Regulations on Network Data Security Management

 

 

Issued by: State Council
Issue No.: Order No. 790 of the State Council
Release Date: September 30, 2024
Effective Date: January 1, 2025
Links: https://www.gov.cn/zhengce/zhengceku/202409/content_6977767.htm

 

The Regulation refines the principled norms and systems stipulated in the three fundamental laws in data protection: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. The main contents are as follows:
1. General compliance obligations of network data processors
a. It is required to establish and improve network data security management systems and emergency response plans for security incidents.
b. For network data processors using automated tools (such as web crawlers) to access and collect network data, new obligations have been added to assess the impact and to process special categories of personal information in compliance with regulations.
c. For network data processors providing generative artificial intelligence services, a requirement has been raised to strengthen the security management of training data.


2. Provisions on personal information protection
a. Network data processors shall regularly conduct audits to ensure compliance with personal information processing regulations, either internally or by entrusting a professional institution.
b. Network data processors that process the personal information of more than 10 million individuals are required to meet the compliance obligations of significant data processors.


3. Important data security system
a. It is clarified that data which has not been identified or publicly catalogued as important data does not require a security assessment for cross-border transfer.
b. It is required that the network data security officer for important data processors be a member of the management team.
c. For important data processors, new requirements have been added, including ex ante risk assessments, annual risk assessments and submission of annual reports.


4. Provisions on cross-border security management of network data
a. New provisions allow network data processors to transfer personal information overseas without undergoing a security assessment, standard contract filing, or personal information protection certification, provided that such transfer is essential for fulfilling statutory duties or legal obligations.


5. Obligations of network platform service providers
a. The criteria for large-scale network platforms based on user volume have been clarified (i.e., having more than 50 million registered users or more than 10 million monthly active users).
b. It specifies the content requirements for the annual social responsibility report on personal information protection published by large-scale network platform service providers.
