Authored by: Dora Si and Andy Yu
As China’s complex data privacy regime continues to evolve, we summarise the latest developments in data protection and cybersecurity.
Regulations on Network Data Security Management
The “Regulations on Network Data Security Management” (“Regulations”), published by the State Council on 30 September 2024, set out more detailed obligations that apply to network data handlers when they process personal information and important data. The Regulations come into force on 1 January 2025.
Key highlights include:
- Like the Personal Information Protection Law (PIPL), the Regulations have extraterritorial effect and apply to overseas network data handlers, who are required (among other obligations) to designate an organisation or representative within Mainland China and report its details to the local authorities.
- For outbound data transfers, the Regulations add a new legal basis: network data handlers may transfer personal information outside Mainland China where this is necessary to perform statutory duties or obligations.
- Network data handlers processing the personal information of 10 million or more data subjects (rather than 1 million) must also comply with certain obligations that apply to the processing of important data.
- The Regulations reiterate the notice obligations that apply before personal information is processed, including informing data subjects of their rights and of the channels for cancelling their accounts and withdrawing consent. Where the data retention period cannot be ascertained, the notice must specify how the retention period will be determined.
- Notices to data subjects about the collection of their personal information and its provision to third-party data handlers should be presented in a list format.
- In addition to the PIPL requirement for a contract when entrusting others to process personal information, the Regulations extend the contract requirement to cases where a network data handler provides personal information to another network data handler. In these scenarios the party providing the personal information must supervise the recipient, and records of the processing activities must be kept for at least three years.
Cybersecurity Standard Practice Guidelines – Sensitive Personal Information Identification Guidelines
The National Technical Committee 260 on Cybersecurity (TC260) issued the “Cybersecurity Standard Practice Guidelines – Sensitive Personal Information Identification Guidelines” (“Guidelines”) in September 2024. These provide further guidance on the definition and the types of personal information classified as sensitive personal information.
A welcome change is that certain types of personal information are no longer deemed prima facie sensitive personal information under the Guidelines, for example:
- Identity documents such as an identity card, passport, driver’s licence, work permit, social security card or residence card, subject to certain exceptions, such as where the identity in question may expose the data subject to discrimination. Note, however, that although an ID number, for example, is no longer deemed sensitive, the data subject’s photograph on his/her proof of identity remains sensitive personal information;
- Internet browsing history;
- Communication records and contents which could include phone and instant messaging records and conversations;
- Transaction and spending records;
- Weight, height, blood type and similar data about a data subject, provided the information is unrelated to his/her illness or medical treatment.
The Guidelines are already in effect.
Businesses should review their internal personal information processing protocols and privacy policies to ensure they are aligned with these latest regulatory updates.