address illegal content on its short video platform, particularly for not effectively implementing a “teen mode”. This failure led to the spread of harmful content, endangering the physical and mental health of minors. Following an investigation, the authorities issued a warning under the Cybersecurity Law and ordered the company to comprehensively remove illegal content, implement the teen mode, and take actions against violating accounts. The authorities urge other internet platforms to take this as a cautionary example, strengthen cybersecurity management, and prevent harmful content from negatively affecting minors.
10. MIIT reported 27 Apps and SDKs violating user rights and interests, including illegal activities such as unauthorized collection of personal information (13 November)
The MIIT reported 27 Apps and SDKs that were found to violate user rights and interests. The reported issues include the illegal or excessive collection of personal information, forced permission requests, and inadequate disclosure of SDK information. The MIIT is continuing its efforts to address violations of user rights and interests by Apps and has ordered these Apps and SDKs to rectify the issues in accordance with relevant regulations. Platforms that fail to make timely improvements will face further legal action.
11. Shanghai Communications Administration reported 36 privacy-violating Apps and mini-programs (15 November)
The Shanghai Communications Administration issued a notice regarding 36 Apps and mini-programs that were found to violate user rights. Through random checks of mobile internet applications in Shanghai, the administration identifies issues such as the illegal collection of personal information and the failure to clearly disclose personal information processing rules. The notice requires these Apps and mini-programs to make timely corrections within a specified deadline in accordance with relevant regulations. A warning is also issued that failure to adequately rectify the issues will result in legal and regulatory actions.
The Hunan CAC imposed an administrative penalty on an information technology company for failing to fulfil its data security protection obligations. An investigation reveals that the company’s systems do not implement effective technical and management measures to safeguard data security, leaving unauthorised access vulnerabilities that resulted in multiple data leaks, seriously compromising data security. According to the Data Security Law and other relevant regulations, the Hunan CAC ordered the company to make corrections, issued a warning, and imposed fines. The company, its responsible personnel, and the individuals directly accountable for the violations are fined ¥200,000, ¥30,000, and ¥20,000, respectively.
13. National Computer Virus Emergency Response Centre reported 13 privacy-violating Apps, mainly in e-commerce and other sectors (11 November)
The National Computer Virus Emergency Response Centre reported that 13 Apps were found to have privacy compliance issues. These issues primarily include the failure to clearly prompt users to read the privacy policy upon first use, insufficient details on the purpose and methods of personal information collection and usage in the privacy policy, and the provision of personal data to third parties without user consent. Additionally, some Apps lack easy access for users to correct or delete their personal information and fail to establish and publicise channels for complaints or reports regarding personal data security, and do not provide users with a way to withdraw consent. The centre advises users to be cautious when downloading and using non-compliant Apps, to carefully read privacy policies, and to take steps to protect their personal privacy information.
The Beijing CAC, the Beijing Municipal Bureau of Economy and Information Technology, and the Beijing Communications Administration jointly issued a notice requiring automotive data controllers in the Beijing area to submit reports on their 2024 automotive data security management. The notice specifies that automotive data controllers include entities such as automobile manufacturers, parts and software suppliers, and mobility service providers. The reporting content includes a report on automotive data security management, a risk assessment report, and information on automotive data controllers processing important automotive data.
15. Guangdong Communications Administration reported 10 Apps failing to complete privacy compliance and data security rectifications (28 November)
During a special campaign targeting App privacy compliance and data security, the Guangdong Communications Administration publicly reported 10 Apps that failed to complete the required rectifications. These Apps had previously been ordered to rectify their violations within a set deadline, but they did not meet the required standards by the due date. The Guangdong Communications Administration urges these 10 Apps to promptly make the required corrections within the specified timeframe, warning that failure to do so will result in further legal and regulatory actions.
16. National Data Bureau planned to release guidelines to advance the construction of data infrastructure and facilitate the development and application of data (22 November)
The National Data Bureau released the Guidelines for the Construction of National Data Infrastructure (Draft for Public Comment), aimed at advancing the construction of data infrastructure and promoting the creation of a horizontally interconnected and vertically integrated national data infrastructure framework. These guidelines provide the development vision and overall functions of data infrastructure, and set a goal for the basic completion of the national data infrastructure framework by 2029. In terms of system development, the guidelines emphasise building a foundation for data circulation and utilisation, optimising the efficient supply of data, and establishing a trustworthy data circulation system to support the development of the digital economy and the construction of digital China. These guidelines are expected to further drive the development of national data infrastructure.
17. State Council issued opinions to promote the reform and innovation of digital trade development (28 November)
The General Office of the Communist Party of China Central Committee and the General Office of the State Council issued the Opinions on the Reform and Innovation of Digital Trade Development, aiming to promote the reform and innovation of digital trade in China and gradually establish an orderly, secure, and efficient governance system. The opinions emphasise the need to cultivate and expand the business entities in digital trade, encouraging enterprises to actively develop trade in areas such as digital technologies, digital services, and digital ordering. It also calls for advancing the institutional opening of digital trade, relaxing market access, and encouraging foreign investment in the digital sector, with the goal of creating high-level open platforms for digital trade. The document stresses strengthening the governance of digital trade, participating in the formulation of international rules, and building a system of digital trust and security, with the aim of enhancing China’s international influence in digital trade.
The Hainan Province issued the Regulations on the Development of International Data Centres in Hainan Free Trade Port, aimed at promoting the development of international data centres in the region. The regulations support both domestic and foreign enterprises in establishing international data centres in the Hainan Free Trade Port, outlining specific pathways for facilitating regional international data cross-border flow. A negative list management system for data exports will also be implemented. Additionally, the regulations require strengthening network and data security, establishing a security system involving relevant authorities, basic telecommunications operators, and related operators to ensure the safe and orderly flow of cross-border data.
19. CAC issued an initiative calling for global cooperation on cross-border data flow, promoting trade facilitation and accelerating industrial digital transformation (20 November)
The CAC released the Global Cross-Border Data Flow Cooperation Initiative, calling on all countries to promote global data cross-border flow cooperation while safeguarding national security, protecting public interests, and respecting personal privacy. The initiative emphasises that countries should adhere to the principles of openness, inclusiveness, security, cooperation, and non-discrimination, respect the regulatory differences of various countries and regions, and encourage cross-border data flows needed for commercial and social activities, thereby facilitating cross-border data transmission. The initiative also supports the participation of developing countries in digital economy growth and advocates for strengthened international cooperation to enhance transparency in data flow and technological capabilities.
The TC260 held a launch meeting for the pilot program of the national standard Data Security Technology - Requirements for Personal Information Protection Compliance Audits in Beijing, aiming to verify the scientific, rational, and practical applicability of the standard, as well as to accumulate typical cases and experiences in personal information protection compliance audits. It also will provide support for the promotion and application of the standard. The pilot program will involve 36 organisations selected from sectors such as the Internet, finance, transportation, healthcare, and telecommunications, and will be carried out in an orderly manner according to the outlined plan to further advance personal information protection compliance audits.
21. National Data Bureau planned to release an implementation plan to promote the marketization and valuation of data elements (29 November)
The National Data Bureau opened a public consultation for the Implementation Plan for Improving Data Flow Security Governance and Better Promoting the Marketization and Valuation of Data Elements, aimed at facilitating the compliant and efficient circulation and use of data elements. The plan requires enterprises to establish rules for the secure data circulation, strengthen the management of public data flow, ensure the protection of personal information, improve mechanisms for defining responsibilities in data flow security, promote the application of data security technologies, and expand the supply of data security services. The plan also emphasises the need to prevent data misuse risks and foster a positive interaction between high-quality data development and safety. It aims to establish a fundamentally complete data flow security governance system by the end of 2027.
22. 2024 World Internet Conference provided clearer guidance on cross-border flow of financial data (22 November)
At the 2024 World Internet Conference, the People’s Bank of China issued a statement that the Compliance Guidelines for Promoting and Regulating the Cross-Border Flow of Financial Data are being finalised. The guidelines aim to provide clear rules and guidance to facilitate the cross-border flow of financial data. Meanwhile, the CAC highlights that following the implementation of the Regulations on Promoting and Regulating Cross-Border Data Flow, the time required for data export security assessments has been significantly shortened to less than 30 working days. All parties emphasise the need to continue improving the cross-border data management system, balancing data flow with security, and supporting the global development of enterprises.
The National Data Bureau and relevant departments held a meeting on the construction of Digital China, reviewing the progress made in 2024 and deploying the future works. The meeting emphasises that local governments and departments shall actively promote the market-oriented allocation of data elements and improve the organisational mechanisms for the construction of Digital China. It also stresses the importance of fulfilling primary responsibilities and prioritising digital development in regional agendas. Furthermore, the meeting highlights the need to identify typical cases, organise major events such as the Digital China Summit, and foster broad consensus on development.
24. Hunan Province issued a work plan, strengthening data asset management and promoting the recording of enterprise data assets (14 November)
Hunan Province released the Work Plan for Hunan Province to Strengthen Data Asset Management, aimed at exploring a practical model for managing public data assets. The work plan outlines a unified provincial deployment of pilot programs for data asset management and sets a target for 100 enterprises to complete the recording of their data assets by the end of 2026. The plan emphasises the establishment of mechanisms for data asset registration, information enrichment, usage management, and value assessment. It also promotes the recording of enterprises data assets and the distribution of stakeholder while exploring data asset disposal and risk prevention measures. The document proposes to drive the development and utilisation of data assets through means such as authorised operations, data transactions and circulation, and data integration applications.
The China Consumers Association(“CCA”) issued an initiative addressing consumer issues related to suspicious links. The CCA points out that some shopping applications excessively request personal information and force consumers to accept personalised services, thereby narrowing and labelling the pushed information. Such practices constitute the abuse of consumer personal information and restrict consumers’ right to free choice. The CCA suggests that businesses shall adhere to ethical standards and protect consumers’ legal rights and interests. It also calls for proactive enforcement actions by regulators. Additionally, consumers are advised to be vigilant when encountering suspicious links, protecting their personal information.
26. CAC released an infographic on data export, providing a comprehensive overview of China’s data compliance requirements (19 November)
The CAC released an infographic titled Compliance Guidelines for Data Exports from China, aimed at simplifying the complex compliance process and providing clear guidance on China’s data export activities. The infographic provides the definition of data export behaviours and specifies that important data and personal information are the primary subjects of data export security management. It also outlines the content related to the scope of application, list of submission materials, and procedures for data export security assessments and the filing of standard contracts for exporting personal information. Additionally, the infographic provides contact details for provincial-level CAC offices to offer guidance and assistance to data processors involved in data exports.