February 2025

The Personal Information Protection System of the Regulation on Network Data Security Management (Mainland China)

The Regulation on Network Data Security Management (hereinafter the "Regulation") has been in effect since January 1, 2025. As an administrative regulation spanning the three closely related fields of network security, data security, and personal information protection, the Regulation is not simply a restatement of the three principal laws of the People's Republic of China in this area, the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (hereinafter the "PIPL"); it supplements those laws, regulates several matters they leave open, and further refines the compliance requirements for network data protection. This article interprets the requirements in the Regulation that relate to the PIPL, focusing on those provisions that have a significant impact on corporate compliance under the PIPL.

Chapter III of the Regulation, consisting of eight articles, sets out the key requirements for the processing of personal information and clarifies the compliance obligations of enterprises for personal information protection.

I. Clarifying the nature of the notice of personal information processing rules and emphasizing its content

Article 17 of the PIPL requires personal information processors to inform individuals "in a conspicuous manner" before processing their personal information. The Regulation goes further and requires network data processors, when giving such notice, to display the rules "in a centralized and public manner, in an easily accessible place and in a prominent position." Companies should therefore note that where several sets of personal information processing rules coexist, including but not limited to rules for children's personal information, the current processing rules, and superseded versions of the processing rules, all of them should be displayed prominently so that users can readily find them.

Article 21 of the Regulation requires network data processors to inform individuals of the purpose, method, and type of personal information collected, and of the recipients to whom personal information is provided, and to present this information in the form of a list or in another suitable form. This establishes, at the level of an administrative regulation, a notice requirement for the "dual list" [1] (i.e. the list of personal information collected and the list of personal information shared with third parties). By its wording, the clause does not make "notice in the form of a list" the only lawful method. For enterprises, however, the list format is an effective way to make personal information processing rules transparent and to reduce compliance risk.

The Regulation expressly requires that individuals be informed of the retention period of their personal information and of how the information will be handled once that period expires. Where the retention period is difficult to determine, the method used to determine it must be stated instead. Whereas the PIPL only requires that the retention period be included in the personal information processing rules, the Regulation thus addresses the practical difficulty of fixing a retention period in advance.

II. Clarifying the special requirements for automated collection

Article 24 of the Regulation provides that where the use of automated collection technology makes it unavoidable to collect non-essential personal information, or personal information for which no lawful consent has been obtained, or where an individual cancels their account, the network data processor shall delete the personal information or anonymize it. Manufacturers of intelligent products, such as connected vehicles and smart home devices, should therefore pay particular attention to the principle of minimum necessity when collecting personal information. In an era of ubiquitous cameras and sensors, companies will inevitably collect some unnecessary personal information, and technical limitations of the collection measures will not exempt them from liability. Companies should accordingly assess their existing products, equipment, and technical capabilities, prepare technical disposal plans, and ensure that non-essential personal information, and personal information collected without the individual's consent, is deleted or anonymized in a timely manner.

III. Refining the conditions for exercising the right to personal information portability

Article 45 [2] of the PIPL establishes the right to personal information portability (the right to have one's personal information transferred to a designated processor). That provision, however, is stated only in principle and lacks operational rules. Article 25 of the Regulation specifies the conditions under which a transfer request must be honored: where a request meets all of the following conditions, the network data processor must provide a channel through which the designated network data processor can access and obtain the relevant personal information: (1) the true identity of the requester can be verified; (2) the personal information to be transferred is information that the individual consented to provide or that was collected on the basis of a contract; (3) the transfer is technically feasible; and (4) the transfer does not harm the legitimate rights and interests of others. Although the Regulation is considerably more detailed than the PIPL on this point, questions remain about how the right to portability will work in practice. Enterprises are advised to refer to the closely related draft national standard "Information Security Technology: Requirements for Personal Information Transfer Based on Individual Requests" and to use it to adjust their mechanisms for responding to data subject requests, establishing both the response process and the supporting technical means.

IV. Clarifying the additional obligations of processors handling the personal information of 10 million or more individuals

Under Article 28 of the Regulation, a network data processor that processes the personal information of 10 million or more individuals must comply with two of the obligations the Regulation imposes on processors of important data: (1) designate a person in charge of network data security and a network data security management body; and (2) in the event of a merger, division, dissolution, bankruptcy, or similar event, take measures to ensure the security of important data and report the plan for disposing of the important data, together with the name or contact information of the recipient, to the competent authority at or above the provincial level. If the competent department is unclear, the report is to be made to the data security work coordination mechanism at or above the provincial level.

In summary, we recommend that companies assess the compliance of their existing systems and update their compliance processes in light of their own circumstances, so as to meet the new requirements the Regulation adds on top of the PIPL.


[1] In November 2021, the "Notice of the Ministry of Industry and Information Technology on Carrying out the Action to Enhance Perception of Information and Communication Services" (MIIT Letter [2021] No. 292) established a "dual list" system for personal information protection.

[2] Article 45 of the PIPL provides that where an individual requests the transfer of their personal information to a personal information processor they designate, and the conditions prescribed by the national cyberspace administration are met, the personal information processor shall provide a channel for the transfer.


The contents of all materials (Content) available on the website belong to and remain with Lee, Tsai & Partners. All rights are reserved by Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Lee, Tsai & Partners. The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments.

Author