For people who care about data protection laws in China, this summer has been way too exciting and even a bit fatiguing. What’s more, the 2022 legislation plan that was just released by the central government indicates another blockbuster regulation may be finalised in the coming twelve months – the Network Data Security Management Regulations.
Released in November last year, the former draft of these management regulations received a large volume of industry feedback and has been under revision for the past 8 months. There are, however, rumors in the market saying that this has been sufficient time to allow publication of the final rules this month, with effectiveness being as early as September…!
Why is it a key regulation?
As we know, there are three pillars to the PRC data protection legal system: the Cybersecurity Law, Data Security Law and Personal Information Protection Law. The management regulations are a key set of rules to implement these pillar laws and connect them to the lower-level central government department rules and national standards.
In the past few weeks, China has made substantial progress to flesh out the three methods for completing personal information cross-border transfers: the security assessment measures were finalised last week; the draft standard contract – the equivalent of Standard Contractual Clauses under the EU’s GDPR – was released for public comments the week before that; and a certification regime for cross-border data transfers, similar to the Binding Corporate Rules under GDPR, was given its first audition as a lower-level technical document one week before that. It would be timely for the management regulations to be published to connect these implementing mechanisms with the upper-level laws.
How would the management regulations affect businesses?
Let’s consider a few key examples based on the first draft:
- Firstly, the final form of the regulations will almost surely confirm the thresholds for personal data localisation, which will in turn determine the methods by which a business can choose to transfer personal information overseas. Crucially, a multinational corporation will need to pass a government-led security assessment if it meets the thresholds.
- Second, the final form will likely clarify the more stringent obligations to be imposed on internet platform operators in terms of personal data protection – digital giants’ cost-bases are only set to increase.
If tech and other businesses in the Chinese market are yet to complete comprehensive data protection examinations, now might be the last call. Full implementation of the PRC’s data protection regime could soon be upon us!