Li Qiang signs State Council order to announce the "Regulations on the Administration of Network Data Security"

Beijing, September 30, Xinhua News Agency - Premier Li Qiang of the State Council signed a government order on Thursday to publish the Regulations on the Administration of Network Data Security (hereinafter referred to as the "Regulations"), which will come into force on January 1, 2025.

The Regulation aims to regulate network data processing activities, ensure network data security, promote the lawful, reasonable and effective use of network data, protect the legitimate rights and interests of individuals and organizations, and safeguard national security and public interests. The Regulation consists of 9 chapters and 64 articles, mainly stipulating the following contents.

1.

Propose overall requirements and general regulations for network data security management. Explicitly encourage the innovative application of network data in various industries and fields, implement classification and grading protection for network data, actively participate in the formulation of international rules and standards related to network data security, strengthen industry self-discipline, and prohibit illegal network data processing activities. Require network data processors to fulfill obligations such as establishing and improving network data security management systems, reporting security risks, and handling security incidents.

2.

Refine personal information protection regulations. Clearly define the rules for handling personal information and the specific regulations that should be followed. Require network data processors to provide convenient methods and channels to support individuals in exercising their rights, and not set unreasonable conditions to restrict individuals' reasonable requests. Clarify the obligation to protect personal information collected through automated collection technology, and refine the implementation methods for personal information transfer requests.

3.

Improve the security system for important data. Clearly define the responsibilities and requirements for establishing an important data directory, and stipulate the obligation for network data processors to identify and declare important data. Establish the responsibilities of network data security management agencies and network data security responsible persons. Clearly define the specific requirements for risk assessment of important data.

4.

Optimize cross-border security management regulations for network data. Clarify the conditions under which network data processors can provide personal information to foreign countries, and stipulate that personal information can be provided to foreign countries in accordance with international treaties and agreements concluded or participated in. If it is not notified or publicly released as important data by relevant regions or departments, it is not necessary to declare it as important data for export security assessment.

5.

Clarify the obligations of network platform service providers. Establish network data security protection requirements for network platform service providers, third-party product and service providers, and other entities. Clarify the rules for pushing information to individuals through automated decision-making, and stipulate the requirements for large network platform service providers to publish annual reports on personal information protection social responsibility and prevent cross-border security risks of network data.