In late September 2024, the State Council published the Administrative Regulation on Network Data Security (“Regulation”), which took effect on 1 January 2025. This Regulation establishes a regime that regulates the security of a wide range of data and outlines a comprehensive set of requirements.
We are publishing a series of articles to explore the key aspects of the Regulation, covering various topics including the overall landscape, the core obligations related to data protection, and the specific duties concerning data export and platform scenarios. As the first instalment, this article will provide an overview of the Regulation’s framework.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
Promulgated in June 2021, the Data Security Law (“DSL”) proposes to establish a data security administration regime, centred around a so-called data categorisation and classification scheme. In essence, the regime provides for special categories and classes of data, namely important data and core data, and requires data processors to identify the data and afford an appropriate level of protection to the data, particularly important data and core data.
However, the DSL does not provide detailed information about the scheme, and does not even define exactly what constitutes important data. The law leaves the scope of these newly created categories of data undefined, providing only that sectoral regulators and local governments will publish catalogues of important data. Nor does the DSL provide any detail about how core data is to be identified.
As such, the Regulation is required to implement the scheme and provide guidance to the sectoral regulators, local governments as well as organisations and individuals as to how to comply with the DSL.
The central government’s attempt to implement the scheme dates back to May 2019, when the Cyberspace Administration of China (“CAC”) released draft Administrative Measures on Data Security two years before the DSL was promulgated. The topic resurfaced with the enactment of the DSL in June 2021, and subsequently in November 2021, the CAC released the draft Regulation for public consultation. However, for almost three years there had been no progress until recently.
It should be emphasised that, unlike the numerous regulatory rules issued by the CAC, which are departmental regulations, this Regulation is an administrative regulation issued by the State Council. In terms of legal authority, it ranks just below laws such as the DSL and PIPL, thereby granting it universal applicability across regions and industries. The enactment of the Regulation indicates that the central government may now recognise data security as one of its priorities in the coming years.
Processing of network data
The Regulation regulates “activities processing network data”. Network data is defined as any electronic data being processed and generated using a network.
The Regulation does not define “network”, which could have the same meaning as defined under the Cyber Security Law (“CSL”), i.e. information processing systems consisting of computers or other information terminals or equipment that collect, store, transfer, exchange and process information pursuant to rules and programs. Accordingly, the Regulation applies to the processing of electronically recorded information using a network. Therefore, any processing of data without using the network will not fall under the Regulation.
Whilst neither the Personal Information Protection Law (“PIPL”) nor the DSL restricts its jurisdiction to data processing using networks, there is no clear reason why the Regulation should do so. One possible explanation is that with the prevalence of modern information technologies being used in processing data the government might be less concerned about the processing of information taking place offline. However, the question is whether this might produce a loophole for circumventing the data security requirements thereunder.
Narrowed extraterritorial effect
The extraterritorial effect of the Regulation is generally in line with that of the PIPL and the DSL. It is worth noting that compared with the draft the Regulation has narrowed the extraterritorial scope by excluding general processing of important data outside China.
Specifically, the Regulation applies to (i) processing of personal information outside of China that (a) is for the purpose of providing products or services in China or (b) involves analysing or evaluating the behaviours of natural persons in China; and (ii) processing of Network Data outside China that harms the national security, public interest or legal rights and interests of Chinese citizens or organisations.
Interestingly, while the Regulation applies to the processing of Network Data only, contradictorily its extraterritorial effect relevant to personal information (“PI”) does not seem to be restricted to processing on the network only. It appears to be an unintended effect of the current draft, which may extend the Regulation to cover extraterritorial processing of PI off the network. We hope this could be clarified by the CAC when implementing it.
Core Data excluded
Unlike the previous draft, the Regulation does not attempt to further define core data and excludes from its scope processing of core data. Apparently, the government will issue separate legal documents to regulate core data.
Network Data Processor
Under the Regulation, the primary subject of core obligations is the Network Data Processor, defined as an individual or organisation that autonomously determines both the purpose and method of data processing in network data activities. This definition closely follows the approach of the PIPL in defining the “personal information processor”, but it has been extended to apply to the broader category of network data. In contrast, while the DSL introduces the concept of a “data processor”, it does not provide a specific definition, leaving this term somewhat open to interpretation. As such, the Regulation, by supplying a definition, enhances the enforceability of the obligations set out in the DSL in respect of network data.
A key point of clarification lies in the use of “autonomously (自主)” in both definitions under the Regulation and the PIPL. While the Chinese term “自主” might also be translated as “independently”, we believe it conveys a deeper meaning, emphasising that the Network Data Processor should have full control and self-management over its decisions, free from external interference. However, this “autonomy” does not exclude the possibility of joint controllership. A Network Data Processor may still work with others to jointly decide on the purpose and method of data processing, as outlined in Articles 12 and 31 of the Regulation.
In addition, the terms “determine”, “purpose”, and “method” in the Regulation mirror the corresponding concepts in the GDPR, creating a consistent framework that facilitates cooperation on a global scale.
Important Data
The Regulation is the first formal legislative document in which the central government defines important data, over three years after the enactment of the DSL. Under the Regulation, important data means data that (i) if modified without permission, destroyed, leaked, or illegally acquired or used, may directly harm national security, economic operation, social stability, and public health and safety, and (ii) is within specific sectors, groups or regions or reaches a certain level of precision or scale.
Before the Regulation, we had seen several versions of proposed definitions of important data. Compared with the previous versions, the Regulation retains the element that the misuse of the data could cause harmful effects on the state and the general public but refrains from setting out a detailed list of sectors, regions, or data types. Instead, it stipulates that important data should only exist in certain sectors, groups, or regions or reach a certain designated level of precision or scale.
The way that important data is defined paves the way for the Regulation to delegate the task of scoping important data to the ministries and local governments. In fact, the Regulation obligates sectoral regulators and regional authorities to create their own catalogues of important data. A data security work group will be set up at the central level to coordinate the creation of important data catalogues. One important deviation from the DSL is that the workgroup may not create a general catalogue at the central level.
This arrangement is apparently based on the view that the sectoral regulators and regional authorities are better positioned to determine what important data is in their specific sectors and regions. On the other hand, the lack of a central catalogue could generate a vacuum of guidance that may be filled by national standards.
The CAC retains its position as a coordinator of network security regulation. The public security and state security authorities will be responsible for tackling criminal activities involving network data security. The newly established National Data Administration is also given a role in network data security protection, although the Regulation falls short of giving more details. Sectoral regulators and local governments are responsible for security of network data of their own departments.
The regulatory authorities are given a range of investigative powers regarding the network data processors, including making inquiries about their personnel and checking relevant documents and records, security measures, equipment and materials. The Regulation nonetheless requires the authorities to act in a fair and objective manner in exercising these powers and to keep the information confidential.
The penalties under the Regulation vary depending on the nature and severity of the violation. For less serious infractions, authorities may require corrective actions, issue warnings, and confiscate any illegal gains. In more severe cases, penalties can include the suspension of business activities for rectification, revocation of relevant business licences or operating permits, and substantial fines. In instances where the Administrative Penalty Law or the Criminal Law is violated, the violating party may also face corresponding liability under applicable legal provisions.
In addition, as with the PIPL and the DSL, the Regulation holds both entities and individuals liable for breaches. For companies, fines can reach up to RMB 10 million, while individuals responsible for the violation can face fines of up to RMB 1 million.
Moreover, the Regulation grants enforcement authority to a range of agencies, including the CAC, telecommunications authorities, the Ministry of Public Security, and national security agencies, among others. This list is not exhaustive, as other relevant ministries or regulatory bodies may also impose penalties within their areas of jurisdiction.
Finally, in accordance with the Administrative Penalty Law, the Regulation allows for discretionary enforcement. Where a data processor takes proactive steps to eliminate or mitigate the harm caused by a violation, or where the violation is minor and rectified promptly without resulting in substantial harm, regulatory authorities may reduce or waive penalties.
The Regulation provides a detailed and comprehensive framework for the processing of Network Data and serves as an extension of China’s three pillars of cybersecurity legislation, i.e., the Cybersecurity Law, DSL, and PIPL. It refines and fills the gaps in the existing legal framework, and provides a clearer, more enforceable basis for Network Data governance. This article has introduced the scope, key definitions, and law enforcement framework outlined under the Regulation, and the following two articles will delve into the core obligations and specific requirements in specialised scenarios.
While the Regulation takes significant steps towards enhancing the governance of Network Data, ongoing assessment and adaptation will be necessary to address emerging challenges. As such, we recommend that businesses closely monitor the Regulation’s requirements and its implementation, particularly those provisions that further clarify and expand upon the rules established by the PIPL and DSL, to ensure full compliance with regulatory standards.