29 September 2021
This e-bulletin summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
Key highlights
The Personal Information Protection Law (PIPL) is finally here, and implementation is imminent! Although a number of question marks remain over some key considerations, organisations should start taking implementation steps, including updating their privacy policy and consent mechanisms for personal information processing, reviewing data processing agreements with third parties and adopting a comprehensive set of internal data compliance policies. Organisations that operate outside of China, or that may export personal information outside of China, should also assess the extra-territorial application of the PIPL and implement appropriate cross-border data transfer mechanisms.
The Chinese central government released the long-awaited Regulations on Critical Information Infrastructure (CII) Security Protection, which pave the way for enforcing the protection regime for CII. Companies, especially those in important industries and sectors, should keep themselves updated on any CII identification rules published by the Protection Departments and evaluate the possibility of their network infrastructure and information systems being identified as CII.
Multiple ministries jointly issued the Interim Provisions on Automotive Data (Auto Data) Security Management against a backdrop of intensive regulatory and enforcement action aimed at tightening cybersecurity and data protection in the automotive industry. The regulation applies to a wide variety of players in the industry and may reshape product design as regards the underlying approach to Auto Data. The broad scope of important data will subject a substantial proportion of Auto Data processors to special protection measures. With the Data Security Law and the PIPL taking effect in September and November respectively, we expect more enforcement actions in the automotive industry, which will pose a compliance challenge for companies operating in the automotive and transport industries in China.
To read our articles on the key regulations discussed above, please click the links in the section below.
Our views
Regulatory developments
1. PIPL was promulgated on August 20, and will come into effect on November 1, 2021
On August 20, the 30th session of the Standing Committee of the 13th National People’s Congress passed the Personal Information Protection Law of the People’s Republic of China (the “PIPL”) after a three-year legislative process. As the first law in China that specifically aims at the protection of personal information, the PIPL will have a direct and far-reaching impact on the protection of citizens’ personal information rights and interests, as well as on the data privacy compliance practices of all kinds of organizations. While drawing on international experience, the PIPL also sets out provisions with Chinese characteristics, including its definition of sensitive information, its legal liability section, and the institutions that perform personal information protection duties. Compared to the Second Draft, the final version retains most of the framework but changes a few key points: it clearly regulates apps’ personal information protection obligations and liabilities, provides that automated decision-making shall not “kill big data” (i.e. use big data to discriminate against existing customers), strengthens protection of minors’ information, improves the rules for cross-border transfers of personal information, and emphasizes the obligations of important Internet platforms. The PIPL, together with the CSL and the DSL, constructs a more complete and comprehensive legal system for information protection and cybersecurity in China.
2. State Council promulgated the Regulations on the Security Protection of Critical Information Infrastructure
On August 17, the State Council promulgated the Regulations on the Security Protection of Critical Information Infrastructure (the “CII Regulations”), which set out enhanced security requirements and measures, including the scope of critical information infrastructure, the responsibilities of regulatory authorities, and operators’ liabilities and obligations. Compared to the 2017 Draft, the CII Regulations set out three rules for identifying critical information infrastructure while ensuring that specific implementation remains operable, and serve as a core supporting administrative regulation under China’s Cyber Security Law (the “CSL”). Notably, emerging Internet platforms may also fall within the scope of critical information infrastructure.
3. Regulations on the Management of Automobile Data Security (for Trial Implementation) were approved
On August 16, the Regulations on the Management of Automobile Data Security (for Trial Implementation) (the “Regulations”) were approved by the National Development and Reform Commission, MIIT, the Ministry of Public Security and the Ministry of Transport. As the first data security management rules for the automobile industry, the Regulations contain some prominent changes from the Draft, mainly in the basic definitions of concepts related to automobile data, the legal obligations of processors, the identification of important data, and specific rules on how to obtain the authorization of personal information subjects. Building on the basic principles of data security and personal information protection laws and regulations, including the PIPL, which was promulgated on the same day, the Regulations aim to ensure that important security risks in data processing activities in the automobile industry are prevented beforehand, supervised, and punished afterwards.
4. Regulations on Prohibition of Cyber Unfair Competition was drafted for public comments
On August 17, the State Administration for Market Regulation issued the Draft Regulations on Prohibition of Cyber Unfair Competition for public comments (the “Draft”), in order to stop and prevent cyber unfair competition and maintain a fair and competitive market order. The Draft provides that operators shall not use data or algorithms to carry out traffic hijacking, interference or malicious incompatibility by influencing user choice or by other means. In addition, operators shall not collect or analyze transaction information, browsing content, browsing frequency and the like in order to unreasonably offer different transaction terms to counterparties in the same transaction, thereby disrupting the order of fair trading in the market.
5. Draft of Internet Service Algorithm Recommendation Management was issued
On August 27, the Office of the Central Cyberspace Affairs Commission issued the Draft of Internet Service Algorithm Recommendation Management, formulated in accordance with the CSL, the DSL and the PIPL, in order to regulate the algorithm recommendation activities of Internet information services. In addition to stipulating the principles and obligations that service providers shall comply with, the Draft explicitly grants users the right to switch off algorithmic recommendations, signalling the law’s intent to constrain the personalization of users, give weight to users’ own choices and protect personal privacy.
6. 2021 Cybersecurity Standards Project was established
On August 25, the National Information Security Standardization Technical Committee released a notice announcing the list of 2021 Cybersecurity Standards Projects. The list includes 12 standard development projects, covering topics such as cyber data classification and grading and the software supply chain; 17 standard revision projects; and 29 standard research projects, covering areas of current interest such as face recognition, the Internet of Things and CII.
7. Draft national standard on machine learning algorithms released for public comments
On August 4, the National Information Security Standardization Technical Committee released a notice on a draft national standard on machine learning algorithms to solicit public opinions (the “Standard”). The Standard specifies the safety requirements and verification methods for machine learning algorithms across design and development, verification testing, deployment and operation.
Enforcement developments
1. Supreme Procuratorate issued Notice on Personal Information Protection Public Interest Litigation
On August 21, the Supreme People’s Procuratorate of the People’s Republic of China issued the Notice on the Implementation of the Personal Information Protection Law to Promote Public Interest Litigation on Personal Information Protection (the “Notice”), to standardize the handling of related public interest litigation cases and ensure procuratorates effectively perform their legal duties. The Notice reflects the PIPL’s provision that brings the protection of personal information within the scope of public interest litigation (PIPL Article 70). According to the PIPL, litigation will focus on sensitive personal information; special groups such as children, women, people with disabilities, the elderly and the military; key areas including education, healthcare, employment, pensions and consumption; the handling of large-scale personal information of more than 1 million people; and specific groups of subjects linked by time, space or other connections.
2. MIIT listed 43 applications with illegal handling of user information
On August 18, MIIT issued a Notice containing a list of 43 applications found to have engaged in illegal behaviour regarding users’ call address books, location information and pop-ups on app launch. These applications, including those of well-known companies such as Ctrip, Tencent, Suning, Alibaba and Vipshop, were required to complete rectification before August 25.
3. First civil action brought in Hunan on Facial Recognition
A local court in Changsha, Hunan Province, has accepted a civil case brought against a property management company for illegally collecting facial information as a condition of entry into an office building. This is believed to be the first case of its kind brought before a court since the Civil Code and the relevant judicial interpretation on facial information took effect.
4. Remediation of illegal activities such as camera spying
On August 9, the Office of the Central Cyberspace Affairs Commission published the results of its remediation campaign against violations of citizens’ privacy, such as the illegal use of cameras to spy on and record private images, the trading of private videos, and the teaching of spying and filming techniques. The Office directed platforms to clean up more than 22,000 pieces of illegal and harmful information, dispose of more than 4,000 platform accounts and 132 groups, and take down more than 1,600 illegal products.
5. CVERC monitored and found fourteen illegal APPs
According to monitoring by the National Computer Virus Emergency Response Center (CVERC), fourteen apps were found to be non-compliant on privacy and in breach of the relevant provisions of the Cybersecurity Law. Among them, 1 app lacked a privacy policy; 13 apps did not explicitly display all privacy rights to users; 5 started collecting personal information before users’ approval; 6 did not provide effective functions for correcting, deleting and deregistering information; and 1 had not established channels for information security complaints and reports.
Industry developments
Shenzhen released notice on Pilot Implementation Plan to Implement Chief Data Officer System
On August 9, Shenzhen issued its Chief Data Officer (CDO) pilot implementation plan (the “Plan”). Pilot CDOs will be set up in the municipal government, in Futian and four other district governments, and in eight municipal departments including the Municipal Public Security Bureau, to support the construction of Shenzhen as a smart city with a digital government. The Plan clearly defines six major responsibilities of the CDO and establishes an evaluation mechanism for CDOs. For the pilot districts and departments, the Plan sets out specific tasks for each CDO, tailored to the data resources, business applications and characteristics of each area.
For further information, please contact:
James Gong, Partner, Bird & Bird
james.gong@twobirds.com