Regional Round-Up: China Q3 2024

China Releases Administrative Regulations for Network Data Security

Almost three years after the Cyberspace Administration of China released the draft Administrative Regulations for Network Data Security (网络数据安全管理条例, “Regulations”) for public comment in November 2021, the Regulations were officially issued by the State Council of the People’s Republic of China (“PRC”) on 30 September 2024. The Regulations will take effect on 1 January 2025.

The Regulations set out in detail the principles and systems relating to data security outlined in these three higher-level laws: (i) Cybersecurity Law of the PRC, (ii) Data Security Law of the PRC, and (iii) Personal Information Protection Law of the PRC (“PIPL”). For example, they clarify the content and format requirements for fulfilling notification obligations under the PIPL by formulating personal information processing rules (i.e. privacy policies). Additionally, the Regulations mandate that network data processors which process the personal data of more than 10 million people must comply with certain obligations applicable to important data processors. These include: (i) appointing a network data security officer with specialised knowledge in network data security and relevant management experience; (ii) establishing a network data security management organisation; and (iii) reporting obligations during mergers, reorganisations, or divisions if these might affect the security of important data.

The Regulations are aligned with existing regulations, incorporating in particular certain provisions under the Regulations on Promoting and Regulating Cross-border Data Flow (促进和规范数据跨境流动规定). These include exemptions from the three data export regulatory requirements.

The Regulations also introduce an additional exemption from the three data export regulatory requirements: where it is deemed necessary to provide personal information overseas to fulfil statutory duties or obligations. This circumstance corresponds to one of the circumstances in which personal information can be processed without the consent of the individual, as outlined in the PIPL.

China Releases AI Safety Governance Framework

On 9 September 2024, the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (TC260) released the “AI Safety Governance Framework” (“Framework”), with the official English version available here. The Framework is a step forward for the Global AI Governance Initiative (launched by the Cyberspace Administration of China on 18 October 2023), which aims to promote responsible artificial intelligence (“AI”) innovation while safeguarding China’s national security, public welfare, and data privacy.

Part 1 of the Framework outlines the principles for AI safety governance, which include (i) being inclusive and prudent to ensure safety, (ii) identifying risks with agile governance, (iii) integrating technology and management for coordinated response, and (iv) promoting openness and cooperation for joint governance and shared benefits.

To implement the aforesaid principles, the main contents of the Framework focus heavily on two major types of AI-related risks: (i) “inherent safety risks”, and (ii) “safety risks in AI applications”. These two major types of risks are further classified in Part 3 of the Framework.

Accordingly, Parts 4 and 5 of the Framework propose technical countermeasures and comprehensive governance measures corresponding to each type of AI-related risk. Both parts are helpfully summarised in the “Table of AI Safety and Security Risks to Technical Countermeasures and Comprehensive Governance Measures” attached to the Framework.

Part 6 of the Framework formulates safety guidelines for different groups of people, including developers, service providers, users and the general public.

In summary, the Framework identifies different types of risks at both the development and application levels, to which practitioners at both levels and at different stages, as well as users (including the general public), should pay attention. It is important for AI practitioners to comply with and implement the relevant measures and guidelines provided in the Framework. Given the global nature of AI, we would also like to highlight that the Framework emphasises the importance of safeguarding information and complying with data security and privacy laws, such as the PRC Cybersecurity Law and the PRC Personal Information Protection Law, when engaging in AI-related business.

China Further Eases Foreign Investment Restrictions

On 8 September 2024, the National Development and Reform Commission of the People’s Republic of China (“PRC”) and the PRC Ministry of Commerce (“MOFCOM”) officially released the Special Administrative Measures (Negative List) for Foreign Investment Access (2024 Edition) (外商投资准入特别管理措施(负面清单)(2024年版), “Negative List 2024”). This new edition takes effect on 1 November 2024.

The Negative List 2024 reduces the nationwide negative list for foreign investment access from 31 items to 29 items. It removes the requirement that publication printing must be controlled by a Chinese party. It also removes the prohibition on foreign investment in the processing techniques of traditional Chinese medicine decoction pieces, such as steaming, frying, roasting, and calcining, as well as the production of proprietary Chinese medicine secret prescription products. This effectively eliminates all foreign investment access restrictions in the manufacturing sector in China.

Just one day before the release of the Negative List 2024, MOFCOM, the National Health Commission of the PRC, and the National Medical Products Administration issued the Notice on Carrying out the Pilot Program for Expanding Opening-up in the Medical Field (MOFCOM No. [2024] 568) (关于在医疗领域开展扩大开放试点工作的通知, “Notice”) to expand the opening up of foreign investments in China’s healthcare sector. According to this Notice, foreign-invested enterprises are now permitted to engage in the development and application of human stem cell, gene diagnosis and treatment technologies for product registration and production within the China (Beijing) Pilot Free Trade Zone, China (Shanghai) Pilot Free Trade Zone, China (Guangdong) Pilot Free Trade Zone and Hainan Free Trade Port. Approved products can be used nationwide. It is also noteworthy that the Notice intends to permit the establishment of wholly foreign-owned hospitals (excluding traditional Chinese medicine hospitals and excluding the acquisition of public hospitals) in nine places, including Beijing, Tianjin, Shanghai, Nanjing, Suzhou, Fuzhou, Guangzhou, Shenzhen and the whole island of Hainan. The specific conditions, requirements and procedures for the establishment of these wholly foreign-owned hospitals will be announced separately.

We believe these new policies will create new opportunities for foreign investment and collaboration in China, especially in the healthcare sector. More detailed regulations are also expected to be released soon.

Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice.

Rajah & Tann Asia is a network of legal practices based in Asia.
