19 October 2020
This e-bulletin summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.
The draft Personal Information Protection Law is to have its first reading with the Standing Committee of the National People’s Congress this month. If passed, it will become China’s first unified piece of national legislation on the protection of personal information. Separately, as part of the People’s Bank of China’s efforts to protect financial consumers, it has updated its requirements on the protection of customers’ personal financial information. In conjunction with this, it has also issued a “how-to” guide on the classification of financial institutions’ financial data security. In addition, the Ministry of Public Security has provided guidance on the implementation of the multi-level protection scheme for network security and the protection of critical information infrastructure. As a result, we expect that there will be an increase in enforcement actions by the Ministry.
1. NPC Standing Committee to review draft law on personal information protection
On 29 September 2020, the Standing Committee of the 13th National People’s Congress confirmed that the draft Personal Information Protection Law would be considered at its next session, to be held from 13 to 15 October. With the rise in recent years of the illegal collection and use of personal information, coupled with an increase in infringements of personal information rights, the enactment of the Personal Information Protection Law is timely and necessary. Whilst the “Right to Privacy and Protection of Personal Information” chapter of the Civil Code has laid the foundation for personal information protection in China, the new law has been drafted against the backdrop of the global internet and big data boom and will serve as a comprehensive and centralised piece of legislation to protect personal information.

2. People’s Bank of China issues measures to protect financial consumers’ rights
On 15 September 2020, the People’s Bank of China issued measures to protect the rights and interests of financial consumers. The measures establish the mechanisms required to protect financial consumers’ fundamental and long-term interests. In particular, Chapter III focuses on the protection of consumers’ financial information and requires banks and payment institutions to follow the principles of legality, fairness and necessity when processing such information. It further protects financial consumers’ right to know about, and right to consent to, the processing of their personal financial information.

3. People’s Bank of China issues guidelines for classifying financial data
On 23 September 2020, the People’s Bank of China issued guidelines which detail the objectives, principles and scope of the classification of financial data. The guidelines apply to data classification conducted by financial institutions as well as to data inspection and assessment conducted by third-party assessment institutions. The guidelines also specify the factors, rules and process for determining financial data classification. They aim to assist financial institutions to implement clear financial data protection objectives, properly allocate resources and funds for data protection, and promote the safe flow of financial data across industries.

4. Ministry of Public Security issues guidance on the multi-level protection scheme and the protection of critical information infrastructure
On 7 September 2020, the Ministry of Public Security issued guidance on the implementation of the multi-level protection scheme (MLPS) and the security protection system for critical information infrastructure. It provides guidance to improve the MLPS and security protection systems with the aim of developing a comprehensive protection system for national cybersecurity. In relation to the MLPS, operators are required to file network gradings with the competent authorities, conduct tests and evaluations on a regular basis, and make any necessary rectifications. Separately, in relation to the security protection system for critical information infrastructure, operators must identify critical information infrastructure, strengthen the protection of important data and personal information, and strengthen the security management of personnel, products and services in key positions.

5. Public consultation on guidelines for big data security protection in the telecommunications sector
On 30 September 2020, the National Information Security Standardization Technical Committee issued a consultation draft of guidelines for big data protection in the telecommunications sector. They provide guidance on the classification of big data and on security protection, in terms of both management and technology, based on the life cycle of big data. They apply to big data providers, system developers, system operators, partners and other organisations in the telecommunications sector. They aim to protect data during the construction and operation of a big data system and through cooperation between the relevant parties. Guidance is also included for third-party institutions when evaluating the big data protection capabilities of operators in the telecommunications sector.

6. Guidelines for mobile applications when handling common personal data protection issues
On 18 September 2020, the National Information Security Standardization Technical Committee issued guidelines for mobile App operators on resolving some of the commonly occurring issues relating to personal information protection. Common issues highlighted in the guidelines include the collection of personal information which is outside of scope, coerced authorisation, frequent requests for authorisation and failure to inform users of the purpose of collection. The guidelines provide App operators with guidance and solutions to resolve these issues.

7. Guidelines on system permissions for mobile App operators
On 18 September 2020, the National Information Security Standardization Technical Committee issued guidelines for mobile App operators on applying for and obtaining system permissions in Apps. The guidelines set out the basic principles and requirements, and provide guidance aimed at preventing personal information security breaches caused by the improper use of system permissions. In addition, the guidelines serve as a reference point for mobile App developers, operators of mobile App distribution platforms and mobile intelligent terminal manufacturers.

8. Consultation on security requirements for third-party software development toolkits
On 18 September 2020, the National Information Security Standardization Technical Committee issued a consultation draft of guidelines on the security requirements for third-party software development toolkits (SDKs). With the widespread development and application of mobile internet technology, the draft guidelines seek to reduce security concerns in respect of mobile Apps, in particular in relation to personal information leaks caused by third-party SDKs. Security “gaps” found in third-party SDKs and their illegal collection of mobile App users’ personal information are highlighted as some of the current issues.

9. Beijing Free Trade Zone to pilot cross-border data flow and digital trading
On 7 September 2020, the Beijing Municipal Bureau of Economy and Information Technology outlined its plans for 2020-2022 to promote innovation and the development of the digital economy. The plan proposes building digital trade platforms and data trading platforms and promoting the integration of digital technology in traditional industries. In particular, it proposes a pilot programme for the security management of cross-border data flow and the establishment of a digital trading pilot zone in the Beijing Free Trade Zone. The plan envisages a secure and open environment to facilitate developments in cross-border data flow and in data protection capacity certification for cross-border delivery in digital service trade, overseas consumption and the movement of people. It also proposes to classify types of cross-border data and to establish rules for cross-border data flows, together with mechanisms to protect data and control risk.

10. Public consultation on protection of trade secrets
On 4 September 2020, the State Administration for Market Regulation issued draft rules on the protection of trade secrets. The draft rules cover infringements of trade secrets by hacking certain systems (such as servers, emails and cloud disks) without, or beyond the scope of any, authorisation. They also prohibit the destruction of trade secrets through computer viruses being embedded into certain systems. The rules provide for fines of up to RMB5 million for breaches which harm office systems or computer data.

11. Consultation on general specifications for the security of block chain technology
On 9 September 2020, the Shanghai Information Security Evaluation and Certification Centre issued a consultation draft of general specifications for the security of block chain technology. These provide additional guidance on, and increased regulation of, block chain technologies to ensure their secure and proper development. The specifications identify the consensus mechanism as the core of the technical framework of a block chain, ensuring consistency of the data, and set out corresponding preventive measures against security risks. In addition, the specifications emphasise the risks to personal information protection and, therefore, require that relevant technologies be used to protect personal information, including mainstream signature methods, data transformation technologies and side chain technology.

12. Consultation on administrative rules for online recruitment services
On 17 September 2020, the Ministry of Human Resources and Social Security issued a consultation draft of administrative rules for online recruitment services. The draft rules set out the qualifications required for engaging in online recruitment services and how such services should be regulated. They cover the requirements for examining recruitment information as well as the requirements for network security, information protection and fee management. In addition, the rules require online recruitment service institutions to disclose their qualifications, verify the information of job seekers and establish information security protection systems. Employers and job seekers alike must ensure that the information they provide is legitimate and accurate.
1. Mobile Apps removed for infringing user rights and interests
On 14 September 2020, the Ministry of Industry and Information Technology announced that it had removed 23 mobile Apps for infringing users’ rights and interests. This follows the circulation on 31 August 2020 of a list of 101 infringing mobile App companies. The 23 App companies had failed to rectify the issues, resulting in their removal in accordance with the Cybersecurity Law and other laws and regulations. Relevant App stores also immediately removed the infringing Apps from their stores following this announcement.

2. Cyberspace Administration of China publishes second group of websites requiring rectification under the “Qinglang” campaign
On 14 September 2020, the Cyberspace Administration of China published details of the second group of websites which are required to take rectification action under the “Qinglang” special rectification campaign. By way of background, this campaign was jointly launched by the Cyberspace Administration and the Ministry of Education in July, aimed at ensuring the online safety of minors. As a result of the campaign, the national network information system, in collaboration with the relevant telecommunications department, has suspended 64 websites, revoked or rejected the approvals or filings of illegal websites and shut down 6,907 websites. More than 860,000 illegal accounts or groups have also been terminated by websites due to breaches of their user service agreements.

3. Guangdong Communication Administration publishes details of mobile Apps with privacy-related issues
On 15 September 2020, the Guangdong Communication Administration published a list of 129 Apps (which included PowerWord and WPS Office) with data security and privacy compliance issues. This follows a similar exercise in March 2020 where penalties were imposed on a number of illegal Apps. Since then, the Guangdong Communication Administration has continued its inspection of local mainstream Apps and has taken a variety of enforcement actions, including making public notifications, removing relevant Apps, imposing administrative penalties and conducting follow-up compliance tests. These investigations, aimed at safeguarding the rights of App users and improving data security protections, also extend to third-party SDKs, mini programs, fast applications, application distribution platforms and mobile terminal equipment.

4. Beijing Communication Administration launches special campaign to inspect mobile App data security
On 3 September 2020, the Beijing Communication Administration announced that a special 2020 action campaign to inspect and test mobile Apps’ data security will be held between 1 September 2020 and 31 December 2020. The aim is to identify any illegal collection and use of personal information, and the campaign is focused on 197 Apps which have obtained their business licences within the jurisdiction and which have been frequently downloaded in mainstream mobile App stores in the domestic market. It also seeks to raise awareness of the importance of data security protection, promote data security governance and ensure the security of personal information held by mobile Apps.
1. China launches the Global Data Security Initiative and calls for global cooperation
On 8 September 2020, the Chinese Foreign Minister presented the Global Data Security Initiative at a senior-level meeting during an international symposium on digital opportunities. The Minister stated that global digital governance should adhere to the principles of multilateralism, secure development, and fairness and justice. The main components of the global initiative include: (i) actively maintaining the openness, security and stability of the supply chain of global information technology products and services; (ii) opposing the use of information technology for activities that endanger the national security and public interests of other countries; (iii) prohibiting the mandatory storage of overseas data in the People’s Republic of China for domestic enterprises; (iv) prohibiting the obtaining of overseas data directly from enterprises or individuals without the permission of other countries; and (v) prohibiting enterprises from establishing “backdoor practices” in their products and services.
1. US Department of Justice declares that US users are not prohibited from using WeChat
On 17 September 2020, the US Department of Justice stated in a San Francisco court document that WeChat-related applications would not be banned for the time being, that the Ministry of Commerce would not take action against “individuals or groups using or downloading WeChat applications for personal or commercial information exchange” and that WeChat users would not assume “criminal or civil liability.” After US President Trump’s executive order to block WeChat, the US WeChat Users Alliance, a not-for-profit group established by Chinese people in the United States, filed a lawsuit against the executive order. The group argued that the ban infringed the freedom of speech, religion and other constitutional rights of WeChat users in the US.

2. Apple iOS 14 system released but IDFA policy update postponed until early 2021
On 17 September 2020, Apple launched the iOS 14 system, its latest mobile operating system, in China. This update strengthened the privacy protections for users, as the Safari browser now prevents trackers from tracking users across websites. Apps are now required to obtain users’ permission before using the Identifier for Advertisers (IDFA) to collect users’ data from other Apps and websites. As Apple’s changes to the IDFA policy were met with backlash from App developers and advertisers, the IDFA update has been postponed by Apple to early 2021, in part to give App developers sufficient time to adapt to the changes IDFA will bring.

3. Strict ban on use of facial recognition technology in Portland, United States
On 9 September 2020, the city of Portland, Oregon, imposed a strict ban on the use of facial recognition technology in the city. This ban, the first legislation of its kind in the United States, prohibits the government from using facial recognition technology and extends the prohibition to private use of facial recognition technology in places such as stores, restaurants and hotels. However, the ban does not extend to personal use, such as using facial recognition technology to unlock mobile phones. The relevant legislators highlighted that the ban is intended to uphold racial equality and protect citizens’ right to privacy.
For further information, please contact:
Mark Robinson, Partner, Herbert Smith Freehills
mark.robinson@hsf.com