Clyde & Co write:
The new Regulations on the Management of Network Data Security (《网络数据安全管理条例》) [1] (the “Regulations”) were issued by the State Council of the People’s Republic of China (“China”) on 24 September 2024 and will come into force on 1 January 2025. With a focus on network data [2], the Regulations supplemented and provided further guidance on China’s data security regulatory regime [3]; clarified what “important data” is, and refined the protection of personal information and the rules and regulations on cross-border data transfer. In this newsletter, we set out the 8 key takeaways of the Regulations.
General provisions under the Regulations
- What kind of data processing activities will be covered by the Regulations?
The Regulations will apply to the supervision and management of network data processing activities within China, and those personal information processing activities outside China that are subject to the China Personal Information Protection Law (“PIPL”) (i.e., overseas personal information processing activities which are conducted for the purpose of providing products or services to individuals in China or which involves analysing and evaluating behaviours of individuals in China).
The Regulations further provide that anyone who carries out network data processing activities outside China to the detriment of national security, public interest or the lawful rights and interests of citizens or organisations of China shall be held legally liable in accordance with the law.
With technological advancement, the Regulations will have a far-reaching effect to entities in China as most data these days are commonly processed or handled through networks.
Read more at Clyde & Co.