Technology M&A 2025

CHINA Trends and Developments Contributed by: Joanna Jiang, Richard Qiang, Greg Guo and Dimitri Phillips, DaHui Lawyers

Network Data Security Regulations On 30 September 2024, China’s State Council promulgated the finalised, binding version of the Regulations on Network Data Security (the “NDS Regulations”), which take effect from 1 January 2025. The NDS Regulations primarily serve to supplement and elucidate China’s data secu- rity regime by providing additional guidance, requirements, and clarifications on the country’s existing cybersecurity framework. The following updates merit a closer look from companies with operations in China. • In the event of a network data security inci- dent that impacts the legitimate interests of individuals or organisations, network data handlers are mandated to promptly inform the affected stakeholders through various means, including by phone, text, messaging apps, email, or public announcements, and provide a comprehensive explanation of the risks, potential damages, and remedial actions taken. • In cases where network data handlers will change, or network data will be transferred, due to a merger, division, dissolution, bank- ruptcy, or other similar circumstances, the recipient or surviving network data handlers must continue fulfilling the original network data handler’s data security protection obliga- tions. In addition to the existing requirements under PRC law, the NDS Regulations have expanded this obligation to encompass all network data, including but not limited to PI.

• The NDS Regulations stipulate that a network data handler’s privacy policy must expressly define the retention period for any processed PI. If the retention period is contractually ambiguous, the methods for determining the retention period should be clearly articulated. • Network data handlers that inadvertently col- lect unnecessary PI or collect PI without legal consent are required to anonymise or delete the information. • Network data handlers that process any important data are required to appoint a Data Protection Officer (“DPO”) and establish an internal data security management depart- ment. Taken as a whole, the NDS Regulations did not introduce any significant burdens or liabilities beyond those included in China’s pre-existing cybersecurity regime. The requirements for des- ignating a DPO and maintaining an internal data security management department merely apply to handlers of important data and are therefore unlikely to affect most foreign companies with subsidiaries or business operations in China. The NDS Regulations’ detailed clarifications and guidance provide a clearer path for compliance, making it easier for businesses to operate and merge with confidence in China’s robust digital economy.

88

CHAMBERS.COM

Powered by