On November 7, 2016, the Cybersecurity Law of the People's Republic of China (CSL) was passed by the National People's Congress and officially took effect on June 1, 2017. As China's first comprehensive law governing cyberspace security, the CSL outlines key requirements for safeguarding national cyberspace sovereignty, protecting critical information infrastructure, securing key data and personal information, and defining the cybersecurity responsibilities of all stakeholders.
On September 1, 2021, the Data Security Law of the People's Republic of China (DSL) came into effect. Serving as a cornerstone for data protection and the growth of the digital economy, the DSL emphasizes data classification and protection. It imposes explicit obligations on organizations to implement data security policies, manage data security risks, and report data security incidents. The law has played a key role in standardizing data usage and transactions.
On November 1, 2021, China enacted the Personal Information Protection Law (PIPL), its first dedicated law on personal information protection. The PIPL establishes a legal framework for the lawful processing of personal information, outlines compliance obligations for data processors, sets requirements for cross-border data transfers, and details legal liabilities. Together with the CSL and DSL, the PIPL has created a comprehensive legal regime for data security and privacy in China. On November 14, 2021, the Cyberspace Administration of China (CAC) issued a public notice soliciting comments on the draft Regulation for the Administration of Network Data Security, which further elaborates on the principles of the CSL, DSL, and PIPL. After three years of review, on August 30, 2024, the State Council Executive Meeting approved the Regulation for the Administration of Network Data Security (Draft).
On September 30, 2024, the Regulation for the Administration of Network Data Security was officially issued, and it will take effect on January 1, 2025. This Regulation, the first formally issued by the State Council under the CSL, DSL, and PIPL, introduces specific controls for network data processors. It covers areas such as data security strategies, governance, lifecycle protection, management frameworks, and data security operations and technologies. Furthermore, the Regulation provides additional guidance on personal information protection, security of key data, cross-border data management, and network platform service providers' data security obligations, including details on implementation and penalties for non-compliance.
Building on the latest regulatory compliance requirements and our extensive experience in data security management, KPMG has prepared this publication to offer practical insights and recommendations for businesses seeking to comply with data security compliance requirements.