China has unveiled its latest Network Data Security Management Regulations, set to take effect on 1 January 1 2025. The Regulations mark a significant shift from earlier more restrictive approaches to data security, particularly regarding the classification of ‘Important Data’.
The new Regulations adopt a more business-friendly stance while maintaining necessary security measures. A key feature is the refined definition of ‘Important Data’, which covers information that “may directly endanger national security, economic operations, social stability, public health, and safety if tampered with, destroyed, leaked, or illegally obtained.”
This represents an evolution from China’s previously more stringent approach in 2017, which included specific data types and volume-based restrictions. The current Regulations delegate the responsibility of preparing Important Data catalogues to sectoral and regional regulators, who must promptly publicise or notify regulated entities of any designated Important Data.
Notable other changes include new thresholds for personal data processing. Organisations handling personal data of more than 10 million subjects must now comply with specific cybersecurity requirements, an increase from the previous threshold of 1 million. However, some industry-specific variations exist, such as in the automotive sector, where the threshold is set at 100,000 data subjects.
The Regulations also demonstrate China’s commitment to balancing security with business needs through several pro-business elements, including strengthened exemptions to cross-border data transfer requirements and the removal of direct security review requirements for AI-based products and services. Additionally, the Regulations show more flexibility in handling compliance issues, introducing tolerance for minor violations that are promptly corrected.
These measures reflect China’s broader strategy to encourage foreign investment and free trade while maintaining appropriate oversight of data security, marking a significant development in the country’s evolving approach to data governance.
For a full reading of the media release, see here.
