Offices – China
Explore all Offices
Global Reach
Global Reach

Apart from offering expert legal consultancy for local jurisdictions, CMS partners up with you to effectively navigate the complexities of global business and legal environments.

Explore our reach
Insights – China
Explore all insights
Expertise
Insights
Insights

CMS lawyers can provide future-facing advice for your business across a variety of specialisms and industries, worldwide.

Explore topics
Offices
Global Reach
Global Reach

Apart from offering expert legal consultancy for local jurisdictions, CMS partners up with you to effectively navigate the complexities of global business and legal environments.

Explore our reach
CMS China
Insights
Trending Topics
About CMS

Select your region

Newsletter 16 Oct 2024 · China

China Releases Regulations on Network Data Security Management

2 min read

On this page

On 30 September 2024, the State Council of China released the Regulations on Network Data Security Management (“Regulations”), which will come into effect on 1 January 2025.

1.      Background

The Regulations are the first administrative-level legal instrument in China following the establishment of the basic framework of China’s three fundamental laws in the field of data protection, i.e. the PRC Cybersecurity Law (“CSL”), the PRC Personal Information Protection Law (“PIPL”), and the PRC Data Security Law (“DSL”). After the release of the draft version for public comments in November 2021, following three years of anticipation, the Regulations have been finally published and will take effect on 1 January 2025.

The Regulations, overall, provide detailed stipulations of the three fundamental data laws, but many provisions have already been reflected and covered in previously issued laws, regulations, and national standards. Therefore, our article will focus on some new and key content from the perspective of company’s obligations.

2.      Scope of application

According to Article 2 of the Regulations, the Regulations apply to network data processing activities and their safety supervision and management within the territory of China. The activities processing personal information of Chinese natural persons, as well as the processing activities that would harm China’s national security, public interests, or the lawful rights and interests of citizens or organizations, carried out outside China, are also subject to the Regulations.

Based on the definitions in the Regulations, “network data” refers to “all kinds of electronic data processed and created through networks”, which theoretically excludes any data processed by physical means, such as on paper. The term “network data processor”1 refers to “a person or organization that decides on its own purpose and processing method in network data processing activities”.

Therefore, considering the widespread use of network processing data and the growing degree of digitization, most companies are subject to the Regulations and should attach importance to the Regulations.

Please click here to read the full newsletter.

1 The companies mentioned below are all referred to as network data processors.