Regulation on Network Data Security Management
Order
of the State Council of the People's Republic of China
(No. 790)
The Regulation on Network Data Security Management, as adopted at the 40th
executive meeting of the State Council on August 30, 2024, is hereby issued,
and shall come into force on January 1, 2025.
Premier: Li Qiang
September 24, 2024
Regulation on Network Data Security Management
Chapter I General Provisions
Article 1 This Regulation is developed in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other applicable laws for the purposes of regulating network data processing activities, ensuring the security of network data, promoting the reasonable and effective use of network data in accordance with the law, protecting the lawful rights and interests of individuals and organizations, and safeguarding national security and public interest.
Article 2 This Regulation shall apply to network data processing activities, and the security supervision and administration thereof, conducted within the territory of the People's Republic of China.
This Regulation shall also apply to activities conducted outside the territory of the People's Republic of China to process the personal information of natural persons within the territory of the People's Republic of China, provided that such activities fall under the circumstances specified in paragraph 2 of Article 3 of the Personal Information Protection Law of the People's Republic of China.
Whoever conducts network data processing activities outside the territory of the People's Republic of China to the detriment of the national security, public interest, or the lawful rights and interests of citizens and organizations of the People's Republic of China shall be held legally liable in accordance with the law.
Article 3 In the management of network data security, the leadership of the Communist Party of China shall be adhered to, a holistic approach to national security shall be pursued, and efforts shall be coordinated to promote the development and utilization of network data and to ensure network data security.
Article 4 The state encourages the innovative application of network data in all industries and fields, and shall strengthen the building of capacity for ensuring network data security, support the innovation of technologies, products, and services related to network data, carry out publicity, education, and talent training for network data security, and promote the development and utilization of network data and the development of the industry.
Article 5 The state shall implement classified and graded protection of network data based on the importance of network data in economic and social development and on the degree of harm that would be caused to national security, public interest, or the lawful rights and interests of individuals and organizations if the network data were tampered with, destroyed, divulged, illegally obtained, or illegally used.
Article 6 The state shall actively participate in the development of international rules and standards related to network data security so as to promote international exchange and cooperation.
Article 7 The state supports relevant industry organizations in developing codes of conduct for network data security in accordance with their bylaws, strengthening industry self-regulation, directing their members to strengthen network data security protection, improving the level of network data security protection, and promoting the sound development of the industry.
Chapter II General Rules
Article 8 No individual or organization may use network data to engage in illegal activities, steal or obtain network data by other illegal means, illegally sell or illegally provide network data to others, or carry out other illegal network data processing activities.
No individual or organization may provide any program or tool specially used for conducting the illegal activities specified in the preceding paragraph. Any individual or organization that knows a person is conducting illegal activities as mentioned in the preceding paragraph shall not provide that person with Internet access, server hosting, network storage, communication and transmission, or other technical support, or provide assistance in advertising promotion, payment and settlement, among others.
Article 9 A network data processor shall, in accordance with the provisions of applicable laws and administrative regulations and the compulsory requirements of national standards, and on the basis of graded cybersecurity protection, strengthen network data security protection, establish and improve network data security management rules, take technical measures such as encryption, backup, access control, and security authentication, together with other necessary measures, to protect network data from being tampered with, destroyed, divulged, illegally obtained, or illegally used, handle network data security incidents, prevent illegal and criminal activities against and using network data, and assume primary responsibility for the security of the network data it processes.
Article 10 Network products and services provided by a network data processor shall comply with the compulsory requirements of relevant national standards. When a network data processor discovers any risk such as a security defect or vulnerability in its network products or services, it shall immediately take remedial measures, inform users in a timely manner, and report to the appropriate department in accordance with the applicable provisions. If any damage is caused to national security or public interest, the network data processor shall also report to the appropriate department within 24 hours.
Article 11 A network data processor shall establish and improve its contingency plan for network data security incidents. When a network data security incident occurs, it shall immediately activate its contingency plan, take measures to prevent the expansion of the harm, eliminate hidden security risks, and report to the appropriate department in accordance with the applicable provisions.
If a network data security incident damages the lawful rights and interests of any individual or organization, the network data processor shall promptly notify the interested parties of the security incident and its risks, harmful consequences, and the remedial measures taken, among others, by such means as telephone calls, text messages, instant messaging tools, e-mail, or public announcements. If any law or administrative regulation prescribes that such notice is not required, those provisions shall prevail. If a network data processor finds any clue to suspected illegal or criminal acts in the process of handling a network data security incident, it shall report the case to the public security authority or the state security authority in accordance with the applicable provisions, and cooperate in the criminal investigation, inquiry, and disposal of the case.
Article 12 Where a network data processor provides, or entrusts the processing of, personal information and important data to any other network data processor, it shall, by concluding a contract or by other means, agree with the network data recipient on the purpose, method, and scope of processing as well as the security protection obligations, among others, and oversee the recipient's performance of those obligations. Records of such data provision or entrusted processing shall be kept for at least three years.
A network data recipient shall fulfill its obligations of network data security protection and process personal information and important data according to the agreed purpose, method, and scope, among others.
If two or more network data processors jointly decide on the purpose and methods of processing personal information and important data, they shall agree on their respective rights and obligations.
Article 13 Where network data processing activities carried out by a network data processor affect or may affect national security, a national security review shall be conducted in accordance with the relevant provisions issued by the state.
Article 14 Where a network data processor needs to transfer network data due to its business combination, division, dissolution, bankruptcy, or any other reason, the network data recipient shall continue to fulfill its network data security protection obligations.
Article 15 In commissioning others to construct, operate, or maintain an e-government system or to store or process government data, a state organ shall undergo strict approval procedures in accordance with the relevant provisions issued by the state, specify the commissioned party's authority to process network data and its protection responsibilities, among others, and oversee the commissioned party's performance of its data security protection obligations.
Article 16 Where a network data processor provides services to state organs or critical information infrastructure operators, or participates in the construction, operation, and maintenance of other public infrastructure or public service systems, it shall fulfill its network data security protection obligations in accordance with the provisions of laws and regulations and as agreed upon in contracts, and provide secure, stable, and continuous services.
A network data processor as mentioned in the preceding paragraph shall not, without the consent of the principal, access, obtain, retain, use, divulge, or provide others with network data, or conduct correlation analysis of network data.
Article 17 For an information system providing services to a state organ, network data security management shall be strengthened to ensure network data security by reference to the requirements for the management of e-government systems.
Article 18 A network data processor using automated tools to access and collect network data shall assess the impact on network services and shall not illegally intrude into others' networks or interfere with the normal operation of network services.
Article 19 A network data processor providing generative artificial intelligence services shall strengthen the security management of training data and of training data processing activities, and take effective measures to prevent and handle network data security risks.
Article 20 A network data processor providing products and services to the public shall accept social supervision, establish convenient channels for filing complaints and reports on network data security, announce the methods for filing complaints and reports and other relevant information, and promptly accept and handle complaints and reports on network data security.
Chapter III Personal Information Protection
Article 21 Where a network data processor, before processing personal information, informs an individual in accordance with the law by developing rules for processing personal information, such rules shall be publicly displayed in a centralized manner, be easily accessible, and be placed in a conspicuous position, with explicit, specific, clear, and understandable content, including but not limited to:
(1) the name and contact information of the network data processor;
(2) the purpose and method of processing personal information, the type of personal information to be processed, the necessity of processing sensitive personal information, and the impact on personal rights and interests;
(3) the period for preserving personal information and the method for processing such information upon expiration; if it is difficult to determine the preservation period, the method for determining the preservation period shall be specified; and
(4) the methods and channels, among others, for individuals to access, reproduce, transfer, correct, supplement, delete, and restrict the processing of their personal information, and to deregister their accounts and withdraw their consent.
When informing individuals of the collection of personal information and its provision to other network data processors in accordance with the preceding paragraph, a network data processor shall specify the purpose, method, and type of personal information processing, as well as information on the network data recipient, in a list or any other form. If a network data processor processes the personal information of minors under the age of 14, it shall also develop special rules for processing such personal information.
Article 22 A network data processor processing personal information based on an individual's consent shall comply with the following provisions:
(1) Where the collection of personal information is necessary for the provision of products or services, it shall not collect personal information beyond that scope, and shall not obtain the individual's consent by misleading, fraudulent, coercive, or other means.
(2) It shall obtain the individual's separate consent if sensitive personal information such as biometric information, religious belief, specific identity, medical and health care, financial account, and whereabouts is processed.
(3) It shall obtain the consent of the minor's parents or other guardians if the personal information of a minor under the age of 14 is processed.
(4) It shall not process personal information beyond the purpose, method, type, and preservation period to which the individual has agreed.
(5) It shall not frequently request consent after the individual has explicitly refused the processing of his or her personal information.
(6) In case of any change in the purpose or method of processing personal information or the type of personal informati......