Promulgation Authority: State Council
Release Date: 2024.09.24
Effective on 2025.01.01
Chinese Name: 网络数据安全管理条例
Source: https://www.gov.cn/zhengce/content/202409/content_6977766.htm
Decree No.790 of the State Council
The Regulation on Network Data Security Management, adopted at the 40th executive meeting of the State Council on August 30, 2024, is hereby promulgated, effective January 1, 2025.
Article 1 In order to regulate network data handling activities, ensure the security of network data, promote the reasonable and effective use of network data in accordance with the law, protect the legitimate rights and interests of individuals and organizations, and safeguard national security and public interests, this Regulation is enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Law of the People’s Republic of China on the Protection of Personal Information and other relevant laws.
Article 2 This Regulation applies to network data handling activities and the supervision and administration of security thereof carried out within the territory of the People’s Republic of China.
This Regulation also applies to the activities outside the territory of the People’s Republic of China to handle the personal information of natural persons within the territory of the People’s Republic of China, which conform to the circumstances prescribed in the second paragraph of Article 3 of the Law of the People’s Republic of China on the Protection of Personal Information.
Any network data handling activities outside the territory of the People’s Republic of China that damage the national security, public interests or the legitimate rights and interests of citizens and organizations of the People’s Republic of China shall be investigated for legal liability in accordance with the law.
Article 3 Network data security management shall be carried out by adhering to the leadership of the Communist Party of China, implementing the overall concept of national security, and promoting the development and utilization of network data and ensuring the security of network data on an overall basis.
Article 4 The State encourages the innovative application of network data in various industries and fields, strengthens the development of the capacity for protection of network data security, supports the innovation of technologies, products and services relating to network data, carries out publicity, education and talent training for network data security, and promotes the development and utilization of network data and the industrial development.
Article 5 The State protects network data by category and by grade, according to the importance of network data in economic and social development, as well as the extent of the damage caused to national security, public interests or the legitimate rights and interests of individuals and organizations by network data once the network data are tampered with, destroyed, divulged, illegally acquired or illegally utilized.
Article 6 The State actively participates in the development of international rules and standards relating to network data security to promote international exchange and cooperation.
Article 7 The State supports relevant industry organizations in developing codes of conduct for network data security pursuant to their articles of association, strengthening industry self-regulation, guiding their members to strengthen network data security protection, improving the level of network data security protection and promoting the healthy development of the industry.
Article 8 No individual or organization may use network data to engage in any illegal activities or engage in any illegal network data handling activities such as stealing or acquiring network data by other illegal means, illegally selling or illegally providing network data to others.
No individual or organization may provide any program or tool specially used for the illegal activities as mentioned in the preceding paragraph; any individual or organization who is fully aware that a person engages in the illegal activities mentioned in the preceding paragraph shall not provide the person with Internet access, server hosting, network storage, communication transmission and other technical support or with advertising and promotion, payment and settlement and other assistance.
Article 9 Network data handlers shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards, and on the basis of classified protection of cyber security, strengthen the protection of network data security, establish and perfect the system of network data security management, and take technical measures such as encryption, backup, access control and security authentication as well as other necessary measures to protect network data from being falsified, destroyed, divulged or illegally acquired or used, dispose of network data security incidents, prevent illegal and criminal activities aiming at and using network data, and assume primary responsibility for the security of the network data handled by them.
Article 10 Network products and services provided by a network data handler shall comply with the compulsory requirements of the relevant national standards; in the case of any risk such as security defect or bug discovered to be associated with a network product or service, the network data handler shall take remedial measures forthwith, notify users in a timely manner and report the same to the relevant competent authority in accordance with the provisions; in the case of any harm to the national security or public interest, the network data handler shall also report the same to the relevant competent authority within 24 hours.
Article 11 Network data handlers shall establish and perfect their emergency response plan for network data security incidents. In the case of a network data security incident, the network data handler shall activate its emergency response plan forthwith, with measures taken to prevent the expansion of the harm and to eliminate the potential security hazard and report the same to the competent authority as required.
Where a network data security incident causes harm to the legitimate rights and interests of individuals or organizations, the network data handler shall promptly notify the interested parties of the security incident, risks, harm consequences, remedial measures taken and so on by means of telephone calls, text messages, instant messaging tools, e-mails, announcements or otherwise; where laws and administrative regulations provide that such notification may not be made, such provisions shall prevail. When finding any clue of suspected crime during its handling of a network data security incident, the network data handler shall report the case to the public security organ or State security organ as required and cooperate in the detection, investigation and handling of the case.
Article 12 When providing other network data handlers with personal information and important data or entrusting other network data handlers to process personal information and important data, a network data handler shall, by contract or otherwise, agree with the network data recipient on the processing purpose, method and scope as well as the security protection obligations of the network data recipient, and supervise the network data recipient’s performance of such obligations. Records of the personal information and important data provided to other network data handlers or the processing of such personal information and important data upon entrustment shall be kept for at least three years.
The network data recipient shall perform its obligations of network data security protection, and process personal information and important data according to the agreed purpose, method and scope.
Where two or more network data handlers jointly decide on the purpose and method of the handling of personal information and important data, they shall agree upon their respective rights and obligations.
Article 13 Where network data handlers carry out network data processing activities that affect or may affect national security, they shall undergo a national security review in accordance with relevant national regulations.
Article 14 Where a network data handler needs to transfer network data due to merger, demerger, dissolution or bankruptcy, the network data recipient shall continue to perform its network data security protection obligations.
Article 15 A State organ that entrusts others to build, operate and maintain its e-government system, or to store and handle government data shall go through strict approval procedures in accordance with the relevant provisions of the State, specify the entrusted party’s authority for processing network data and protection responsibilities, among others, and supervise the entrusted party’s performance of network data security protection obligations.
Article 16 A network data handler that provides services for state agencies or critical information infrastructure operators, or participates in the construction, operation and maintenance of other public infrastructure or public service systems, shall perform its obligation of network data security protection and provide secure, stable and continuous services in accordance with the provisions of laws and regulations and contractual stipulations.
Without the consent of the entrusting party, the network data handler as referred to in the preceding paragraph shall not access, obtain, retain, use, divulge or provide others with network data, nor shall it conduct association analysis of network data.
Article 17 An information system providing services to State organs shall strengthen network data security management to ensure network data security according to the management requirements for e-government system mutatis mutandis.
Article 18 When accessing and collecting network data by using automatic tools, network data handlers shall assess the impact of such access on network services and shall not illegally invade into others’ networks or interfere with the normal operation of network services.
Article 19 A network data handler providing generative artificial intelligence services shall strengthen its security management of training data and training data handling activities and take effective measures to prevent and dispose of network data security risks.
Article 20 A network data handler providing products and services to the public shall subject itself to social supervision and shall establish a convenient channel for complaining and reporting about network data security, make public the ways to complain and report and other information, and promptly accept and handle complaints and reports about network data security.
Chapter III Protection of Personal Information
Article 21 Prior to handling personal information, if a network data handler informs individuals according to the law by formulating rules for handling personal information, such rules shall be publicly displayed in a centralized manner, easily accessible and put in an eye-catching position, and the content shall be definite, specific, clear and understandable, including but not limited to the following:
(1) the title or name and contact information of the network data handler;
(2) the purpose, method and type of handling of personal information, as well as the necessity of handling of sensitive personal information and the impact of handling on individuals’ rights and interests;
(3) the retention period of personal information and the method for handling such information upon expiration; if it is difficult to determine the retention period, the method for determining the retention period shall be specified; and
(4) methods and channels, etc. for individuals to access, reproduce, transfer, correct, supplement, delete and restrict handling of personal information, to deregister accounts and withdraw their consents.
When informing individuals of the purpose, method and type of personal information to be collected and provided to other network data handlers, as well as the information of the network data recipient in accordance with the provisions of the preceding paragraph, the network data handler shall state such information in the form of a checklist, among others. Where handling the personal information of minors under the age of 14, the network data handler shall also develop special rules for handling personal information.
Article 22 Where the handling of personal information of an individual is subject to the individual’s consent, the network data handler shall comply with the following provisions:
(1) It shall not collect personal information beyond the scope and shall not obtain the individual’s consent by means of misleading, fraud or coercion, etc. if the collection of personal information is necessary for the provision of products or services to the individual.
(2) It shall obtain the individual’s separate consent if the individual’s sensitive personal information such as biometric information, religious belief, specific identity, medical health information, financial accounts and whereabouts is handled.
(3) It shall obtain the consent of the individual’s parents or other guardians if the personal information of the individual who is under the age of 14 is handled.
(4) It shall not handle personal information beyond the purpose, method, type and period of storage agreed by the individual for handling of his/her personal information;
(5) It shall not frequently ask for consent after the individual has explicitly expressed disagreement with the handling of his/her personal information; and
(6) It shall obtain the individual’s consent again if the purpose, method or type of handling of the individual’s personal information changes.
Where laws and administrative regulations provide that the handling of sensitive personal information is subject to written consent, such provisions shall prevail.
Article 23 Where an individual requests to access, copy, correct, supplement, delete or restrict the handling of his/her personal information, or where an individual deregisters his/her account or withdraws his/her consent, the network data handler shall accept the request in a timely manner and provide convenient methods and channels to support the individual in exercising his/her rights, and shall not set up unreasonable conditions to restrict the individual’s reasonable request.
Article 24 Where it is impossible to avoid the collection of unnecessary personal information by using automatic collection technology or an individual’s personal information without obtaining his/her consent according to the law, or an individual deregisters his/her account, the network data handler shall delete or anonymize the personal information. Where the storage period as prescribed by laws and administrative regulations has not expired, or it is difficult to delete or anonymize the personal information technically, the network data handler shall cease the handling other than storing such information and taking necessary security protection measures.
Article 25 For the request of an individual for transfer of personal information that meets the following conditions, the network data handler shall provide channels for the network data handler designated by the individual to access or obtain relevant personal information:
(1) where the true identity of the person making the request can be verified;
(2) where the personal information requested for transfer is the personal information that the individual has agreed to provide or has been collected on the basis of a contract;
(3) where the transfer of personal information is technically feasible; and
(4) where the transfer of personal information does not damage the legitimate rights and interests of others.
If the number of requests for transfer of personal information significantly exceeds a reasonable range, the network data handler may charge necessary fees based on the costs of transferring personal information.
Article 26 Where an overseas network data handler who handles the personal information of domestic natural persons establishes a special agency or designates a representative within the territory of the People’s Republic of China in accordance with Article 53 of the Law of the People’s Republic of China on the Protection of Personal Information, it shall submit such information as the name and contact information of the agency or the representative to the local cyberspace administration of the city divided into districts, and the local cyberspace administration shall promptly notify the competent authority at the same level.
Article 27 A network data handler shall periodically conduct compliance audits, either on its own or by commissioning a specialized agency, of its handling of personal information in compliance with laws and administrative regulations.
Article 28 A network data handler handling the personal information of more than 10 million individuals shall also comply with the provisions governing network data handlers handling important data (hereinafter referred to as the “handlers of important data” in short) as specified in Articles 30 and 32 hereof.
Chapter IV Security of Important Data
Article 29 The national data security work coordination mechanism arranges and coordinates the relevant departments in formulating catalogs of important data and strengthens the protection of important data. All regions and departments shall, under the system for data classification and hierarchical protection, determine the specific catalogs of important data of their respective regions, departments as well as related industries and fields, and focus on protection of network data included in the catalogs.
Network data handlers shall identify and declare important data in accordance with the relevant provisions of the State. For data that is confirmed as important data, the relevant region and department shall promptly notify network data handlers or publicly announce the same. Network data handlers shall perform their responsibility of network data security protection.
The State encourages network data handlers to use technologies and products such as data labels and identifiers to improve important data security management.
Article 30 Handlers of important data shall specify the person in charge of network data security and the management body for network data security. The management body for network data security shall perform the following responsibilities of network data security protection:
(1) formulating and implementing network data security management systems and operation procedures as well as emergency response plans for network data security incidents;
(2) organizing activities such as network data security risk monitoring, risk assessment, emergency drills, publicity, education and training on a regular basis, and promptly disposing of network data security risks and incidents; and
(3) accepting and handling complaints and reports about network data security.
The person in charge of network data security shall have professional knowledge of network data security and relevant management experience and shall be a member of the management team of the network data handler, with the right to directly report the situation of network data security to the relevant competent authority.
Network data handlers that control important data of specific type and scale specified by the relevant competent authority shall conduct security background review of the person in charge of network data security and personnel in key positions and strengthen the training for the relevant personnel. When conducting such review, they may apply for assistance from the public security authorities and State security authorities.
Article 31 Handlers of important data shall conduct risk assessment prior to providing, entrusting others to handle or jointly handling important data, except for the performance of statutory duties or obligations.
The risk assessment shall focus on assessing the following aspects:
(1) whether the provision, entrusted handling, and joint handling of network data, as well as the purpose, method or scope of handling of network data by network data recipients are legal, proper and necessary;
(2) the risk that the network data provided, entrusted for handling or jointly handled may be tampered with, destroyed, divulged, illegally obtained or illegally used, and the risk to national security, public interests, or the legitimate rights and interests of individuals and organizations;
(3) the integrity and compliance of network data recipients;
(4) whether the requirements on network data security set forth in the relevant contract concluded or to be concluded with a network data recipient can effectively constrain the network data recipient to perform its obligations for network data security protection;
(5) whether the technical and management measures taken or to be taken can effectively prevent the risks that network data may be tampered with, destroyed, divulged, illegally obtained or illegally used; and
(6) other assessment contents specified by the relevant competent authority.
Article 32 Where the security of important data may be affected due to merger, demerger, dissolution or bankruptcy of a handler of important data, the handler of important data shall take measures to ensure the security of network data, and report its important data disposal plan and the title or name and contact information of the recipient to the competent authority at or above the provincial level; if the competent authority is not specified, the handler of important data shall report to the coordination mechanism for data security at or above the provincial level.
Article 33 Handlers of important data shall conduct risk assessment of their network data handling activities on an annual basis and submit risk assessment reports to the competent authorities at or above the provincial level, which shall in turn promptly notify the cyberspace administration and the public security organ at the same level.
The risk assessment report shall include the following aspects:
(1) basic information of the network data handler, information of the management body for network data security, and the name and contact information of the person in charge of network data security;
(2) the purpose, type, quantity, method, scope, storage period and storage location etc. of the important data handled as well as the information on network data handling activities carried out, excluding the contents of network data themselves;
(3) management systems for network data security and the implementation thereof, technical measures such as encryption, backup, label identification, access control, security authentication and other necessary measures and the effectiveness thereof;
(4) network data security risks discovered, network data security incidents that have occurred and the handling thereof;
(5) risk assessment of the provision, entrusted handling and joint handling of important data;
(6) cross-border transmission of network data; and
(7) other information to be reported as specified by the competent authority.
The risk assessment report submitted by the service provider of a large network platform that handles important data shall include, in addition to the information specified in the preceding paragraph, an adequate description of the network data security of key businesses and supply chains.
For a handler of important data whose important data handling activities might endanger the national security, the competent authority at or above the provincial level shall order it to take measures such as making rectifications or ceasing the handling of important data. The handler of important data shall take measures forthwith as required.
Chapter V Cross-border Security Management of Network Data
Article 34 The state cyberspace administration shall make overall planning and coordinate with the relevant authorities to establish a special work mechanism of national data cross-border security management, develop upon study relevant policies for national network data cross-border security management, and coordinate the handling of major matters relating to network data cross-border security.
Article 35 A network data handler may transmit personal information abroad if it meets any of the following conditions:
(1) having passed the security assessment for data cross-border transmission organized by the state cyberspace administration;
(2) having been certified by a specialized agency in respect of the protection of personal information in accordance with the provisions of the state cyberspace administration;
(3) meeting the provisions on standard contract for cross-border transmission of personal information as developed by the state cyberspace administration;
(4) necessary to provide personal information abroad in order to conclude or perform a contract to which it is a party;
(5) necessary to provide personal information of employees abroad under the employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law;
(6) necessary to provide personal information abroad in order to perform statutory duties or obligations;
(7) necessary to provide personal information abroad in order to protect the life, health and property security of natural persons in an emergency; and
(8) other conditions provided for in laws, administrative regulations or by the state cyberspace administration.
Article 36 Where the international treaties or agreements concluded or acceded to by the People’s Republic of China have provisions on conditions for provision of personal information outside the territory of the People’s Republic of China, among others, such provisions may prevail.
Article 37 Where it is necessary to provide important data generated or collected by a network data handler during its operation within the territory of the People’s Republic of China to overseas parties, such provision shall pass the security assessment for data cross-border transmission organized by the state cyberspace administration. If a network data handler identifies and declares important data according to relevant provisions of the State, which have not been notified by the relevant region or department or have not been announced to the public as important data, no security assessment is required for cross-border transmission of such data as important data.
Article 38 After passing the security assessment for data cross-border transmission, the provision of personal information and important data abroad by the network data handler shall not go beyond the purpose, method, scope, type and scale etc. of the data to be transmitted abroad as specified at the time of the assessment.
Article 39 The State takes measures to prevent and deal with cross-border security risks and threats to network data. No individual or organization may provide programs or tools etc. specially designed to destroy or avoid technical measures and shall not provide a person with technical support or assistance if he/it is fully aware of such activities as destroying or avoiding technical measures committed by the person.
Chapter VI Obligations of Network Platform Service Providers
Article 40 Network platform service providers shall specify the network data security protection obligations of third-party product and service providers accessing their platforms through platform rules, contracts or otherwise, and urge third-party product and service providers to strengthen network data security management.
The provisions of the preceding paragraph apply to the manufacturers of equipment such as smart terminals pre-installed with applications.
Where a third-party product or service provider carries out network data handling activities in violation of laws, administrative regulations, platform rules or contracts, causing damage to users, the network platform service provider, the third-party product or service provider, the manufacturer of equipment such as smart terminals pre-installed with applications shall assume corresponding liability in accordance with the law.
The State encourages insurance companies to develop liability insurance products for damage caused to network data and encourages network platform service providers and manufacturers of equipment such as smart terminals pre-installed with applications to take out insurance.
Article 41 Network platform service providers providing application distribution service shall establish application verification rules and carry out relevant verification of network data security. Where it is found that the applications to be distributed or distributed do not comply with the provisions of laws, administrative regulations or the mandatory requirements of national standards, measures such as warning, no distribution, suspension or termination of distribution shall be taken.
Article 42 Network platform service providers pushing information to individuals in an automatic decision-making manner shall set up a personalized recommendation closing option that is easy to understand, access and operate, and provide users with such functions as refusing to receive pushed information and deleting user tags targeted at their personal characteristics.
Article 43 The State promotes the development of public services for network identity authentication and popularizes and applies such services under the principles of government guidance and user voluntariness.
Network platform service providers are encouraged to support users in using the national network identity authentication public services for registration and verification of their identity information.
Article 44 Large network platform service providers shall release annual social responsibility reports on personal information protection, and the contents of such reports shall include but not be limited to the measures for personal information protection and the effects thereof, the acceptance of applications for the exercise of rights by individuals, and the performance of duties by the supervision body for personal information protection which is mainly composed of external members.
Article 45 Where the service provider of a large network platform provides cross-border network data, it shall comply with the administrative requirements of the State on cross-border data security management and improve the relevant technical and administrative measures to prevent cross-border security risks of network data.
Article 46 The service provider of a large network platform shall not engage in the following activities by using network data, algorithms and platform rules:
(1) handling network data generated by users on the platform by misleading, fraud, coercion or other means;
(2) restricting users’ access to or use of network data generated on the platform without justified reasons;
(3) giving unreasonable differential treatment to users, which damages the legitimate rights and interests of users; and
(4) other activities prohibited by laws and administrative regulations.
Chapter VII Supervision and Administration
Article 47 The state cyberspace administration is responsible for the overall planning and coordination of network data security and relevant supervision and administration.
Public security authorities and national security authorities shall, pursuant to the provisions of relevant laws, administrative regulations and this Regulation, assume the responsibility for supervising and administering network data security ex officio, and prevent and crack down on illegal and criminal activities which endanger network data security in accordance with the law.
The national data management body shall perform corresponding responsibilities for network data security in its specific work of data management.
Local regions and their departments shall be responsible for the network data collected and generated during their work and for the network data security.
Article 48 All competent authorities concerned shall assume the responsibility for supervising and administering the network data security of their respective industries and fields, designate the agencies responsible for the protection of network data security of their respective industries and fields, develop and organize the implementation of emergency response plans for network data security incidents in their respective industries and fields on an overall basis, regularly organize the assessment of network data security risks of their respective industries and fields, supervise and inspect the performance by network data handlers of their obligations of protecting network data security, and guide and urge network data handlers to promptly rectify existing potential risks.
Article 49 The state cyberspace administration shall coordinate with the competent authorities concerned to promptly summarize, study and determine, share and release information relating to network data security risks, and strengthen the sharing of network data security information, the monitoring and early warning of network data security risks and threats, and the emergency response to network data security incidents.
Article 50 The competent authorities concerned may take the following measures to supervise and inspect network data security:
(1) requiring a network data handler and its relevant personnel to explain the items under supervision and inspection;
(2) consulting and copying documents and records relating to network data security;
(3) inspecting the operation of network data security measures;
(4) inspecting the equipment and articles relating to network data handling activities; and
(5) taking other necessary measures as prescribed by laws and administrative regulations.
The network data handler shall cooperate in the supervision and inspection of network data security conducted by competent authorities in accordance with the law.
Article 51 When carrying out the supervision and inspection of network data security, the competent authorities concerned shall be objective and fair, and shall not charge the entity under inspection any fees.
During the supervision and inspection of network data security, the competent authorities concerned shall not access or collect business information that is not related to network data security, and the information obtained may only be used as necessary for the purpose of maintaining network data security and shall not be used for any other purpose.
Where the competent authorities concerned find that there are relatively high security risks in the network data handling activities of a network data handler, they may, according to their prescribed authority and procedures, require the network data handler to suspend relevant services, modify platform rules, and improve technical measures to eliminate potential security risks of network data.
Article 52 When carrying out supervision and inspection of network data security, the competent authorities concerned shall strengthen coordination and cooperation with each other and information communication, and reasonably determine the frequency and methods of inspection, so as to avoid unnecessary inspection and cross and repeated inspection.
The compliance audit in respect of personal information protection, risk assessment for important data, security assessment for cross-border transfer of important data and so on shall be connected more closely to avoid repeated assessment and audit. Where the contents of risk assessment and cybersecurity grade assessment for important data overlap, the relevant results can be mutually admissible.
Article 53 The competent authorities concerned and their staff members shall keep confidential, in accordance with the law, the network data such as personal privacy, personal information, trade secrets and confidential business information that they have accessed in the performance of their responsibility, and shall not disclose or illegally provide the same to others.
Article 54 The state cyberspace administration may, in concert with the competent authorities concerned, take corresponding necessary measures in accordance with the law against any overseas organization or individual who engages in network data handling activities that endanger the national security or public interests of the People’s Republic of China or infringe upon the personal information rights and interests of the citizens of the People’s Republic of China.
Article 55 For violation of Article 12, Articles 16-20, Article 22, Paragraphs 1 and 2 of Article 40, Article 41 and Article 42 hereof, the competent authorities in charge of cyberspace, telecommunications and public security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, and confiscate the illegal income of the violator. In case of refusal to make rectification or serious circumstances, the violator shall be subject to a fine of not more than 1 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 10,000 yuan but not more than 100,000 yuan.
Article 56 For violation of Article 13 hereof, the competent authorities in charge of cyberspace, telecommunications, public security, national security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, impose a fine of not less than 100,000 yuan but not more than 1 million yuan concurrently on the violator, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan concurrently on the person directly in charge and other directly liable persons; in case of refusal to make rectification or serious circumstances, the violator shall be subject to a fine of not less than 1 million yuan but not more than 10 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 100,000 yuan but not more than 1 million yuan.
Article 57 For violation of Paragraph 2 of Article 29, Paragraphs 2 and 3 of Article 30, Article 31 and Article 32 hereof, the competent authorities in charge of cyberspace, telecommunications and public security, etc. shall, ex officio, order the violator to make rectification, give a warning to the violator, impose a fine of not less than 50,000 yuan but not more than 500,000 yuan concurrently on the violator, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan concurrently on the person directly in charge and other directly liable persons; in case of refusal to make rectification or serious consequences such as massive data leakage are caused, the violator shall be subject to a fine of not less than 500,000 yuan but not more than 2 million yuan, and may be ordered to suspend relevant business, cease operation for rectification, or have the relevant business permit or business license revoked, and the person directly in charge and other directly liable persons shall be subject to a fine of not less than 50,000 yuan but not more than 200,000 yuan.
Article 58 For violation of other relevant provisions hereof, the violator shall be prosecuted for legal liability by the competent authority concerned in accordance with the Cybersecurity Law of the People’s Republic of China, Data Security Law of the People’s Republic of China, Law of the People’s Republic of China on the Protection of Personal Information and other applicable laws.
Article 59 A network data handler who voluntarily eliminates or mitigates the harmful consequences of its illegal acts, commits minor illegal acts and makes rectification in a timely manner without causing harmful consequences, or commits illegal acts for the first time with minor harmful consequences and makes rectification in a timely manner, shall be subject to a lighter or mitigated administrative penalty or be exempted from administrative penalty in accordance with the Law of the People’s Republic of China on Administrative Penalties.
Article 60 For a state agency that fails to perform its obligations of network data security protection set forth herein, its superior authority or the competent authority concerned shall order it to make rectification and impose disciplinary actions on the person directly in charge and other directly liable persons in accordance with the law.
Article 61 Whoever violates this Regulation and causes damage to others shall bear civil liability pursuant to the law; if the act constitutes a violation of public security administration, a penalty for public security administration shall be imposed pursuant to the law; and if a crime is constituted, criminal liability shall be investigated pursuant to the law.
Chapter IX Supplementary Provisions
Article 62 The following terms as used herein shall have the following meanings:
(1) “Network data” refers to various electronic data handled and generated through networks.
(2) “Network data handling activities” refer to the collection, storage, use, processing, transmission, provision, disclosure and deletion of network data.
(3) “Network data handler” refers to an individual or organization that independently determines the handling purpose and handling method in network data handling activities.
(4) “Important data” refers to the data in a specific field, group or region or with a certain precision and scale, which, once tampered with, destroyed, divulged, illegally obtained or illegally used, may directly endanger national security, economic operation, social stability, public health and security.
(5) “Entrusted handling” refers to the network data handling activities carried out by any individual or organization entrusted by a network data handler according to the agreed purpose and method.
(6) “Joint handling” refers to the network data handling activities in which two or more network data handlers jointly determine the handling purpose and handling method for network data.
(7) “Separate consent” means that an individual specifically gives specific and clear consent with respect to a specific handling of his/her personal information.
(8) “Large network platform” refers to a network platform with more than 50 million registered users or more than 10 million monthly active users, complex business types, and network data handling activities having a significant impact on national security, economic operation, national welfare and people’s livelihood, etc.
Article 63 The network data handling activities in respect of core data shall be carried out in accordance with the relevant regulations of the State.
This Regulation does not apply to the handling of personal information by natural persons due to personal or family affairs.
The provisions of the Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply to the network data handling activities involving state secrets or work secrets.
Article 64 This Regulation shall come into force on January 1, 2025.