CAC Notice for Soliciting Public Comments on the Regulations for the Administration of Network Data Security (Exposure Draft)

By Francesca YuLast Updated on Nov 17, 2021
CAC Notice for Soliciting Public Comments on the Regulations for the Administration of Network Data Security (Exposure Draft)

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2021-11-14

Effective Date: TBC

Source: http://www.cac.gov.cn/2021-11/14/c_1638501991577898.htm

Original Title: 国家互联网信息办公室关于《网络数据安全管理条例(征求意见稿)》公开征求意见的通知

CAC Notice for Soliciting Public Comments on the Regulations for the Administration of Network Data Security (Exposure Draft)

To implement the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws on data security management, regulate network data processing activities, protect the legitimate rights and interests of individuals and organizations in cyberspace, and safeguard national security and the public interest, according to the State Council’s 2021 legislative agenda, the Office of the Cyberspace Administration of China (“CAC”), in conjunction with relevant authorities, have drafted upon study the Regulations for the Administration of Network Data Security (Exposure Draft), which are hereby promulgated for public comments. The public may provide feedback through any of the following channels and ways:

1. Email comments to: shujuju@cac.gov.cn; or

2. Send comments by letter to: Network Data Administration, CAC, No. 11 Chegongzhuang Street, Xicheng District, Beijing 100044, with the words “Comments solicited for the Regulations on Network Data Security Management” indicated on the envelope.

The deadline for feedback is December 13, 2021.

Office of the CAC

November 14, 2021

Annex:

Regulations for the Administration of Network Data Security (Exposure Draft)

Chapter I General Provisions

Article 1 These Regulations are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws to regulate network data processing activities, ensure data security, protect the legitimate rights and interests of individuals and organizations in cyberspace, and safeguard national security and the public interest.

Article 2 These Regulations apply to data processing activities carried out through networks as well as the supervision and regulation of network data security within the territory of the People’s Republic of China.These Regulations also apply to the processing carried out outside the territory of the People’s Republic of China of data of individuals or organizations within the territory of the People’s Republic of China if such processing falls under any of the following circumstances:

1. where the processing purpose is to provide products or services to recipients in China;

2. where it analyses or evaluates the behavior of individuals or organizations in China;

3. where it involves the processing of China’s important data; or

4. any other circumstance as stipulated in law or administrative regulations.

These Regulations do not apply to data processing activities carried out by natural persons for personal or family affairs purposes.

Article 3 The State coordinates development and security, attaches equal importance to promoting data development and utilization and ensuring data security, enhances the development of data security protection capabilities, ensures the free flow of data in a lawful and orderly manner, and promotes the use of data in a lawful, reasonable and efficient manner.

Article 4 The State supports technologies, products and service innovation and talent training related to data development and utilization and security protection.The State encourages state agencies, industry organizations, enterprises, educational and scientific research institutions, and relevant specialized agencies, among others, to carry out cooperation in data development and utilization and security protection, as well as to carry out publicity, education and training on data security.

Article 5 The State establishes a classified and graded data protection system. Data are divided into general data, important data and core data according to the impact and degree of importance of the data in relation to national security, the public interest, or the legitimate rights and interests of individuals or organizations, and different protection measures shall be taken for data at different levels.The State focuses on the protection of personal information and important data and implements strict protection of core data.

All regions and departments shall, in accordance with the requirements of national data classification and grading, classify and manage the data of their regions, departments and related industries and fields.

Article 6 Data processors shall be responsible for the security of the data they process, fulfill their data security protection obligations, accept government and social supervision, and assume social responsibility.Data processors shall establish sound data security management systems and technical protection mechanisms in compliance with relevant laws and administrative regulations as well as the mandatory requirements of national standards.

Article 7 The State promotes the openness and sharing of public data, promotes data development and utilization, and regulates public data in accordance with the law.The State establishes a sound data trading management system, specifying the standards for the set up and operation of data trading organizations and regulating data flow and trading activities to ensure the flow of data in a lawful and orderly manner.

Chapter II General Rules

Article 8 Any individual or organization carrying out data processing activities shall abide by law and administrative regulations and respect social morality and ethics, and shall not engage in any of the following activities:1. harming of national security, honor or interests, or leakage of state secrets or official work-related secrets;

2. infringement upon the reputation, privacy, copyright or other legitimate rights of others;

3. acquisition of data by theft or other illegal means;

4. illegal sale or illegal provision of data to others;

5. production, release, reproduction or dissemination of illegal information; and

6. other activities prohibited by laws or administrative regulations.

Any individual or organization that knows or ought to know that others is engaged in any of the activities stated in the preceding paragraph shall not provide such others with any technical support, tool or program or advertising, payment, settlement or other services.

Article 9 Data processors shall adopt backup, encryption, access control or other necessary measures to protect data from leakage, theft, tampering with, damage, loss and illegal use, to respond to data security incidents, and to guard against illegal and criminal activities targeting or using data, in order to maintain the integrity, confidentiality and availability of data.Data processors shall enhance the security protection of data processing systems, data transmission networks, and data storage environments, among others, under the graded cybersecurity protection requirements, and any system that processes important data shall in principle meet the security protection requirements for Level 3 or higher cyberspace and critical information infrastructure, and any system that processes core data shall be strictly protected in accordance with relevant regulations.

Data processors shall use encryption to protect important data and core data.

Article 10 Upon discovering that a network product or service used or provided has a security flaw or loophole or poses a risk such as threating national security or harming the public interest, the data processor concerned shall immediately take remedial measures.

Article 11 Data processors shall establish a data security emergency response mechanism, and promptly activate such emergency response mechanism at the time of a data security incident to take measures to prevent the spread of harm and eliminate potential security risks. If a security incident has caused harm to an individual or organization, the data processor concerned shall notify any interested party of such information as the security incident and risk situation, the consequence of harm caused, and the remedial measures that have been taken shall be notified through phone calls, SMS, instant messaging tools or emails, etc. within three business days; in case that an interested party cannot be reached, the notification may be made through a public announcement, except where such notification is not required according to relevant provision of laws or administration regulations. For any security incident involving criminal offense, the data processor concerned shall report the case to public security authorities as required.For any data security incident such as the leakage, damage, or loss of important data or the personal information of more than 100,000 people, the data processor concerned shall additionally perform the following obligations:

1. reporting the basic information of the incident, including the quantity and type of data involved, possible impact, and disposal measures already taken or proposed to be taken, to the districted city-level cybersecurity authority and other relevant competent authorities within eight (8) hours of the occurrence of the security incident; and

2. submitting an investigation and assessment report covering the cause of the incident, the consequence of harm caused, the accountability, and the improvement measures taken, among other information, to the districted city-level cybersecurity authority and other relevant authorities within five (5) business days of the disposal of the incident.

Article 12 Data processors shall abide by the following rules in the provision of personal information to any third party, or the sharing or trading of important data with, or contracting of processing of important data to any third party:1. informing the individual concerned of the purpose and manner of providing the personal information, the type, scope, and the period and place of retention of the personal information to be provided, and obtaining consent from the individual, except where personal consent is not required according to relevant laws or administrative regulations or where the personal information has been anonymized;

2. agreeing with the data recipient upon, among others, the purpose, scope and manner of the processing of the data and the data security protection measures to be taken, establishing, by contract or otherwise, the data security responsibilities of both parties, and supervising the data processing activities of the data recipient; and

3. retaining personal consent records and log records for the provision of personal information, and approval records and log records for the sharing, trading or contracting of processing of important data for at least five years.

The data recipient shall perform the agreed obligations and shall not process personal information or important data beyond the agreed purpose, scope or method of processing.

Article 13 A data processor shall apply for a cybersecurity review in compliance with relevant national regulations under any of the following circumstances:1. a merger, reorganization, or division to be conducted by an Internet platform operator who has amassed a large number of data resources that concern national security, economic development or the public interest, which will or may impact national security;

2. the data processor processing the personal information of more than one million individuals is to go public overseas;

3. the data processor processing is to go public in Hong Kong, which will or may impact national security; or

4. other data processing activities that will or may have an impact national security.

The establishment of headquarters overseas or an operation center or R&D center overseas by a large Internet platform operator shall be reported to the national cyberspace authority and other competent authorities.

Article 14 Where a merger, reorganization or division occurs to a data processor, the data recipient concerned shall continue to perform data security protection obligations, and if important data or the personal information of more than one million people is involved, the event shall be reported to the districted city-level competent authority. Where a dissolution or declared bankruptcy occurs to the data processor, the event shall be reported to the districted city-level competent authority, and the data shall be handed over or deleted in accordance with relevant requirements, or if the competent authority cannot be identified, the report shall be made to the districted city-level cyberspace authority.

Article 15 With regard to the data obtained through other channels, the data processor concerned shall perform data security protection obligations in accordance with these Regulations.

Article 16 State agencies shall establish and improve their data security management systems in accordance with laws, administrative regulations and the mandatory requirements of national standards, and implement data security protection responsibilities to ensure the security of government affairs-related data.

Article 17 Data processors shall assess the impact on the performance or functions of network services when using an automated tool to access or collect data, which shall not interfere with the normal functions of network services.Where the use of an automated tool to access or collect data violates any law, administrative regulations or the industry’s self-regulatory agreement, affects the normal functions of network services, or infringes the intellectual property or other legitimate rights and interests of others, the data processor concerned shall stop accessing or collecting data and take appropriate remedial measures.

Article 18 Data processors shall establish convenient channels for data security-related complaints and reports and receive and deal with the complaints and reports in a timely manner.Data processors shall make public the contact information for receiving complaints and reports and the information of the responsible person, and disclose the number of personal information security-related complaints received and processed, the processing results, and the average processing time, to receive social oversight.

Chapter III Personal Information Protection

Article 19 Data processors shall process personal information for specified and reasonable purposes and in compliance with the principles of lawfulness, legitimacy and necessity. Where the processing of personal information is based on personal consent, the following requirements shall be met:1. the personal information processed shall be necessary for providing a service to the individual concerned or fulfilling an obligation prescribed by law or administrative regulations;

2. the processing shall be limited to the minimum period and the minimum frequency necessary for achieving the purpose of the processing and conducted in a way that has the least impact on personal rights and interests; and

3. an individual shall not be refused a service or interfered with in the normal use of a service due to his or her refusal to provide information other than that necessary for the provision of such service to the individual.

Article 20 With regard to the processing of personal information, data processors shall develop personal information processing rules and strictly abide by these rules. Personal information processing rules shall be displayed in a centralized manner, made easy to access, and placed in a prominent place, with content which is clear and specific, in a concise and plain style, and systematically and fully explains the processing of personal information to individuals.Personal information processing rules shall include without limitation, the following content:

1. the personal information needed as identified based on the functions of the product or service provided, and the purpose, use, manner, and frequency or time of the processing and the type and place of retention of the personal information to be processed by each function, among other information, stated in a list form, as well as the impact on individuals if they refuse the processing of their personal information;

2. the retention period for personal information or the method for determining the retention period for personal information, and the way to handle personal information upon the expiration of such period;

3. the ways and methods for individuals to access, copy, correct, delete, restrict the processing of, and transfer their personal information, as well as to deregister an account and withdraw consent to the processing of their personal information;

4. the names of all third-party codes or plug-ins that collect personal information, which are embedded in the product or service, displayed in a centralized manner or otherwise stated in a manner easy to access by users, and the purpose, manner, and frequency or time of collection and the type of personal information to be collected by each third-party code or plug-in, and its personal information processing rules;

5. any circumstance under which personal information is provided to a third party, and the purpose and manner of the provision, the type of personal information to be provided, relevant information of the data recipient etc.;

6. personal information security risks and protection measures; and

7. channels for complaints and reports about personal information security issues and the way to resolve them, and the contact information of the personal information protection officer.

Article 21. Where personal consent shall be obtained for the processing of personal information, the data processor concerned shall abide by the following rules:1. consent shall be requested to an individual for different types of service proposed respectively, and No general terms shall be used to obtain consent;

2. specific consent shall be obtained for the processing of personal biometric, religious belief, specific identity, medical and health, financial account, location tracking or other sensitive personal information;

3. guardian’s consent shall be obtained for the processing of the personal information of a minor below the age of fourteen;

4. consent to the processing of personal information shall not be compelled on grounds such as for improving service quality, enhancing user experience or developing a new product;

5. consent shall not be obtained by misleading, fraudulent, coercive or any such means;

6. an individual shall not be induced or compelled, through bundling different types of services, making a batch request for consent or otherwise, into giving batch consent to the processing of personal information;

7. personal information shall not be processed beyond the authorized scope of the consent given; and

8. there shall not be frequent requests for consent or interferences with the normal use of service after an individual has expressly refused consent.

If there is a change to the purpose or manner of the processing or the type of personal information to be processed, the data processor shall obtain personal consent again and at the same time amend the personal information processing rules.

The data processor shall bear the burden of proof in case of a dispute over the validity of the consent given by an individual.

Article 22 Data processors shall delete or anonymize an individual’s personal information within fifteen (15) business days in any of the following circumstances:1. where the purpose of processing of the personal information has been achieved or the personal information is no longer necessary for achieving the purpose of processing;

2. where the retention period as agreed with the user or stated in the personal information processing rules expires;

3. where service is terminated or the individual’s account is deregistered; or

4. where it cannot be avoided that the personal information collected is beyond what is necessary or consented to by the individual due to the use of automated collection technology or other reasons.

If it is technically difficult to delete the personal information, or it is difficult to delete the personal information within fifteen(15) business days due to the complexity of the service or other reasons, the data processor concerned may not process the personal information except for the storage and necessary measures taken for its security protection, and shall provide a reasonable explanation to the individual.

Where it is otherwise provided in law or administrative regulations, such other provision shall prevail.

Article 23 With regard to reasonable requests from individuals for access to, copying, correction, supplementation, restriction of processing, or deletion of their personal information, the data processor concerned shall perform the following obligations:1. providing an easy method and way that supports the individuals in conducting structured queries for information such as the type and amount of their personal information collected, without restrictions imposed in terms of time, location or any other factor on the reasonable requests from individuals;

2. providing easy functions that support the individuals in the copying, correction, supplementation, restriction of processing, and deletion of their personal information, withdrawal of consent and deregistration of account, without any unreasonable conditions imposed thereon; and

3. processing and providing feedback within fifteen (15) business days on a request received from an individual for copying, correction, supplementation, restriction of processing, or deletion of the person’s personal information, withdrawal of consent or deregistration of account.

Where it is otherwise provided by law or administrative regulations, such other provision shall prevail.

Article 24 With regard to a request for transfer of personal information that meets any of the following requirements, the data processor concerned shall provide transfer services for the personal information to be accessed and obtained by the other data processor designated by the requesting individual:1. the personal information requested to be transferred was collected based on consent or personal information necessary for the conclusion or performance of a contract;

2. the personal information requested to be transferred is the personal information of the requesting individual or another individual’s information obtained lawfully and not against the wish of that another individual by the requesting individual; and

3. the legal identity of the requesting individual can be authenticated;The data processor concerned shall give a reasonable risk warning to a request for transfer of personal information if it finds any risk of illegally processing the personal information by the other data processor designated to receive the personal information.

If the number of requests for transfer of personal information from an individual is clearly beyond the reasonable range, the data processor concerned may charge a reasonable fee.

Article 25 Data processors who use biometrics to authenticate personal identity shall conduct a risk assessment of the necessity and security of the use, and shall not use facial, gait, fingerprint, iris, voiceprint or other biometric features as the sole method for personal identity authentication to compel individuals to consent to the collection of their personal biometric information.Where it is otherwise provided for by laws or administrative regulations, such other provisions shall prevail.

Article 26 Data processors processing the personal information of more than one million individuals shall also abide by the provisions of Chapter IV of these Regulations relating to the processors of important data.

Chapter IV Security of Important Data

Article 27 Each region or authority shall, in accordance with relevant national requirements and standards, organize data processors in the region or organization as well as the relevant industries or fields to identify important data and core data, and organize the development of catalogues of important data and core data for the region or authority and the relevant industries or fields, and submit the catalogues to the national cyberspace authority.

Article 28 The processor of any important data shall designate a data security officer and establish a data security management body. The data security management body led by the data security officer shall perform the following responsibilities:1. studying and making recommendations for major decisions related to data security;

2. developing and implementing data security protection plans and data security incident emergency response plans;

3. conducting data security risk monitoring, and disposing of data security risks and incidents in a timely manner;

4. organizing activities such as data security awareness, education and training, risk assessment, and emergency drills to be conducted on a regular basis;

5. receiving and disposing of data security-related complaints and reports; and

6. reporting data security situations to cyberspace authorities and other competent or regulatory authorities in a timely manner as required.

The data security officer shall have professional knowledge in data security and related management experience, who shall be a member of the data processor’s decision-making level, and have the right to directly report data security situations to cyberspace authorities and other competent or regulatory authorities.

Article 29 The processor of any important data shall file with the districted city-level cyberspace authority for the record within fifteen (15) business days after identifying the important data, which shall contain the following information:1. the basic information of the data processor, information of the data security management body, and the name and contact information of the data security officer;

2. the purpose, manner, and scope of the data processing, and the amount, type, and period and place of retention of the data processed, not including the data content itself; and

3. Other information to be filed for the record as required by the national cyberspace authority and competent or regulatory authorities.

Any material change to the purpose or scope of the processing, the type of data processed, or the data security protection measures taken, among others, shall be filed anew for the record.

The cyberspace authorities and other relevant authorities shall share the record-filing information based on the division of responsibilities between them.

Article 30 The processor of any important data shall develop a data security training plan, organize all-employee data security education and training to be conducted on a yearly basis, and the yearly education and training hours for data security-related technical and managerial personnel shall not be less than twenty (20) hours.

Article 31 The processor of any important data shall give priority to secure and credible network products and services in its procurement of network products and services.

Article 32 A data processor who processes important data or who is listed overseas shall complete an annual data security assessment either self-conducted or conducted by a data security service organization engaged, and before January 31 of each year, submit the annual data security assessment report of the previous year to the districted city-level cyberspace authority, which shall contain the following information:1. the processing of any important data;

2. any data security risks discovered and measures for their disposal;

3. the data security management system, data backup, encryption, access control and other security protection measures, and the implementation of the management system and the effectiveness of the protection measures;

4. the implementation of national data security laws, administrative regulations and standards;

5. any data security incidents that occurred and their disposal;

6. the security assessment of the sharing or trading of any important data with, or the contracting of processing or the provision of any important data to an overseas recipient;

7. data security-related complaints received and their handling; and

8. other data security situations as specified by the national cyberspace authority and competent or regulatory authorities.

The data processor shall retain a risk assessment report for at least three years.

The cyberspace authorities and other relevant authorities shall share the reported information based on the division of responsibilities between them.

In the security assessment of the sharing or trading of any important data with, or the contracting of processing or the provision of any Important data to the overseas recipient, the data processor shall focus on assessing the following

1. whether the sharing or trading of the data with, or the contracting of processing or the provision of the data to the overseas recipient, and whether the purpose, manner or scope of the data processing by the data recipient, is lawful, legitimate, and necessary;

2. the risk of the data being leaked, damaged, tampered with, or abused, as well as the risk posed to national security, economic development or the public interest in the sharing or trading of the data with, or the contracting of processing or the provision of the data to the overseas recipient;

3. background information such as the data recipient’s credit standing and status of compliance with law, any cooperation relationship between the data recipient and a foreign government agency, and whether the data recipient is subject to sanctions by the Chinese government; whether the responsibilities committed by the data recipient and the ability of the data recipient to perform the responsibilities can effectively ensure the security of the data;

4. whether the data security requirements specified in the relevant contract entered into with the data recipient can effectively bind the data recipient to the performance of the data security protection obligations; and

5. whether the management and technical measures taken in the data processing process can prevent data leakage, data damage and other risks;If it is believed upon assessment that national security, economic development or the public interest may be harmed, the data processor shall not carry out the sharing or trading of the data with, or the contracting of processing or providing of the data to the overseas recipient.

Article 33 For the sharing or trading of important data with, or the contracting of processing of important data to an overseas recipient, the data processor concerned shall obtain the approval of the competent authority at the districted city level or above, or if the competent authority cannot be identified, shall obtain the approval of the cyberspace authority at the districted city level or above.

Article 34 Any cloud computing service to be procured by a state agency or a critical information infrastructure operator shall be subject to the security assessment organized by the national cyberspace authority in conjunction with relevant authorities under the State Council.

Chapter V Security Management of Cross-Border Data Transfers

Article 35 Where it is necessary for a data processor to provide data to a recipient outside the People’s Republic of China due to business or other reasons, any of the following conditions shall be met:1. a security assessment organized by the national cyberspace authority has been passed for the cross-border data transfer;

2. both the data processor and the data recipient have passed the personal information protection certification conducted by a professional institution recognized by the national cyberspace authority;

3. a contract made in accordance with the standard contract provisions formulated by the national cyberspace authority has been entered into with the overseas data recipient, establishing the rights and obligations of both parties; or

4. any other condition as prescribed by law or administrative regulations or the national cyberspace authority is met;Exception applies where the provision of an individual’s personal information by the data processor to the overseas recipient is necessary for entering into or performing a contract to which the individual is a party, or where the personal information must be provided to the overseas recipient for the protection of the personal life or health or property safety of the individual.

Article 36 To provide the personal information of an individual to a recipient outside the People’s Republic of China, the data processor concerned shall inform the individual of, among other information, the name and contact information of the overseas data recipient, the purpose and manner of the processing, the type of the personal information to be processed, and the way for the individual to exercise personal information rights against the overseas data recipient, and obtain specific consent from the individual.If specific consent has been obtained from an individual for the cross-border transfer of the person’s personal information at the time of collecting the personal information, it is not required to further obtain specific consent from the individual for the cross-border transfer of any personal information covered by that specific consent.

Article 37 Under any of the following circumstances, the provision of data collected or generated within the territory of the People’s Republic of China by a data processor to an overseas recipient shall be subject to the cross-border data transfer security assessment organized by the national cyberspace authority:1. where the data to be transferred overseas contain important data;

2. where personal information is provided to the overseas recipient by a critical information infrastructure operator or a data processor processing the personal information of more than one million individuals; or

3. other circumstances as prescribed by the national cyberspace authority.

Where a security assessment is not required according to a provision of law or administrative regulations or regulations of the national cyberspace authority, such provision shall prevail.

Article 38 Where there is a stipulation on the condition or any other stipulation for the provision of personal information to a receipt outside the People’s Republic of China in an international treaty or agreement concluded or acceded to by the People’s Republic of China, such stipulation may apply.

Article 39 Data processors shall perform the following obligations when providing data to an overseas recipient:1. not providing the personal information to the overseas recipient beyond what is stated in the personal information protection impact assessment report submitted to the cyberspace authority, such as the purpose, scope or manner of the provision or the type or amount of data to be provided;

2. not providing the personal information to the overseas recipient beyond the purpose, scope or manner of the provision, the data type or amount or other conditions identified in the security assessment conducted by the cybersecurity authority;

3. adopting contracting and other effective measures to supervise the data recipient to use the data in accordance with the purpose, scope, and manner agreed between the parties, and to perform data security protection obligations to ensure data security; and

4. receiving and processing user complaints related to the cross-border data transfer;

5. assuming liability under the law if harm has been caused by the cross-border data transfer to the legitimate rights and interests of an individual or organization or to the public interest;

6. retaining relevant log records and approval records for the cross-border data transfer for more than three years;

7. at the time when the national cyberspace authority, in conjunction with relevant authorities the State Council, check the type and scope of the personal information or important data provided to the overseas recipient, presenting the information in writing and in a readable form;

8. stopping the transfer of data to the overseas recipient if the data are deemed by the national cyberspace authority not to be transferred overseas, and taking effective remedial measures for security of the data already transferred overseas; and

9. if it is necessary to further transfer the personal information already transferred overseas, reaching an agreement on the conditions for the further transfer with the individual concerned, and establishing the security protection obligations to be performed by the data recipient.

Unless approved by competent authorities of the People’s Republic of China, no individual or organization within China may provide data stored within the territory of the People’s Republic of China to a foreign judicial or law enforcement agency.

Article 40 A data processor who provides personal information or important data to any overseas recipients shall prepare a cross-border data transfer security report by January 31 of each year to report the following cross-border data transfer information of the previous year to the districted city-level cyberspace authority:1. the name and contact information of any and all data recipients;

2. the type, quantity and purpose of the data transferred overseas;

3. the place and period of retention, and scope and manner of use of the data overseas;

4. cross-border data transfer-related user complaints and their handling;

5. any data security incidents that occurred and their disposal;

6. any further transfer of the data transferred overseas; and

7. other matters to be reported for cross-border data transfers as specified by the national cyberspace authority.

Article 41 The State establishes security gateways for cross-border data transfers to block the transmission of information that originates from outside the People’s Republic of China and that is prohibited by law or administrative regulations from being released or transmitted.No individual or organization may provide any program, tool or cable etc., which is used for passing through or bypassing a security gateway for cross-border data transfers, or provide any Internet access, server hosting, technical support, communication and marketing, payment and settlement, application downloading or other services for passing through or bypassing a security gateway for cross-border data transfers.

The traffic of domestic users accessing domestic networks shall not be routed overseas.

Article 42 Data processors engaged in cross-border data activities shall establish and improve the relevant technical and management measures in compliance with the national security regulatory requirements on cross-border data transfers.

Chapter VI Obligations of An Internet Platform Operator

Article 43 Internet platform operators shall establish data-related platform rules, a privacy policy and an algorithm strategy disclosure system, and timely disclose the drafting procedures and adjudication procedures to ensure fairness and impartiality of the platform rules, privacy policy and algorithms.For the formulation of platform rules or privacy policy or any amendment thereto which will have a material impact on user rights and interests, an Internet platform operator shall solicit public consultation on its official website or on the Internet platform of the relevant industry association for personal information protection, and the period for soliciting public consultation shall not be less than thirty(30) business days to ensure that users can sufficiently and conveniently express their opinions. The Internet platform operator shall sufficiently adopt public opinions to amend and improve its platform rules or privacy policy, and announce information about the adoption of the opinions in a manner that is easy for access by users, while stating the reasons for not adopting any opinions, to receive social oversight.

The formulation of platform rules or privacy policy of a large Internet platform operator with more than 100 million daily active users or any amendment thereto that will have a material impact on user rights and interests shall be evaluated by a third-party agency recognized by the national cyberspace authority, and submitted to the cyberspace authority and telecommunications authority at or above the provincial level for approval.

Article 44 An Internet platform operator shall be responsible for the data security management of any third-party product or service connected to its platform, establish, by contract or otherwise, the data security responsibilities of the third party, and urge the third party to enhance data security management and adopt necessary data security protection measures.If the third-party product or service causes damage to a user, the user may demand an advance of compensation from the Internet platform operator.

The preceding two paragraphs are applicable to any third-party product pre-installed on a mobile communication terminal.

Article 45 The State encourages Internet platform operators that provide instant messaging services to provide users with personal communication and non-personal communication options in terms of functional design. Personal communication information shall be strictly protected in accordance with personal information protection requirements, and non-personal communication information shall be managed in accordance with regulations relating to public information.

Article 46 Internet platform operators shall not use data, their platform rules or otherwise to engage in the following activities:1. applying differentiated pricing of a product or service on users with the same transaction status without good reason or otherwise harming the lawful interests of users by using the user data collected or held by the platform;

2. selling at the lowest price in the promotion of products or otherwise harming fair competition by using the business operator data collected or held by the platform;

3. misleading, deceiving or coercing users, processing users’ data against their wishes, infringing users’ right to decide on the processing of their data by using data; or

4. imposing any unreasonable restriction or barrier in areas such as platform rules, algorithms, technology or traffic allocation to restrict the fair access by small or micro-enterprises on the platform to the industry or market data generated by the platform, obstructing market innovation.

Article 47 Internet platform operators who provide app distribution services shall establish and disclose their app review rules and conduct security reviews of the apps in compliance with relevant laws and administrative regulations and the regulations of the national cyberspace authorities. For an app that does not comply with law or administrative regulations or any mandatory requirement of a national standard, measures such as refusal of entry to the store, urging of rectification or removal from the store shall be taken.

Article 48 An Internet platform operator who provides instant messaging services to the public shall, in compliance with the regulations of the telecommunications authority under the State Council, provide data interfaces for the instant messaging services provided by other Internet platform operators, and support the intercommunication of user data between different instant messaging services, and shall not restrict the access or transfer of files by users to another Internet platform without good reason.

Article 49 Internet platform operators who provide information to users using personal information and algorithms for personalized push notifications shall be responsible for the authenticity, accuracy, and legitimacy of sources of the pushed information, and shall meet the following requirements:1. obtaining personal consent when collecting personal information for personalized recommendations;

2. allowing users to refuse targeted push notifications by offering a one-click option to turn off personalized recommendations which is easy to understand, access and operate, and allowing users to reset, modify, and adjust push parameters that target their personal characteristics; and

3. allowing individuals to delete their personal information collected or generated by targeted push notification services, unless otherwise provided by law or administrative regulations or otherwise agreed with the user.

Article 50 The State develops public service infrastructure for network identity authentication and provide public services for personal identity authentication under the principle that the government provides guidance and netizens may participate on a voluntary basis.Internet platform operators shall support and give priority to the use of personal identity authentication services provided by the national public service infrastructure for identify authentication.

Article 51 Any data collected or generated by Internet platform operators in the course of providing services to state agencies, participating in the development, operation, maintenance or management of any public infrastructure or public service system, or providing services using public resources, shall not be used for other purposes.

Article 52 Where a relevant authority under the State Council needs to retrieve or access any public data or public information held by an Internet platform operator to perform its statutory duties, it shall specify the scope, purpose and basis of the retrieval or access and the type of data, and strictly limit the retrieval or access to the scope of performing its statutory duties, and shall not use the public data or public information retrieved or accessed for purposes other than performing its statutory duties.The Internet platform operator shall cooperate with the relevant authority in retrieving or accessing the public data or public information.

Article 53 A large Internet platform operator shall have an annual audit conducted by a third-party auditor in respect of, among other situations, the platform’s data security, implementation of the platform rules and its commitments, protection of personal information, and development and utilization of data, and disclose the outcome of the audit.

Article 54 Internet platform operators who carry out data processing activities using artificial intelligence, virtual reality, deep synthesis or other new technology shall conduct security assessments in compliance with relevant national regulations.

Chapter VII Supervision and Regulation

Article 55 The national cyberspace authority is responsible for the overall planning and coordination of data security and related supervision and regulation.Authorities such as the public security authorities and national security authorities shall undertake data security regulatory responsibilities within the scope of their respective duties.

Authorities for industry, telecommunications, transportation, finance, natural resources, healthcare, education or science and technology and other competent authorities shall undertake data security regulatory responsibilities in their respective industries or fields.

The competent authorities shall designate the data security protection agency and personnel and develop and organize the implementation of data security plans and data security incident emergency plans, for their respective industries or fields.

The competent authorities shall organize data security risk assessments to be carried out on a regular basis in their respective industries or fields, to conduct supervisory inspections of the performance of data security protection obligations by data processors, and guide and urge data processors to promptly rectify any existing hazards.

Article 56 The State establishes a sound data security emergency response mechanism, improve the cybersecurity incident emergency plans and the platforms for sharing cybersecurity information, include data security incidents into the national cybersecurity incident emergency response mechanism, and enhance the sharing of data security information, the monitoring and alerts for data security risks and threats, and the emergency response and disposal for data security incidents.

Article 57 Relevant competent or regulatory authorities may take the following measures in a supervisory inspection of data security:1. requiring the relevant staff of the data processor to provide explanations to any matter subject to the supervisory inspection;

2. accessing or retrieving data security-related files or records;

3. using a testing tool or engaging a professional institution to conduct technical testing on the operation of data security measures in accordance with the established protocols;

4. verifying the type and scope of data transferred overseas; and

5. other necessary measures as provided for by law, administrative regulations or rules.

Relevant competent or regulatory authorities shall be objective and fair and shall not charge fees from the inspected entity when conducting a data security supervisory inspection. The information obtained in a data security supervisory inspection may only be used for the need of maintaining data security and shall not be used for other purposes.

Data processors shall cooperate with relevant competent or regulatory authorities in data security supervisory inspections, including providing explanations of, among other information, the operations, technical systems, algorithm principles and data processing protocols of the organization, making security-related data available for access, and providing necessary technical support.

Article 58 The State establishes a data security audit system. Data processors shall engage professional data security audit institutions to conduct regular compliance audits of whether their processing of personal information is in compliance with laws and administrative regulations.Competent or regulatory authorities shall organize audits to be carried out on important data processing activities, with focus on, among other situations, data processors’ performance of the obligations prescribed by law or administrative regulations.

Article 59 The State supports relevant industry organizations in developing data security codes of conduct, strengthening the industry’s self-regulation, guiding members to enhance data security protection, improving the level of data security protection, and promoting the healthy development of the industry in accordance with their articles of association.The State supports the establishment of industry organizations for personal information protection to carry out the following activities:

1. receiving personal information protection-related complaints and reports, and conducting investigations and mediation;

2. providing information and consulting services to individuals, and supporting individuals in lawfully initiating litigation against acts of infringement of personal information rights and interests;

3. exposing acts of infringement of personal information rights and interests, and conducting social oversight of the protection of personal information;

4. reporting personal information protection information to relevant authorities, providing consultation and recommendations; and

5. lawfully filing a lawsuit with a people’s court against illegal processing of personal information that infringes the rights and interests of multiple individuals.

Chapter VIII Legal Liability

Article 60 With regard to any data processor who has failed to perform under Article 9, 10, 11, 12, 13, 14, 15 or 18, the relevant competent authority shall impose an order to make corrections and a warning, and may also impose a fine of not less than CNY50,000 but not more than CNY500,000 on the data processor, as well as a fine of not less than CNY10,000 but not more than CNY100,000 on any directly responsible manager and any other directly liable personnel; and in case of refusal to make corrections or if harm to data security or any other serious consequence has been caused, a fine of not less than CNY500,000 but not more than CNY2 million shall be imposed, and an order may also be imposed to suspend relevant operations or suspend business for rectification, and the revocation of the relevant business permit or the business license on the data processor, and a fine of not less than CNY50,000 but not more than CNY200,000 on any directly responsible manager and any other directly liable personnel.

Article 61 With regard to any data processor who has failed to perform any data security protection obligation prescribed in Article 19, 20, 21, 22, 23, 24, or 25, the relevant authority shall impose on the data processor, an order to make corrections, a warning, and the confiscation of illegal income; and for any an application found to have illegally processed personal information, impose an order to suspend or terminate its services; and in case of refusal to make corrections, a fine of not more than CNY1 million shall be imposed on the data processor, and a fine of not less than CNY10,000 but not more than CNY100,000 on any directly responsible manager and any other directly personnel.With regard to the circumstances of a violation stated in the preceding paragraph that are serious, the relevant authority shall impose an order to make corrections, the confiscation of illegal income, and a fine of not more than CNY50 million or not more than 5% of the previous year’s revenue, and may also impose an order to suspend relevant operations or suspend business for rectification, and the revocation of the relevant business permit or the business license by notification to the relevant competent authority, on the data processor; and impose a fine of not less than CNY100,000 but not more than CNY1 million on any directly responsible manager and any other directly liable personnel, and may also decide to ban the individual from serving as a director, supervisor, executive or personal information protection officer in a relevant enterprise for a certain period.

Article 62 With regard to any data processor who has failed to perform any data security protection obligation prescribed in Article 28, 29, 30, 31, 32, or 33, the relevant authority shall impose on the data processor, an order to make corrections and a warning; and for any system or application found to have illegally processed important data, impose an order to suspend or terminate its services; and in the case of refusal to make corrections, impose a fine of not more than CNY2 million on the data processor, as well as a fine of not less than CNY50,000 but not more than CNY200,000 on any directly responsible manager and any other directly personnel.With regard to the circumstances of a violation stated in the preceding paragraph that are serious, the relevant authority shall impose an order to make corrections, the confiscation of illegal income, and a fine of not less than CNY2 million but not more than CNY5 million, and may also impose an order to suspend relevant operations or suspend business for rectification, and the revocation of the relevant business permit or the business license by notification to the relevant competent authority, on the data processor; and impose a fine of not less than CNY200,000 but not more than CNY1 million on any directly responsible manager and any other directly personnel.

Article 63 With regard to any critical information infrastructure operator who has violated Article 34 hereof, the relevant authority shall impose on the operator an order to make corrections, as well as penalties in accordance with law or administrative regulations.

Article 64 With regard to any data processor who has violated Article 35, 36, or 37, the first paragraph of Article 39, or Article 40 or 42, the relevant authority shall impose an order to make corrections, a warning, and the suspension of cross-border data transfers, and may also impose a fine of not less than CNY100,000 but not more than CNY1 million, on the data processor, and impose a fine of not less than CNY10,000 but not more than CNY100,000 on any directly responsible manager and any directly liable personnel; and if the circumstances of the violation are serious, shall impose a fine of not less than CNY1 million but not more than CNY10 million, and may also impose an order to suspend relevant operations or suspend business for rectification, and the revocation of the relevant business permit or the business license, on the data processor, and impose a fine of not less than CNY100,000 but not more than CNY1 million on any directly responsible manager and any directly liable personnel.

Article 65 With regard to anyone who has violated the second paragraph of Article 39 hereof by providing data to a foreign judicial or law enforcement agency without the approval of the competent authority, the relevant competent authority shall impose a warning, and may also impose a fine of not less than CNY100,000 but not more than CNY1 million on the offender, as well as a fine of not less than CNY10,000 but not more than CNY100,000 on any directly responsible manager and any other directly liable personnel; and if the circumstances of the violation are serious, the relevant competent authority shall impose a fine of not less than CNY1 million but not more than CNY5 million, and may also impose an order to suspend relevant operations or suspend business for rectification, and the revocation of the relevant business permit or the business license, on the offender, as well as a fine of not less than CNY50,000 but not more than CNY500,000 on any directly responsible manager and any other directly liable personnel.

Article 66 With regard to any individual or organization that has violated Article 41 hereof, the relevant competent authority shall impose an order to make corrections, a warning, and the confiscation of illegal income on the offender ; and in the case of refusal to make corrections, impose a fine of not less than one but not more than ten times the illegal income or if there is no illegal income, a fine of not less than CNY50,000 but not more than CNY500,000 on any directly responsible manager and any other directly liable personnel; if the circumstances of the violation are serious, the relevant competent authority shall impose an order to suspend relevant operations or suspend business for rectification, and the revocation of the relevant business permit or business license, on the offender ; if the violation constitutes a criminal offence, penalties shall be imposed in accordance with the relevant law or administrative regulations.

Article 67 With regard to any Internet platform operator who has violated Article 43, 44, 45, 47 or 53, the relevant authority shall impose on it an order to make corrections and a warning; and in the case of refusal to make corrections, impose a fine of not less than CNY500,000 but not more than CNY5 million on the operator, and a fine of not less than CNY50,000 but not more than CNY500,000 on any directly responsible manager and any other directly liable personnel; and may, if the circumstances are serious, impose an order to suspend relevant operations, suspend business for rectification or shut down the website, and the revocation of the relevant business permit or the business license, on the operator.

Article 68 With regard to any Internet platform operator who has violated Article 46, 48, or 51 hereof, the relevant competent authority shall impose on it, an order to make corrections and a warning, and in the case of refusal to make corrections, a fine of between one percent and five percent of the previous year’s sales revenue; if the circumstances of the violation are serious, the relevant competent authority shall impose an order to suspend the relevant operations or suspend business for rectification, and the revocation of the relevant business license or the business license; if the violation constitutes a criminal offence, penalties shall be imposed in accordance with the relevant law or administrative regulations.

Article 69 With regard to any Internet platform operator who has violated Article 49 or 54 hereof, the relevant competent authority shall be impose on it, an order to make corrections and a warning; and in the case of refusal to refuse to make corrections, impose a fine of not less than CNY50,000 but not more than CNY500,000 on the operator, and a fine of not less than CNY10,000 but not more than CNY100,000 on any directly responsible manager and any other directly liable personnel; and if the circumstances are serious, the relevant competent authority may impose an order to suspend relevant operations, suspend business for rectification or shut down the website, and the revocation of the relevant business permit or the business license on the operator.

Article 70 With regard to any data processor who has violated these Regulations and caused damage to others, the data processor shall be held civilly liable under the law; and shall be subjected to penalties for the violation of public security administration rules if the violation constitutes a violation of public security administration; and shall be held criminally liable under the law if the violation constitutes a criminal offense.

Article 71 With regard to any state agency that has failed to perform its data security protection obligations prescribed in these Regulations, its superior authority or the authority performing data security regulatory responsibilities shall order the agency to make corrections; and impose disciplinary sanctions in accordance with the law on the any directly liable official or any other directly liable personnel.

Article 72 Whoever carries out data processing activities outside the People’s Republic of China that are harmful to the national security, public interest or legitimate rights and interests of the citizens or organizations of the People’s Republic of China shall be held legally liable according to the law.

Chapter IX Supplementary Provisions

Article 73 For the purposes of these Regulations, the following terms shall have the following meaning:1. “network data” (abbreviated as “data”) refers to any information recorded in electronical form.

2. “data processing activities” refers to activities such as the collection, retention, use, processing, transmission, provision, disclosure, or deletion of data.

3. “important data” means data, the tampering with, or sabotage, leakage, illegal acquisition or illegal use of which, if it happens, may cause harm to national security or the public interest, including the following data:

(1) government affairs-related data that have not been disclosed, official work-related secrets, intelligence data, and law enforcement or judicial data;

(2) export control data, data related to the core technology, design, production process or any such information involved in an export control item, data on any scientific and technological advances in encryption, biology, electronic information, artificial intelligence or any other field that has a direct impact on national security or economic competitiveness;

(3) data on national economic performance, business data of an important industry, statistical data and other data that are expressly required to be protected and controlled from dissemination by any national law, administrative regulations or departmental rules;

(4) data on the production or operation safety in the industrial, telecommunications, energy, transportation, water resources, finance, national defense technology industry, customs, tax or any other key sector or field, data on any critical system component or the supply chain of anu critical equipment;

(5) national basic data on the population and health or natural resources and environment, such as genetic, geographical, mineral, and meteorological data that reach the threshold amount or degree of precision prescribed by the relevant state authority;

(6) data on the development or operation of national infrastructure or critical information infrastructure or its security data, data on the geographic location or security condition or other data of a national defense facility, military administration zone, national defense research or production unit or any other important sensitive area; and

(7) other data that may impact the nation’s security such as political, territorial, military, economic, cultural, social, scientific and technological, ecological, resource, nuclear facility, overseas interest, biological, space, polar or maritime security.

4. “core data” means data related to national security, any lifeline of the national economy, an important aspect of people’s wellbeing, any major public interest or any other such data.

5. “data processor” means an individual or organization that independently make decisions on the purpose and manner of processing in data processing activities.

6. “public data” means any type of data collected or generated by a state agency or an organization authorized by law or administrative regulations with the function of managing public affairs, in the course of performing its public management duties or providing public services, or any type of data related to the public interest that is collected or generated by any other organization in the course of providing a public service.

7. “contracting of processing” means that data processing activities are carried out in accordance with the agreed purpose and manner by a third party contracted by the data processor.

8. “specific consent” means consent to the processing of each item of personal information in specific data processing activities to be conducted by the data processor, not including a one-time consent for multiple items of personal information or to multiple types of processing activities.

9. “Internet platform operator” means a data processor who provide Internet platform services such as information releasing, social networking, transaction, payment, or audio-visual services.

10. “large Internet platform operator” means an Internet platform operator who has more than 50 million users, processes a large amount of personal information or important data, or has a strong capacity to mobilize the public or a dominant market position.

11. “security gateway for cross-border data transfers” means important security infrastructure for blocking access to overseas reactionary websites and harmful information, preventing cyberattacks from overseas, controlling cross-border transmissions of network data, or preventing, investigating and combating cross-border cybercrimes.

12. “public information” means information of the nature of public communications, which is collected or generated by a data processor in the provision of a public service, including publicly released information, publicly redistributable information, and information without a specified recipient, etc.

Article 74 Any data processing activity involving the use of state secrets, core data or encryption shall be governed by the relevant national regulations.

Article 75 These Regulations shall come into force on MM/DD/YYYY.