3 December 2021
This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
Key highlights
The Cyberspace Administration of China (CAC) released the fourth draft regulation on data export security assessment since 2017, which we expect to be close to the final version. The draft regulation extends the scope of data exports that will be subject to the governmental security assessment conducted by the CAC and clarifies the thresholds for personal information processors. More details on the procedures of the governmental security assessment have also been released.
In addition to the governmental security assessment applicable to a designated range of data exports, the draft regulation also requires all data processors to conduct a self-assessment before exporting data outside China.
Companies are advised to take action as soon as possible to prepare for the impact of the draft regulation. For more details on the draft regulation and the measures companies can take, please read our articles below.
Our Views
China Released the Long-Awaited Draft Measures of Security Assessment for Data Export: Any Clarity?
Regulatory Developments
1. Data Export Security Assessment Measures were drafted for public comments
On October 29, the Cyberspace Administration of China (the “CAC”) issued the draft Data Export Security Assessment Measures for public comments. The measures specify the circumstances in which export security assessments are required, the relevant application materials and the factors to be assessed. They clarify the application of a hybrid regime of "self-assessment and governmental security assessment", and enhance the review of data export agreements.
2. Law Against Telecommunication Network Fraud was drafted for public comments
On October 23, the draft Law Against Telecommunication Network Fraud was issued for public comments. The draft law emphasizes real-name authentication requirements for mobile communication and Internet service providers, increases the penalties for illegal trading, renting and lending of telephone cards, IoT cards, financial accounts and Internet accounts, and proposes an assistance and aid mechanism for victims of telecommunications network fraud.
3. Anti-Monopoly Law Amendments were drafted for public comments
On October 23, the draft of Anti-Monopoly Law Amendments was issued for public comments, with a deadline of November 21. The draft requires the anti-monopoly enforcement agencies of the State Council to strengthen reviews of operators’ concentration in fields affecting people’s livelihood, and sectors including finance, science and technology, and media. It also stipulates that operators shall not abuse their advantages on data and algorithms, technology and capital, or rules to exclude or restrict competition, and shall not reach monopoly agreements with other operators or provide substantial assistance to others in reaching such agreements.
4. SAMR issued draft guidelines on Internet platform classification and grading and on the implementation of platform responsibilities
On October 29, the State Administration for Market Regulation issued the draft Guidelines on Internet Platform Classification and Grading and the draft Guidelines on the Implementation of Internet Platforms’ Responsibilities. The classification and grading guidelines classify platforms into six categories based on their connected parties and main functions, and grade platforms into three levels according to the scale of users, business types and potential capability to restrict vendors’ contacts or transactions with users. The implementation guidelines set out the responsibilities of platforms in terms of fair competition, data security, ecological governance, employee management and environmental protection, and impose higher obligations on giant platform operators.
5. CAC and six other departments issued a notice on preventing online game addiction among primary and secondary school students
On October 20, the CAC and six other departments jointly issued a Notice on Further Enhancement of the Management of Preventing Primary and Secondary School Students from Online Games Addictions, which strengthens real-name authentication requirements on users’ registrations and logins, and requires all real-name information submitted by users to be verified by the anti-addiction system operated by the National Press and Publication Administration. For online games that fail to take proper anti-addiction measures after launch, distribute illegal or inappropriate information or content, or operate without obtaining the necessary approvals, the authorities in charge of publication, cyber administration, telecom, public security and market order are entitled to impose penalties in accordance with applicable laws.
6. CAC released Internet User Account Name Information Management Regulations for public comments
On October 26, CAC released the draft of Internet User Account Name Information Management Regulations, requiring Internet user account service platforms to take measures such as hybrid-verification to improve the accuracy of real-name authentication. For users registering accounts and engaging in content generation in economic, education, health and judicial areas, platform operators shall conduct background checks on the users.
7. PBOC issued a notice on strengthening the administration of payment acceptance terminals
On October 12, the People's Bank of China (the “PBOC”) issued the Notice on Strengthening the Administration of Payment Acceptance Terminals and Related Businesses, which will come into effect on March 1, 2022. The notice focuses on the administration of payment acceptance terminal businesses, special nominated vendors and acquiring business monitoring. In particular, it requires banks, payment institutions and clearing institutions to establish rules for the classification and grading of transaction information and to handle customer transaction information with lawfulness, prudence, necessity and integrity.
8. NHC released draft rules for the regulation of Internet diagnosis and treatment
On October 26, the National Health Commission (the “NHC”) released the draft Administrative Rules for the Regulation of Internet Diagnosis and Treatment. These are the first detailed implementation rules at the national level for the operation of Internet diagnosis and treatment services since the NHC and the National Administration of Traditional Chinese Medicine jointly issued three administrative measures (including the Measures for the Administration of Internet Diagnosis and Treatment (for Trial Implementation)) in 2018. The draft rules emphasize the implementation of real-name authentication requirements for patients and physicians and the traceability of data in treatment processes. They also require that all platforms used by medical institutions to provide online diagnosis and treatment services pass multi-level protection scheme assessments at level 3 or higher.
9. Two draft standards concerning automobile data collection security were issued for public comments
On October 8 and October 19, TC260 released the draft Security Guidelines for Automotive Data Collection and Processing and the draft Security Requirements for Automotive Data Collection as non-mandatory national standards. The two draft standards put forward security requirements concerning the storage, transmission and export of out-of-vehicle data, cockpit data, operational data and localisation and track data, and emphasize that automobile manufacturers should be responsible for the overall data security of vehicles.
10. Chongqing Province issued guidelines for classifying and grading public data
On October 11, the Chongqing Big Data Application and Development Bureau issued the Guidelines on Public Data Classification and Grading (for Trial Implementation). The guidelines classify data by reference to both the context and the industry concerned, and grade data into four levels (namely public data, restricted data, sensitive data and secret data) based on the potential impact resulting from any unauthorised processing of the data.
11. Guangdong Province issued guidelines for public data management
On October 18, the Guangdong Provincial Government passed the Guangdong Public Data Management Measures, with an effective date of November 25. Under the measures, the data of public service providers is for the first time under the current national regulatory regime considered to be public data. The measures require administrative organs to follow the principle of "one data, one source", and specify that the subject matter of any data trading shall be limited to data products and services generated through scientific research, product development, consulting services, data processing, data analysis and other specific innovation and entrepreneurial activities.
12. Chongqing issued revised rules of conduct for online trading platform operators
On October 13, the Chongqing Municipal Administration of Market Regulation issued the revised Rules of Conduct for the Implementation of Statutory Responsibilities of Online Trading Platform Operators, which have been in force since November 1. The rules impose special requirements on the collection and use of consumers' sensitive personal information, and explicitly prohibit online trading platform operators from relying on general, implied or bundled consent for personal information processing. If a vendor on a platform offers automatic payment renewal services, it shall inform users in a clearly noticeable way before any user signs up for the auto-renewal service and five days before any auto-renewal takes place, and give the user the right to choose whether to proceed with the auto-renewal.
Enforcement Developments
1. MIIT urged enterprises to establish a "double list" system of personal information
On October 19, the spokesperson of the Ministry of Industry and Information Technology (the “MIIT”) publicly announced the launch of a six-month campaign to improve public perception of personal information protection by urging enterprises to establish a "double list" of the personal information collected and the personal information shared with third parties, and to improve both privacy policies and permission-request pop-ups. In addition, the MIIT will establish a scheme to publish and rank APP stores and third-party software development kit (SDK) operators who fail to implement their personal information protection responsibilities.
2. MIIT Removed 96 APPs and reported 3 illegal SDKs
On October 15, the MIIT issued a notification listing 96 Apps that were ordered to be removed from APP stores due to infringements of users’ rights and failure to make corrections in time. In addition, three SDKs operated by ByteDance group entities were specifically listed for serious violations (accounting for 37.4%, 29.9% and 8.0% respectively of the total violations identified).
3. Hangzhou Internet Court ruled against an e-commerce platform's illegal processing of personal information
On October 29, the Hangzhou Internet Court issued a decision against a large e-commerce platform's illegal processing of citizens' personal information and ruled that the platform shall not provide personal information to its built-in payment software without the user's permission. In addition, the decision contains a detailed analysis of the data processor’s subjective fault, the relationship between informed consent and other lawful bases, and the mechanisms for obtaining separate consent.
4. MIIT held an administrative guidance meeting to regulate user harassments with pop-ups on PC
On October 28, the MIIT organized an administrative guidance meeting concerning the design and setup of pop-ups on PC terminals. The meeting pointed out typical problems related to pop-ups on PC terminals, including lack of user permission, difficulty in closing pop-ups and bundled installation with other software. The MIIT emphasized enterprises’ obligations to protect users' right to be informed about the sources of pop-ups, the right to close pop-ups and the right to a better user experience without facing too many pop-ups when starting a PC terminal.
5. Huzhou Intermediate Court upheld criminal convictions for unauthorised sharing of geographic data
As reported by People's Court Daily on October 22, the Huzhou Intermediate Court decided in the second-instance trial that the defendants’ unauthorized sharing of geographic data acquired through Q Company’s CORS accounts violated Article 27 of the Cyber Security Law and Article 7 of the Regulations on the Security Protection of Computer Information Systems. The defendants were sentenced to fixed-term imprisonment and criminal fines in accordance with Article 285 of the Criminal Law. The CORS accounts sold by Q Company provided access to a geolocation differential service with centimeter-level accuracy. Unauthorised sharing of such geographic data not only infringed the commercial interests and system security of Q Company, but also posed risks to national geographic data security.
6. CAC launched “Operation Qinglang” to enforce against online account related violations
On October 18, the CAC held a national working meeting to launch “Operation Qinglang”, emphasizing the importance of enforcing against five types of online user account related violations: "reincarnation" of banned accounts, using account names containing illegal or inappropriate information, creating false followers of celebrity accounts, conducting malicious marketing, and renting or selling online game accounts to minors.
7. Shanghai Municipal AMR launched 2021 specialized action with 15 departments
On October 29, the Shanghai Municipal Administration for Market Regulation (the “AMR”) jointly launched the 2021 “Operation Wangjian” with 15 other departments including the CAC. The action focused on regulating platforms’ unfair competition, illegal processing of personal information and prejudicial pricing. During the Operation, the AMR took enforcement action against Internet financial platforms that infringed individuals’ rights in their personal credit information, and against express delivery companies that infringed the personal information security of users.
Industry Developments
1. Futu and Tiger Brokerage were warned about data export risks
On October 14, People's Daily published an article pointing out that there were risks involved in the personal information security work (in particular that related to cross-border transfer of personal information) of two brokerage firms, Futu and Tiger. Both brokerages have responded, stating that they have carried out self-examination and rectification in accordance with the requirements of the relevant laws and regulations.
2. Over 20 enterprises signed self-regulatory commitment in Shenzhen
On October 22, over 20 APP operators signed the Personal Information Protection Self-regulatory Commitment by APP Operators in Shenzhen. They committed to implement 10 requirements concerning the principle of minimization and necessity, fair trade, separate consent, responses to users’ rights requests, review of third-party services and network security protection. They also committed to refrain from conducting any prejudicial pricing or illegal surveillance activities.
For further information, please contact:
James Gong, Partner, Bird & Bird
james.gong@twobirds.com