At Ningxia Data Labeling Industrial Base in Wuzhong, in Northwest China's Ningxia Hui Autonomous Region, on December 8, 2024, young annotators are busy identifying specific words in text or speech, outlining objects in images or videos, and tagging them on their computers. Photo: Chen Tao/GT

The Regulation on Network Data Security Management took effect on Wednesday, with a Chinese expert highlighting the importance of ensuring data security amid the widespread integration of AI technology.

The regulation aims to standardize activities related to the processing of online data, safeguard the security of online data, promote the lawful and efficient use of online data, protect the legitimate rights and interests of individuals and organizations, while safeguarding national security and public interests. It consists of nine chapters and 64 articles, according to the document issued by the government in September 2024.

No individuals or organizations may use online data to engage in illegal activities or data processing practices, nor may they engage in illegal data processing activities such as stealing or otherwise unlawfully obtaining, selling, or providing online data to others, according to the regulation. No individuals or organizations may provide programs or tools specifically designed for engaging in the aforementioned illegal activities; if they are aware that others are engaging in such illegal activities, they must not provide technical support such as internet access, server hosting, network storage, or communication transmission, nor assist with advertising promotion or payment settlement. 

Besides, no individuals or organizations may provide programs or tools specifically designed to destroy or circumvent technical measures; if they are aware that others are engaging in activities to destroy or circumvent technical measures, they must not provide technical support or assistance.

The regulation also stresses that network data processor, before processing personal information, shall formulate and prominently display clear personal information processing rules to inform individuals. These rules should be prominently displayed, easily accessible, and placed in a conspicuous location, with content that is clear, specific, and easy to understand. If the network data processor processes personal information of minors under the age of 14, it shall also formulate specific personal information processing rules.

Previously, officials from the Ministry of Justice and Office of the Central Cyberspace Affair Commission noted that some network platform service providers have failed to meet their obligations regarding network data security, while exploiting their data advantages to engage in activities prohibited by laws and regulations. Relevant legislation both domestically and internationally has explored practical solutions to these issues.

To address this problem, the regulation establishes the network data security protection obligations for network platform service providers, third-party service providers, as well as manufacturers of smart devices with pre-installed applications. It also requires network platform service providers that offer application distribution services to establish application verification rules and conduct relevant network data security verifications.

In response to challenges such as the difficulties in disabling personalized recommendation services, the variety of personal information collected, and the abuse of precise personal profiling data, it clarifies that network platform service providers should provide easily understandable, accessible, and operable options for users to disable personalized recommendations. This includes functionalities for users to refuse to receive push notifications and delete user tags related to their personal characteristics.

Network platform service providers are encouraged to support users in registering and verifying their real identity information using the national online identity authentication public service.

It also mandates that large network platform service providers release annual reports on personal data protection, detail measures to address cross-border security risks related to network data, and states their obligation not to engage in related activities using network data, algorithms, or platform rules.

As a subordinate supporting regulation to the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, the introduction of the regulation fills the gap of "administrative regulations" in the comprehensive legal framework for data governance in our country, according to the interpret document issued by the Ministry of Public Security. It provides solutions for the institutional connection and coordination, as well as the refinement and supplementation of rules under the framework of the three laws. 

This regulation plays a guiding role in the field of network data security protection. With the implementation of the regulations, China's network data security regulatory system will undergo a new round of adjustments, which will directly impact the current regulatory landscape, regulatory thinking, priorities and directions, as well as compliance with regulations in the field of network data security, the document said.

It should be noted that the current foundation and driving force of the national economy primarily rely on data, especially in the context of AI technology fully empowering various industries, Wang Sixin, a professor of law at the Communication University of China, told the Global Times on Wednesday. Ensuring the security of data has become particularly important, which includes the regulation and lawful use of data to prevent illegal exploitation. 

Wang emphasized the need for a comprehensive framework to ensure the legal and compliant use of data amid signs of misuse of AI technology for improper gains, which engages in irregular algorithm operations and other behaviors. "Therefore, we need to establish a broad direction, a comprehensive framework, and behavioral norms to ensure the legal and compliant use of data, minimize the occurrence of improper actions, and safeguard overall security," he said.