Keeping up with China’s data privacy regime – recent updates

Authored by: Dora Si and Andy Yu

As China’s complex data privacy regime continues to evolve, we summarise the latest developments in data protection and cybersecurity.

Regulations on Network Data Security Management

The “Regulations on Network Data Security Management” (“Regulations”), published by the State Council on 30 September 2024, set out more detailed obligations applicable to network data handlers when processing personal information and important data. The Regulations will come into force on 1 January 2025.

Key highlights include:

  • Similar to the Personal Information Protection Law (PIPL), the Regulations have extraterritorial effect and apply to overseas network data handlers, who are required (among other obligations) to designate an organization or representative within Mainland China and report the details to the local authorities.
  • With respect to outbound data transfer, the Regulations have added a new basis for justification: network data handlers may transfer personal information outside Mainland China for the purpose of performing statutory duties or obligations.
  • Processing of the personal information of 10 million or more data subjects (as opposed to 1 million) will require compliance with additional obligations applicable to processing of important data.
  • The Regulations reiterate the obligations relating to the notifications required prior to processing personal information, including informing data subjects of their rights and the channels to cancel their accounts and withdraw consents. With respect to the data retention period, where such period cannot be ascertained, the manner in which the retention period shall be determined shall be specified.
  • Notifications to data subjects regarding the collection of their personal data and provision to third party data handlers should be presented in a list format.
  • In addition to PIPL’s requirement that there needs to be a contract when entrusting others to process personal information, the Regulations extend the requirement to where a network data handler provides personal information to other network data handlers. The party offering personal information in these scenarios must supervise the recipient and records of processing activities must be kept for at least 3 years.

Cybersecurity Standard Practice Guidelines – Sensitive Personal Information Identification Guidelines

The National Technical Committee 260 on Cybersecurity (TC260) issued the “Cybersecurity Standard Practice Guidelines – Sensitive Personal Information Identification Guidelines” (“Guidelines”) in September 2024. These provide further guidance on the definition and the types of personal information classified as sensitive personal information.

  • A welcome change is that certain types of personal information are no longer deemed prima facie to be sensitive personal information under the Guidelines, for example:

    • Identity documents such as an identity card, passport, driver’s licence, work permit, social security card, residence card, etc., subject to certain exceptions such as where the identity in question may be prone to discrimination. However, although an ID number, for example, is no longer deemed sensitive, a data subject’s picture on his/her proof of identity remains sensitive personal information;

    • Internet browsing history;

    • Communication records and contents, which could include phone and instant messaging records and conversations;

    • Transaction and spending records;

    • Weight, height, blood type, etc. of a data subject if such information is irrelevant to his/her illness or medical treatments.

The Guidelines are already in effect.

Businesses are recommended to review their internal personal information processing protocols and privacy policies to ensure alignment with the latest regulatory updates.
