Data Protection in 2024: the Formation of the Data Protection Regulatory Framework

Casper Sek of Jingtian & Gongcheng examines the evolution and refinement of China’s data protection oversight throughout 2024

Summary


2024 marked a significant milestone in China’s data protection landscape. During the year, the regulatory authorities refined, optimized, and ultimately established a comprehensive framework for cross-border data transfers. The final issuance of the Regulations for the Administration of Network Data Security (网络数据安全管理条例), one of the country’s most pivotal data regulations, represented a key moment in the evolution of China’s data protection regulatory system.

At the same time, the rollout and enforcement of data protection regulations across various industries, alongside the introduction of critical national and sectoral standards and practical guidelines, signaled a shift toward more sophisticated and precise regulatory oversight. This maturing and increasingly structured regulatory environment aligns with the Chinese government's broader initiative to promote the development and circulation of data resources.

1. Finalization of the Regulatory Framework for Cross-border Data Transfers

On March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Facilitating and Regulating Cross-border Data Flow (促进和规范数据跨境流动规定, the “Provisions”), which took immediate effect. The Provisions introduce significant modifications to China’s previous data export regime, easing—though not entirely eliminating—the compliance burden for enterprises engaged in cross-border personal information transfers. By establishing a more flexible and structured framework, the Provisions strike a balance between regulatory oversight and streamlined procedures. Notably, they introduce exemptions for certain data export scenarios, relax thresholds for smaller data transfers, and grant Free Trade Zones (“FTZs”) greater autonomy in managing data exports. At the same time, they reinforce data protection obligations and provide clearer guidelines for identifying and transferring important data. A key provision states that if data is not classified as "important" by the relevant authorities, data handlers are not required to undergo a security assessment for its overseas transfer.

Concurrently with the Provisions, the CAC also released the second edition of the Guidelines for Filing for Security Assessments of Overseas Transfers of Data (数据出境安全评估申报指南) and the Guidelines for the Record Filing of Standard Contracts for the Overseas Transfer of Personal Information (个人信息出境标准合同备案指南). Additionally, the regulator introduced an online system enabling data handlers to apply for security assessments or file standard contracts more efficiently, significantly streamlining both processes.

In November 2024, the CAC officially issued the Compliance Guidelines for Overseas Transfers of Data (数据出境合规指引), further clarifying regulatory requirements for cross-border data transfers and strengthening the protection of personal information and important data. These Guidelines emphasize a categorized and graded management approach, introduce assessment reporting systems, and define compliance obligations, offering enterprises clearer guidance on cross-border data transfer activities. This regulatory refinement fosters a more predictable environment for businesses and promotes global digital cooperation.

The finalization of the cross-border data transfer regulatory framework has notably reduced compliance burdens for data handlers while facilitating the orderly flow of data. According to the CAC, since the implementation of the Provisions, the number of data export security assessment cases has decreased by approximately 60% compared to the previous year, while standard contract filings for personal information exports have dropped by around 50%. As of December 2024, the CAC had completed 285 security assessments and processed 1,071 standard contract filings, with only 27 projects failing to pass security assessments, accounting for less than 10% of the total. These figures suggest that applications for security assessments and standard contract filings have increasingly become routine compliance tasks for data handlers—an observation further supported by practical experience.

2. The Introduction of the Most Important Regulations in the Field of Data Governance

On September 30, 2024, the State Council released the official text of the Regulations for the Administration of Network Data Security (网络数据安全管理条例, the “Regulations”), which are set to take effect on January 1, 2025. This marks a significant milestone in China’s evolving data security landscape. The Regulations primarily consolidate and reiterate existing compliance obligations related to personal information processing, important data security management, cross-border data transfers, vulnerability and emergency response, data provision, and entrusted processing, among other areas. These requirements are drawn from the three pillars of China’s data compliance framework: the Cybersecurity Law (网络安全法), the Data Security Law (数据安全法), and the Personal Information Protection Law (个人信息保护法), along with their respective implementing rules. The Regulations apply to all network data processing activities within China and extend to foreign entities processing personal information of Chinese individuals. They also strengthen security obligations related to national security, data breach reporting, and risk assessments.
The Regulations require network data handlers to implement comprehensive security management systems, enforce strict controls over data sharing and entrusted processing, and conduct regular risk assessments. Specific obligations are introduced for large-scale data handlers, particularly those processing over 10 million personal data records. Companies must also comply with strict cross-border data transfer requirements, including security assessments or contractual safeguards for transferring personal information overseas, especially when handling important data. A key focus of the Regulations is the management of important data, with explicit requirements for appointing data security officers, conducting security risk assessments, and ensuring proper data handling during corporate transitions. Additionally, large platform operators are required to publish annual reports on personal information protection and implement measures to combat deceptive data practices.

The Regulations set the foundation for a more structured and secure digital environment in China. To ensure compliance, companies must take proactive steps, including strengthening data governance frameworks, enhancing transparency in data processing, and preparing for regulatory audits. By reinforcing China’s commitment to data sovereignty, the Regulations present both challenges and opportunities for businesses operating in or engaging with the Chinese market.

3. Sectoral Data Protection Rules Driving the Refinement of Data Protection Regulation

In addition to national legislation on data protection, sectoral regulators have also introduced and implemented industry-specific data protection rules. Beyond the general provisions of the Data Security Law (数据安全法) and the Regulations for the Administration of Network Data Security (网络数据安全管理条例), these sectoral regulations reflect the distinct data governance approaches and priorities of each industry, contributing to a more detailed and comprehensive framework for data protection.

On May 24, 2024, the Ministry of Industry and Information Technology (“MIIT”) announced the issuance of the Implementing Rules for Data Security Risk Assessments in the Industry and Information Technology Sector (Trial Implementation) (工业和信息化领域数据安全风险评估实施细则(试行)). These rules apply to data security risk assessments conducted by handlers of important data and core data within the industrial and information technology sectors. Under the rules, such assessments must evaluate the legality, necessity, and methods of data processing, as well as the establishment of data security management systems and policies. The assessments must also examine organizational and staffing arrangements for data security responsibilities, the technical capabilities deployed to safeguard data, and the adequacy of personnel training in data security. Additionally, they must consider risks to national security and public interest arising from data incidents, the security obligations of data recipients, and compliance with national data export security assessment requirements. Handlers of important and core data are required to conduct at least one data security risk assessment annually, with additional special assessments mandated under specific circumstances, such as new cross-entity data transfers, commissioned data processing, the transfer of core data, or significant adverse changes to the security status of important or core data.

On October 31, 2024, MIIT published the Contingency Plan for Data Security Incidents in the Industry and Information Technology Sector (Trial Implementation) (工业和信息化领域数据安全事件应急预案(试行), the “Contingency Plan”) along with its corresponding appendices. The Contingency Plan is designed to implement and clarify the requirements for data security incident management as set out in relevant laws and regulations. It provides clear definitions of what constitutes a “data security incident”, establishes four designated levels of such incidents, and specifies the corresponding reporting obligations, including when and to whom an in-scope data handler must report a data security incident.
On March 22, 2024, the Ministry of Natural Resources issued the Measures for the Administration of Data Security in the Natural Resources Sector (自然资源领域数据安全管理办法, the “Measures”) to promote data sharing, openness, development, and utilization in the natural resources sector. The Measures aim to support the innovative application of data, enhance data security capabilities, and safeguard national security and social stability. The data covered under the Measures include information collected and generated during natural resource-related activities, such as geographic data (e.g., basic geographic information and remote sensing images) and data on land, minerals, forests, grasslands, water, wetlands, sea areas, and islands. The data governed by the Measures also encompasses data related to spatial planning, resource management, land protection, ecological restoration, and real estate registration. Regarding data classification and management, the Measures require the Ministry of Natural Resources to establish standards for data classification, the identification of important and core data, and data security. This includes developing dynamic management systems for critical data directories. Data handlers bear primary responsibility for the security of their data processing activities and must protect data in accordance with its classification, applying the highest level of protection when processing data of different classifications simultaneously. Additionally, data handlers must establish a comprehensive data security management system, implement specific protection measures at each stage of the data lifecycle, and maintain processing logs secured with commercial encryption techniques.

On April 15, 2024, the Ministry of Finance and the CAC jointly issued the Tentative Measures for Data Security Management of Accounting Firms (会计师事务所数据安全管理暂行办法), which set clear requirements for accounting firms auditing critical infrastructure, platforms with over one million users, or important data. These firms must implement the Multi-Layered Protection Scheme at Level 3 and adopt encryption and other security technologies to protect data. Violations of these Tentative Measures will be subject to enforcement by financial, cyberspace, public security, and national security authorities.

On December 27, 2024, the National Financial Regulatory Administration released the Measures for the Data Security Management of Banking and Insurance Institutions (银行保险机构数据安全管理办法), one of the most significant sets of sector-specific regulations governing data compliance. These measures comprehensively address data governance throughout the full lifecycle within banking and insurance institutions. Key areas covered include data security governance, classification and grading, security management, technical protection, personal information protection, risk monitoring and response, supervision, and enforcement. The measures apply to nearly all banking and insurance institutions and regulate all data processing activities except those involving state secrets. They outline concrete obligations and procedures for data compliance, covering aspects such as data security management structures, classification and grading, personal information protection, outsourcing management, emergency incident response, and baseline data security requirements. Specifically, regarding baseline data security requirements for banking and insurance institutions, the Measures introduce the concept of a data security protection baseline, setting minimum security standards for safeguarding data. The scope of application primarily focuses on sensitive-level data and above, including core data, important data, and other sensitive categories. Institutions are required to establish logically separated network security zones based on data classification levels and apply region-specific data security protection baselines. The measures detail security protection requirements across five key areas: information system protection, data access control, data transmission security, data storage security, and data destruction management. 
This framework reflects a practical integration of data classification and grading principles, ensuring differentiated protection measures tailored to the varying levels of data sensitivity.

In addition to the sectoral regulations that have already been published and implemented in 2024, certain data protection rules remain in the consultation phase. For instance, in June 2024, the Civil Aviation Administration of China released two draft regulations for public consultation: the Measures for Civil Aviation Data Management (Draft for Comments) (民航数据管理办法(征求意见稿)) and the Measures for Civil Aviation Data Sharing Management (Draft for Comments) (民航数据共享管理办法(征求意见稿)). The first set of draft Measures addresses various aspects of data management within the civil aviation sector, including responsibilities and role assignments, data resource directories, data collection and governance, data sharing, data application, security protections, and regulatory supervision. With respect to data sharing and utilization, the second set of draft Measures proposes an industry-wide data-sharing mechanism built upon shared platforms. They define the responsibilities, rights, and obligations of key stakeholders, including data managers, platform providers, data providers, and data users. The framework envisions a unified management system for shared data directories and data collection task lists, ensuring structured and efficient data-sharing processes. The draft also outlines principles, strategic objectives, and specific requirements for the application of public, enterprise, and personal data within the civil aviation sector.

4. The Introduction of Important Data Protection Standards

In 2024, one of the most significant national standards for data protection to be released was GB/T 43697-2024 Data Security Technology – Data Classification and Grading Rules (数据安全技术 数据分类分级规则, “GB/T 43697”), published by the National Cybersecurity Standardization Technical Committee (“TC260”) on March 21, 2024. GB/T 43697 addresses key aspects such as data classification and grading, as well as the identification of important data and core data.

This standard serves as a reference for industry regulatory authorities in formulating sector-specific data classification and grading frameworks. It is also applicable to data handlers conducting classification and grading activities, providing standardized methodologies for compliance. As a universal standard, GB/T 43697 outlines principles, frameworks, methods, and processes for data classification and grading. Notably, it introduces an “Important Data Identification Guide”, assisting industry regulators in developing detailed classification and grading standards and establishing important data directories. Data handlers can also rely on this guide for internal classification and important data identification, ensuring alignment with sector-specific standards once they are issued.

Additional national data security standards are currently under development, including:

  • Data Security Technology – Security Requirements for Government Data Processing (Draft for Comments) (数据安全技术 政务数据处理安全要求(征求意见稿))
  • Data Security Technology – Guidance on Social Responsibility for Data Security and Personal Information Protection (Draft for Comments) (数据安全技术 数据安全和个人信息保护社会责任指南(征求意见稿))
  • Data Security Technology – Personal Information Protection Compliance Audit Requirements (Draft for Comments) (数据安全技术 个人信息保护合规审计要求(征求意见稿))

These standards are expected to be finalized and implemented later in 2025.

A significant development in national data standardization occurred on September 25, 2024, when the National Development and Reform Commission, the National Data Administration, the CAC, the MIIT, the Ministry of Finance, and the Standardization Administration of China jointly released the Guide for the Establishment of the National Data Standard System (国家数据标准体系建设指南). This guide aims to establish a unified, efficient, and sustainable data standard system to support the high-quality development of the digital economy. It focuses on seven key areas:
1) Basic general standards
2) Data infrastructure
3) Data resources
4) Data technology
5) Data circulation
6) Integrated applications
7) Security protection

By the end of 2026, the plan is to establish a comprehensive national data standard system, including the revision of over 30 national standards covering data management, circulation infrastructure, and data services.

Beyond universal national standards, sector-specific data security standards are also being introduced. A notable example is the mandatory national data standard for intelligent connected vehicles, led by the Ministry of Natural Resources. On June 25, 2024, the draft version of the Basic Requirements for the Security Processing of Spatiotemporal Data in Intelligent Connected Vehicles (智能网联汽车时空数据安全处理基本要求) was released for public consultation, with the final version expected to be published in 2025.

In 2024, TC260 also released multiple practice guidelines focused on data protection, including:
  • Guidelines for Cybersecurity Standards Practices—Protection Requirements in Respect of Cross-Boundary Processing of Personal Information in the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland and Hong Kong) (网络安全标准实践指南——粤港澳大湾区(内地、香港)个人信息跨境处理保护要求)
  • Guidelines for Cybersecurity Standards Practices—Guidelines for Identifying Sensitive Personal Information (网络安全标准实践指南——敏感个人信息识别指南)
  • Guidelines for Cybersecurity Standards Practices—Guidelines for One-Touch Halting of the Collection of Out-of-Vehicle Data (网络安全标准实践指南——一键停止收集车外数据指引)

These guides provide practical guidance for data handlers in ensuring compliance throughout data processing activities. They address common operational challenges and may potentially evolve into formal national standards in the future.

5. Continuously Advancing the Development and Application of Data Resources

In 2024, there was a strong push by central government departments, led by the National Data Administration, to advance the in-depth development and application of data resources. Several key policies were introduced at the national level to support this effort, while at the provincial level, various regions developed and released local data management regulations, accompanied by regional policies aimed at promoting the application and development of data resources. These policies encompass a range of areas, including the openness and sharing of public data, data resource transactions, and the registration of intellectual property for data resources.
At the outset of 2024, the “Data Elements ×” Three-Year Action Plan (2024-2026) (“数据要素×”三年行动计划(2024—2026年)) was jointly published by the National Data Administration and 16 other departments. This plan seeks to leverage the multiplier effect of data elements to drive economic and social development, with a focus on 12 key industries and fields: industrial manufacturing, modern agriculture, commerce, transportation, financial services, scientific innovation, cultural tourism, healthcare, emergency management, meteorological services, urban governance, and green development. The plan emphasizes four core principles:
1) Demand-driven and practical results;
2) Pilot-first approach with breakthroughs in key areas;
3) Effective markets and proactive government involvement; and
4) Open integration with secure order.

By the end of 2026, the plan aims to create over 300 typical application scenarios, achieve an annual growth rate of over 20% in the data industry, and significantly enhance the quality of data products and services.

Following this, several policies aimed at promoting the development and application of data resources were gradually introduced. In May 2024, the State Council’s Executive Meeting reviewed and approved the Action Plan for the Digital Transformation of the Manufacturing Industry (制造业数字化转型行动方案). In September 2024, the General Office of the CPC Central Committee and the General Office of the State Council issued the Opinions on Accelerating the Development and Utilization of Public Data Resources (关于加快公共数据资源开发利用的意见). In December 2024, the National Data Administration, in collaboration with other ministries, released the Opinions on Promoting the Development and Utilization of Enterprise Data Resources (关于促进企业数据资源开发利用的意见). By the end of the year, the National Development and Reform Commission also issued the Guiding Opinions on Promoting the High-Quality Development of the Data Industry (关于促进数据产业高质量发展的指导意见). Additionally, in November 2024, the National Data Administration published the Implementing Plan for Improving the Governance of Data Flow Security and Promoting the Marketization and Valuation of Data Elements (Draft for Comments) (关于完善数据流通安全治理 更好促进数据要素市场化价值化的实施方案(征求意见稿)), seeking public feedback.

Among these, the Opinions on Promoting the Development and Utilization of Enterprise Data Resources (关于促进企业数据资源开发利用的意见) have had the greatest impact in driving companies to develop and apply data resources. This document aims to fully unlock the value of enterprise data resources to propel the digital economy and foster high-quality development. It focuses on five key areas:
1)   Enhancing Data Rights Mechanisms
  • Encourages the separation of data ownership, usage, and management rights.
  • Promotes new business models based on "authorized use and shared benefits" to facilitate data circulation.
2)   Strengthening Digital Competitiveness
  • Supports enterprises in appointing Chief Data Officers (known as “CDOs”) and improving data governance structures.
  • Encourages the use of advanced technologies such as cloud computing, big data analytics, and AI to optimize operations.
3)   Driving Industry-Wide Transformation
  • Promotes data-driven innovation across industrial supply chains.
  • Encourages cross-industry data sharing and integration to support the digitalization of traditional sectors.
4)   Advancing High-Quality Development
  • Advocates for enterprise data applications in public services and governance, such as smart cities and digital rural areas.
  • Encourages data utilization to improve administrative efficiency and drive innovation.
5)   Fostering an Open and Transparent Data Ecosystem
  • Supports the establishment of a regulated data circulation market, including data brokers and trustees.
  • Encourages the development of data standards, evaluation frameworks, and compliance mechanisms.

6. The Outlook for 2025

Reflecting on the legislative progress and policy developments in data protection throughout 2024, it is anticipated that throughout 2025 the regulatory focus will shift toward the formulation and release of important data catalogs for key industries. Companies will be expected to conduct data classification, grading, and important data identification under the guidance of regulatory authorities, ensuring compliance with evolving data governance requirements.

At the same time, as policies on data resource development continue to be refined and implemented, additional incentive mechanisms may be introduced to clarify the boundaries of data development and regulatory compliance. These measures will help businesses maximize the value of data assets accumulated through their operations, enabling them to better leverage data resources while ensuring compliance with legal and regulatory frameworks.






Casper Sek, Partner
Jingtian & Gongcheng