by Ruoxin SU, Research Associate at Institute of Chinese Law, PhD Candidate at Vrije Universiteit Brussel, Belgium
1. Background
On September 30, 2024, the State Council of China officially adopted the Regulation on Network Data Security Management (hereinafter referred to as the ‘Network Data Regulation’), which is set to take effect on January 1, 2025.[1] The finalization of the Network Data Regulation has been highly anticipated since the Cyberspace Administration of China (‘CAC’),[2] China’s super cyber regulator, unveiled the initial draft for public consultation in November 2021.[3] This is because the Network Data Regulation is China’s first administrative regulation specifically dedicated to data security. It broadens the regulatory scope by introducing the concept of ‘network data’ and further clarifies the existing data laws, including the two pillars of China’s data protection legal framework, i.e., the Personal Information Protection Law (‘PIPL’)[4] and the Data Security Law (‘DSL’)[5]. Notably, the State Council of China included the Network Data Regulation in its national legislative work plan for three consecutive years.
2. What is network data?
There are a variety of data-related definitions within China’s existing data legislation, regulations, and national standards, each delimiting a distinct scope of application. For example, the PIPL regulates the processing of personal information within China and, under certain circumstances, outside of China. It defines personal information as information, recorded electronically or otherwise, relating to an identified or identifiable natural person.[6] The DSL distinguishes between important data and core data according to the significance of the data for economic and social development, as well as the extent of harm to national security, public interests, or the legitimate rights and interests of individuals and organizations once the data is tampered with, destroyed, leaked, or illegally obtained or used. Additionally, national standards for information security define various categories and sub-categories of data, such as health data, genetic data, biometric data and financial data.
The term ‘network data’ was first introduced in the Cybersecurity Law (‘CSL’) of 2016,[7] which established the foundation of China’s contemporary cyberspace and data governance framework. However, the CSL did not elaborate on the scope and meaning of network data. Article 62(1) of the Network Data Regulation defines network data as ‘all kinds of electronic data processed and generated through the network’. Compared to the broader definition of data in the DSL, which encompasses any information recorded by electronic or other means, this definition emphasizes the electronic form of data and excludes data recorded by non-electronic means, such as physical documentation. Considering the burgeoning digital economy and the widespread adoption of digital solutions in business, it is reasonable to anticipate that the Network Data Regulation will apply to a large number of enterprises in respect of the network data they process in their day-to-day operations. Furthermore, the Network Data Regulation elaborates some important basic definitions that the PIPL and the DSL do not explain, such as ‘network data processor’, ‘entrusted processing’, ‘joint processing’ and ‘separate consent’.
The Network Data Regulation not only applies to the processing of network data within China but also extends extraterritorially to activities conducted outside China that jeopardize national security, public interest, or the legitimate interests of Chinese citizens and organizations.[8] This approach largely aligns with Article 2 of the DSL, which governs the extraterritorial application of that law. Moreover, where personal information is processed outside of China, the PIPL and the Network Data Regulation apply in parallel if the processing is intended to provide products or services to individuals within China, or to analyze and evaluate their behavior.[9] The Network Data Regulation thus demonstrates consistency and convergence with the existing high-level data legislation on the rules governing extraterritorial application.
3. What is new for personal information protection and data security
Personal information protection
In line with the personal information protection rules established in the PIPL, the Network Data Regulation highlights the rights and interests that individuals hold regarding their personal information processed by companies. These include the rights to information, copying, correction, supplementation, deletion, restriction, deregistration, withdrawal of consent and portability in respect of the personal information processed.[10] Specifically, it reiterates the data processor’s obligation to respond in a timely manner to individuals exercising their personal information rights and to notify individuals of the details of its personal information processing activities.[11] As for the right to data portability, which enables individuals to transfer their personal information from one data processor to another data processor designated by them, the Network Data Regulation sets out the statutory conditions that flesh out the general rule under the PIPL. A data processor should provide a means for the designated data processor to access and obtain the personal information of the requesting individual where all of the following are met: (a) the real identity of the individual can be verified; (b) the personal information requested was previously collected on the basis of consent or a contract; (c) the transfer of the personal information is technically feasible; and (d) other individuals’ legitimate interests will not be jeopardized.[12] To strike a balance between individual rights and data processor responsibilities, data processors may charge the necessary costs of the transfer if an individual makes portability requests with unreasonable frequency.
Important data security
Beyond safeguarding the data of individuals, Chinese cyber regulators place strong emphasis on the security of so-called ‘important data’ in numerous laws and regulations, such as the CSL, the DSL and the Measures on Data Export Security Assessment. Within China’s data security framework, important data is characterized as non-personal data critical to national security and public interests (encompassing economic performance, social stability, and public health). The CSL and the DSL mandate that data processors handling important data fulfill a set of enhanced security obligations. However, these high-level laws have not provided a precise and clear definition of important data, making its identification a complex issue for companies operating in China due to legal ambiguity and a lack of regulatory guidance.
On this issue, the Network Data Regulation takes a significant step by providing an official definition of important data within China’s administrative regulations. It defines important data as data in specific fields, relating to specific groups or specific regions, or reaching a certain precision and scale, which, once tampered with, destroyed, leaked, or illegally obtained or illegally used, may directly endanger national security, economic operation, social stability, public health and safety.[13] Incorporating the new rules introduced by the Provisions on Promoting and Regulating Cross-Border Data Transfer (“Cross-Border Data Transfer Provisions”, see also our previous article[14]) in 2023,[15] the Network Data Regulation reaffirms that the existence of important data depends on whether it has been notified or publicly announced as such by competent regulators.[16] In this sense, the Network Data Regulation confirms this rule for identifying important data at the level of an administrative regulation, which ranks higher in the legal hierarchy than the Cross-Border Data Transfer Provisions, which are departmental rules. Moreover, if a company processes the personal information of more than 10 million persons, it will be classified as an important data processor and must adhere to the same enhanced security protection obligations as those processing important data. In other words, while personal information itself does not constitute legally defined ‘important data’, the processing of vast amounts of personal information may, in the view of Chinese regulators, pose security risks comparable to those associated with processing important data.
Data security in generative AI training
The development and training of large language models cannot be achieved without vast amounts of training data. However, ensuring legal compliance in a changing regulatory landscape has become a difficult problem for many enterprises. In response to the rapid evolution of AI services and the associated algorithm training activities, the CAC has issued two sets of departmental rules since 2022, i.e., the Provisions on the Administration of Algorithm Recommendation for Internet Information Services[17] and the Interim Measures for the Management of Generative Artificial Intelligence Services.[18] In 2024, China’s National Information Security Standardization Technical Committee (“TC260”) also published a non-binding national standard to guide the secure provision of generative AI services, i.e., the Basic Requirements for the Security of Generative Artificial Intelligence Services.[19] However, neither the CAC’s rules nor the national standard offers clear legal certainty regarding data security requirements for generative AI services at a higher level of the legal hierarchy. In this context, several new provisions in the Network Data Regulation can be seen as a regulatory enhancement and supplement at the level of administrative regulation.
Specifically, the Network Data Regulation outlines a general data security obligation at the training stage of generative AI. Network data processors providing generative AI services should strengthen the security management of training data and of training data processing activities, taking effective measures to prevent and address network data security risks.[20] When companies employ automated tools to access and collect network data, they shall assess the impact on network services and refrain from illegally intruding into others’ networks or disrupting the normal operation of network services.[21] This provision primarily aims to clarify the boundaries of legitimate use of automated data collection technology, such as web crawlers that extract competitive intelligence from websites and cookies that track user behavior on websites. Moreover, the Network Data Regulation further strengthens individuals’ right to delete their personal information where automated data collection techniques are deployed. Where the collection of unnecessary personal information, or of personal information without the individual’s consent, cannot be avoided, the network data processor should delete or anonymize it.[22]
National security review
The Network Data Regulation introduces a new procedure for ensuring network data security: national security review. This mechanism is triggered when network data processing activities pose a potential threat to China’s national security, as set out in Article 13. Importantly, this aligns with the existing national security review system established by the National Security Law,[23] which covers areas such as foreign investment, specific items and key technologies, network information technology products and services, construction projects involving national security matters, and other major activities that affect or may affect China’s national security. In this sense, the Network Data Regulation does not introduce a completely new government review process in the field of data security. Instead, it activates and emphasizes the existing national security review mechanism specifically for network information technology products and services.
Notably, the provision on national security review did not exist in the first version of the legislative proposal for the Network Data Regulation in 2021. It was added to the final text that the CAC adopted in 2024. The initial draft instead referred to another well-known government approval mechanism, the cybersecurity review, which was established by the Cybersecurity Law in 2016 and further clarified in the Measures on Cybersecurity Review[24] in 2021. It would have required certain data processing activities that affect or may affect China’s national security to undergo the CAC’s cybersecurity review. These included scenarios where (a) internet platform operators that have aggregated a large amount of data resources related to national security, economic development and public interest implement mergers, reorganizations, or divisions that affect or may affect national security; (b) companies that process the personal information of more than one million individuals go public overseas; and (c) companies go public in Hong Kong in a way that affects or may affect national security.[25] This requirement raised concerns and uncertainty for companies pursuing share listings on the Hong Kong stock market, as it appeared to add a cybersecurity compliance burden.[26] Nevertheless, in the final adopted version of the Network Data Regulation, this cybersecurity review requirement was completely removed.
4. A wrap-up of the latest legislative developments for cross-border data transfer
Chapter 5 of the Network Data Regulation provides for the security management of network data in the context of cross-border transfer, but it does not substantially introduce new requirements beyond the existing regulatory framework for cross-border data transfer. Currently, China’s cross-border data transfer framework is supported by the legislative “Three Horse Carriages” for data protection and cybersecurity, i.e., the CSL, the DSL and the PIPL.[27] Based on this framework, the CAC has since 2022 been developing specific rules to implement various tools for regulating data flows from China to other countries, including the security assessment for data export, the standard contract for personal information export, and the personal information protection certification, which certifies that a company has sufficient security protection capabilities for transferring personal data internationally. The year 2024 marked a significant shift in China’s international data transfer regulations with the issuance of the Provisions on Promoting and Regulating Cross-Border Data Transfer (“CBDT Provisions”), a set of updated rules in this field (see our previous article regarding the CBDT Provisions).[28]
The Network Data Regulation closely aligns with the CBDT Provisions and largely consolidates the existing cross-border data transfer provisions from previous data laws and recent CAC rules. For instance, it reiterates that the determination of ‘important data’ depends only on whether companies have been informed by regulators or whether such data has been publicly announced as important data. This reflects a crucial change introduced by the CBDT Provisions. Furthermore, Article 35 lists several conditions, any one of which permits a company to transfer personal information to other countries. Building on Article 38 of the PIPL, it supplements the PIPL’s list in line with the new CBDT Provisions:
“(1) Pass the data export security assessment organized by the CAC;
(2) Obtain personal information protection certification issued by professional institutions in accordance with the provisions of the CAC;
(3) Comply with the provisions of the standard contract for the cross-border transfer of personal information formulated by the CAC;
(4) In order to conclude or perform a contract to which the individual is a party, it is truly necessary to provide personal information abroad;
(5) In order to implement cross-border human resources management in accordance with the labor rules and regulations formulated according to law and the collective contract signed according to law, and it is necessary to provide employees’ personal information abroad;
(6) In order to perform statutory duties or statutory obligations, it is really necessary to provide personal information abroad;
(7) It is really necessary to provide personal information overseas in order to protect the life, health and property safety of natural persons under emergency circumstances;
(8) Other conditions stipulated by laws, administrative regulations or the national cyberspace administration.”
5. New requirements for large network platforms as “gatekeepers”
The “large network platform” is a new concept introduced by the Network Data Regulation, which comes with additional regulatory requirements beyond those for other network platform service providers. A network platform is considered ‘large’ if it satisfies all of the following criteria: (a) it has more than 50 million registered users or more than 10 million monthly active users; (b) it has complex business types; and (c) its network data processing activities have significant impacts on national security, economic operation, and people’s livelihood.[29] However, in the initial draft of the Network Data Regulation, a large network platform was defined as an Internet platform operator with more than million users that processes large amounts of personal information and important data, and possesses strong social mobilization capabilities and market dominance.[30] Thus, the criteria for identifying a large network platform were relaxed and clarified in the final version of the Network Data Regulation, compared to those proposed in the legislative draft. This change reflects a more practical and reasonable regulatory approach to these significant Internet service providers, substantially easing the additional compliance burden for some large Internet platforms that process the personal information of over 10 million individuals.
Although the Network Data Regulation is the first to introduce the definition of “large network platform”, a similar approach is already reflected in China’s existing digital law. For instance, the Regulations on Protecting Minors in Cyberspace,[31] which were issued by the State Council and became effective on 1 January 2024, and the PIPL provide slightly different criteria for identifying a “gatekeeper” platform service provider subject to extra regulatory requirements. Specifically, Article 58 of the PIPL imposes several additional obligations on personal information processors that provide important Internet platform services, have a large number of users and have complex business types. These additional obligations include, for example, establishing an independent body for personal information protection within the company, regularly publishing social responsibility reports on personal information protection, and developing platform rules in accordance with the principles of transparency and fairness. In the Regulations on Protecting Minors in Cyberspace, the “gatekeeper” provisions target network platform service providers with a large number of minor users or a significant impact on minors. These platforms must additionally fulfill special obligations to protect minors’ physical and mental health, as well as their other rights and interests in cyberspace.[32]
Beyond general data security obligations, a company qualified as a large network platform must publish a social responsibility report on personal information protection every year. This report informs the public of the effectiveness of its personal information protection measures and the relevant organizational arrangements.[33] Moreover, a large network platform must not impose unfair practices on users by means of network data, algorithms, and platform rules. Examples include processing users’ personal data through misleading, deception or coercion, unreasonably restricting users’ access to and use of network data they generated themselves on the platform, and applying unreasonable differential treatment to users.[34] These requirements stem from the unbalanced relationship between large network platforms and individual users, where the former usually owns the advanced technologies that determine how its business model and algorithms interact with and influence users. Accordingly, the Network Data Regulation seeks to offer stronger protection for individual users on the Internet, who are often unavoidably at a disadvantage in terms of technical knowledge and market information.
In the EU, the Digital Services Act (“DSA”)[35] and the Digital Markets Act (“DMA”)[36] take a similar approach of regulating large platform service providers as “gatekeepers” of the digital market, such as Apple, Google, Amazon and Booking. The gatekeeper theory, which was originally proposed in journalism studies, describes how media professionals select and filter news content before it reaches the public. These media professionals, who can screen and control the flow of information, are called “gatekeepers”.[37] In the context of the EU’s DSA and DMA, the term refers to a few very large online platforms, identified as “gatekeepers” by the European Commission,[38] that control the access to and flow of data in the digital market. Acting as private rule-makers, these platforms create bottlenecks that can stifle competition. These ‘gatekeeper’ platforms provide core services, have a significant impact on the EU internal market, control critical gateways for businesses to reach consumers, and hold entrenched and durable positions. They are subject to a series of obligations to ensure fair competition, transparency, and choice for consumers and businesses. The application of gatekeeper theory also aims to regulate the power of these large platforms, prevent unfair practices, and promote a more level playing field for smaller providers in the digital space.
6. Conclusion
The Network Data Regulation represents a significant milestone in China’s evolving data governance framework. Proposed in November 2021, shortly after the DSL and PIPL took effect, and finalized nearly three years later, the regulation has undergone substantial refinement to become a comprehensive and structured administrative regulation. Its adoption signals a key step toward harmonizing China’s major data laws, including the CSL, DSL, PIPL, and the CAC’s related rules, fostering greater consistency and coherence in the legal landscape of data governance. While much of the regulation consolidates existing rules established over the past three years, it also addresses critical gaps that higher-level laws could not fill without extensive statutory procedures. Notable additions include provisions on individuals’ data portability rights, data security obligations in AI training, and stricter requirements for large network platforms. These updates reflect both the regulators’ growing enforcement experience and the accelerating advances in the digital economy and AI technologies. By bridging gaps in existing data laws and addressing emerging challenges, the Network Data Regulation lays a critical foundation for the next stage of China’s data governance. It reinforces protections for individuals and businesses while fostering a regulatory environment that is better aligned with the complexities of the digital age.
[1] Regulation on Network Data Security Management (<网络数据安全管理条例>), available at: https://www.gov.cn/zhengce/zhengceku/202409/content_6977767.htm
[3] https://www.cac.gov.cn/2021-11/14/c_1638501991577898.htm
[4] Personal Information Protection Law of the People’s Republic of China (<中华人民共和国个人信息保护法>), available at: https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm
[5] Data Security Law of the People’s Republic of China (<中华人民共和国数据安全法>), available at: http://www.npc.gov.cn/c2/c30834/202106/t20210610_311888.html
[6] Article 4 of the PIPL
[7] Cybersecurity Law of the People’s Republic of China (<中华人民共和国网络安全法>), available at: http://www.npc.gov.cn/zgrdw/npc/xinwen/2016-11/07/content_2001605.htm
[8] Article 2 of the Network Data Regulation
[9] Ibid.
[10] Chapter 3 of the Network Data Regulation
[11] Article 21 and 23 of the Network Data Regulation
[12] Article 22 of the Network Data Regulation
[13] Article 62(4) of the Network Data Regulation
[14] Ruoxin Su, China’s New Rules for Cross-Border Data Transfer: What Changes are Brought to the Existing Regulatory Regime, Istituto di Diritto Cinese, 24 May 2024, available at: https://dirittocinese.com/2024/05/14/chinas-new-rules-for-cross-border-data-transfer-what-changes-are-brought-to-the-existing-regulatory-regime/
[15] Provisions on Promoting and Regulating Cross-border Data Transfers (<促进和规范数据跨境流动规定>), available at: https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
[16] Article 37 of the Network Data Regulation
[17] Provisions on the Administration of Algorithm Recommendation for Internet Information Services (<互联网信息服务算法推荐管理规定>), available at: https://www.gov.cn/zhengce/2022-11/26/content_5728941.htm
[18] Interim Measures for the Management of Generative Artificial Intelligence Services (<生成式人工智能管理暂行办法>), available at: https://www.gov.cn/zhengce/zhengceku/202307/content_6891752.htm
[19] Basic Requirements for the Security of Generative Artificial Intelligence Services (<生成式人工智能服务安全基本要求>), available at: https://www.tc260.org.cn/upload/2024-03-01/1709282398070082466.pdf
[20] Article 19 of the Network Data Regulation
[21] Article 18 of the Network Data Regulation
[22] Article 24 of the Network Data Regulation
[23] National Security Law of the People’s Republic of China (<中华人民共和国国家安全法>), available at: https://www.gov.cn/zhengce/2015-07/01/content_2893902.htm
[24] Measures on Cybersecurity Review (<网络安全审查办法>), available at: https://www.gov.cn/zhengce/2022-11/26/content_5728942.htm
[25] Article 13 of the draft Network Data Regulation (draft for public comments)
[26] Dashveenjit Kaur, How will China’s new data security law affect Hong Kong IPOs?, Techwire Asia, December 2021, https://techwireasia.com/2021/12/how-will-chinas-new-data-security-law-affect-hong-kong-ipos/
[27] China: Comprehensive personal information protection regime established, Baker McKenzie, 31 August 2021, https://insightplus.bakermckenzie.com/bm/data-technology/china-comprehensive-personal-information-protection-regime
[28] Ruoxin Su, China’s New Rules for Cross-Border Data Transfer: What Changes are Brought to the Existing Regulatory Regime, Istituto di Diritto Cinese, 24 May 2024, available at: https://dirittocinese.com/2024/05/14/chinas-new-rules-for-cross-border-data-transfer-what-changes-are-brought-to-the-existing-regulatory-regime/
[29] Article 62(8) of the Network Data Regulation
[30] Article 73(10) of the draft Network Data Regulation (draft for public comments)
[31] Regulations on Protecting Minors in Cyberspace (<未成年人网络保护条例>), available at: https://www.gov.cn/zhengce/content/202310/content_6911288.htm
[32] Article 20 of the Regulations on Protecting Minors in Cyberspace
[33] Article 44 of the Network Data Regulation
[34] Article 46 of the Network Data Regulation
[35] REGULATION (EU) 2022/2065 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2065
[36] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act), https://eur-lex.europa.eu/legal-content/EN/TXT/?toc=OJ%3AL%3A2022%3A265%3ATOC&uri=uriserv%3AOJ.L_.2022.265.01.0001.01.ENG
[37] Barzilai-Nahon, K. (2008). Toward a theory of network gatekeeping: A framework for exploring information control. Journal of the American Society for Information Science and Technology, 59(9), 1493-1512.
[38] See European Commission, Digital Markets Act (DMA) – Gatekeepers, https://digital-markets-act.ec.europa.eu/gatekeepers_en
