The Cyberspace Administration of China (CAC) Sunday released new draft regulations implementing new laws recently passed by China on cybersecurity, data security, and personal data.

China’s Personal Information Protection Law took effect earlier this month and carries the strongest consumer protection requirements globally to date. Fines can reach 50 million Chinese yuan (about $7.8 million US dollars) or five percent of a violating company’s annual revenue. The  Cybersecurity Law became effective in 2017, and the Data Security Law came into effect in September 2021.

The new regulations would require companies to report basic information regarding data breaches affecting more than 100,000 people to the relevant branch office of the CAC within eight hours and provide an update to the same office within five days of resolving the incident.

The regulations also increase reporting obligations for companies. Companies must answer reasonable requests for data access within fifteen days, which includes providing convenient methods and channels to support access.

The regulations facilitate consumer privacy requirements set forth in the Personal Information Protection Law, including setting out channels to allow users to delete their personal information, withdraw consent, and cancel their accounts. Users can opt out of targeted advertising, companies must receive consent before collecting personal information, and companies must notify consumers when they share user data with third parties.

The CAC is currently soliciting public comment on these regulations. Public comment runs until December 13.