Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · REGULATION ON NETWORK DATA SECURITY MANAGEMENT

Regulation on Network Data Security Management.

网络数据安全管理条例

Promulgated by: State Council.
Document No.: Decree No. 790 of the State Council.
Adopted at the 40th executive meeting of the State Council on August 30, 2024.
Promulgated September 24, 2024. Effective January 1, 2025.
Premier Li Qiang.


Chapter I General Provisions

Article 1. In order to regulate network data handling activities, ensure the security of network data, promote the reasonable and effective use of network data in accordance with the law, protect the legitimate rights and interests of individuals and organizations, and safeguard national security and public interests, this Regulation is enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Law of the People’s Republic of China on the Protection of Personal Information and other relevant laws.

Article 2. This Regulation applies to network data handling activities and the supervision and administration of security thereof carried out within the territory of the People’s Republic of China. This Regulation also applies to the activities outside the territory of the People’s Republic of China to handle the personal information of natural persons within the territory of the People’s Republic of China, which conform to the circumstances prescribed in the second paragraph of Article 3 of the Law of the People’s Republic of China on the Protection of Personal Information. Any network data handling activities outside the territory of the People’s Republic of China that damage the national security, public interests or the legitimate rights and interests of citizens and organizations of the People’s Republic of China shall be investigated for legal liability in accordance with the law.

Article 3. Network data security management shall be carried out by adhering to the leadership of the Communist Party of China, implementing the overall concept of national security, and promoting the development and utilization of network data and ensuring the security of network data on an overall basis.

Article 4. The State encourages the innovative application of network data in various industries and fields, strengthens the development of the capacity for protection of network data security, supports the innovation of technologies, products and services relating to network data, carries out publicity, education and talent training for network data security, and promotes the development and utilization of network data and the industrial development.

Article 5. The State protects network data by category and by grade, according to the importance of network data in economic and social development, as well as the extent of the damage caused to national security, public interests or the legitimate rights and interests of individuals and organizations by network data once the network data are tampered with, destroyed, divulged, illegally acquired or illegally utilized.

Article 6. The State actively participates in the development of international rules and standards relating to network data security to promote international exchange and cooperation.

Article 7. The State supports relevant industry organizations in developing codes of conduct for network data security pursuant to their articles of association, strengthening industry self-regulation, guiding their members to strengthen network data security protection, improving the level of network data security protection and promoting the healthy development of the industry.

Chapter II General Rules

Article 8. No individual or organization may use network data to engage in any illegal activities or engage in any illegal network data handling activities such as stealing or acquiring network data by other illegal means, illegally selling or illegally providing network data to others. No individual or organization may provide any program or tool specially used for the illegal activities as mentioned in the preceding Paragraph; any individual or organization who is fully aware that a person engages in the illegal activities mentioned in the preceding Paragraph shall not provide the person with Internet access, server hosting, network storage, communication transmission and other technical support or with advertising and promotion, payment and settlement and other assistance.

Article 9. Network data handlers shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards, and on the basis of classified protection of cyber security, strengthen the protection of network data security, establish and perfect the system of network data security management, and take technical measures such as encryption, backup, access control and security authentication as well as other necessary measures to protect network data from being falsified, destroyed, divulged or illegally acquired or used, dispose of network data security incidents, prevent illegal and criminal activities aiming at and using network data, and assume primary responsibility for the security of the network data handled by them.

Article 10. Network products and services provided by a network data handler shall comply with the compulsory requirements of the relevant national standards; in the case of any risk such as security defect or bug discovered to be associated with a network product or service, the network data handler shall take remedial measures forthwith, notify users in a timely manner and report the same to the relevant competent authority in accordance with the provisions; in the case of any harm to the national security or public interest, the network data handler shall also report the same to the relevant competent authority within 24 hours. 24

Article 11. Network data handlers shall establish and perfect their emergency response plan for network data security incidents. In the case of a network data security incident, the network data handler shall activate its emergency response plan forthwith, with measures taken to prevent the expansion of the harm and to eliminate the potential security hazard and report the same to the competent authority as required. Where a network data security incident causes harm to the legitimate rights and interests of individuals or organizations, the network data handler shall promptly notify the interested parties of the security incident, risks, harm consequences, remedial measures taken and so on by means of telephone calls, text messages, instant messaging tools, e-mails, announcements or otherwise; where laws and administrative regulations provide that such notification may not be made, such provisions shall prevail. When finding any clue of suspected crime during its handling of a network data security incident, the network data handler shall report the case to the public security organ or State security organ as required and cooperate in the detection, investigation and handling of the case.

Article 12. When providing other network data handlers with personal information and important data or entrusts other network data handlers to process personal information and important data, a network data handler shall, by contract or otherwise, agree with the network data recipient on the processing purpose, method and scope as well as the security protection obligations of the network data recipient, and supervise the network data recipient’s performance of such obligations. Records of the personal information and important data provided to other network data handlers or the processing of such personal information and important data upon entrustment shall be kept for at least three years. The network data recipient shall perform its obligations of network data security protection, and process personal information and 3 important data according to the agreed purpose, method and scope. Where two or more network data handlers jointly decide on the purpose and method of the handling of personal information and important data, they shall agree upon their respective rights and obligations.

Article 13. Where network data handlers carry out network data processing activities that affect or may affect national security, they shall undergo a national security review in accordance with relevant national regulations.

Article 14. Where a network data handler needs to transfer network data due to merger, demerger, dissolution or bankruptcy, the network data recipient shall continue to perform its network data security protection obligations.

Article 15. A State organ that entrusts others to build, operate and maintain its e-government system, or to store and handle government data shall go through strict approval procedures in accordance with the relevant provisions of the State, specify the entrusted party’s authority for processing network data and protection responsibilities, among others, and supervise the entrusted party’s performance of network data security protection obligations.

Article 16. A network data handler that provides services for state agencies or critical information infrastructure operators, or participates in the construction, operation and maintenance of other public infrastructure or public service systems, shall perform its obligation of network data security protection and provide secure, stable and continuous services in accordance with the provisions of laws and regulations and contractual stipulations. Without the consent of the entrusting party, the network data handler as referred to in the preceding paragraph shall not access, obtain, retain, use, divulge or provide others with network data, nor shall it conduct association analysis of network data.

Article 17. An information system providing services to State organs shall strengthen network data security management to ensure network data security according to the management requirements for e-government system mutatis mutandis.

Article 18. When accessing and collecting network data by using automatic tools, network data handlers shall assess the impact of such access on network services and shall not illegally invade into others’ networks or interfere with the normal operation of network services.

Article 19. A network data handler providing generative artificial intelligence services shall strengthen its security management of training data and training data handling activities and take effective measures to prevent and dispose of network data security risks.

Article 20. A network data handler providing products and services to the public shall subject itself to social supervision and shall establish a convenient channel for complaining and reporting about network data security, make public the ways to complain and report and other information, and promptly accept and handle complaints and reports about network data security.

Chapter III Protection of Personal Information

Article 21. Prior to handling personal information, if a network data handler informs individuals according to the law by formulating rules for handling personal information, such rules shall be publicly displayed in a centralized manner, easily accessible and put in an eye-catching position, and the content shall be definite, specific, clear and understandable, including but not limited to the following: (1) the title or name and contact information of the network data handler;

(2) the purpose, method and type of handling of personal information, as well as the necessity of handling of sensitive personal information and the impact of handling on individuals’ rights and interests;

(3) the retention period of personal information and the method for handling such information upon expiration; If it is difficult to determine the retention period, the method for determining the retention period shall be specified; and

(4) Methods and channels etc. for individuals to access, reproduce, transfer, correct, supplement, delete and restrict handling of personal information, to deregister accounts and withdraw their consents. When informing individuals of the purpose, method and type of personal information to be collected and provided to other network data handlers, as well as the information of the network data recipient in accordance with the provisions of the preceding paragraph, the network data handler shall state such information in the form of a checklist, among others. Where handling the personal information of minors under the age of 14, the network data handler shall also develop special rules for handling personal information.

Article 22. Where the handling of personal information of an individual is subject to the individual’s consent, the network data handler shall comply with the following provisions: (1) It shall not collect personal information beyond the scope and shall not obtain the individual’s consent by means of misleading, fraud or coercion, etc. if the collection of personal information is necessary for the provision of products or services to the individual.

(2) It shall obtain the individual’s separate consent if the individual’s sensitive personal information such as biometric information, religious belief, specific identity, medical health information, financial accounts and whereabouts is handled.

(3) It shall obtain the consent of the individual’s parents or other guardians if the personal information of the individual who is under the age of 14 is handled.

(4) It shall not handle personal information beyond the purpose, method, type and period of storage agreed by the individual for handling of his/her personal information;

(5) It shall not frequently ask for consent after the individual has explicitly expressed disagreement with the handling of his/her personal information; and

(6) It shall obtain the individual’s consent again if the purpose, method or type of handling of the individual’s personal information changes. Where laws and administrative regulations provide that the handling of sensitive personal information is subject to written consent, such provisions shall prevail.

Article 23. Where an individual requests to access, copy, correct, supplement, delete or restrict the handling of his/her personal information, or where an individual deregisters his/her account or withdraws his/her consent, the network data handler shall accept the request in a timely manner and provide convenient methods and channels to support the individual in exercising his/her rights, and shall not set up unreasonable conditions to restrict the individual’s reasonable request.

Article 24. Where it is impossible to avoid the collection of unnecessary personal information by using automatic collection technology or an individual’s personal information without obtaining his/her consent according to the law, or an individual deregisters his/her account, the network data handler shall delete or anonymize the personal information. Where the storage period as prescribed by laws and administrative regulations has not expired, or it is difficult to delete or anonymize the personal information technically, the network data handler shall cease the handling other than storing such information and taking necessary security protection measures.

Article 25. For the request of an individual for transfer of personal information that meets the following conditions, the network data handler shall provide channels for the network data handler designated by the individual to access or obtain relevant personal information: (1) where the true identity of the person making the request can be verified;

(2) where the personal information requested for transfer is the personal information that the individual has agreed to provide or has been collected on the basis of a contract;

(3) where the transfer of personal information is technically feasible; and

(4) where the transfer of personal information does not damage the legitimate rights and interests of others. If the number of requests for transfer of personal information significantly exceeds a reasonable range, the network data handler may charge necessary fees based on the costs of transferring personal information.

Article 26. Where an overseas network data handler who handles the personal information of domestic natural persons establishes a special agency or designates a representative within the territory of the People’s Republic of China in accordance with Article 53 of the Law of the People’s Republic of China on the Protection of Personal Information, it shall submit such information as the name and contact information of the agency or the representative to the local cyberspace administration of the city divided into districts, and the local cyberspace administration shall promptly notify the competent authority at the same level.

Article 27. A network data handler shall periodically conduct compliance audits, either on its own or by commissioning a specialized agency, of its handling of personal information in compliance with laws and administrative regulations.

Article 28. A network data handler handling the personal information of more than 10 million individuals shall also 1000 comply with the provisions governing network data handlers handling important data (hereinafter referred to as the “handlers of important data” in short) as specified in Articles 30 and 32 hereof.

Chapter IV Security of Important Data

Article 29. The national data security work coordination mechanism arranges and coordinates the relevant departments in formulating catalogs of important data and strengthens the protection of important data. All regions and departments shall, under the system for data classification and hierarchical protection, determine the specific catalogs of important data of their respective regions, departments as well as related industries and fields, and focus on protection of network data included in the catalogs. Network data handlers shall identify and declare important data in accordance with the relevant provisions of the State. For data that is confirmed as important data, the relevant region and department shall promptly notify network data handlers or publicly announce the same. Network data handlers shall perform their responsibility of network data security protection. The State encourages network data handlers to use technologies and products such as data labels and identifiers to improve important data security management.

Article 30. Handlers of important data shall specify the person in charge of network data security and the management body for network data security. The management body for network data security shall perform the following responsibilities of network data security protection: (1) formulating and implementing network data security management systems and operation procedures as well as emergency response plans for network data security incidents;

(2) organizing activities such as network data security risk monitoring, risk assessment, emergency drills, publicity, education and training on a regular basis, and promptly disposing of network data security risks and incidents; and

(3) accepting and handling complaints and reports about network data security. The person in charge of network data security shall have professional knowledge of network data security and relevant management experience and shall be a member of the management team of the network data handler, with the right to directly report the situation of network data security to the relevant competent authority. Network data handlers that control important data of specific type and scale specified by the relevant competent authority shall conduct security background review of the person in charge of network data security and personnel in key positions and strengthen the training for the relevant personnel. When conducting such review, they may apply for assistance from the public security authorities and State security authorities.

Article 31. Handlers of important data shall conduct risk assessment prior to providing, entrusting others to handle or jointly handling important data, except for the performance of statutory duties or obligations. The risk assessment shall focus on assessing the following aspects:

(1) whether the provision, entrusted handling, and joint handling of network data, as well as the purpose, method or scope of handling of network data by network data recipients are legal, proper and necessary;

(2) the risk that the network data provided, entrusted for handling or jointly handled may be tampered with, destroyed, divulged, illegally obtained or illegally used, and the risk to national security, public interests, or the legitimate rights and interests of individuals and organizations;

(3) the integrity and compliance of network data recipients;

(4) whether the requirements on network data security set forth in the relevant contract concluded or to be concluded with a network data recipient can effectively constrain the network data recipient to perform its obligations for network data security protection;

(5) whether the technical and management measures taken or to be taken can effectively prevent the risks that network data may be tampered with, destroyed, divulged, illegally obtained or illegally used; and

(6) other assessment contents specified by the relevant competent authority.

Article 32. Where the security of important data may be affected due to merger, demerger, dissolution or bankruptcy of a handler of important data, the handler of important data shall take measures to ensure the security of network data, and report its important data disposal plan and the title or name and contact information of the recipient to the competent authority at or above the provincial level; if the competent authority is not specified, the handler of important data shall report to the coordination mechanism for data security at or above the provincial level.

Article 33. Handlers of important data shall conduct risk assessment of their network data handling activities on an annual basis and submit risk assessment reports to the competent authorities at or above the provincial level, which shall in turn promptly notify the cyberspace administration and the public security organ at the same level. The risk assessment report shall include the following aspects:

(1) basic information of the network data handler, information of the management body for network data security, and the name and contact information of the person in charge of network data security;

(2) the purpose, type, quantity, method, scope, storage period and storage location etc. of the important data handled as well as the information on network data handling activities carried out, excluding the contents of network data themselves,

(3) management systems for network data security and the implementation thereof, technical measures such as encryption, backup, label identification, access control, security authentication and other necessary measures and the effectiveness thereof;

(4) network data security risks discovered, network data security incidents that have occurred and the handling thereof;

(5) risk assessment of the provision, entrusted handling and joint handling of important data;

(6) cross-border transmission of network data; and

(7) other information to be reported as specified by the competent authority. The risk assessment report submitted by the service provider of a large network platform that handles important data shall include, in addition to the information specified in the preceding paragraph, an adequate description of the network data security of key businesses and supply chains. For a handler of important data whose important data handling activities might endanger the national security, the competent authority at or above the provincial level shall order it to take measures such as making rectifications or ceasing the handling of important data. The handler of important data shall take measures forthwith as required.

Chapter V Cross-border Security Management of Network Data

Article 34. The state cyberspace administration shall make overall planning and coordinate with the relevant authorities to establish a special work mechanism of national data cross- border security management, develop upon study relevant policies for national network data cross-border security management, and coordinate the handling of major matters relating to network data cross-border security.

Article 35. A network data handler may transmit personal information abroad if it meets any of the following conditions: (1) having passed the security assessment for data cross-border transmission organized by the state cyberspace administration;

(2) having been certified by a specialized agency in respect of the protection of personal information in accordance with the provisions of the state cyberspace administration;

(3) meeting the provisions on standard contract for cross-border transmission of personal information as developed by the state cyberspace administration;

(4) necessary to provide personal information abroad in order to conclude or perform a contract to which it is a party;

(5) necessary to provide personal information of employees abroad under the employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law;

(6) necessary to provide personal information abroad in order to perform statutory duties or obligations;

(7) necessary to provide personal information abroad in order to protect the life, health and property security of natural persons in an emergency; and

(8) other conditions provided for in laws, administrative regulations or by the state cyberspace administration.

Article 36. Where the international treaties or agreements concluded or acceded to by the People’s Republic of China have provisions on conditions for provision of personal information outside the territory of the People’s Republic of China, among others, such provisions may prevail.

Article 37. Where it is necessary to provide important data generated or collected by a network data handler during its operation within the territory of the People’s Republic of China to overseas parties, such provision shall pass the security assessment for data cross-border transmission organized by the state cyberspace administration. If a network data handler identifies and declares important data according to relevant provisions of the State, which have not been notified by the relevant region or department or have not been announced to the public as important data, no security assessment is required for cross-border transmission of such data as important data.

Article 38. After passing the security assessment for data cross-border transmission, the provision of personal information and important data abroad by the network data handler shall not beyond the purpose, method, scope, type and scale etc. of the data to be transmitted abroad as specified at the time of the assessment.

Article 39. The State takes measures to prevent and deal with cross-border security risks and threats to network data. No individual or organization may provide programs or tools etc. specially designed to destroy or avoid technical measures and shall not provide a person with technical support or assistance if he/it is fully aware of such activities as destroying or avoiding technical measures committed by the person.

Chapter VI Obligations of Network Platform Service Providers

Article 40. Network platform service providers shall specify the network data security protection obligations of third-party product and service providers accessing their platforms through platform rules, contracts or otherwise, and urge third- party product and service providers to strengthen network data security management. The provisions of the preceding paragraph apply to the manufacturers of equipment such as smart terminals pre-installed with applications. Where a third-party product or service provider carries out network data handling activities in violation of laws, administrative regulations, platform rules or contracts, causing damage to users, the network platform service provider, the third-party product or service provider, the manufacturer of equipment such as smart terminals pre-installed with applications shall assume corresponding liability in accordance with the law. The State encourages insurance companies to develop liability insurance products for damage caused to network data and encourages network platform service providers and manufacturers of equipment such as smart terminals pre-installed with applications to take out insurance.

Article 41. Network platform service providers providing application distribution service shall establish application verification rules and carry out relevant verification of network data security. Where it is found that the applications to be distributed or distributed do not comply with the provisions of laws, administrative regulations or the mandatory requirements of national standards, measures such as warning, no distribution, suspension or termination of distribution shall be taken.

Article 42. Network platform service providers pushing information to individuals in an automatic decision -making manner shall set up a personalized recommendation closing option that is easy to understand, access and operate, and provide users with such functions as refusing to receive pushed information and deleting user tags targeted at their personal characteristics.

Article 43. The State promotes the development of public services for network identity authentication and popularizes and applies such services under the principles of government guidance and user voluntariness. Network platform service providers are encouraged to support users in using the national network identity authentication public services for registration and verification of their identity information.

Article 44. Large network platform service providers shall release annual social responsibility reports on personal information protection, and the contents of such reports shall include but not be limited to the measures for personal information protection and the effects thereof, the acceptance of applications for the exercise of rights by individuals, and the performance of duties by the supervision body for personal information protection which is mainly composed of external members.

Article 45. Where the service provider of a large network platform provides cross-border network data, it shall comply with the administrative requirements of the State on cross- border data security management and improve the relevant technical and administrative measures to prevent cross- border security risks of network data.

Article 46. The service provider of a large network platform shall not engage in the following activities by using network data, algorithms and platform rules: (1) handling network data generated by users on the platform by misleading, fraud, coercion or other means;

(2) restricting users’ access to or use of network data generated on the platform without justified reasons;

(3) giving unreasonable differential treatment to users, which damages the legitimate rights and interests of users; and

(4) other activities prohibited by laws and administrative regulations.

Chapter VII Supervision and Administration

Article 47. The state cyberspace administration is responsible for the overall planning and coordination of network data security and relevant supervision and administration. Public security authorities and national security authorities shall, pursuant to the provisions of relevant laws, administrative regulations and this Regulation, assume the responsibility for supervising and administering network data security ex officio, and prevent and crack down on illegal and criminal activities which endanger network data security in accordance with the law. The national data management body shall perform corresponding responsibilities for network data security in its specific work of data management. Local regions and their departments shall be responsible for the network data collected and generated during their work and for the network data security.

Article 48. All competent authorities concerned shall assume the responsibility for supervising and administering the network data security of their respective industries and fields, designate the agencies responsible for the protection of network data security of their respective industries and fields, develop and organize the implementation of emergency response plans for network data security incidents in their respective industries and fields on an overall basis, regularly organize the assessment of network data security risks of their respective industries and fields, supervise and inspect the performance by network data handlers of their obligations of protecting network data security, and guide and urge network data handlers to promptly rectify existing potential risks.

Article 49. The state cyberspace administration shall coordinate with the competent authorities concerned to promptly summarize, study and determine, share and release information relating to network data security risks, and strengthen the sharing of network data security information, the monitoring and early warning of network data security risks and threats, and the emergency response to network data security incidents.

Article 50. The competent authorities concerned may take the following measures to supervise and inspect network data security: (1) requiring a network data handler and its relevant personnel to explain the items under supervision and inspection;

(2) consulting and copying documents and records relating to network data security;

(3) inspecting the operation of network data security measures;

(4) inspecting the equipment and articles relating to network data handling activities; and

(5) taking other necessary measures as prescribed by laws and administrative regulations. The network data handler shall cooperate in the supervision and inspection of network data security conducted by competent authorities in accordance with the law.

Article 51. When carrying out the supervision and inspection of network data security, the competent authorities concerned shall be objective and fair, and shall not charge any fees from the entity under inspection. During the supervision and inspection of network data security, the competent authorities concerned shall not access or collect business information that is not related to network data security, and the information obtained may only be used as necessary for the purpose of maintaining network data security and should not be used for any other purpose. Where finding that there are relatively high security risks in the network data handling activities of a network data handler, the competent authorities concerned may, according to its prescribed authority and procedures, require the network data handler to suspend relevant services, modify platform rules, and improve technical measures to eliminate potential security risks of network data.

Article 52. When carrying out supervision and inspection of network data security, the competent authorities concerned shall strengthen coordination and cooperation with each other and information communication, and reasonably determine the frequency and methods of inspection, so as to avoid unnecessary inspection and cross and repeated inspection. The compliance audit in respect of personal information protection, risk assessment for important data, security assessment for cross-border transfer of important data and so on shall be connected more closely to avoid repeated assessment and audit. Where the contents of risk assessment and cybersecurity grade assessment for important data overlap, the relevant results can be mutually admissible.

Article 53. The competent authorities concerned and their staff members shall keep confidential, in accordance with the law, the network data such as personal privacy, personal information, trade secrets and confidential business information that they have accessed in the performance of their responsibility, and shall not disclose or illegally provide the same to others.

Article 54. The state cyberspace administration may, in concert with the competent authorities concerned, take corresponding necessary measures in accordance with the law against any overseas organization or individual who engages in network data handling activities that endanger the national security or public interests of the People’s Republic of China or infringe upon the personal information rights and interests of the citizens of the People’s Republic of China.

Article 55. For violation of Article 12, Articles 16-20, Article 22, Paragraphs 1 and 2 of Article 40, Article 41 and Article 42 hereof, the competent authorities in charge of cyberspace, telecommunications and public security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, and confiscate the illegal income of the violator. In case of refusal to make rectification or serious circumstances, the violator shall be subject to a fine of not more than 1 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the 100 person directly in charge and other directly liable persons shall be subject to a fine of not less than 10,000 yuan but not more than 100,000 yuan.

Article 56. For violation of Article 13 hereof, the competent authorities in charge of cyberspace, telecommunications, public security, national security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, impose a fine of not less than 100,000 yuan but not more than 1 million yuan concurrently on the violator, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan concurrently on the person directly in charge and other directly liable persons; in case of refusal to make rectification or serious circumstances, the violator shall be subject to a fine of not less than 1 million yuan but not more than 10 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 100,000 yuan but not more than 1 million yuan.

Article 57. For violation of Paragraph 2 of Article 29, Paragraphs 2 and 3 of Article 30, Article 31 and Article 32 hereof, the competent authorities in charge of cyberspace, telecommunications and public security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, impose a fine of not less than 50,000 yuan but not more than 500,000 yuan concurrently on the violator, and impose a fine of not less than 10,000 yuan but not more than 5 50 100,000 yuan concurrently on the person directly in charge and other directly liable persons; in case of refusal to make rectification or serious consequences such as massive data 1 leakage are caused, the violator shall be subject to a fine of not less than 500,000 yuan but not more than 2 million yuan, 10 and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 50,000 yuan but not more than 200,000 yuan.

Article 58. For violation of other relevant provisions hereof, the violator shall be prosecuted for legal liability by the competent authority concerned in accordance with the Cybersecurity Law of the People’s Republic of China, Data Security Law of the People’s Republic of China, Law of the People’s Republic of China on the Protection of Personal Information and other applicable laws.

Article 59. A network data handler who voluntarily eliminates or mitigates the harmful consequences of its illegal acts, commits minor illegal acts and makes rectification in a timely manner without causing harmful consequences, or commits illegal acts for the first time with minor harmful consequences and makes rectification in a timely manner, shall be subject to a lighter or mitigated administrative penalty or be exempted from administrative penalty in accordance with the Law of the People’s Republic of China on Administrative Penalties.

Article 60. For a state agency that fails to perform its obligations of network data security protection set forth herein, its superior authority or the competent authority concerned shall order it to make rectification and impose disciplinary actions on the person directly in charge and other directly liable persons in accordance with the law.

Article 61. Whoever violates this Regulation, with damage to others caused, shall be subject to the civil liability pursuant to the law; if the violation of public security administration is constituted, a penalty for public security administration shall be imposed pursuant to the law; and if a crime is constituted, criminal liability shall be investigated pursuant to the law.

Chapter IX Supplementary Provisions

Article 62. The following terms as used herein shall have the following meanings: (1) “Network data” refers to various electronic data handled and generated through networks.

(2) “Network data handling activities” refer to the collection, storage, use, processing, transmission, provision, disclosure and deletion of network data.

(3) “Network data handler” refers to an individual or organization that independently determines the handling purpose and handling method in network data handling activities.

(4) “Important data” refers to the data in a specific field, group or region or with a certain precision and scale, which, once tampered with, destroyed, divulged, illegally obtained or illegally used, may directly endanger national security, economic operation, social stability, public health and security.

(5) “Entrusted handling” refers to the network data handling activities carried out by any individual or organization entrusted by a network data handler according to the agreed purpose and method.

(6) “Joint handling” refers to the network data handling activities in which two or more network data handlers jointly determine the handling purpose and handling method for network data.

(7) “Separate consent” refers to that an individual specifically gives specific and clear consent with respect to a specific handling of his/her personal information.

(8) “Large network platform” refers to a network platform with more than 50 million registered users or more than 10 million monthly active users, complex business types, and network data handling activities having a significant impact on national security, economic operation, national welfare and people’s livelihood, etc.

Article 63. The network data handling activities in respect of core data shall be carried out in accordance with the relevant regulations of the State. This Regulation does not apply to the handling of personal information by natural persons due to personal or family affairs. The provisions of the Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply to the network data handling activities involving state secrets or work secrets.

Article 64. This Regulation shall come into force on January 1, 2025 2025.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

23 briefs reference this law.

  • § 01 · SECURITY-REVIEW

    One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era

    With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty.

    security-review · national-security · cybersecurity-review
  • § 02 · IMPORTANT-DATA

    Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'

    With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.

    important-data · risk-assessment · network-data
  • § 03 · GBT-35273

    From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard

    On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.

    gbt-35273 · personal-information · pipl
  • § 04 · RISK-ASSESSMENT

    From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law

    On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight.

    risk-assessment · network-data · data-security
  • § 05 · ENFORCEMENT

    Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases

    In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.

    enforcement · cross-border-data · pipl
  • § 06 · ENFORCEMENT

    CAC Names 30 Apps and Mini-Programs for PI Violations — Nearly Half for Ineffective Account Cancellation

    On June 11, 2026 the Office of the Central Cyberspace Affairs Commission published a notification naming 30 apps and mini-programs for personal-information collection and use violations, found in testing organized under the 2026 CAC + MIIT + MPS joint special campaign. The violations fall into four categories — undisclosed PI collection rules (7 apps), frequent demands for non-essential permissions (4), incomplete SDK disclosure (5), and, the dominant category at 14 of 30, failure to provide an effective account-cancellation function. DCC reads the notification as the CAC tier of the same campaign whose MIIT testing tier we covered in the Batch 56 brief: a broader perimeter that expressly includes mini-programs, a 15-working-day rectify-and-report deadline, and a clear signal that exit rights — account cancellation and deletion — are a 2026 testing priority.

    enforcement · cac · app-compliance
  • § 07 · DATA-PROPERTY-RIGHTS

    Data 'Parallel Property Rights' — They Can Confer Status, but Can't Secure Control

    Part four — and the synthesis — of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework takes up 'parallel property rights' (数据平行财产权): how to allocate rights when the *same* data is held, used, and operated by *multiple* parties at once. Building on Xiong Bingwan and Zhuang Hongshan's 'one-data, multiple-rights' (一数数权) idea — data is non-rivalrous and copyable, so the same right over the same data can sit with several parties without excluding each other — Hong argues parallel property rights are best understood as *default rules* for incomplete-contract, collaborative-production settings: internally, parallel use is presumed; externally, operation is classified by data type (by-products each party may operate alone; purpose-built or fused data needs the others' consent); and parallel holders share a *joint defensive* interest against third parties. But the substance, he shows, falls back on derivative data — and here Xiong, Xu Ke (许可), and Shen Weixing (申卫星), despite different scenarios and tests, all tilt the derivative-data right to the *processor*, leaving the data contributor with contract/compensation/tort/PI remedies rather than ownership of the new product. DCC's read for overseas counsel: parallel property rights cut *attribution* uncertainty (who may use, operate, defend) but not *control* uncertainty (future use, detection, tracing, modelled value, third-party chains, ongoing compliance) — status, not control.

    data-property-rights · parallel-property-rights · derivative-data
  • § 08 · DATA-PROPERTY-RIGHTS

    Why Upstream Won't Operate Its Data — Control Degradation, Derivative Data, and Irreducible Uncertainty

    Part three of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' framework turns to the Right to Operate Data (数据经营权) — the right to provide data externally by transfer, licence, capital contribution, or pledge — and asks a question prior to 'what does operation transfer?': in real conditions, *will* an upstream party operate its data at all? His answer: yes, but narrowly. Control-dependent upstreams (platforms, holders of core user or irreplaceable industrial/training data) tend not to provide open, raw, autonomous access, and shift to controlled use or simply decline. The reason is structural. Once a downstream party is licensed to use data, the derivative data it produces is a *new object*: the upstream's *erga omnes* (对世) control over the raw data does not reach it, leaving the upstream — at most — a contractual claim against one counterparty. Hong then catalogues the uncertainties an upstream faces *ex ante*: some that attribution rules could touch but can't eliminate (qualification of the output, default ownership, good-faith of the processor, measurement of remedy), and some no rule can reach (combinatorial/unforeseeable value, undetectable misuse, the privity-and-insolvency chain, fusion and co-ownership, abstraction leakage into model parameters and learned skills, personal-information exposure, and counterparty hold-up). DCC's read for overseas counsel: this is the rigorous explanation of why Chinese data 'supply' is thin and why sandbox / privacy-computing structures dominate — defining a right does not supply the conditions to exercise it.

    data-property-rights · data-operation-right · data-economy
  • § 09 · DATA-PROPERTY-RIGHTS

    When the 'Right to Use Data' Goes External — Provision, Derivative Data, and the Erosion of Upstream Control

    Part two of Hong Yanqing's (洪延青, 网安寻路人) study notes on China's 'separation of three rights' data-property framework turns to the Right to Use Data (数据使用权). The official definition (国家数据局, Common Data Terms Batch 2) makes the use right an *internal* power — 'I use my own data' to process, aggregate, analyse, and form derivative data — exercised on the premise of *not* providing data externally. So 'granting a use right to a downstream party' is not the use right travelling outward; it is the upstream party exercising its **operation right** to license, while the downstream party acquires a use right. That externalisation flips the downstream's legal position from PIPL **entrusted processor** (委托处理) to **provision** (提供) or **joint processing** — triggering notice and *separate consent* for personal information, and the Network Data Security Regulation's contracting duties. And because a strong use right lets the downstream form **derivative data** (衍生数据) — models, scores, indices, labels — value migrates downstream even though the raw data stays upstream. DCC's read for overseas counsel: in China data deals the use right is real but never self-bounding; whether a partner will grant an open, autonomous use right depends on its business model (control-dependent vs monetisation), and the default structure you should expect is *controlled use* (sandbox, privacy computing, federated modelling), not a clean copy.

    data-property-rights · data-use-right · data-economy
  • § 10 · DATA-PROPERTY-RIGHTS

    Two Paths for the 'Right to Hold Data' — and Why the Narrow One May Add Little

    Hong Yanqing (洪延青, 网安寻路人) works through the most unstable concept in China's 'separation of three rights' data-property framework — the Right to Hold Data (数据持有权). He pushes two readings to their logical ends. Path 1, the official 'complete separation' (三权完全切割): if the rights to hold, use, and operate data are truly independent, the holding right shrinks to a bare 'lawful-control state' whose only content is defensive — and that defense is already provided, against the world, by PIPL Article 10, DSL Article 32, the Network Data Security Regulation, and Article 13 of the Anti-Unfair Competition Law, so its incremental value as a standalone property right is thin. Path 2, the 'mother-right' reconstruction (持有权母权化): redefine 'holding' from factual control to a normative control that contains utilization potential, so the rights to use and operate are carved out from within it. DCC's read for overseas counsel: in Chinese data deals the tradeable substance sits in the rights to use and operate plus contract, registration, and compliance — not in 'who holds the data' — and China's data-property theory is still genuinely unsettled.

    data-property-rights · data-holding-right · data-economy
  • § 11 · HEALTH-DATA

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

    health-data · healthcare · data-classification
  • § 12 · CRITICAL-INFORMATION-INFRASTRUCTURE

    Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules

    China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.

    critical-information-infrastructure · important-data · data-security
  • § 13 · ANONYMIZATION

    Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime

    Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.

    anonymization · personal-information · data-economy
  • § 14 · ANONYMIZATION

    From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative

    The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.

    anonymization · personal-information · de-identification
  • § 15 · DATA-ECONOMY

    Tang Linyao — Data-Broker Derivative Harms and the 'Data Integration Analysis Framework'

    Tang Linyao (Chinese Academy of Social Sciences) maps the regulatory gap for data-broker derivative harms — the harms that arise not from direct PI leakage but from the integration and aggregation activity that data brokers themselves perform. The analytical core: a vertical / horizontal data-relations framework that explains why existing PIPL-style protection (vertical-relationship-focused) systematically fails to address horizontal-relationship harms; and the 'abstract risk substantialization' doctrine borrowed from US precedent and EU GDPR to bring data-broker risk into ex-ante regulatory scope. Operationally, Tang proposes a 'Data Integration Analysis Framework' with concrete tiering (三高 / 双高 / 单高 / 三低) that translates academic doctrine into compliance-program-grade controls. Applied to a real Shenzhen Data Exchange listing as worked example.

    data-economy · data-broker · data-exchange
  • § 16 · ENFORCEMENT

    Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine

    In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.

    enforcement · samr · platform-liability
  • § 17 · ENFORCEMENT

    MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse

    MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.

    enforcement · miit · app-compliance
  • § 18 · DATA-PROPERTY-RIGHTS

    Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights

    NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.

    data-property-rights · data-twenty · entrusted-processing
  • § 19 · DATA-TRADING

    Mapping the Red Lines: Compliance Assessment for Surveying and Geographic-Information Data Products on a Chinese Data Exchange

    When Sichuan province's first surveying and geographic-information (测绘地理信息) data product was listed on the Shenzhen Data Exchange (深圳数据交易所), the compliance team from Si Chuan Rui Li Heng Law Firm worked through a seven-point assessment framework that goes well beyond general data-trading rules. This brief walks overseas counsel through that framework: why the surveying-and-mapping regime (测绘法 and subordinate rules) adds a specialist qualification layer on top of the Network Data Security Management Regulations; how the classified-surveying-results (涉密测绘成果) screen works in practice; what 'important geographic-information data' (重要地理信息数据) means for tradability; and why data origin — self-collected versus purchased versus project-derived — changes the due-diligence checklist materially. The operational takeaway: for this sector, general data-exchange compliance is necessary but not sufficient.

    data-trading · surveying-data · geographic-information
  • § 20 · PIA

    The PIA as a Trading-Compliance Line — What the Network Data Security Management Regulations Add for Personal-Information Data Products

    China's personal-information protection impact assessment (PIA / 个人信息保护影响评估) has long been a statutory requirement under PIPL, but uptake in data-trading contexts remains low. A DEXC+ analysis by Wang Senpeng of Shenzhen Data Exchange argues that the Network Data Security Management Regulations (网络数据安全管理条例, 'Network Data Regs') significantly refine when and how a PIA must be conducted before a personal-information data product changes hands. The brief maps three trigger layers — subject compliance, subject-matter compliance, and circulation compliance — and then draws out the evaluation dimensions the Regulations add: a new 'dual-list' privacy-policy requirement, data-processing-agreement minimum contents, a three-year record-keeping obligation, and tightened rules on web-scraping and de-identification. For overseas counsel: a PIA is no longer just a cross-border formality — it is the primary compliance gate for trading sensitive data, delegated-processing arrangements, and any automated-decision-making data product.

    pia · personal-information-protection · data-trading
  • § 21 · PERSONAL-INFORMATION

    Is There Such a Thing as 'Game Data Compliance' in China? — Li Wenlong's Field Notes

    Li Wenlong (科技利维坦) reports field observations on personal-data collection inside Chinese games, framed around three questions: is there an industry-specific 'game data compliance' mode; where is enforcement actually concentrated; and does the Chinese picture differ from abroad. His read: domestic game-data compliance is still at a 'wild-west stage' — the violations being caught are the blunt, clearly-unlawful kind (a game demanding photo-album permission), and the enforcement frontier is no different from any other app ecosystem. A principle-level framework was in place before 2023, but the yardstick stays crude, with no breakthrough on concrete evaluation standards — which caps how deep either enforcement or compliance can go. Overseas (GDPR and consumer law), games were under-scrutinised until the last year or two. The forward warning: games will be the main carrier of VR and will embed many models, so the compliance picture is about to get far more complex. For overseas counsel advising game studios on the China market: a reality check on what is — and isn't — being enforced.

    personal-information · pipl · app-compliance
  • § 22 · IMPORTANT-DATA

    How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan

    Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.

    important-data · data-classification · cross-border
  • § 23 · CROSS-BORDER

    FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data

    Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.

    cross-border · important-data · ftz-negative-list
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →