Network Data Security Management Regulations

Chapter Ⅰ: General Provisions


Article 1: This Regulation is formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China, in order to standardize network data processing activities, ensure the security of network data, promote the lawful, reasonable, and effective use of network data, protect the legitimate rights and interests of individuals and organizations, and maintain national security and public interests.
Article 2: This Regulation shall apply to the handling of network data within the territory of the People's Republic of China and to the supervision and administration of its security.
Activities outside the territory of the People's Republic of China that handle personal information of natural persons within the territory of the People's Republic of China shall, in accordance with the provisions of Article 3, paragraph 2, of the Personal Information Protection Law of the People's Republic of China, also be subject to these Regulations.
Any network data processing activities conducted outside the territory of the People's Republic of China that damage the national security, public interests or legitimate rights and interests of citizens and organizations of the People's Republic of China shall be investigated for legal liability in accordance with the law.
Article 3: The work of network data security management shall adhere to the leadership of the Communist Party of China, implement the overall concept of national security, and coordinate the promotion of the development and utilization of network data with the guarantee of network data security.

Article 4: The state encourages the innovative application of network data in various industries and fields, enhances the capability building for security protection of network data, supports the innovation of technologies, products and services related to network data, carries out publicity and education on security of network data and cultivates relevant talents, so as to promote the development and industrialization of network data.
Article 5: The State shall implement a tiered protection regime for network data according to its importance in economic and social development, as well as the extent of harm it would cause to national security, public interests or the legitimate rights and interests of individuals or organizations if such data are tampered with, damaged, leaked, illegally obtained or misused.

Article 6: The state actively participates in the formulation of international rules and standards related to network data security, promoting international exchanges and cooperation.
Article 7: The state supports relevant industry organizations in formulating network data security codes of conduct in accordance with their articles of association, enhancing industry self-discipline, guiding members to strengthen the protection of network data security, improving the level of network data security protection, and promoting the healthy development of the industry.

 

Chapter Ⅱ: General Provisions


Article 8: No individual or organization shall use network data to engage in illegal activities, nor shall they engage in the illegal handling of network data, such as stealing or obtaining network data through other illegal means, illegally selling network data, or illegally providing network data to others.
No individual or organization may provide programs or tools specifically designed for the illegal activities mentioned above, nor may anyone who knows that others are engaging in such illegal activities provide them with technical support such as internet access, server hosting, network storage, and communication transmission, or with assistance such as advertising promotion or payment settlement.
Article 9: Network data processors shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards, strengthen network data security protection on the basis of cybersecurity level protection. They should establish and improve network data security management systems, take technical measures such as encryption, backup, access control, and security authentication, as well as other necessary measures to protect network data from being altered, destroyed, leaked, or illegally obtained or utilized. They should handle network data security incidents, prevent criminal activities targeting or exploiting network data, and bear primary responsibility for the security of the network data they process.
Article 10: Network data handlers shall ensure that the network products and services they provide comply with the mandatory requirements of relevant national standards. When any risks such as security defects or loopholes are identified in the network products or services, immediate remedial measures should be taken and users should be notified in a timely manner according to regulations, and reports should be submitted to the relevant competent authorities. In cases involving harm to national security and public interests, network data handlers shall also report to the relevant competent authorities within 24 hours.
Article 11: Network data processors shall establish and improve network data security incident contingency plans. In the event of a network data security incident, they shall immediately activate the plan, take measures to prevent further harm, eliminate potential safety hazards, and report to the relevant competent authorities as required.
If a network data security incident causes harm to the legitimate rights and interests of individuals or organizations, the handler of network data shall promptly notify the relevant parties by means of telephone, text message, instant messaging tool, email, or public announcement of the security incident and risk situation, the consequences of harm, and the remedial measures already taken; where laws and administrative regulations stipulate that no notification is required, such provisions shall apply. During the process of handling a network data security incident, if the handler discovers suspected criminal activities, they shall report them to the public security organs and state security agencies in accordance with regulations and cooperate in investigation, inquiry, and disposal work.
Article 12: When providing personal information and important data to other network data handlers, or entrusting other network data handlers to handle such data, the network data handler shall, through contracts or other means, conclude an agreement with the recipient on matters such as the purpose, method, and scope of handling and the security protection obligations. The network data handler shall also supervise the performance of these obligations by the recipient. Records of such handling shall be kept for at least three years.
The recipient of network data shall fulfill the obligation to protect network data security and handle personal information and important data in accordance with the agreed purposes, methods, scope, etc.
When two or more network data handlers jointly determine the purposes and methods of processing personal information and important data, they shall agree on their respective rights and obligations.
Article 13: Network data handlers shall conduct national security reviews in accordance with relevant state regulations if their network data processing activities affect or are likely to affect national security.
Article 14: When a network data handler needs to transfer network data due to merger, division, dissolution, bankruptcy, or other reasons, the recipient of the network data shall continue to fulfill the obligation to protect the security of network data.
Article 15: When state organs entrust others to build, operate, and maintain electronic government affairs systems, and store and process government data, they shall strictly follow the national regulations for approval procedures, clearly define the network data processing authority and protection responsibilities of the entrusted party, and supervise the entrusted party in fulfilling its obligations to protect network data security.
Article 16: Network data processors that provide services to state organs and operators of key information infrastructure, or participate in the construction, operation, and maintenance of other public infrastructures and service systems, shall fulfill their obligations for network data security protection in accordance with laws and regulations and the terms of the contract, and provide safe, stable, and continuous services.
The network data processor specified in the preceding paragraph shall not, without the consent of the principal, access, obtain, retain, use, disclose or provide to others any network data, nor shall it conduct correlation analysis on the network data.
Article 17: Information systems providing services to state organs shall strengthen the management of network data security by referring to the management requirements of electronic government affairs systems, ensuring the security of network data.
Article 18: Network data processors who use automated tools to access and collect network data shall assess the impact on network services, and shall not illegally intrude into others' networks or interfere with the normal operation of network services.
Article 19: Network data processors providing generative artificial intelligence services shall strengthen the safety management of training data and processing activities related to training data, and take effective measures to prevent and handle network data security risks.
Article 20: Network data processors that provide products and services to the public shall accept social supervision, establish convenient channels for complaints and reports on network data security, disclose information such as complaint and report methods, and promptly handle complaints and reports on network data security.

 

Chapter Ⅲ: Personal Information Protection


Article 21: Before processing personal information, a network data processor shall inform individuals by establishing and disclosing personal information processing rules in accordance with the law. The personal information processing rules shall be publicly displayed in an easily accessible and prominent location, ensuring clarity and ease of understanding. The content should be specific and unambiguous, including but not limited to the following:
(ⅰ) The name or names and contact information of the network data processor;
(ⅱ) The purposes, methods, and types of personal information processing, the necessity of processing sensitive personal information, and its impact on personal rights and interests;
(ⅲ) The retention period of personal information and the handling method after expiration; if it is difficult to determine the retention period, the method for determining the retention period should be clarified;
(ⅳ) Methods and channels for individuals to access, copy, transfer, correct, supplement, delete, restrict processing of personal information, as well as to cancel accounts and withdraw consent.
Where a network data handler informs an individual of the purposes, means, and categories of personal information collected and provided to other network data handlers in accordance with the preceding paragraph, it shall set forth such information in the form of a list. Where a network data handler handles personal information of minors under the age of 14, it shall also formulate special rules for the processing of personal information.
Article 22: Network data handlers who process personal information based on individual consent shall comply with the following provisions:
(ⅰ) The collection of personal information shall be limited to what is necessary to provide products or services, and no excessive personal information shall be collected. Consent from individuals shall not be obtained through misleading, fraudulent, or coercive means.
(ⅱ) Processing sensitive personal information such as biometrics, religious beliefs, specific identities, medical health, financial accounts, and location data shall be subject to the individual's separate consent.
(ⅲ) The processing of personal information of minors under the age of 14 shall be subject to the consent of their parents or other guardians.
(ⅳ) Personal information shall not be processed beyond the purposes, methods, types, and retention periods agreed upon by the individual.
(ⅴ) Frequent requests for consent must not be made after an individual has explicitly expressed disagreement to the processing of their personal information.
(ⅵ) If the purposes, methods, or types of personal information processing are changed, consent from the individual must be obtained again.
Where laws or administrative regulations stipulate that the processing of sensitive personal information shall be subject to written consent, such provisions shall apply.
Article 23: When an individual requests to access, copy, correct, supplement, delete, restrict processing of their personal information, or when an individual terminates their account or withdraws consent, the network data processor shall promptly accept such requests and provide convenient methods and channels for individuals to exercise their rights, without setting unreasonable conditions that limit reasonable requests from individuals.
Article 24: Where the use of automated collection technologies makes it impossible to avoid collecting unnecessary personal information or personal information that has not been lawfully obtained, or when an individual deletes their account, the network data handler shall delete such personal information or anonymize it. If the statutory retention period stipulated by laws and administrative regulations has not expired, or if deleting or anonymizing personal information is technically impractical, the network data handler shall cease all processing activities except for storage and taking necessary security protection measures.
Article 25: For personal information transfer requests that meet the following conditions, network data handlers shall provide channels for other designated network data handlers to access and obtain relevant personal information:
(ⅰ) The true identity of the applicant can be verified;
(ⅱ) The personal information requested to be transferred is information that the individual has consented to provide or that was collected based on a contract;
(ⅲ) Transferring personal information is technically feasible;
(ⅳ) Transferring personal information does not harm the legitimate rights and interests of others.
When the number of requests for transferring personal information, etc., clearly exceeds a reasonable range, the network data processor may charge necessary fees based on the cost of transferring personal information.
Article 26: Where a network data processor outside the territory of the People's Republic of China handles personal information of natural persons within the territory, and establishes a special agency or appoints a representative in accordance with Article 53 of the Personal Information Protection Law of the People's Republic of China, it shall submit the name of the agency or the name of the representative, contact information, etc. to the cyberspace administration of the city divided into districts where it is located; the cyberspace administration shall promptly inform the relevant higher-level departments.
Article 27: Network data handlers shall regularly conduct compliance audits, by themselves or by entrusting professional institutions, on their handling of personal information in accordance with laws and administrative regulations.
Article 28: Network data handlers that process personal information of more than 10 million individuals shall also comply with the provisions set forth in Articles 30 and 32 of this Regulation for network data handlers processing important data (hereinafter referred to as "important data handlers").

 

Chapter Ⅳ: Important Data Security

 

Article 29: The national data security coordination mechanism coordinates relevant departments to formulate a catalog of important data, strengthening the protection of such data. All regions and departments shall, in accordance with the data classification and grading protection system, determine the specific catalog of important data within their respective jurisdictions and related industries and fields, focusing on protecting network data included in the catalogues.

Network data handlers shall identify and declare important data in accordance with national regulations. For data that is confirmed to be important, the relevant regions and departments shall promptly inform the network data handlers or make public announcements. Network data handlers shall fulfill their responsibilities for protecting network data security.

The state encourages network data handlers to use technologies and products such as data tags to improve the level of important data management.

Article 30: The handler of important data shall designate a person in charge of network data security and establish an agency responsible for the administration of network data security. The agency responsible for the administration of network data security shall perform the following responsibilities for the protection of network data security:

(ⅰ) Develop and implement network data security management systems, operational procedures, and emergency response plans for network data security incidents;

(ⅱ) Regularly organize activities such as network data security risk monitoring, risk assessment, emergency drills, and publicity and education training to promptly handle network data security risks and incidents;

(ⅲ) Accept and handle complaints and reports on network data security.

The person responsible for network data security should have professional knowledge of network data security and relevant management experience, serve as a member of the management team of the network data processor, and have the authority to report directly to the relevant competent authorities on the situation of network data security.

A network data processor who possesses important data of specific types and scales as stipulated by the relevant competent authorities shall conduct security background checks on network data security officers and key personnel, and enhance training for relevant personnel. When conducting such checks, they may apply to public security organs and state security agencies for assistance.

Article 31: Before providing, entrusting the processing of, or jointly handling important data, the handler of important data shall conduct a risk assessment, except when it is for the purpose of fulfilling statutory duties or obligations.

Risk assessment should focus on evaluating the following:

(ⅰ) Whether the provision, entrustment of processing, joint processing of network data, and the purposes, methods, and scope of handling network data by the recipient are legal, legitimate, and necessary;

(ⅱ) The risk of tampering, damage, leakage, or illegal access and use of network data provided, entrusted for processing, or jointly processed, as well as the risks to national security, public interests, or the legitimate rights and interests of individuals and organizations;

(ⅲ) The integrity, compliance with laws and regulations, etc., of the recipient of network data;

(ⅳ) Whether the requirements for network data security in relevant contracts concluded or to be concluded with the recipient of network data can effectively bind the recipient of network data to fulfill its obligations to protect network data security;

(ⅴ) Whether the technical and management measures taken or to be taken can effectively prevent risks such as tampering, damage, leakage, illegal access, or illegal use of network data;

(ⅵ) Other assessment contents specified by the relevant competent authorities.

Article 32: Where the merger, division, dissolution, bankruptcy, etc. of a handler of important data may affect the security of important data, the handler shall take measures to ensure network data security and report the important data disposal plan, the name or title of the recipient, its contact information, etc. to the relevant competent authorities at or above the provincial level; if the competent authority is not clear, it shall report to the data security coordination mechanism at or above the provincial level.

Article 33: The handler of important data shall conduct a risk assessment on its network data processing activities annually and submit the risk assessment report to the relevant supervisory departments above the provincial level, which shall promptly inform the cyberspace administration and public security organs at the same level.

The risk assessment report should include the following content:

(ⅰ) Basic information of the network data processor, information on the network data security management organization, name and contact details of the person responsible for network data security;

(ⅱ) The purposes, types, quantity, methods, scope, storage period, and storage location of important data processing activities, excluding the content of network data itself;

(ⅲ) Network data security management systems and implementation status, technical measures such as encryption, backup, tagging, access control, and secure authentication, other necessary measures and their effectiveness;

(ⅳ) The network data security risks discovered, the network data security incidents occurred and their handling situation;

(ⅴ) Risk assessment of providing, entrusting processing, and jointly handling important data;

(ⅵ) The situation of network data leaving the country;

(ⅶ) Other reporting content specified by the relevant competent authorities.

The risk assessment reports submitted by large online platform service providers that handle important data should, in addition to the content specified in the preceding paragraph, fully explain the security situation of key business and supply chain network data.

Where data handlers of important data conduct activities that may endanger national security, the competent authorities at or above the provincial level shall order them to take corrective measures or stop handling such data. Data handlers of important data shall immediately take measures in accordance with relevant requirements.

 

Chapter Ⅴ: Cross-border Management of Network Data Security

 

Article 34: The national cyberspace administration coordinates with relevant departments to establish a special working mechanism for the management of data exiting the country, researches and formulates relevant policies on the management of network data exiting the country, and coordinates the handling of major matters related to the security of network data exiting the country.

Article 35: A network data processor may provide personal information to a location outside of China under any of the following conditions:

(ⅰ) Successful completion of a security assessment for data exit organized by the national cyberspace administration;

(ⅱ) Obtaining personal information protection certification from a professional institution in accordance with the regulations of the national internet information department;

(ⅲ) Compliance with the provisions on standard contracts for personal information transfer out of the country formulated by the national internet and informatization department;

(ⅳ) The Personal Information is required to be provided to a location outside the territory of China for the purpose of concluding and performing a contract to which the Individual is a party;

(ⅴ) To implement cross-border human resources management in accordance with legally formulated labor rules and regulations and collective contracts signed according to law, it is necessary to provide employees' personal information overseas;

(ⅵ) To fulfill statutory duties or obligations, it is necessary to provide personal information to overseas entities;

(ⅶ) In urgent situations where personal information needs to be provided overseas to protect the life, health, and property safety of natural persons;

(ⅷ) Other conditions stipulated by laws, administrative regulations or the national cyberspace administration.

Article 36: If international treaties or agreements that the People's Republic of China has concluded or joined provide for conditions regarding the provision of personal information to entities outside the territory of the People's Republic of China, such provisions may be followed.

Article 37: If network data handlers operating within the territory of the People's Republic of China need to provide important data collected and generated during their operations to overseas entities, they shall undergo a data exit security assessment organized by the national cyberspace administration. Network data handlers shall identify and declare important data in accordance with relevant state regulations; however, if they have not been informed or publicly designated as important data by the relevant regions or departments, they are not required to declare such data as important data for the purpose of undergoing a data exit security assessment.

Article 38: After passing the data export security assessment, a network data processor providing personal information and important data to overseas entities shall not exceed the purposes, methods, scope, types, and scale of data export that were specified during the assessment.

Article 39: The state shall take measures to prevent and respond to security risks and threats to the cross-border transfer of data within cyberspace. No individual or organization may provide programs or tools specifically designed to damage or circumvent technical measures, nor may anyone who knows that others are damaging or circumventing technical measures provide them with technical support or assistance.

 

Chapter Ⅵ: Obligations of Network Platform Service Providers

 

Article 40: Network platform service providers shall clarify the network data security protection obligations of third-party product and service providers who access their platforms through platform rules or contracts, and urge these third parties to strengthen network data management.

The producers of smart terminals and other devices with pre-installed applications are subject to the provisions of the preceding paragraph.

If a third-party product and service provider violates the provisions of laws, administrative regulations, platform rules, or contract agreements in carrying out network data processing activities, thereby causing harm to users, the network platform service provider, the third-party product and service provider, and the producers of smart terminals with pre-installed applications shall bear corresponding legal liabilities according to law.

The state encourages insurance companies to develop insurance products for liability for damage to network data, and encourages network platform service providers, smart terminal equipment producers with pre-installed applications, etc. to take out insurance.

Article 41: Network platform service providers that offer application distribution services shall establish verification rules for applications and carry out relevant verifications concerning network data security. If they discover that an application to be distributed or already distributed does not comply with the provisions of laws, administrative regulations, or the mandatory requirements of national standards, they shall take measures such as issuing warnings, refusing distribution, suspending distribution, or terminating distribution.

Article 42: Network platform service providers that use automated decision-making to push information to individuals shall set up an easy-to-understand, accessible, and operable personalized recommendation opt-out option, and provide users with the ability to refuse receiving pushed information and delete user tags based on their personal characteristics.

Article 43: The state promotes the construction of public services for online identity authentication and popularizes their use based on government guidance and user voluntariness.

Internet platform service providers are encouraged to support users in using the national network identity authentication public services to register and verify real identity information.

Article 44: Large online platform service providers shall publish an annual social responsibility report on personal information protection, which shall include but not be limited to personal information protection measures and their effectiveness, the handling of applications for exercising rights by individuals, and the performance of duties by a personal information protection oversight body mainly composed of external members.

Article 45: Large online platform service providers shall comply with national data cross-border security management requirements when providing network data across borders, improve relevant technical and management measures, and prevent potential risks to the security of network data in cross-border transmission.

Article 46: Large online platform service providers shall not engage in the following activities using network data, algorithms, and platform rules:

(ⅰ) Dealing with network data generated by users on the platform through means such as misrepresentation, fraud, or coercion;

(ⅱ) Unreasonably restricting users from accessing or using the network data generated by them on the platform;

(ⅲ) Unreasonably discriminating against users, thereby harming their legitimate rights and interests;

(ⅳ) Other activities prohibited by law or administrative regulations.

 

Chapter Ⅶ: Supervision and Management


Article 47: The State Internet Information Office is responsible for coordinating and managing network data security and related supervision and management work.

Public security organs and state security agencies shall, in accordance with relevant laws, administrative regulations and the provisions of this Regulation, undertake the supervisory and management responsibilities for network data security within their respective scope of duties, and take legal measures to prevent and combat criminal activities that endanger network data security.

National data management authorities shall perform corresponding network data security duties in the course of undertaking specific data management work.

Each region and department is responsible for the network data collected and generated in their own work, as well as the security of such network data.

Article 48: Each relevant competent department shall assume the responsibility for supervising and managing the network data security of its industry or field. It should designate an organization to protect the network data security of its industry or field, formulate and implement emergency response plans for network data security incidents in a coordinated manner, regularly organize risk assessments for network data security within its industry or field, conduct supervision and inspection on the performance of network data security protection obligations by network data processors, and guide and urge network data processors to rectify existing risks and hidden dangers in a timely manner.

Article 49: The state Internet and information department coordinates with relevant departments to promptly summarize, analyze, share, and release information related to network data security risks. It strengthens the sharing of network data security information, monitoring and early warning of network data security risks and threats, as well as emergency response to network data security incidents.

Article 50: The relevant competent authorities may take the following measures to supervise and inspect network data security:

(ⅰ) Require network data handlers and their related personnel to provide explanations on matters under supervision and inspection;

(ⅱ) Consult and copy documents and records related to network data security;

(ⅲ) Check the operation of network data security measures;

(ⅳ) Inspect equipment and items related to network data processing activities;

(ⅴ) Other necessary measures stipulated by laws and administrative regulations.

A network data processor shall cooperate with the competent authorities in conducting supervision and inspection of network data security in accordance with law.

Article 51: The competent authorities shall conduct objective and impartial supervision and inspection of network data security, and shall not charge fees to the entities under inspection.

The competent authorities shall not access or collect business information unrelated to network data security during the supervision and inspection of network data security. The information obtained can only be used for the maintenance of network data security and shall not be used for other purposes.

Where the relevant competent authorities discover that the network data processing activities of a network data processor present significant security risks, they may, in accordance with the prescribed authority and procedures, require the network data processor to take measures such as suspending related services, amending platform rules, and improving technical measures to eliminate potential security risks associated with network data.

Article 52: When conducting supervision and inspection of network data security, relevant competent authorities shall strengthen coordination and information sharing, reasonably determine the frequency and methods of inspection, and avoid unnecessary or overlapping inspections.

Personal information protection compliance audits, risk assessments of important data, and security assessments for the exit of important data should be better coordinated to avoid repeated assessments and audits. When there is overlap between the content of important data risk assessment and network security level evaluation, relevant results can be mutually recognized.

Article 53: The relevant authorities and their staff members shall keep confidential the personal privacy, personal information, business secrets, and confidential business information, etc. of network data that they have learned about in the course of performing their duties according to law, and shall not disclose or illegally provide them to others.

Article 54: The state cyberspace administration and relevant competent authorities may take necessary and appropriate measures in accordance with the law against overseas organizations or individuals that conduct network data processing activities that endanger China's national security and public interests or infringe upon personal information rights and interests of Chinese citizens.

 

Chapter Ⅷ: Legal Responsibility

 

Article 55: In the event of violation of Articles 12, 16 through 20, 22, the first and second paragraphs of Article 40, Article 41, and Article 42 of these Regulations, the competent authorities in the fields of cyberspace administration, telecommunications, public security, etc. shall, pursuant to their respective responsibilities, order rectification, issue warnings, and confiscate illegal gains; if rectification is refused or circumstances are serious, a fine of less than 1 million yuan may be imposed, and operations related to the violations may be suspended, businesses may be shut down for rectification, relevant business licenses may be revoked, or business permits may be rescinded. Directly responsible managers and other directly responsible persons may be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 56: In the event of violation of Article 13 of these Regulations, the competent authorities in charge of network information, telecommunications, public security, and national security shall order rectification and issue a warning based on their respective responsibilities. They may also impose a fine of no less than 100,000 yuan but no more than 1 million yuan. The directly responsible person in charge and other directly responsible persons may be fined no less than 10,000 yuan but no more than 100,000 yuan. If the violation is not corrected or if the circumstances are serious, a fine of no less than 1 million yuan but no more than 10 million yuan may be imposed, and the relevant business operations may be suspended, the business may be shut down for rectification, or the relevant business licenses or business permits may be revoked. The directly responsible person in charge and other directly responsible persons may be fined no less than 100,000 yuan but no more than 1 million yuan.

Article 57: In the event of violation of Article 29, paragraph 2, Article 30, paragraphs 2 and 3, Article 31, and Article 32 of these Regulations, the competent authorities such as the Cyberspace Administration, telecommunications departments, and public security organs shall order rectification and issue warnings based on their respective responsibilities. They may also impose fines ranging from 50,000 yuan to 5 million yuan. The directly responsible person in charge and other directly responsible individuals may be fined between 10,000 yuan and 1 million yuan. If the violation is not corrected or if it leads to massive data breaches or other serious consequences, a fine of no less than 500,000 yuan but no more than 2 million yuan may be imposed. Additionally, suspension of related business operations, business closure for rectification, revocation of relevant business licenses, or revocation of business permits may be ordered. The directly responsible person in charge and other directly responsible individuals may be fined between 50,000 yuan and 2 million yuan.

Article 58: Violation of other relevant provisions of this Regulation shall be investigated for legal liability by the relevant competent authorities in accordance with the relevant provisions of laws such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China.

Article 59: If a network data processor takes the initiative to eliminate or mitigate the consequences of illegal acts, if the illegal acts are minor and corrected in time without causing harm, or if it is a first-time violation with minor harm and corrected in time, penalties may be mitigated or exempted in accordance with the provisions of the Administrative Punishment Law of the People's Republic of China.

Article 60: If a state organ fails to fulfill its obligations under this Regulation concerning the protection of network data security, it shall be ordered to make corrections by its superior organ or the relevant competent department; disciplinary sanctions shall be imposed on the directly responsible person in charge and other directly responsible persons according to law.

Article 61: Those who violate the provisions of these Regulations and cause damage to others shall bear civil liability in accordance with the law; if their actions constitute violations of public security administration, they shall be punished for public security administration in accordance with the law; if their actions constitute crimes, they shall be investigated for criminal responsibility in accordance with the law.

 

Chapter Ⅸ: Appendix

 

Article 62: The meanings of the following terms in this Regulation are as follows:

(ⅰ) Network data refers to various electronic data processed and generated through the network.

(ⅱ) Network data processing activities refer to the collection, storage, use, processing, transmission, provision, disclosure, and deletion of network data.

(ⅲ) Network data processor refers to an individual or organization that autonomously determines the purpose and method of processing in network data processing activities.

(ⅳ) Important data refers to information specific to a particular field, group, region, or that has reached a certain level of accuracy and scale, which, if altered, destroyed, leaked, illegally obtained, or misused, could directly endanger national security, economic operations, social stability, public health, and safety.

(ⅴ) Entrusted processing refers to the network data processing activities carried out by a network data processor entrusting individuals or organizations to process network data according to agreed purposes and methods.

(ⅵ) Joint processing refers to the network data processing activities in which two or more network data processors jointly determine the purposes and means of processing network data.

(ⅶ) Specific consent refers to the specific and clear consent given by an individual for a specific processing of their personal information.

(ⅷ) Large online platforms refer to those with more than 50 million registered users or more than 10 million monthly active users, complex business types, and whose data processing activities have a significant impact on national security, economic operation, and people's livelihood.

Article 63: The handling of core data through network data processing activities shall be carried out in accordance with the relevant state regulations.

Natural persons who handle personal information for personal or family affairs shall not be subject to these Regulations.

Carrying out network data processing activities involving state secrets and work secrets shall be subject to the provisions of laws and administrative regulations such as the "Law of the People's Republic of China on Guarding State Secrets".

Article 64: This regulation shall be implemented from January 1, 2025.