Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 27
requirements and related implementation
rules. Personal data handlers are still obliged
to perform the broad range of statutory
compliance obligations, including notifying
data subjects and obtaining their separate
consent to the international transfer, as well as
executing a data transfer agreement and taking
necessary security measures, leaving much
work still to be done.
Network Data Regulation
China’s newly enacted Network Data
Regulation (effective January 1, 2025)
introduces critical updates to strengthen
governance over network data while balancing
cross-border data flows and compliance
flexibility. As a supplement to the CSL, DSL,
and PIPL, the regulation clarifies operational
requirements for foreign and domestic entities
whose data processing is subject to the said laws
(including those that are subject to the
extra-territorial application thereof).
For instance:
Incident Report:
Data incidents affecting national security or
public interest must be reported to relevant
supervising authorities within 24 hours.
Portability of Personal Data:
Data subjects may request data transfers if: (i)
identity of the requester is verified; (ii) data
requested to be transferred was collected
via consent/contract; and (iii) the requested
transfer is technically feasible and not harmful
to others’ legitimate interests and rights. The
network data handler is entitled to charge for
excessive requests.
Obligations for Massive Data Processing:
A network data handler processing personal
data of more than 10 million individuals
shall: (i) appoint a network data security
officer and establish a dedicated network
data security body; (ii) implement technical
and organisational measures to ensure
network data security and promptly report to
provincial-level or higher regulators the data
disposal plan and the identity and contact details
of data recipients in case of merger, division,
dissolution, or bankruptcy (or other events
jeopardising data security, collectively
“Key Transactions”).
Obligations for large network platforms:
Large network platforms (with more than 50
million registered users or 10 million monthly
active users, who have complex business types
(undefined) and whose data processing may
have significant impact on national security,
economic operations, and public welfare) shall
release annual social responsibility reports on
personal data protection and be mindful of the
activities using network data, algorithms, and
platform rules (e.g., no fraud, no coercion, no
unreasonable restrictions and no unreasonable
differential treatment).
Obligations for Network Platform
Service Providers:
1. Network platform service providers
shall legally bind third-party entities on
their platforms to adhere to data security
obligations through enforceable contractual
terms or platform policies (same for
manufacturers of equipment such as smart
terminals pre-installed with applications).
Relatedly, they will bear shared liability for
violations committed by third-party service
providers operating within their ecosystems.
2. Providers of application distribution
services must conduct pre-launch security
evaluations of hosted applications and
mandate corrective actions for
non-compliant offerings.
3. Platforms utilising automated
decision-making systems for personalized
content delivery must implement
user-controlled opt-out mechanisms,
ensuring individuals can freely disengage
from algorithmic recommendations.