Authors: Ting ZHENG丨Raymond YAN丨Eryin YING丨Lin ZHU丨Shirley LIANG
Overview
On 30 September 2024, China's State Council announced the finalized Regulation for the Administration of Network Data Security (《网络数据安全管理条例》, "Network Data Regulation"), which will take effect on 1 January 2025. This regulation provides a framework for personal information (PI) protection, cross-border data transfers, network data security management and the responsibilities of internet platform providers.
In this article, we draw on our experience advising foreign-funded banks on PI protection policies and cross-border data transfers to outline the key provisions of the regulation and their implications for the operations of these banks and their clients, and to provide guidance on how to align with the new regulatory requirements.
PI protection
From the PI protection perspective, the Network Data Regulation is closely aligned with the Personal Information Protection Law ("PIPL") but adds requirements for implementing the PIPL. The key new requirements and their implications for foreign-funded banks are set out below:
Important data
The Network Data Regulation (Chapter 4) integrates the existing definitions and obligations (risk monitoring and assessment, etc.) of important data and its processors under the Data Security Law (《数据安全法》, "DSL") and the data export rules, but remains generic. Banks must still wait for the PBOC and NFRA's classification and catalogue of important data to be applied in the banking sector. That said, we expect that most foreign-funded banks are unlikely to be classified and identified as handling any important data, so no action is required until the banking regulator notifies otherwise.
Cross-border transfers
The Network Data Regulation (Chapter 5) integrates the existing data export requirements; it only adds an additional exemption and clarifies an existing exemption relating to contracts with individuals:
Data security measures
The Network Data Regulation (Chapter 2) provides high-level data security measures as follows. We trust that most foreign-funded banks have duly addressed most of these measures under the cross-border data transfer mechanism, as they conform to those already required by the DSL and the Guidelines for the Data Management of Banking Financial Institutions (《银行业金融机构数据治理指引》, "Banking Data Management Guidelines").
Outlook
As foreign-funded banks operating in China navigate the evolving regulatory landscape, especially with the heightened focus on PI protection and cross-border data transfers, proactive compliance is crucial. The Network Data Regulation places significant emphasis on strict adherence, with severe penalties for non-compliance. Foreign-funded banks should revisit their privacy statements and internal procedures from time to time. We will continue to closely monitor any material developments in this regard and keep you updated.
Important Announcement
This Legal Commentary has been prepared for clients and professional associates of Han Kun Law Offices. Whilst every effort has been made to ensure accuracy, no responsibility can be accepted for errors and omissions, however caused. The information contained in this publication should not be relied on as legal advice and should not be regarded as a substitute for detailed advice in individual cases. If you have any questions regarding this publication, please contact:
Ting ZHENG Tel: +86 21 6080 0203 Email: ting.zheng@hankunlaw.com
Raymond YAN Tel: +86 21 6080 0512 Email: raymond.yan@hankunlaw.com