On September 10, 2024, the People’s Republic of China introduced new Network Data Security Management Regulations to enhance its data security framework. These regulations, approved by the State Council, are designed to clarify and strengthen the enforcement of existing laws, including the Cybersecurity Law, Data Security Law, and Personal Information Security Law. By establishing a comprehensive national framework, these regulations will supersede previous data security measures issued by local and ministerial authorities.
The new regulations will significantly broaden data security controls, particularly over “important data,” which encompasses categories related to national security and economic information, such as intellectual property. Companies handling such data will now be required to disclose their data practices and submit to audits conducted by the Cyberspace Administration of China. This increased scrutiny aims to ensure that sensitive information is protected in line with the country’s rigorous data security standards.
In addition to tightening domestic controls, the regulations extend China’s data security laws to include international data processing. This move is expected to impact foreign companies operating in China, potentially accelerating their efforts to compartmentalize and localize data storage in compliance with Chinese regulations. The regulations mandate that handlers of PRC-related data report breaches and comply with PRC security requirements for cross-border data flows.
The introduction of these regulations reflects China’s ongoing efforts to enhance its control over data, both within its borders and beyond. By expanding access to and control over foreign data, alongside strengthening protections for domestic information, the regulations aim to bolster China’s strategic objectives in data management and cybersecurity. The new framework represents a significant shift in how data security will be managed and enforced in China.
Reference:
