On 24 Sept. 2024, China’s State Council published the “Regulation on Network Data Security Management” (网络数据安全管理条例, hereinafter the “Regulation”), which shall come into force on 1 Jan. 2025.
In China, three laws have been enacted as the pillars of network governance and data security: the “Cybersecurity Law”, the “Data Security Law”, and the “Personal Information Protection Law”. The purpose of the Regulation is to standardize network data processing activities, with a focus on personal information, important data, and cross-border data flow, and to refine and supplement the compliance requirements for network data protection in existing laws.
The highlights of the Regulation are as follows.
- It clarifies the requirements for exercising rights to access, copy, modify, supplement, and delete personal information, as well as the conditions for the transfer of personal information.
- It requires processors of important data to conduct annual risk assessments of their network data processing activities, with clear reporting requirements for these assessments.
- It addresses the difficulty of opting out of personalized recommendation services, the variety of personal information collected, and the misuse of personalized profiling data by requiring network platform service providers to set up opt-out options for personalized recommendations that are easy to understand, access, and use, and to provide users with functions such as refusing to receive pushed information and deleting user tags that are targeted to their personal characteristics.
Contributors: CJO Staff Contributors Team