On November 14, the Cyberspace Administration of China (CAC) issued a draft of the Regulations on Network Data Security (网络数据安全管理条例(征求意见稿) (link in Chinese)). The draft is open to public comments until December 13.

The draft is part of the implementation of the Cybersecurity Law, Data Security Law and Personal Information Protection Law. It has 75 articles in nine chapters, providing specific rules for general data, personal data, and important data. It also establishes rules for internet platform operators and government agencies when dealing with data.

In particular, it requires:

• Data security assessment for the export of important data and large amounts of personal information (more than 1 million people). There can be an exemption from the requirement if provided for by international agreements;
• Cybersecurity review for foreign listing of data processors which process personal information of more than one million people and some public listings of data processors in Hong Kong;
• Data security assessment for cloud computing services purchased by state agencies or critical information infrastructure operators.

In 2019, the CAC issued a draft (link in Chinese) for data security measures (unofficial English translation here). Compared to the older version, the new draft has more extensive and detailed rules, which could be a reflection of newly enacted cyber and data laws.

General rules

The draft will apply to data activities occurring within China that are:

• For the purpose of providing products and services;
• To analyze and evaluate activities of individuals and organizations;
• Involving the processing of domestic important data;
• In other situations provided for by laws and regulations. (Article 2)

It reiterates that the data will be protected in three tiers: ordinary data, important data, and core data, which would be subject to different levels of protection. (Article 5, 9) This is consistent with the requirement to “establish a classification system for data management and protection” in the Data Security Law and follows the same tier design as that in a recent draft governing data in the area of telecommunication and information. The latter document offers some definitions for ordinary data, important data and core data.

A key issue in China's data related rules is defining the scope of the important data and core data, which is an ongoing process. The draft requires all regions and agencies to work with data processors to identify and formulate the catalogs of important and core data, and report the lists to the national cybersecurity agency (the CAC). (Article 27) Earlier this year, the National Information Security Standardization Technical Committee issued a draft guidance (link in Chinese) on identifying important data, but the guidance was never finalized.

Cybersecurity review

The draft sets out four types of data-related activities that must file for cybersecurity reviews:

• The mergers, reorganizations, or divisions of internet platform operators that gather and manage a large amount of data related to national security, economic development, and public interests, when the activity affects or may affect national security;
• Foreign listing of data processors which process personal information of more than one million people;
• Public listing of data processors in Hong Kong, when it affects or may affect national security;
• Other data processing activities that affect or may affect national security. (Article 13)

Any violation of this provision will result in fines of up to 2 million yuan and be subject to other penalties as well. (Article 60)

The details of cybersecurity reviews are provided by the CAC in a draft of measures issued in July. The same document also requires security review for foreign listing of data processors which process personal information of more than one million people, purchase of network products and services by critical information infrastructure operators, as well as other purchases of network products and services that could threaten national security.

Protection of important data

Once identified as such, important data is subject to stricter protections. In particular, the draft states that processors of important data and data processors that go public overseas shall conduct self or third-party data security assessment on a yearly basis and report the results to municipal level of cyber agencies before January 31 of next year. The report should include:

• Handling and processing of important data;
• Identified data security risks and adopted measures;
• Data security management system and data security protection measures including data backup, encryption, access control and others, as well as the implementation and the effectiveness of the protection measures;
• Implementation of national data security laws, administrative regulations and standards;
• Data security incidents and responses;
• Security assessment of sharing, trading and entrusted processing of important data, as well as providing important data overseas;
• Complaints related to data security and handling of the complaints;
• Other data security conditions specified by the national cybersecurity agencies and other competent and regulatory authorities. (Article 32)

If the assessment of sharing, trading, entrusted processing and exporting of important data concludes that the data transaction will endanger national security, economic development or public interests, such transaction shall not proceed. (Article 32)

The exports of important data will also have to pass an administrative assessment, which will be explained further below.

A violation of Article 32 and 33 will be fined up to 5 million yuan and be subject to other penalties as well. (Article 62)

Cloud computing services purchased by state agencies or critical information infrastructure operators shall pass the security assessment conducted by the national cybersecurity agencies in conjunction with the relevant departments of the State Council. (Article 34)

The draft also notes that the processing of personal information of more than 1 million individuals will be subject to the same rules as important data. (Article 26)

Cross border data transfer

Data can be transferred overseas when meeting one of the following conditions:

• It passes the data export security assessment conducted by the national cybersecurity agencies;
• Both the data processor and the data recipient have obtained the personal information protection certification issued by professional organizations recognized by China’s national cybersecurity agencies;
• Setting forth both sides’ rights and obligations in a standard contract in accordance with the rules formulated by national cybersecurity agencies;
• Other conditions stipulated by laws, administrative regulations or rules formulated by national cybersecurity agencies. (Article 35)

There are some exceptions in which data can be exported without meeting the conditions. For instance, if the data processor transfers personal information on behalf of the individual to fulfill a contact, or such transfer is to protect the life, health or financial safety of the individual, the above-mentioned requirements may not apply. (Article 35)

While security assessment is not required for all data exports, a security assessment by national agencies is mandatory when the exports involve:

• Data that contains important data
• Personal information transferred by a critical information infrastructure operator or data processor that handles more than one million individuals’ personal data
• Other situations required by national cybersecurity agencies. (Article 37)

The CAC recently drafted measures which set out details on security assessment for data exports. The draft measures lay out more scenarios when an assessment is warranted, in addition to the ones illustrated above.

The draft creates a carve-out for international agreements, under which data can be exported without going through assessments. (Article 38)

During the data outflows, data exporters shall fulfill a series of obligations to ensure the safety of data. The exports should stop if national cybersecurity agencies so determine. Data cannot be turned over to foreign judicial or law enforcement agencies, unless authorized by national agencies. (Article 39)

All data processors that export personal information and important data are required to produce annual security reports and report to cyberspace agencies at the municipal level. (Article 40)

Violations of Article 37, 39, and 40 will result in fines of up to 10 million yuan and be subject to other penalties as well. (Article 64 and 65)

The draft also bans the bypassing of internet gateways, which are designed to block the inflow of information that is banned by laws and regulations. (Article 41) It states that any individual or organization shall not provide software, tools, routes, server hosting, technical support, payment settlement, or other services to circumvent the gateways. Any violation will result in confiscation of illegal incomes, fines, suspension or revocation of business license, and other punishments. (Article 66) China officially banned (link in Chinese) unlicensed VPNs in 2018. The draft seems to reinforce the restrictions by highlighting the punishment on unauthorized VPN providers.

Other provisions

For general data activities, the draft prohibits the following actions:

• Endangering national security or leaking state secretes;
• Infringing others' reputation, privacy, copyright and other legal rights;
• Obtaining data through theft or other illegal methods;
• Illegally selling or providing data to others;
• Making, publishing, copying, and disseminating illegal information;
• Other actions prohibited by laws and administrative regulations. (Article 8)

It also imposes a series of obligations on data processors in terms of data protection (Article 9-18). A violation of these obligations will result in fines of up to 2 million yuan and be subject to other penalties as well. (Article 60)

In the personal data chapter, the draft outlines specific rules for personal data processing and transfer, detailed requirements for notification and consent, and scenarios when personal data shall be deleted or anonymized. (Article 19-25) Any violation of the protection of personal data will be fined up to 50 million yuan or 5% of the revenue in previous year, as well as other administrative penalties. (Article 61)

In the chapter governing internet platform operators, the draft sets forth requirements for the operators to protect users’ privacy and prohibit operators from using user data to harm consumers’ interests or fair competition.

As part of breaking down the wall between different providers, the draft states that “[network operators] cannot restrict users from accessing other internet platforms or transferring files to other internet platforms unless there are valid reasons.” (Article 48) Previously, major internet platforms would block the links from other platforms, a practice to eliminate competition. In a press conference (link in Chinese) in September, government officials said they would address this issue. Now these draft regulations are the first attempt to impose penalties on the behavior.

For large network platform operators that have more than 100 million daily active users, when changing the platform rules and privacy rules, they shall publish such proposal for public comments, have such proposal assessed by third-party organization, and obtain the approval of cybersecurity agencies at the provincial level or above. (Article 43)

The draft defines “network platform operators” as “data processors that provide users with internet services such as information, social networking, transactions, payment, audiovisual, and other services,” and defines “large network platform operators” as “network platform operators that have more than 50 million users, handle a large amount of personal information and important data, and have large social influence and market dominance.”