"Network Data Security Management Regulations" Released — How Should Game Companies Respond?
The 2024 Network Data Security Management Regulations impose heightened compliance obligations on game companies regarding data protection, minor consent, AI training data de-sensitization, and cross-border data transfer rules.
On September 30, 2024, the State Council officially released the “Network Data Security Management Regulations” (hereinafter referred to as the “Regulations”), which will take effect on January 1, 2025.
The draft Regulations were released for public comment on November 14, 2021, and the final version was published nearly three years later. The official version contains substantial revisions compared to the draft, bringing it more in line with recent legislative trends and the current environment.
Gaming is a representative data-intensive industry, so the release of the Regulations means that game companies face a new round of compliance challenges.
Next, let’s take a look at what game companies should pay attention to when facing the Regulations.
This article represents only the author’s personal views and does not constitute legal advice or legal opinion.
I. Strengthened Data Management Obligations
Chapter 2 of the Regulations, “General Provisions,” mainly addresses the data management obligations of network data processors. The official definition of “network data processor” refers to “individuals or organizations that independently determine the purposes and methods of data processing in network data processing activities.” Generally speaking, game companies fall under this category.
Noteworthy content in Chapter 2 includes the following:
Re-emphasis on “Classified Protection of Cybersecurity”
Article 9 stipulates that “network data processors shall strengthen data protection in accordance with laws, administrative regulations, and mandatory requirements of national standards,” with the premise being “on the basis of classified protection of cybersecurity.”
In practice this makes classified protection of cybersecurity (the multi-level protection scheme, MLPS) a prerequisite for launching a game: it must be in place before processing of user data begins.
Data Exchange Requires Separate Contracts or Clauses
Article 12 provides:
When network data processors provide personal information and important data to other network data processors, or entrust them with its processing, they shall agree with the data recipient, by contract or other means, on the purpose, method, scope, and security protection obligations of the processing, and supervise the recipient's performance of those obligations.
Game development and operation companies engage in extensive data exchanges. In some cooperation models, both parties may even access user personal data from the user database.
Conventional game cooperation contracts may specify only who owns the data, and lack the content the Regulations now require.
Given that the typical data processing model involves one party collecting user personal information and then sharing it with another party for review and use, this fits the definition of “data provision.” It is therefore worth adding corresponding contract clauses, or even drafting a dedicated “Data Processing Appendix” that specifies the details of the processing and constrains the conduct of both parties.
Web Scraping is Permitted, But Aggressive Scraping is Not
Article 18 stipulates:
Network data processors using automated tools to access and collect network data shall assess the impact on network services and shall not illegally intrude into others’ networks or disrupt the normal operation of network services.
When operating games, companies may need to visit other websites to collect user reviews, download information, and other data for market analysis. This inevitably involves the use of automated tools to collect data (commonly known as “scraping”).
Previously, the legality of “scraping” sat in a gray area. This article opens a small door rather than imposing a “one-size-fits-all” ban.
Before scraping, the impact on the target's network services must be assessed. In practical terms, I believe that as long as you do not dump entire databases, do not degrade or crash others’ websites, do not bypass access controls (which would be the “illegal intrusion” the article prohibits), throttle your request rate, and collect and process only publicly available information, the risk is relatively low and the activity would not automatically be deemed infringing.
De-sensitization of AI Training Data
Article 19 stipulates:
Network data processors providing generative artificial intelligence services shall strengthen the security management of training data and training data processing activities, and take effective measures to prevent and address network data security risks.
This article has two implications:
- training data must be stored securely to prevent leakage;
- data content must be handled properly during training.
The core of both is essentially “data de-sensitization.” When collecting AI training data, sensitive data and personal information must be filtered out so that it is neither leaked from storage nor memorized by the model and regurgitated in its output.
For building dedicated personal models (such as personal assistants), where processing personal data is unavoidable, consider training a separate LoRA adapter for each user rather than fine-tuning the shared base model on everyone's data, so that one user's personal data cannot surface in another user's output.
II. Detailed Personal Information Protection Measures
Chapter 3, “Personal Information Protection,” mainly addresses measures related to personal information protection. The core content has appeared in the “Personal Information Protection Law”. Below are some noteworthy points:
Protection of Minors
Articles 21 and 22 specifically address the protection of minors’ information.
Article 21 stipulates that when collecting personal information of minors, network data processors “shall formulate special personal information processing rules”;
Article 22 stipulates that “when processing personal information of minors under the age of 14, [network data processors] shall obtain the consent of the minor’s parents or other guardians.”
Combining the two articles, game companies are required to formulate a separate “Minor Privacy Policy” for minor users to check and agree to, in addition to the normal “Privacy Policy.”
When user identity verification indicates that the user is under 14, parental or guardian consent is required to complete the registration process.
Aside:
There is actually a bug here.
Collecting personal information of users under 14 requires guardian consent, but the very process of obtaining the user's age already constitutes “data collection” (data processing).
Game companies may consider performing the check on the front end first: if the user is under 14, start the guardian verification flow; only when the user is 14 or older should the ID card data be transmitted, which minimizes the personal information collected before consent is obtained. Note that a front-end check can be tampered with by the user, so the server must repeat the age check on whatever it receives and route under-14 submissions into the guardian flow rather than into normal registration.
Quick Withdrawal of Consent
Article 23 stipulates that users may request changes to their personal data, withdrawal of consent, account cancellation, etc., at any time. Network data processors shall handle such requests promptly, provide convenient methods, and shall not set unreasonable conditions to hinder changes.
Some operating companies’ user SDKs may only have functions for collection (registration) and display (showing registration information), lacking functions for changing, revising, or deleting user information. Therefore, it is worth considering adding relevant functions to the SDK, or setting up forms, customer service, or other convenient methods to allow users to change their personal information.
However, this article does not specifically address whether core personal information such as bound phone numbers and ID card information can be easily changed.
If all information is considered changeable, it could create situations such as “allowing users to sell accounts (changing the bound phone number and real-name information)” and “adults changing their identity to a minor and then applying for refunds,” which would be quite unfavorable to game companies.
Game companies may also consider change strategies and change review plans to explore the possibility of “reasonable changes” while avoiding violations of the “quick change” requirement.
De-sensitization or Anonymization of Scraped Data
Article 24 again mentions “scraping,” stating that when it is unavoidable to collect personal information during scraping, de-sensitization or anonymization processing is required. Evidently the authorities have once again affirmed that “scraping” is a permissible activity, within limits.
To determine whether scraped results contain personal information, game companies can run automated checks over the results, for example pattern matching for phone numbers, ID card numbers and e-mail addresses, and mask or pseudonymize whatever is found.
With the rapid development of AI technology, game companies may also consider using locally hosted models for this review; sending scraped text to an online AI service may itself infringe personal information rights or constitute an illegal transmission of personal information.
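The following scrubber is an added example (it is not code from the article) covering both the training-data de-sensitization point under Article 19 and the review of scraped results under Article 24. It assumes three identifier formats that commonly appear in scraped review text: mainland-China mobile numbers (11 digits starting 13 to 19), 18-digit resident ID numbers (whose last character is a check digit computed with ISO 7064 MOD 11-2, as specified in GB 11643-1999) and e-mail addresses. Phone numbers are partially masked; ID numbers and e-mails are replaced by a keyed pseudonym so that rows about the same person remain linkable without the raw value being stored. The sample lines are constructed for the demonstration.

```python
"""
Added example (not from the article): scrub common personal identifiers out of
scraped text or AI training data. Assumed formats: mainland-China mobile
numbers, 18-digit resident ID numbers (GB 11643-1999 check digit) and e-mail
addresses. Sample inputs are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

ID_RE = re.compile(r"(?<!\d)(\d{17}[\dXx])(?!\d)")
MOBILE_RE = re.compile(r"(?<!\d)(1[3-9]\d{9})(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

_ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
_ID_CHECK = "10X98765432"


def is_valid_id_number(s: str) -> bool:
    """Verify the resident ID check digit (ISO 7064 MOD 11-2): the weighted
    digit sum mod 11 indexes into _ID_CHECK. An 18-digit run that fails this
    (an order number, a transaction ID) is left untouched by the scrubber."""
    if len(s) != 18 or not s[:17].isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(s[:17], _ID_WEIGHTS))
    return _ID_CHECK[total % 11] == s[17].upper()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, truncated HMAC: the same identifier always maps to the same token
    (rows about one person stay linkable) without the raw value being kept.
    The key must stay secret and separate from the output; the ID-number space
    is small enough that an unkeyed hash could simply be brute-forced."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


@dataclass
class ScrubResult:
    text: str
    findings: dict = field(default_factory=dict)


def scrub(text: str, key: bytes = b"constructed-example-key") -> ScrubResult:
    """Replace identifiers in one line; findings counts what was replaced."""
    counts = {"id_number": 0, "mobile": 0, "email": 0}

    def id_sub(m: re.Match) -> str:
        raw = m.group(1)
        if not is_valid_id_number(raw):
            return raw
        counts["id_number"] += 1
        return f"[ID:{pseudonymise(raw, key)}]"

    def mobile_sub(m: re.Match) -> str:
        counts["mobile"] += 1
        raw = m.group(1)
        return raw[:3] + "****" + raw[-4:]  # keep only carrier prefix and suffix

    def email_sub(m: re.Match) -> str:
        counts["email"] += 1
        return f"[EMAIL:{pseudonymise(m.group(0).lower(), key)}]"

    # ID numbers first: once their digit runs are gone, the shorter mobile
    # pattern cannot match inside them.
    out = ID_RE.sub(id_sub, text)
    out = MOBILE_RE.sub(mobile_sub, out)
    out = EMAIL_RE.sub(email_sub, out)
    return ScrubResult(out, counts)


def scrub_corpus(lines, key: bytes = b"constructed-example-key"):
    """Scrub a batch of scraped lines; returns (clean_lines, totals) so the
    totals can be logged as the record of the de-sensitisation pass."""
    totals = {"id_number": 0, "mobile": 0, "email": 0}
    clean = []
    for line in lines:
        result = scrub(line, key)
        clean.append(result.text)
        for kind, n in result.findings.items():
            totals[kind] += n
    return clean, totals


# Constructed sample "scraped reviews". The ID number is synthetic but carries
# a valid check digit; the order number in the last line does not.
SAMPLE_REVIEWS = [
    "这游戏太好玩了，加我微信 13812345678 一起开黑",
    "实名认证填的是 110105199001010010，客服邮箱 player_one@example.com",
    "订单号 110105199001010011 退款还没到账",
]

if __name__ == "__main__":
    clean_lines, found = scrub_corpus(SAMPLE_REVIEWS)
    for line in clean_lines:
        print(line)
    print(found)  # {'id_number': 1, 'mobile': 1, 'email': 1}
```

The check-digit test is what keeps the pass from mangling every 18-digit order or transaction number in the corpus; the digit-boundary lookarounds in the patterns stop an 11-digit window inside a longer number from being mistaken for a phone. Pattern matching of this kind catches structured identifiers only; names, addresses and free-text descriptions of a person still need a separate review step.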
Obligations of Important Data Processors
When a network data processor processes the personal information of more than 10 million people (counted across its entire database), it becomes an important data processor and must bear additional responsibilities and obligations.
It needs to design contingency plans; when cooperating with other parties in processing personal information, it must conduct advance assessments; and it must submit annual risk assessment reports to the relevant competent authorities.
III. Clarification of Cross-Border Data Transfer Rules
Transfer of Certain Personal Data Does Not Require Assessment
Article 35 stipulates that personal information may be transferred abroad if any of the following conditions are met:
(a) Passing the data cross-border security assessment organized by the national cyberspace administration;
(b) Obtaining personal information protection certification from a professional institution in accordance with national cyberspace administration regulations;
(c) Complying with the national cyberspace administration’s regulations on standard contracts for the export of personal information;
(d) Necessarily providing personal information abroad for the conclusion or performance of a contract to which the individual is a party;
(e) Necessarily providing employee personal information abroad for cross-border human resource management in accordance with legally formulated labor rules and regulations and legally signed collective contracts;
(f) Necessarily providing personal information abroad for the performance of statutory duties or obligations;
(g) Necessarily providing personal information abroad for the protection of the life, health and property safety of natural persons in an emergency;
(h) Other conditions provided by laws, administrative regulations, or the national cyberspace administration.
Items (d) through (g) are situations that do not require prior approval for export.
In addition, Article 37 stipulates that if international treaties or agreements concluded or acceded to by China provide conditions for the provision of personal information abroad, those provisions may also be followed.
These two articles streamline the approval process for cross-border data transfers. When a game company cooperating with foreign companies or individuals needs to provide the personal information of its own employees, and the transfer is necessary for cross-border human resource management as described in item (e), it no longer needs to undergo the assessment.
However, providing game user personal information still requires cross-border assessment.
Aside: “The Wall Has Collapsed”
Compared to the 2021 draft, the official version has deleted the following content:
Article 41: The state establishes a data cross-border security gateway to block the dissemination of information originating from outside the People’s Republic of China that is prohibited from publication or transmission by laws and administrative regulations. Any individual or organization shall not provide programs, tools, lines, etc., for penetrating or bypassing the data cross-border security gateway, nor provide Internet access, server hosting, technical support, dissemination promotion, payment settlement, application download, etc., for penetrating or bypassing the data cross-border security gateway. When domestic users access domestic networks, their traffic must not be routed abroad.
(Source: 2021 Draft for Comment)
Some have interpreted this as “the wall will be removed in 2025.”
But I believe this is not correct.
In the official version, this content was changed to:
Article 39: The state takes measures to prevent and address cross-border risks and threats to network data security. No individual or organization may provide programs, tools, etc. specifically used to disrupt or circumvent technical measures; anyone who knows that others are engaged in disrupting or circumventing technical measures shall not provide them with technical support or assistance.
The wording has been made vaguer, but the core content is unchanged.
Measures will still be taken to “prevent cross-border data security risks and threats”;
It still does not allow anyone to provide “programs and tools to circumvent measures.”
The previous wording was a bit too direct; the current description is “just right.”
IV. Platform Obligations
In addition to game developers and operators that directly process user data, game platforms are also assigned corresponding obligations.
Violations by Games, Platforms Suffer
Article 40 stipulates that platforms have an obligation to urge the products listed on them to comply with data security obligations. If a third party violates them, the platform also bears liability:
If a third-party product or service provider violates laws, administrative regulations, or platform rules or contract terms in conducting network data processing activities, causing damage to users, the network platform service provider, the third-party product or service provider, and the producer of pre-installed application smart terminals and other devices shall bear corresponding responsibilities in accordance with the law.
Correspondingly, Article 41 grants platforms verification rights. When a platform discovers that a listed product contains violating content, it can directly take measures such as warnings, refusal to distribute, suspension of distribution, or termination of distribution. A platform that terminates cooperation through these measures will not be deemed in breach of contract.
Encouragement to Use National Network Identity Authentication Public Services
Article 43 mentions that the state promotes the construction of network identity authentication public services, guides users to use them, and encourages network platform service providers to support users in using them.
The national network identity authentication public service, known as “Network Certificate” and “Network ID,” has been widely discussed. Interested readers can also browse:
Although the relevant measures are still only a draft for comment, considering the recent official debunking of online rumors and the mention of related content in these Regulations, the launch of the “Network Certificate” and “Network ID” is all but certain.
Although it is not yet mandatory, game platforms and operators can start considering how to integrate the relevant authentication API in advance and reserve functional interfaces for early adoption.
V. Conclusion
There is not much to discuss regarding supervision and penalties. It is sufficient to know that the Cyberspace Administration, public security, and national security authorities are the regulators, and that the maximum penalty is 2 million yuan, which is in line with the usual penalty range.
The introduction of the “Network Data Security Management Regulations” undoubtedly imposes higher data security requirements on the gaming industry. However, this should not be seen as a mere compliance burden, but rather an important opportunity to promote the healthy development of the industry.
Game companies should actively respond by integrating data security protection into the entire process of business development, both safeguarding user rights and laying a solid foundation for the company’s long-term development.
In the digital wave, data security will become an important component of a company’s core competitiveness. Those game companies that can be well-prepared before the implementation of the new regulations will not only smoothly navigate the compliance transition period but also have the opportunity to take the lead in future market competition.
Therefore, game companies should prepare for the future and begin compliance preparations early, welcoming the new era of data security with a proactive attitude.