Order of the State Council of the People's Republic of China
No. 790
The "Regulations on the Management of Network Data Security" were passed at the 40th executive meeting of the State Council on August 30, 2024, and are hereby promulgated to take effect on January 1, 2025.
Prime Minister Li Qiang
September 24, 2024
Regulations on the Management of Network Data Security
Chapter I: General Provisions
Article 1: These Regulations are formulated on the basis of the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", the "Personal Information Protection Law of the People's Republic of China", and other laws, so as to regulate network data handling activities, ensure network data security, promote the reasonable and effective use of network data in accordance with law, protect the lawful rights and interests of individuals and organizations, and preserve national security and the public interest.
Article 2: These Regulations apply to the carrying out of network data handling activities and their security oversight and management within the mainland territory of the People's Republic of China.
These Regulations also apply to the processing, outside the territory of the People's Republic of China, of the personal information of natural persons within the territory of the People's Republic of China, where the circumstances provided for in paragraph 2 of article 3 of the "People's Republic of China Personal Information Protection Law" are met.
Where online data processing activities are carried out outside the territory of the People's Republic of China, harming the national security of the People's Republic of China, the public interest, or the lawful rights and interests of citizens or organizations, legal responsibility is to be pursued in accordance with law.
Article 3: Network data security management efforts are to adhere to the leadership of the Communist Party of China, implement the overall national security concept, and make overall plans to promote the development and use of online data and ensure network data security.
Article 4: The state encourages the innovative use of network data in all industries and fields, strengthens capacity for network data security protections, supports innovation in technologies, products, and services related to network data, carries out publicity and education on network data security and personnel training, and promotes the development and use of network data and the development of the industry.
Article 5: The state is to carry out categorical and hierarchical protections of online data on the basis of its importance in economic and social development, as well as the degree of harm to national security, the public interest, or the lawful rights and interests of individuals or organizations once it has been tampered with, destroyed, leaked, or illegally obtained or used.
Article 6: The state actively participates in the drafting of international rules and standards related to network data security, and promotes international exchanges and cooperation.
Article 7: The state supports relevant industry organizations in drafting norms of conduct for network data security in accordance with their charters, strengthening industry self-discipline, guiding members to strengthen network data security protections, increasing the level of network data security protections, and promoting the healthy development of the industry.
Chapter II: General Provisions
Article 8: Individuals and organizations must not use network data to engage in illegal activities, and must not engage in illegal network data handling activities such as stealing or otherwise illegally obtaining network data, illegally selling or illegally providing network data to others.
No individual or organization may provide programs or tools specifically for engaging in the illegal activities described in the preceding paragraph; where it is clearly known that others are engaged in the illegal activities described in the preceding paragraph, they must not be provided with technical support such as internet access, server hosting, network storage, or communication transmission, or assistance such as advertising and promotion, payment and settlement, etc.
Article 9: In accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards, and on the basis of graded network security protections, network data handlers shall strengthen network data security protections, establish and complete network data security management systems, employ technical measures such as encryption, backups, access control, and security authentication, and other necessary measures to protect network data from being tampered with, destroyed, leaked, or illegally obtained or used, handle network data security incidents, prevent illegal and criminal activities targeting or using network data, and bear the main responsibility for the security of the network data processed.
Article 10: The network products and services provided by network data handlers shall comply with the mandatory requirements of relevant national standards; when it is discovered that network products or services have security flaws, vulnerabilities, or other risks, remedial measures shall be immediately employed, users shall be promptly informed, and a report shall be made to the relevant competent departments in accordance with provisions; where it involves endangering national security or the public interest, network data handlers shall also report to the relevant regulatory departments within 24 hours.
Article 11: Network data handlers shall establish and complete emergency response plans for network data security incidents, and when network data security incidents occur, they shall immediately initiate the emergency response plan, employ measures to prevent the expansion of harm, eliminate potential security risks, and report to the relevant regulatory departments in accordance with provisions.
Where network data security incidents cause harm to the lawful rights and interests of individuals or organizations, network data handlers shall promptly notify interested parties of the security incident, the risk situation, the harmful consequences, and the remedial measures already employed, using methods such as phone calls, text messages, instant messaging tools, emails, or announcements; where laws and administrative regulations provide that notice may not be given, follow those provisions. Where network data handlers discover leads on suspected violations or crimes in the course of handling network data security incidents, they shall report the case to the public security organs and state security organs in accordance with provisions, and cooperate in carrying out investigation and disposition efforts.
Article 12: Where network data handlers provide or entrust the handling of personal information and important data to other network data handlers, they shall agree with the network data recipient on the purpose, methods, scope, security protection obligations, and so forth through contracts and so forth, and conduct oversight of the network data recipients' performance of their obligations. Records of the handling of personal information and important data provided to or entrusted to other network data handlers shall be stored for at least 3 years.
Network data recipients shall perform network data security protection obligations, and handle personal information and important data in accordance with the agreed purpose, methods, scope, and so forth.
Where two or more network data handlers jointly decide on the purposes and methods of handling personal information and important data, they shall agree on their respective rights and obligations.
Article 13: Where network data handlers carry out online data handling activities that impact or might impact national security, they shall conduct a national security review in accordance with relevant state provisions.
Article 14: Where network data handlers need to transfer network data due to reasons such as mergers, divisions, dissolutions, or bankruptcy, the network data recipients shall continue to perform network data security protection obligations.
Article 15: State organs entrusting others to establish, operate, or maintain e-government systems, and store and process government affairs data, shall follow relevant state provisions to go through strict approval procedures, clarify the entrusted party's authority to handle online data, responsibility for protection, and so forth, and supervise the entrusted party's performance of network data security protection obligations.
Article 16: Where network data handlers provide services to state organs or critical information infrastructure operators, or participate in the construction, operation, or maintenance of other public infrastructure or public service systems, they shall perform network data security protection obligations in accordance with the provisions of laws and regulations and contractual agreements, and provide safe, stable, and continuous services.
Without the consent of the entrusting party, network data handlers provided for in the preceding paragraph must not access, obtain, retain, use, leak, or provide network data to others, and must not conduct correlation analysis of network data.
Article 17: Information systems providing services to state organs shall refer to the management requirements of the e-government system to strengthen network data security management and ensure network data security.
Article 18: Network data handlers using automated tools to access or collect network data shall assess the impact on network services, and must not illegally invade others' networks, and must not interfere with the normal operation of network services.
Article 19: Network data processors providing generative AI services shall strengthen security management of training data and training data processing activities, and employ effective measures to prevent and address network data security risks.
Article 20: Network data handlers who provide products and services to the public shall accept societal oversight, establish convenient channels for online data security complaints and reports, publish information such as the methods for complaints and reports, and promptly accept and handle network data security complaints and reports.
Chapter III: Protection of Personal Information
Article 21: Where online data handlers lawfully inform individuals through the drafting of personal information handling rules before handling personal information, the personal information handling rules shall be publicly displayed, easily accessible, and placed in a conspicuous position, with clear, specific, and easily understandable content, including but not limited to the following content:
(1) The name or contact information of the network data handlers;
(2) The purpose, methods, and types of personal information handled, the necessity of handling sensitive personal information, and the impact on individual rights and interests;
(3) The retention period for personal information and the methods for handling it after the period expires; where it is difficult to determine the retention period, the method for determining the retention period shall be clarified;
(4) Methods and channels for individuals to review, copy, transfer, correct, supplement, delete, or restrict the handling of personal information, as well as methods and channels for canceling accounts and withdrawing consent.
Where network data handlers inform individuals of the purpose, methods, and types of personal information collected and provided to other network data handlers, as well as information on the recipients of the network data, in accordance with the provisions of the preceding paragraph, they shall present them in the form of a list. Where online data handlers handle the personal information of minors under the age of 14, they shall also draft special rules for handling personal information.
Article 22: Where network data handlers handle personal information on the basis of an individual's consent, they shall comply with the following provisions:
(1) The collection of personal information is necessary for the provision of products or services; personal information must not be collected beyond that scope, and the individual's consent must not be obtained through methods such as misleading, fraud, or coercion;
(2) Where sensitive personal information such as biometrics, religious beliefs, specific identities, medical health, financial accounts, and whereabouts are handled, separate consent shall be obtained from the individual;
(3) Where the personal information of minors under the age of 14 is handled, the consent of the minor's parents or other guardians shall be obtained;
(4) Personal information must not be handled beyond the purpose, methods, types, and retention periods for personal information that individuals have consented to;
(5) Consent must not be frequently solicited after individuals have clearly expressed their disagreement with the handling of their personal information;
(6) Where there is a change in the purpose, methods, or types of handling of personal information, the individual's consent shall be obtained anew.
Where laws and administrative regulations provide that written consent shall be obtained for the handling of sensitive personal information, follow those provisions.
Article 23: Where individuals request to access, reproduce, correct, supplement, delete, or restrict the handling of their personal information, or where individuals cancel their accounts or withdraw their consent, network data handlers shall promptly accept them, and provide convenient methods and channels to support individuals in exercising their rights, and must not set up unreasonable conditions to restrict individuals' reasonable requests.
Article 24: Where it is impossible to avoid the collection of unnecessary personal information or personal information that has not obtained the individual's consent in accordance with law due to the use of automated collection technologies or so forth, as well as where individuals cancel their accounts, network data handlers shall delete the personal information or conduct anonymization. Where the retention period provided for by laws or administrative regulations has not been completed, or where it is technically difficult to delete or anonymize personal information, network data handlers shall stop handling it other than storing it and employing necessary security protection measures.
Article 25: For requests for the transfer of personal information that meet the following requirements, network data handlers shall provide channels for other network data handlers designated by individuals to access and obtain relevant personal information:
(1) Be able to verify the true identity of the requester;
(2) The request to transfer is personal information that the person has consented to provide or that has been collected on the basis of a contract;
(3) The transfer of personal information is technically feasible;
(4) The transfer of personal information does not harm the lawful rights and interests of others.
Where the number of requests for the transfer of personal information is clearly beyond a reasonable scope, network data handlers may collect necessary fees based on the cost of transferring personal information.
Article 26: Where network data processors outside the territory of the People's Republic of China that handle the personal information of natural persons within the territory establish special institutions or designate representatives within the territory in accordance with article 53 of the "People's Republic of China Personal Information Protection Law", they shall report the name of the relevant institution or the name and contact information of the representative to the internet information department at the districted city level where they are located; internet information departments shall promptly report to the relevant regulatory departments at the same level.
Article 27: Network data handlers shall periodically conduct compliance audits, on their own or by retaining a professional body, of their compliance with laws and administrative regulations in handling personal information.
Article 28: Where network data handlers handle the personal information of 10 million or more people, they shall also comply with the provisions of articles 30 and 32 of these Regulations on network data handlers handling important data (hereinafter "important data processors").
Chapter IV: Security of Important Data
Article 29: The national coordination mechanism for data security efforts is to coordinate with relevant departments to draft catalogs of important data, strengthening the protection of important data. Each region and department shall follow the data classification and hierarchical protection system to determine a specific directory of important data for that region, that department, and related industries and fields, and carry out key protections for network data entered into the catalog.
Network data handlers shall identify and report important data in accordance with relevant state provisions. Where data is confirmed to be important, the relevant regions and departments shall promptly inform the network data handlers or publicly release it. Network data handlers shall perform responsibility for network data security protection.
The state encourages network data handlers to use technologies and products such as data labels and identifications to increase the level of security management of important data.
Article 30: Processors of important data shall clarify the person responsible for network data security and the network data security management body. Network data security management bodies shall perform the following responsibilities for network data security protections:
(1) Draft and implement network data security management systems, operational procedures, and emergency response plans for network data security incidents;
(2) Periodically organize and carry out activities such as network data security risk monitoring, risk assessment, emergency drills, publicity, education, and training, and promptly address network data security risks and incidents;
(3) Accept and handle network data security complaints and reports.
The person responsible for network data security shall have professional knowledge of network data security and relevant management work experience, shall be a member of the network data handler's management, and has the right to directly report on the situation of network data security to the relevant regulatory departments.
Network data handlers who have the specific types and scales of important data provided for by the relevant regulatory departments shall conduct security background reviews of the persons responsible for network data security and personnel in key positions, and strengthen training for relevant personnel. During the review, they may apply for assistance from the public security organs or state security organs.
Article 31: Before processors of important data provide, entrust the handling of, or jointly handle important data, they shall conduct a risk assessment, except where it is the performance of legally-prescribed duties or obligations.
The risk assessment shall focus on the following elements:
(1) Whether the provision, entrustment, or joint handling of network data, as well as the purpose, methods, and scope of the network data recipient's handling of network data, are lawful, proper, and necessary;
(2) The risk of network data provided, entrusted for handling, or jointly handled being tampered with, destroyed, or leaked, or illegally obtained or illegally used, as well as risks to national security, the public interest, or the lawful rights and interests of individuals or organizations;
(3) Circumstances such as the creditworthiness and law-abiding record of the network data recipients;
(4) Whether the requirements on network data security in the relevant contracts concluded or drafted with the network data recipients can effectively bind the network data recipients to perform network data security protection obligations;
(5) Whether the technical and management measures employed or proposed to be employed can effectively prevent risks such as the alteration, destruction, or leakage, or illegal acquisition or illegal use of network data;
(6) Other assessment content provided for by the relevant competent departments.
Article 32: Where mergers, divisions, dissolutions, bankruptcy, or so forth of processors of important data might impact the security of important data, they shall employ measures to ensure network data security, and report the important data disposition plan, the name or contact information of the recipient, and so forth, to the relevant competent departments at the provincial level or above; where the competent departments are not clear, they shall report to the data security work coordination mechanism at the provincial level or above.
Article 33: Handlers of important data shall annually carry out a risk assessment of their online data handling activities, and submit a risk assessment report to the relevant competent departments at the provincial level or above, and the relevant competent departments shall promptly report to the internet information departments and public security organs at the same level.
The risk assessment report shall include the following:
(1) Basic information on network data handlers, information on network data security management bodies, names and contact information of persons responsible for network data security, and so forth;
(2) The purpose, type, quantity, methods, scope, storage period, storage location, and so forth of handling important data, and the circumstances of carrying out network data handling activities, excluding the content of online data itself;
(3) Network data security management systems and their implementation, technical measures such as encryption, backups, labeling, access control, and security authentication, as well as other necessary measures, and their effectiveness;
(4) Network data security risks discovered, network data security incidents that occurred, and how they were handled;
(5) Risk assessment of important data provided, entrusted, or jointly handled;
(6) The circumstances of online data exports;
(7) Other report content as provided for by the relevant competent departments.
In addition to including the content provided for in the preceding paragraph, risk assessment reports submitted by large-scale online platform service providers that handle important data shall also fully explain situations such as key operations and supply chain network data security.
Where processors of important data have important data handling activities that might endanger national security, the relevant competent departments at the provincial level or above shall order them to employ measures such as making corrections or stopping the handling of important data. Handlers of important data shall immediately employ measures in accordance with relevant requirements.
Chapter V: Cross-border security management of network data
Article 34: The State Internet Information Department is to coordinate the establishment of special working mechanisms for the security management of national data exports, research and draft national policies related to the security management of online data exports, and coordinate the handling of major security matters related to the export of online data.
Article 35: Where any of the following conditions are met, network data handlers may provide personal information overseas:
(1) Passing a security assessment of data export organized by the state internet information department;
(2) In accordance with the provisions of the State Internet Information Department, personal information protection certification is carried out by a professional body;
(3) Comply with the provisions of the standard contract on the export of personal information formulated by the state internet information department;
(4) Where it is truly necessary to provide personal information overseas for the purpose of concluding or performing a contract to which an individual is a party;
(5) Where it is truly necessary to provide employees' personal information overseas in order to implement cross-border human resources management in accordance with lawfully formulated labor rules and regulations and lawfully signed collective contracts;
(6) Where it is truly necessary to provide personal information overseas in order to perform legally-prescribed duties or obligations;
(7) In emergency situations, it is truly necessary to provide personal information overseas in order to protect the safety of natural persons' lives, health, and property;
(8) Other requirements provided for by laws, administrative regulations, or the state internet information department.
Article 36: Where international treaties or agreements concluded or participated in by the People's Republic of China have provisions on the requirements for providing personal information outside the territory of the People's Republic of China and so forth, those provisions may be followed.
Article 37: Where important data collected and produced by network data handlers in the course of operations within the territory of the People's Republic of China truly needs to be provided overseas, they shall pass a security assessment of data export organized by the State Internet Information Department. Where network data handlers identify and declare important data in accordance with relevant state provisions, but have not been notified by the relevant regions or departments or publicly released as important data, they do not need to make a security assessment for the export of data as important data.
Article 38: Where network data handlers provide personal information and important data overseas after passing the security assessment for data export, they must not exceed the purpose, method, scope, type, scale, and so forth of the data export that were clarified at the time of the assessment.
Article 39: The state is to employ measures to prevent and address cross-border security risks and threats to online data. No individual or organization may provide programs or tools specifically designed to undermine or circumvent technical measures; those who clearly know that others are engaged in activities such as sabotaging or circumventing technical measures must not provide them with technical support or assistance.
Chapter VI: Obligations of Online Platform Service Providers
Article 40: Online platform service providers shall clarify the obligations of third-party product and service providers accessing their platforms to protect network data security through platform rules or contracts, and urge third-party product and service providers to strengthen network data security management.
The provisions of the preceding paragraph apply to manufacturers of equipment such as smart terminals with pre-installed applications.
Where third-party product and service providers carry out online data processing activities in violation of the provisions of laws or administrative regulations, or platform rules or contractual agreements, causing harm to users, the online platform service providers, third-party product and service providers, and manufacturers of equipment such as smart terminals with pre-installed applications shall bear corresponding responsibility in accordance with law.
The state encourages insurance companies to develop liability insurance for damage to network data, and encourages online platform service providers and manufacturers of equipment such as smart terminals with pre-installed applications to take out insurance.
Article 41: Network platform service providers providing application distribution services shall establish rules for application verification and carry out verifications related to network data security. Where it is discovered that applications to be distributed or that have already been distributed do not comply with the provisions of laws, administrative regulations, or the mandatory requirements of national standards, measures such as warnings, non-distribution, suspension of distribution, or termination of distribution shall be employed.
Article 42: Where online platform service providers push information to individuals through automated decision-making, they shall set up options for turning off personalized recommendations that are easy to understand, access, and operate, and provide users with functions such as refusing to receive push information and deleting user labels that are specific to their personal characteristics.
Article 43: The state is to advance the establishment of public services for online identity authentication, and follow the principles of government guidance and user voluntariness to promote and apply them.
Online platform service providers are encouraged to support users in using the national network identity authentication public service to register and verify real identity information.
Article 44: Large-scale online platform service providers shall annually publish a report on social responsibility for the protection of personal information, the content of which includes, but is not limited to, personal information protection measures and effectiveness, acceptance of applications for the exercise of rights by individuals, and the performance of duties by personal information protection oversight bodies composed primarily of external members.
Article 45: Large-scale online platform service providers providing online data across borders shall comply with the national requirements for cross-border data security management, complete relevant technical and management measures, and prevent cross-border security risks to online data.
Article 46: Large-scale online platform service providers must not use online data, algorithms, platform rules, and so forth to engage in the following activities:
(1) Handling network data generated by users on the platform through methods such as misleading, fraud, or coercion;
(2) Restricting users' access to or use of network data generated on the platform without legitimate reasons;
(3) Carrying out unreasonable differential treatment of users, harming users' lawful rights and interests;
(4) Other activities prohibited by laws and administrative regulations.
Chapter VII: Supervision and Management
Article 47: The state internet information departments are responsible for the overall planning and coordination of network data security and related oversight and management efforts.
Public security organs and state security organs are to undertake network data security oversight and management duties within the scope of their respective duties in accordance with the provisions of relevant laws, administrative regulations, and these Regulations, and lawfully prevent and combat illegal and criminal activities that endanger network data security.
The state data management departments are to perform corresponding network data security duties in the specific undertaking of data management work.
All regions and departments are responsible for the network data collected and produced in the work of that region or department, and for the security of that network data.
Article 48: All relevant regulatory departments undertaking oversight and management duties for network data security in that industry or field shall clarify the working bodies for network data security protection in that industry or field, make overall plans for drafting and organizing the implementation of emergency response plans for network data security incidents in that industry or field, periodically organize and carry out network data security risk assessments for that industry or field, conduct oversight and inspections of network data handlers' performance of network data security protection obligations, and guide and urge network data handlers to promptly make corrections to existing risks and hidden dangers.
Article 49: The state internet information departments are to plan and coordinate relevant regulatory departments to promptly summarize, assess, share, and publish information related to network data security risks, strengthening efforts on network data security information sharing, monitoring and early warning of network data security risks and threats, and emergency response to network data security incidents.
Article 50: Relevant regulatory departments may employ the following measures to conduct oversight and inspections of network data security:
(1) Request that network data handlers and their relevant personnel make explanations on oversight and inspection matters;
(2) Consult and copy documents and records related to network data security;
(3) Inspect the operation of network data security measures;
(4) Inspect equipment and items related to network data handling activities;
(5) Other necessary measures provided for by laws and administrative regulations.
Network data handlers shall cooperate with relevant regulatory departments in lawfully carrying out oversight and inspections of network data security.
Article 51: Relevant regulatory departments carrying out oversight and inspections of network data security shall be objective and fair, and must not collect fees from the units being inspected.
Relevant regulatory departments must not access or collect operational information unrelated to network data security during network data security oversight and inspections, and the information obtained may only be used as needed to maintain network data security, and must not be used for other purposes.
Where relevant regulatory departments discover that there are relatively large security risks in network data handlers' network data handling activities, they may follow the authority and procedures provided to request that network data handlers suspend relevant services, revise platform rules, improve technical measures, and so forth, to eliminate potential network data security risks.
Article 52: When relevant regulatory departments carry out oversight and inspections of network data security, they shall strengthen coordination and information communication, reasonably determine the frequency and method of inspections, and avoid unnecessary inspections and cross-duplicate inspections.
Personal information protection compliance audits, important data risk assessments, and security assessments for important data exports shall be strengthened to avoid duplicate assessments and audits. Where the content of the important data risk assessment and the network security level assessment overlap, the relevant results may be mutually admitted.
Article 53: Relevant regulatory departments and their staffs shall preserve the confidentiality of personal privacy, personal information, commercial secrets, confidential commercial information, and other network data that they learn of in the course of performing their duties, and must not leak or illegally provide it to others.
Article 54: Where foreign organizations or individuals engage in online data handling activities that endanger the national security or public interest of the People's Republic of China, or infringe upon the personal information rights and interests of citizens of the People's Republic of China, the State Internet Information Department, together with relevant competent departments, may employ corresponding necessary measures in accordance with law.
Chapter VIII: Legal Responsibility
Article 55: Where the provisions of articles 12, 16-20, and 22, paragraphs 1 and 2 of article 40, or articles 41 and 42 of these Regulations are violated, the competent departments for internet information, telecommunications, public security, and so forth, are to order corrections, give warnings, and confiscate unlawful gains on the basis of their respective duties; where corrections are refused or the circumstances are serious, a fine of up to 1,000,000 RMB is to be given, and an order may be made to suspend relevant operations, suspend operations for rectification, revoke relevant business permits or business licenses, and the directly responsible managers and other directly responsible personnel may be fined between 10,000 and 100,000 RMB.
Article 56: Where the provisions of article 13 of these Regulations are violated, the competent departments such as for internet information, telecommunications, public security, and national security are to order corrections and give warnings on the basis of their respective duties, and may give a concurrent fine of between 100,000 and 1,000,000 RMB, and may give a fine of between 10,000 and 100,000 RMB to the directly responsible managers and other directly responsible personnel; where corrections are refused or the circumstances are serious, a fine of between 1,000,000 and 10,000,000 RMB is to be given, and relevant operations may be suspended for rectification, relevant business permits or business licenses may be revoked, and directly responsible managers and other directly responsible personnel are to be fined between 100,000 and 1,000,000 RMB.
Article 57: Where the provisions of paragraph 2 of article 29, paragraphs 2 and 3 of article 30, article 31, and article 32 of these Regulations are violated, the competent departments such as for internet information, telecommunications, and public security are to order corrections on the basis of their respective duties, give warnings, and may give a concurrent fine of between 50,000 and 500,000 RMB, and the directly responsible managers and other directly responsible personnel may be fined between 10,000 and 100,000 RMB; where corrections are refused or serious consequences such as large amounts of data leaks are caused, a fine of between 500,000 and 2,000,000 RMB is to be given, and an order may be made to suspend relevant operations, suspend operations for rectification, revoke relevant business permits or business licenses, and give a fine of between 50,000 and 200,000 RMB to the directly responsible managers and other directly responsible personnel.
Article 58: Where other relevant provisions of these Regulations are violated, the relevant competent departments are to pursue legal responsibility in accordance with the relevant provisions of the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", the "Personal Information Protection Law of the People's Republic of China", and other laws.
Article 59: Where network data handlers have circumstances such as actively eliminating or mitigating the harmful consequences of illegal conduct, minor illegal conduct that is promptly corrected without causing harmful consequences, or a first violation with minor harmful consequences that is promptly corrected, administrative punishments are to be lightened, mitigated, or not given in accordance with the provisions of the "Administrative Punishment Law of the People's Republic of China".
Article 60: Where state organs do not perform obligations to protect network data security as provided for in these Regulations, the organ at the level above or the relevant competent departments are to order corrections; the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.
Article 61: Where violations of the provisions of these Regulations cause harm to others, civil liability is to be borne in accordance with law; where a violation of the administration of public security is constituted, a public security administrative sanction shall be given in accordance with law; where a crime is constituted, criminal responsibility is pursued in accordance with law.
Chapter IX: Supplementary Provisions
Article 62: The following terms in these Regulations have the following meanings:
(1) "Network data" refers to all kinds of electronic data processed and generated through networks.
(2) "Network data handling activities" refers to activities such as the collection, storage, use, processing, transmission, provision, disclosure, and deletion of network data.
(3) "Network data handlers" refers to individuals and organizations that independently decide the purpose and methods of handling in online data handling activities.
(4) "Important data" refers to data in a specific field, specific group, or specific region, or that has reached a certain accuracy and scale, which, once tampered with, destroyed, leaked, or illegally obtained or used, might directly endanger national security, economic operations, social stability, or public health and safety.
(5) "Entrusted handling" refers to network data handling activities that network data handlers entrust individuals or organizations to carry out in accordance with the agreed purposes and methods.
(6) "Joint processing" refers to network data handling activities in which two or more network data handlers jointly decide on the purpose and method of handling network data.
(7) "Separate consent" refers to individuals specifically giving specific and explicit consent to the specific handling of their personal information.
(8) "Large-scale online platforms" refers to online platforms with 50 million or more registered users or 10 million or more monthly active users, complex business types, and network data processing activities that have an important impact on national security, economic operations, the national economy, and people's livelihoods.
Article 63: Network data processing activities for core data are to be carried out in accordance with relevant state provisions.
These Regulations do not apply to natural persons' handling of personal information for personal or family matters.
The provisions of the "Law of the People's Republic of China on Guarding State Secrets" and other laws and administrative regulations are to be applied to network data processing activities involving state secrets and work secrets.
Article 64: These Regulations take effect on January 1, 2025.
Source: Chinese government website
Editor: Zhou Piaopiao