New PRC Cyber Data Security Regulations Will Impact U.S. Sensitive Data in China
On 24 September, the State Council of the People’s Republic of China (PRC) issued the order promulgating the “Regulations on the Management of Network Data Security” (网络数据安全管理条例), hereafter referred to as the Cyber Data Security Regulations. The State Council executive meeting approved the regulations on 30 August, and they will take effect on 1 January 2025. Pamir assesses that the new set of regulations strengthens the PRC government’s oversight of data management. In particular, the vague and open-ended provisions of the regulations will give Chinese government agencies wide latitude to exercise their authority as they see fit.
Provisions of the new regulations further demonstrate the need for American companies to store their sensitive data outside the PRC. Beijing’s pursuit of technological supremacy and self-reliance, supported by PRC regulations and practices stressing data localization, indicates that the Chinese government is committed to ensuring that all data, including those essential for high-technology R&D and manufacturing, remain in China. Therefore, American businesses with sensitive data stored in the PRC are advised to adopt risk mitigation measures, including the removal of relevant data from China before the Cyber Data Security Regulations take effect on 1 January 2025. In this context, American businesses should also adopt a cautious approach in response to the PRC Ministry of Industry and Information Technology’s 23 October announcement that it would pilot a program to remove the 50% cap on foreign ownership of Chinese data centers. Foreign ownership does not remove the requirement to comply with PRC laws and regulations, meaning that U.S. companies that own data storage facilities in China must still address risks associated with Beijing’s data localization policy.
The PRC government first circulated a draft of the nine-chapter, 64-article Cyber Data Security Regulations for public feedback in November 2021. The regulations state that they were formulated in accordance with the “PRC Cybersecurity Law” (中华人民共和国网络安全法, promulgated in November 2016), the “PRC Data Security Law” (中华人民共和国数据安全法, promulgated in June 2021), and the “PRC Personal Information Protection Law” (中华人民共和国个人信息保护法, promulgated in August 2021). On 30 September, the PRC government held a press conference at which unnamed senior officials of the PRC Ministry of Justice and the Cyberspace Administration of China (CAC) said that the purpose of the regulations was to implement the aforementioned laws.
Security of “Important Data” and Cross-Border Data
The Cyber Data Security Regulations devote a chapter to each of two areas: 1) the security of “important data” and 2) the security of cross-border data transfers.
The Cyber Data Security Regulations define “important data” as “data in specific fields, groups, or regions, or data reaching a certain level of accuracy and scale [e.g., personal information of more than 10 million people], which may directly endanger national security, economic operations, social stability, public health, and public safety, if tampered with, destroyed, leaked, or illegally obtained or used.” The regulations mandate that the “national data security work coordination mechanism” (国家数据安全工作协调机制) coordinate “relevant [government] departments to formulate catalogues of important data” to “strengthen the protection of important data.”
- The “national data security work coordination mechanism” was first mentioned in the PRC Data Security Law. According to Article 5 of the law, the “central state security leading institution” (中央国家安全领导机构) is responsible for the establishment of the coordination mechanism. Based on this reference, Pamir assesses that it is likely that the Central National Security Commission (中央国家安全委员会, CNSC) of the Chinese Communist Party (CCP), chaired by Chinese leader XI Jinping, directly oversees the coordination mechanism. The CNSC was created in 2013, one year after Xi became the top Chinese leader.
According to the Cyber Data Security Regulations, local Chinese authorities and government agencies must develop catalogues of important data for their respective localities and agencies. The catalogues are also to cover important data in “relevant sectors and fields,” most likely referring to commercial industries and research fields. The regulations further specify obligations and security responsibilities for processors of important data (PIDs), i.e., the individuals or organizations that determine the purposes and methods of processing those data. Among other duties, PIDs must submit an annual security risk assessment report to their provincial-level authorities, which will then share those reports with the cybersecurity and public security authorities.
With respect to the security of cross-border data transfers, the Cyber Data Security Regulations stipulate that the CAC is responsible for formulating relevant policies, coordinating the establishment of a “national special working mechanism for data export security management” (国家数据出境安全管理专项工作机制), and overseeing major projects relating to the security of exported data. According to the regulations, personal information may be transferred out of China if any one of the following conditions is satisfied:
- The transfer has passed the CAC-organized data export security assessment.
- The processor has obtained personal information protection certification from a professional body in accordance with CAC rules.
- The processor has concluded a “personal information export standard contract” with the overseas recipient in accordance with CAC rules.
- The transfer is necessary to conclude or perform a contract to which the individual is a party.
- The transfer is necessary for cross-border human resources management conducted in accordance with lawfully adopted labor rules or “collective contracts.”
- The transfer is necessary to fulfill a statutory duty or obligation.
- The transfer is necessary to protect the life, health, or property of a natural person in an emergency.
- The transfer is necessary to fulfill obligations under international treaties or agreements to which the PRC is a party.
- Other conditions stipulated by PRC laws, administrative regulations, and CAC rules.
The Cyber Data Security Regulations stipulate that outbound transfers of important data collected or generated through business operations in China are permitted only after a security assessment organized by the PRC cyberspace administration authorities. However, unspecified “relevant” government agencies first determine whether the data qualify as important. No security assessment is required for data that those agencies have not identified, or publicly catalogued, as important.
Business Impact
Legal experts on Chinese law note that many terms in the Cyber Data Security Regulations remain undefined and will therefore be subject to interpretation by PRC officials. In addition, implementation is likely to vary across localities, as is customary for Chinese laws and regulations. In any case, companies should review their data handling, privacy, and human resources policies to ensure compliance, and foreign companies operating in China should expect additional scrutiny, particularly of cross-border data transfers.