The Regulations on Network Data Security Management (hereinafter referred to as the "Regulations"), which will take effect on January 1, 2025, stipulate in Article 30 that "processors of important data must appoint a network data security officer... The officer shall possess professional knowledge of network data security and relevant management experience. The officer shall be a member of the data processor’s management and have the authority to directly report network data security matters to the relevant authorities." Additionally, Article 28 of the Regulations further specifies that "when a network data processor handles the personal information of over 10 million individuals, it must also comply with the provisions of Article 30 of the Regulations."
From a legal-interpretation standpoint, combined with practical experience, the legal team led by attorney Ramon Huang of Huiye Law Firm offers a concise analysis of the questions most frequently raised in the industry about the "network data security officer." The following views are provided for reference only.
1. Which enterprises must appoint a network data security officer?
(1) Important data processors: According to Article 27 of the Data Security Law and Article 30 of the Regulations on Network Data Security Management, important data processors must designate a network data security officer. China adopts a management model of "catalog list + identification and reporting + confirmation and notification" for important data.
(2) Processors of the personal information of more than 10 million individuals: According to Article 52 of the Personal Information Protection Law and Article 28 of the Regulations on Network Data Security Management, personal information processors handling the personal information of more than 10 million individuals must appoint a network data security officer. Based on recent regulatory practice, this figure covers all individuals whose personal information the processor lawfully processes on the reference date (members, users, transaction counterparties, employees, etc.). The count may be de-duplicated by individual, but it must not be split across entities in bad faith to evade legal responsibility. In practice, group companies that lack independent management, human resources, systems, or business operations generally need to consolidate the number of individuals processed across the group.
In addition to the enterprises mentioned above, based on the Personal Information Security Specification and current industry practice, enterprises primarily serving consumers (e.g., financial, transportation, automotive, retail, pharmaceutical, and internet sectors) are also advised to appoint a network data security officer.
2. How is the network data security officer appointed, and can they hold dual roles?
The Data Security Law and the Regulations on Network Data Security Management (including the draft for public comment) use the verb "designate" for the network data security officer. The Personal Information Protection Law uses "nominate" for the personal information protection officer, and the Cybersecurity Law requires that the network security officer be "confirmed." By contrast, the Cybersecurity Law and the Regulations on the Security Protection of Critical Information Infrastructure require that the security officer of a critical information infrastructure operator (a "CIIO") be "established" and be "dedicated."
Therefore, reading these laws together with ordinary techniques of legal interpretation, the practice in data-export security assessments and standard-contract filings, and standard documents such as the Personal Information Security Specification, an enterprise may appoint its network data security officer by appointment letter, job notice, internal policy, or a policy attachment. Moreover, applying the interpretive principle that "the greater includes the lesser," only CIIOs are legally required to have a dedicated security officer. Other enterprises are under no legal obligation to create a dedicated post and may appoint existing personnel (e.g., the DPO, head of legal, head of compliance, CISO, etc.) to serve concurrently as the "data security officer," "network data security officer," or "personal information protection officer."
However, from the perspective of responsibility and risk isolation, and in reference to standard documents like the Personal Information Security Specification, enterprises primarily serving consumers (e.g., financial, transportation, automotive, retail, pharmaceutical, internet sectors) are advised to appoint a dedicated person responsible for network data security and personal information protection. Additionally, according to the Regulations on the Protection of Children's Personal Information on the Internet, a dedicated person must be appointed for the protection of children's personal information.
Finally, at the entity level, group companies lacking independent management, human resources, systems, business operations, or different brands under the same entity, can generally have one person concurrently serve as the network data security officer.
3. What qualifications are required to serve as a network data security officer?
According to the Regulations on Network Data Security Management (including its draft for public comment) and the earlier Data Security Management Measures (Draft for Public Comment), the qualifications for a network data security officer remain consistent, requiring "professional knowledge of network data security" and "relevant management work experience." Drawing from the qualification requirements for security officers specified in telecommunications business license applications, ICP filings, and public security network filings, "professional knowledge of network data security" generally needs to be supported by materials such as related exams, certificates, education, and academic background. "Relevant management work experience" generally requires supporting materials such as appointment documents, work experience, and project experience.
Considering the substantive legal requirements that the officer have "the authority to report network data security matters directly to the relevant competent authorities" and be "responsible for supervising personal information processing activities and the protection measures taken," and drawing on the requirements for telecommunications business license applications, ICP filings, and public security network filings, it is recommended that the network data security officer be a Chinese national employed within the enterprise (including the group). That said, based on practice in data-export security assessments and standard-contract filings, there is no explicit legal restriction on the officer's employment contract or nationality.
For enterprises in special industries, a security background check should be conducted for the network data security officer to ensure that they do not have any risk-related history that could affect their ability to hold the position.
4. How should the requirement for the "management-level member" be understood?
From the Data Security Management Measures (Draft for Public Comment) through the Regulations on Network Data Security Management (Draft for Public Comment) to the official Regulations on Network Data Security Management, the level of authority required of the network data security officer has changed over time. The Data Security Management Measures (Draft for Public Comment) required the officer to "report directly to the main responsible person of the network operator"; the Regulations on Network Data Security Management (Draft for Public Comment) required a "decision-making level member"; and the official Regulations require a "management-level member." Reviewing this history, and reading "decision-making level" and "management level" as those terms are used in other laws, there is a clear trend toward "delegation," that is, a lowering of the required rank.
Moreover, "management-level member" should not simply be equated with "senior management personnel" under the Company Law. Since no higher-level law defines the term, and by reference to the rules applicable to listed companies and financial institutions, "management-level members" should include board members, supervisors, senior executives, and personnel who are accorded management-level status under the company's internal governance documents. In any case, the rank must satisfy the substantive legal requirements of having "the authority to report network data security matters directly to the relevant competent authorities" and being "responsible for supervising personal information processing activities and the protection measures taken." For domestic enterprises, the rank can be determined by reference to the Interim Provisions on the Transfer of State-Owned Property Rights to Management Personnel, which covers "the head of the unit and other members of the leadership team." For foreign-invested enterprises, a rank of at least vice general manager or vice president is suggested, and in no case lower than director level.
5. Who typically serves as the network data security officer in the industry?
In different types of enterprises and regions, different personnel typically serve as the network data security officer. Common models include having a dedicated DPO, the head of network security, the IT head, the legal head, the compliance head, or the public relations head take on the role. For those where other department heads serve concurrently, a network data security management organization is usually established, composed of personnel from relevant departments. This organization typically has at least one dedicated member. Additionally, companies often provide the network data security officer with commensurate rank, salary, job subsidies, and responsibility-related compensation for those taking on this concurrent role.
6. What are the responsibilities of a network data security officer?
The Personal Information Protection Law describes the duty of the personal information protection officer as "supervision." The Regulations on Network Data Security Management set out only the responsibilities of the network data security management organization and do not explicitly define the duties of the network data security officer. At a minimum, however, the officer is responsible for "reporting network data security matters to the relevant competent authorities." The Regulations on Network Data Security Management (Draft for Public Comment) stated that the data security officer "leads" the work of the data security management organization.
Considering the requirement for "management experience" and the level of "management member," the network data security officer, as the actual head of the network data security management organization, is expected to comprehensively lead and supervise the company's data security work. This includes but is not limited to, organizing the development of management policies, regularly conducting risk assessments and training, managing risk events, and handling complaints and reports. The specific responsibilities can be adjusted according to the company's departmental structure and industry practices or by referencing documents such as the Personal Information Security Specification, Security Requirements for Network Data Processing, and Security Protection Requirements for Interactive Internet Services.
7. What are the training requirements for the network data security officer?
The Regulations on Network Data Security Management (Draft for Public Comment) specified detailed training requirements for network data security officers, stating that "annual training should be no less than 20 hours." The official Regulations on Network Data Security Management deleted this detailed requirement. However, under the Personal Information Protection Law and Data Security Law, companies are required to "regularly provide security education and training to employees." Therefore, from the perspective of corporate compliance and risk mitigation, it is recommended that companies provide annual training to the network data security officer and other members of the network data security management organization. The training content should differ from the general, company-wide awareness training.
8. Can the network data security officer also serve as the designated representative for a foreign group?
The Regulations on Network Data Security Management further elaborate on Article 53 of the Personal Information Protection Law but do not specify the qualifications for the domestic designated representative. Considering factors such as confidentiality, cost, and regulatory convenience, it may be good practice for the network data security officer of the domestic affiliate company to also serve as the designated representative of the foreign group. However, due to the uncontrollable political risks associated with foreign groups, from a risk isolation perspective, it may also be possible for other members of the domestic affiliate's network data security management organization to serve in this role. Additionally, companies can explore the possibility of having an external intermediary agency member serve as the designated representative, as is practiced in places like Singapore.
9. How should the network data security officer be reported or disclosed?
The Regulations on Network Data Security Management do not continue the separate reporting requirement stipulated in the Personal Information Protection Law or Regulations on Network Data Security Management (Draft for Public Comment). Instead, important data processors are required to submit the "name and contact information of the network data security officer" as part of their annual risk assessment report. However, personal information processors handling over 10 million individuals' data are not legally required to conduct annual risk assessments, and the process for reporting their network data security officers remains unclear. Considering the policy direction in the Regulations on Network Data Security Management regarding the strengthening of legal system connections and the commonality of the supervising agencies, it is recommended that companies report the information as part of processes such as data export security assessments and compliance audits, to reduce the compliance burden.
The Regulations on Network Data Security Management do not require companies to disclose the name and contact information of the network data security officer through privacy policies, corporate social responsibility reports, or other means to the public.
10. What are the specific legal responsibilities of the network data security officer?
Neither the Data Security Law, the Personal Information Protection Law, nor the Regulations on Network Data Security Management impose specific legal liabilities solely on the network data security officer. Instead, they refer to "persons directly in charge and other directly responsible personnel" within the enterprise.
Whether the network data security officer will be deemed a "person directly in charge" depends on whether the officer holds managerial responsibility for the specific business activity or data processing operation in question, as well as on the officer's subjective fault and the causal link to the violation. In practice, the officer can mitigate this risk by establishing operating procedures and policies, purchasing dedicated liability insurance, and consulting professional advisers.
Originally published on the WeChat official account "Network and Data Law Practice" (网络与数据法律实务): Ten Questions and Answers about Network Data Security Officer