This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.
Key highlights
On 28 December 2021, the Cyberspace Administration of China (CAC), jointly with 12 other ministries, issued the revised Measures on Cybersecurity Review. The Measures extend the cybersecurity review to the processing of core data, important data and personal information by network platform operators (NPOs). In particular, NPOs that intend to list outside of China will now need to apply for a cybersecurity review of the listing if they process the personal information of more than one million users. Although the scopes of critical information infrastructure (CII), core data and important data are yet to be specified, the CAC may still elect to enforce the Measures. NPOs should start to assess whether their processing activities affect or may affect national security and therefore trigger the cybersecurity review process.
On 31 December 2021, the National Information Security Standardisation Technical Committee (TC260) published non-mandatory technical guidance on how to identify the level and class of data. The guidance confirms that data will be divided into three levels, i.e. ordinary data, important data and core data. Notably, it further divides ordinary data into four sub-levels and provides more detail on the process of identifying the level of particular types of data. On classification, the guidance also sets out the considerations and process for classification and the classes of particular types of data. The technical guidance will serve as a useful reference for data processors implementing the system.
For further reading, please follow the links to the relevant articles below.
Our Views
China Updated its Cybersecurity Review Regime
Compliance Guide on Personal Information Protection for SMEs
China Data Protection and Cybersecurity – Annual Review of 2021 and Outlook for 2022 (I)
China Data Protection and Cybersecurity: Annual Review of 2021 and Outlook for 2022 (II)
Regulatory Developments
1. Measures on Cybersecurity Review Approved by 13 Regulators
On 28 December 2021, the Cyberspace Administration of China (CAC), jointly with 12 other ministries, issued the revised Measures on Cybersecurity Review (Measures), which were made public on 4 January 2022. The Measures extend the cybersecurity review to data processing activities by internet platform operators and to certain foreign listings of Chinese companies. The Measures will take effect on 15 February 2022.
2. TC260 issued Guidelines for Classification and Grading of Network Data
On 31 December 2021, TC260 released the official version of the Network Security Standards Practice Guide: Network Data Classification and Grading Guidelines. Compared to the draft version released in September 2021, the official version further defines public data, organisational data, general data, public communication information and trade secrets, and restructures the path and framework for data classification and grading. In addition, the official version clarifies the correspondence between the data classification rules and the basic data classification and grading frameworks for the industrial, telecommunications and financial sectors.
3. Revised Law on Scientific and Technological Progress passed and will take effect on 1 January 2022
The revised Law on Scientific and Technological Progress was passed on 24 December 2021 and will take effect on 1 January 2022. Among the updated provisions, the law emphasises strengthening the security review of cross-border scientific and technological cooperation projects and regulating the export of important biological germplasm resources, genetic resources, data resources and other scientific and technological resources.
4. Anti-Organized Crime Law passed and will take effect on 1 May 2022
The Anti-Organized Crime Law was passed on 24 December 2021 and will take effect on 1 May 2022. The law requires telecom business operators and Internet service providers to actively fulfil their cybersecurity management obligations in respect of content that facilitates or induces organised crime, including prevention, continuing supervision, timely disposal and record keeping.
5. CAC and other departments issued Regulations on Administration of Algorithmic Recommendation of Internet Information Services
On 31 December 2021, the CAC and other departments jointly issued the Regulations on Administration of Algorithmic Recommendation of Internet Information Services, which will take effect on 1 March 2022. The Regulations clarify the meaning of algorithmic recommendation technology, the code of conduct for service providers and the requirements for protecting users' rights and interests.
6. CSRC sought public comments on draft Regulations on Overseas Issuance and Listing of Securities by Domestic Enterprises
On 24 December 2021, the China Securities Regulatory Commission (CSRC) issued the Regulations of the State Council on the Administration of Overseas Issuance and Listing of Securities by Domestic Enterprises (Draft). The Regulations clarify the requirements for data export and offshore enforcement assistance in relation to offshore offerings and listings. In particular, both domestic entities and individuals must report to the CSRC and obtain the consent of the CSRC and other relevant departments of the State Council before providing relevant documents and information to overseas securities regulatory authorities.
7. Supreme People's Court sought public comments on Provisions on Online Consumer Disputes (I)
On 17 December 2021, the Supreme People's Court publicly solicited opinions on the Provisions on Several Issues Concerning the Application of Law in Hearing Cases of Online Consumer Disputes (I). The Provisions mainly focus on hot topics such as online consumer fraud, live streaming e-commerce and food delivery, and on other issues involving consumer rights and interests such as no-reason returns and second-hand goods.
8. MIIT sought public comments on Guidelines for Reporting and Sharing of Data Security Risk Information
On 22 December 2021, the Ministry of Industry and Information Technology (MIIT) publicly solicited comments on the Guidelines for Reporting and Sharing of Data Security Risk Information in the Industrial and Information Technology Sector (for Trial Implementation). The Guidelines encourage security enterprises, data processors and other organisations to report risk information. MIIT will share and notify risk information through channels selected according to the scope of impact of the data security risk.
9. TC260 issued Guidelines for Cybersecurity Information Sharing
On 17 December 2021, TC260 publicly sought comments on the Guidelines for Cybersecurity Information Sharing. The Guidelines specify the elements, basic principles, scope and process of cybersecurity information sharing activities. The Guidelines apply to cybersecurity information sharing between national and industry authorities, network operators, cybersecurity service providers, research institutions and individuals.
10. CFSTC sought public comments on Data Security Assessment Specification
On 3 December 2021, the China Financial Standardization Technical Committee (CFSTC) sought public comments on the Data Security Assessment Specification. The Specification applies to financial data security assessments conducted by financial industry institutions, and specifies the main contents and methods of security assessment across three assessment domains: data security management, data security protection, and data security operation and maintenance.
11. PBOC and SAMR sought public comments on Interim Measures for Management of Beneficial Ownership Information of Market Entities
On 27 December 2021, the People's Bank of China (PBOC) and the State Administration for Market Regulation (SAMR) sought public comments on the Interim Measures for Management of Beneficial Ownership Information of Market Entities (Draft). The Measures regulate the means, content and management framework for the collection of beneficial owner information by financial institutions.
12. PBOC, MIIT, CAC and other departments sought public comments on Regulation of Online Marketing of Financial Products
On 31 December 2021, the PBOC, MIIT, CAC and four other departments sought public comments on the Regulation of Online Marketing of Financial Products. The Regulation applies to financial institutions, and to entrusted third-party internet platform operators, that carry out online marketing of financial products, and sets requirements regarding the content of marketing campaigns, norms of marketing conduct and business cooperation.
13. CBIRC issued Measures for Supervision of IT Outsourcing Risks of Banking and Insurance Institutions
On 30 December 2021, the China Banking and Insurance Regulatory Commission (CBIRC) issued the Measures for Supervision of Information Technology Outsourcing Risks of Banking and Insurance Institutions, which add new cybersecurity, data security and data processing compliance requirements for cross-border outsourcing. With the entry into force of the Measures, the Guidelines on the Supervision of IT Outsourcing Risks of Banking Financial Institutions, the Notice of the General Office of China Banking Regulatory Commission on Strengthening the Risk Management of IT Non-resident Centralised Outsourcing of Banking Financial Institutions and the Notice of the General Office of China Banking Regulatory Commission on the Supervision and Assessment of IT Non-resident Centralised Outsourcing of Banking Financial Institutions were repealed at the same time.
14. CBIRC sought public comments on Notice on Standardised and Healthy Development of Credit Card Business
On 16 December 2021, the CBIRC issued the Notice on Further Promoting the Standardised and Healthy Development of Credit Card Business (Draft for Comments). The Notice requires banking financial institutions to comply with traceable sales management requirements and to actively take measures such as audio and video recording to record data such as the valid identification documents of credit card applicants, financial status related to the credit card application, credit records, the signed credit card prospectus and acceptance contracts (agreements), and important reminders and confirmation information, and to keep this information for at least two years after the business relationship with the customer ends.
15. Zhejiang CAC sought public comments on Measures for the Administration of Information Services of Public Accounts of Internet Users
On 13 December 2021, the CAC of Zhejiang Province sought public comments on the Measures for the Administration of Information Services of Public Accounts of Internet Users in Zhejiang Province (for Trial Implementation). The Measures require platforms to establish and strictly implement management systems for account registration, information content security, emergency disposal, network security, data security, personal information protection, credit evaluation, classification and real-time inspection, among others, and to establish a dynamic management mechanism compatible with classified registration, classified production and classified management.
16. Fujian Province Releases Regulations on the Development of Big Data
On 15 December 2021, the Fujian Provincial People’s Congress issued Regulations on the Development of Big Data, which will take effect on 1 February 2022. The regulations make specific provisions for the development of big data in terms of data resources, infrastructure, development and application, data security, safeguards and legal responsibilities.
17. Hunan Province Releases Regulations on Network Security and Informatization
On 3 December 2021, the Hunan Provincial People's Congress issued the Regulations on Network Security and Informatization, which will take effect on 1 January 2022. The Regulations are the first provincial-level local regulations in China to govern both network security and informatization, and the chapter on network security safeguards expressly calls for focused protection of important information systems that are not designated as critical information infrastructure (CII).
18. Beijing Banking and Insurance Regulatory Bureau issued Notice on Protection of Credit Card Consumers' Rights and Interests
On 16 December 2021, the Beijing Banking and Insurance Regulatory Bureau issued the Notice on Strengthening the Protection of Credit Card Consumers' Rights and Interests. The Notice requires banks to regulate the collection of credit card customer information, the sharing of information within the bank or group and the transmission of information to internet platforms, and prohibits the transmission of personal financial information such as customer credit limit information, account status and transaction details to internet platforms.
19. Jiangsu Provincial Government Released Measures for the Management of Public Data
On 18 December 2021, the Jiangsu Provincial Government issued the Measures for the Management of Public Data in Jiangsu Province, which will take effect on 1 February 2022. The Measures emphasise the supervisory obligations of public management and service agencies, and the security obligations of entities entrusted with building and maintaining the relevant information systems and with public data storage and processing services, when carrying out entrusted processing of public data.
20. Guangzhou SASAC released Guidelines on Data Security Compliance Management for Supervised Enterprises
On 20 December 2021, the State-owned Assets Supervision and Administration Commission (SASAC) of Guangzhou Municipality released the Guidelines on Data Security Compliance Management for Enterprises Supervised by the State-owned Assets Supervision and Administration Commission of Guangzhou Municipality (Trial Version 2021). The Guidelines provide detailed guidance for the city's state-controlled enterprises, and enterprises effectively controlled by state-owned capital, on data security management responsibilities, the building of data security system specifications, data security compliance management measures, data protection in commercial cooperation, personal information protection and the application of data security technology.
Enforcement Developments
1. Walmart penalised by Shenzhen public security authority for violating the Cybersecurity Law
On 29 December 2021, the Futian Branch of the Shenzhen Public Security Bureau decided to issue a warning to Walmart (China) Investment Co., Ltd. and ordered it to make corrections in accordance with the relevant regulations. According to Qichacha, the public security authority had found 19 exploitable vulnerabilities in Walmart's network system on 25 November, and Walmart failed to deal with the vulnerabilities in a timely manner, in violation of China's Cybersecurity Law.
2. CBIRC informs Huaxia Bank of 7 types of violations of consumer rights
On 16 December 2021, the Consumer Rights Protection Bureau of the CBIRC issued a circular on the infringement of consumer rights by Huaxia Bank. The circular pointed out a series of infringements of consumer information security by Huaxia Bank and asked banking and insurance institutions to take them as a warning: inquiring into personal customers' savings and deposit transaction information without customer authorisation, in violation of the law; storing and transmitting personal customer information such as customer names, ID card numbers, bank account numbers and credit records on the public network and the Internet, in violation of the law; and calling 19,900 customers who had cancelled their credit card accounts to market insurance products, calling some customers even after they had repeatedly and explicitly refused.
3. MIIT took down 106 Apps after "look-back" inspection of personal information collection
On 9 December 2021, the Ministry of Industry and Information Technology organised a "look-back" inspection of violations related to personal information collection by Apps such as Douban and Changba (Singing Bar), and took down a total of 106 Apps. The problems involved included: forced, frequent and excessive requests for permissions; excessive collection of personal information; forced use of targeted pushing; difficulties in account cancellation; and a lack of clear disclosure of App information on distribution platforms.
4. 17 Apps, including Hellobike, were notified for privacy non-compliance
As reported by Xinhua News Agency from Tianjin on 20 December 2021, CVERC recently found that 17 mobile applications, including Hello Travel (Hellobike), had privacy non-compliance issues and allegedly collected personal privacy information beyond the necessary scope. The main problems include: not clearly informing users of all the privacy permissions requested; providing personal information to third parties without anonymisation; collecting personal information before obtaining users' consent; not providing effective functions to correct and delete personal information and cancel user accounts; setting unreasonable conditions for cancelling user accounts; and not establishing and publishing channels for complaints and reports on personal information security, or exceeding the promised time limit for responding to them.
5. CAC had regulatory talk with Douban, and Beijing CAC fined it
On 1 December 2021, the head of the CAC had a regulatory talk with the responsible person and chief editor of Douban.com, in response to the recent repeated publication or transmission of prohibited information on Douban.com and its accounts, and ordered it to rectify immediately and to deal seriously with those responsible in accordance with the Cybersecurity Law and other laws and regulations. In this regard, the CAC of Beijing imposed an administrative penalty totalling RMB 1.5 million on the operating entity of Douban.com in accordance with the law.
6. CAC had regulatory talk with Sina Weibo and fined it
On 14 December 2021, the CAC had a regulatory talk with the responsible person and chief editor of Sina Weibo, in response to the recent repeated publication or transmission on Sina Weibo and its accounts of information prohibited by laws and regulations, ordered it to rectify immediately and to deal seriously with those responsible, and fined the operator RMB 3 million under the Cybersecurity Law.
7. Beijing Communications Administration had regulatory talks with UFIDA, 263 Network Communications, E-Car Information and Sohu
On 23 December 2021, under the guidance of MIIT, the Telecommunications Administration of Beijing had regulatory talks with four companies, including UFIDA, 263 Network Communications, E-Car Information and Sohu. These companies had been notified by MIIT for three consecutive months because of the high number of network security threat issues found in MIIT's remote network security inspections.
8. CAC of Beijing had regulatory talk and fined Zhihu
As reported by Wangxinbeijing, the CAC of Beijing had a regulatory talk with the person in charge of Zhihu.com in response to the repeated publication or transmission on Zhihu.com of information prohibited by laws and regulations. The authority ordered it to rectify the situation immediately and to deal seriously with those responsible, in accordance with the Cybersecurity Law. The CAC of Beijing filed a case for administrative punishment against Zhihu.com for its illegal actions.
Industry Developments
1. CNCERT/CC released Monitoring and Analysis Report on Illegal and Irregular Collection and Use of Personal Information by Apps
On 9 December 2021, CNCERT/CC jointly released the "Monitoring and Analysis Report on the Illegal and Irregular Collection and Use of Personal Information by Apps", which summarised the illegal collection and use of personal information by Apps found in the special campaign and platform monitoring, including: mandatory and excessive collection of personal information; the problem of "informed consent" for small and medium-sized Apps; and violations in SDK data collection and account cancellation.
2. Didi announced delisting from the NYSE and launched preparations for an HKSE listing
On 3 December 2021, Didi Inc. issued an announcement saying, "After careful study, the company is starting the process of delisting from the NYSE with immediate effect and initiating preparations for listing in Hong Kong." This was its first public statement on the issue of its overseas listing since the regulator launched a data security investigation into Didi. On 2 July of the same year, the Cybersecurity Review Office announced that it would conduct a cybersecurity review of Didi and that new user registrations would be suspended, and on 5 July, 25 Didi Apps were taken offline by the CAC for "serious violations of the law on the collection and use of personal information".
3. Guangzhou Haizhu issues the country’s first data broker pilot work programme
On 10 December 2021, the People’s Government of Haizhu District, Guangdong Province, issued the “Pilot Work Plan for Data Brokers in Haizhu District, Guangzhou”, which is the first pilot work plan for data brokers in China, opening up a new model to promote data circulation and trading in addition to the “centralized” data trading platform.
4. CCA released Evaluation Report on 50 Apps' Account Cancellation and Automated Recommendation Unsubscription
On 14 December 2021, the China Consumers Association (CCA) released the Evaluation Report on 50 Apps' Account Cancellation and Automated Recommendation Unsubscription. The evaluation found that the main problems with App account cancellation are: no explicit cancellation conditions; unreasonable cancellation conditions and processes; manual review of cancellation requests with a committed time frame that is too long (more than 15 working days) or unknown; and accounts that cannot be cancelled directly within the App. The main problems with automated recommendation unsubscription are: the App does not provide users with a way to turn off automated recommendations; or the option to turn them off is too hidden. In response to the problems found in this evaluation, the CCA will send rectification suggestions with deadlines and hold talks with each of the App companies. If the enterprises concerned fail to rectify the problems in time, the CCA will carry out follow-up supervision in accordance with the law.
5. MIIT organises a pilot project on data security management in the industrial sector
On 14 December 2021, MIIT issued a notice organising a pilot project on data security management in the industrial sector. The pilot will mainly select large and medium-sized enterprises covering the raw materials industry, equipment industry, consumer goods industry, electronic information manufacturing, software and information technology services and other fields. The pilot content comprises three mandatory items, namely industrial data security management, protection and assessment, plus one optional item chosen from three: promotion of data security product application, security monitoring, and exit security management.
For further information, please contact:
James Gong, Partner, Bird & Bird
james.gong@twobirds.com