China Cybersecurity And Data Protection: Monthly Update – June 2020 Issue.

This e-bulletin summarises the latest developments in cybersecurity and data protection in China. We will focus on four areas: regulatory, enforcement, industry and international developments.

Our highlights

The newly enacted Civil Code enshrines the right to privacy and the principles of personal information protection. It defines personal information and provides and sets out the legal basis for personal information processing, the obligations on the personal information processors, the rights of individuals to their personal information and the duties on administrative bodies. Despite raising a number of questions, which we hope will be addressed in the awaited Personal Information Protection Law, it paves the way for future legislation in this area.
 

The newly-published catalogue of commercial encryption products for certification and the relevant certification rules pave way for implementing the certification regime contemplated in the Encryption Law. When purchasing commercial encryption products set out in the catalogue, companies should ensure that the products have been certified.

China’s Civil Code lays foundation for data protection

New regulation strengthens cyber supply chain security in China

1. Civil Code enacted
 

On 28 May 2020, the Civil Code of the People’s Republic of China was adopted at the third session of the 13th National People’s Congress. The Civil Code strengthens the protection of personal information, stating that personal information of natural persons is protected by law. Organisations or individuals collecting information must ensure its information security, and must not illegally collect, use, manipulate, transmit, trade, provide or disclose personal information.
 

2. Personal information protection law to be formulated
 

On 25 May 2020, the Standing Committee of the National People’s Congress issued its future work plan to formulate new laws on biosecurity, personal information protection and data security. The Legislative Affairs Commission of the Standing Committee also announced on 14 May 2020 that an initial draft of the personal information protection law had been prepared, which will be submitted to the Standing Committee for review once finalised.
 

3. Data security and protection of personal privacy to be strengthened
 

On 25 May 2020, the Supreme People’s Court released a report which stressed the importance of protecting digital copyright and digital products in cases concerning artificial intelligence and copyright of online games. The Supreme People’s Court aims to strengthen data security and protection of personal privacy, and will impose heavy penalties on breaches which infringe on a citizens’ personal information. It aims to focus on cases concerning unauthorised access to a users’ address book through mobile applications and the abuse of personal credit data by online credit platforms. It will also apply the “notice to delete” rule as appropriate, and order online platforms which disseminate defamatory remarks about others to delete relevant message where requested.
 

4. Catalogue and rules on commercial cryptographic products issued
 

On 9 May 2020, in order to implement the encryption law and establish a comprehensive certification system for commercial cryptographic products, the State Administration for Market Regulation and the State Cryptography Administration jointly issued a catalogue and new rules on certifying commercial cryptographic products. The catalogue sets out 22 categories of products that require certification, including smart tokens and smart cards, and lists out the product descriptions and the basis for certification. The rules stipulate the basic principles and requirements for the certification of commercial cryptographic products mentioned in the catalogue.
 

5. Opinion issued on industrial big data
 

On 13 May 2020, the Ministry of Industry and Information Technology issued a guidance opinion on the development of industrial big data (a general term for data on the full life-cycle of products and services in the industrial sector). Examples in the guidance include data generated and used by enterprises in research and development, design, production, manufacturing, operations and management, maintenance services, as well as data in industrial Internet platforms. The guidance also sets out the Ministry’s key roles, including promoting the accessibility of the data interfaces of industrial equipment, promoting the compatibility of industrial communication protocols, and investigating industrial data resources. Another key task for the Ministry is to speed up the integration of multi-source heterogeneous data, so as to build a solid foundation for the overall digital transformation of the industry.
 

6. Pilot on value-added telecommunications services launched in free trade zone
 

On 18 May 2020, the Ministry of Industry and Information Technology announced a pilot plan to open up value-added telecommunications services in a pilot free trade zones in China. The notice requires foreign invested enterprises applying to operate a service business to locate their service facilities and place of registration within the pilot free trade zone. Such enterprises will be permitted to set up business-related accelerator server nodes throughout China, but only for the purpose of their own services and not for distribution of the network business. Internet service providers will be limited to operating in the pilot free trade zone, while other businesses may be permitted to expand throughout China.
 

7. Consultation on technical requirements for automotive information security
 

On 14 May 2020, the National Technical Committee of Auto Standardisation issued a draft consultation paper on general technical requirements for automotive information security. The consultation paper addresses areas such as principal requirements, systemic defence strategy and technical protections.
 

8. Guidelines published on information technology, big data and data classification
 

On 12 May 2020, the State Administration for Market Regulation and the National Information Security Standardisation Technical Committee published 12 national standards on the topic of information technology, big data and data classification, which have been published on the national online publication system.

1. Eight banks fined for issues in the examination and analysis technology systems
 

On 9 May 2020, the China Banking and Insurance Regulatory Commission announced that six state-owned banks and two joint-stock banks were fined a total of RMB17.7 million failings in their examination and analysis system technology systems relating to the quality and transfer of data. All of the banks were penalised for omitting or incorrectly reporting key and notifiable fields, as well as failures to report details of sub-account records. Seven of the banks failed to report the details of sub-account data, and six banks failed to report information on capital and transactions. Four of the banks failed to report the quantities of financial management products and credit asset transfer operations.
 

2. Circular issued on apps’ infringement of user rights
 

On 15 May 2020, the Ministry of Industry and Information Technology issued a circular on the infringement of users’ rights and interests by certain mobile apps. The Ministry has recently engaged third-party agencies to inspect mobile apps, and has ordered the relevant mobile app operators to rectify any issues identified. All rectification measures were required to be completed by 25 May 2020, with 16 apps having pending rectifications. The circular notes that app operators delaying their rectification measures will be penalised in accordance with the law.
 

3. Campaign to rectify infringing acts by mobile apps

On 16 May 2020, the Ministry of Public Security reported the outcome of its investigation into app operators, finding that 386 had collected citizens’ personal information in breach of the law. The apps span sectors including consulting, supplementary learning, fiction, news and entertainment. In summary, 97 out of the 386 app operators received administrative penalties; 192 apps received rectification orders; and 51 apps were removed from app stores.
 

4. Report on enforcement against infringing apps released

On 26 May 2020, the inter-department government working group tasked with cracking down on apps which illegally collect and use personal information issued a report detailing its enforcement work. The report highlights its work in formulating technical specifications, handling reported content and evaluation by professional institutions. Other related tasks include its supervision of rectification work by app operators where issues have been identified, as well as the comprehensive promotion and deepening of governance by the working group. Quoting data from multiple sources, the report objectively analyses the developments and trends in personal information protection, including the major issues encountered, the capability of enterprises, public awareness and social impact. These demonstrate the effectiveness of the working group’s enforcement. Finally, the report contains a summary of its enforcement work in 2019, and sets out specific recommendations to take its enforcement work forward.
 

5. 2020 “clean” cyber campaign launched
 

On 22 May 2020, the Cyberspace Administration of China launched an eight-month “clean” campaign. covering all online communication channels and platforms with a view to cleaning up illegal information online. The campaign aims to strictly enforce the law against online platforms and to publicly expose infringement cases. The campaign is a fundamental and long-term part of network management. The Cyberspace Administration will step up its enforcement efforts to establish a comprehensive, long-term management mechanism to curb the spread of illegal information online.
 

1. Report on the development of China’s Internet
 

On 8 May 2020, the China Internet Information Centre in Beijing released the 45th statistical report on the development of the Internet in China. The report discusses developments in 2019 and early 2020, covering aspects including Internet infrastructure, the size and structure of Internet users and Internet applications. The report also covers developments in Internet governance, the Internet industry and technology, and Internet security.
 

2. Guide to national standards on cyber security issued
 

On 14 May 2020, the National Information Security Standardisation Technical Committee and the China Electronic Technology Standardisation Institute jointly issued a guide that sets out the national standards on cyber security. The areas covered include the use of passwords, authentication and authorisation, information security assessments, communication security, information security management, cloud computing and big data security. The guide also interprets the published national network security standards from the perspective of basic introduction, the main contents and the application.

1. Report on digital economy issued by the G20
 

On 5 May 2020, the G20 Digital Economy Task Force met to consider the “G20 Roadmap Toward a Common Framework for Measuring the Digital Economy” report. The task force discussed measures to monitor trends in the digital economy, focusing on jobs, skills and growth and the effects on them. The report will provide a conceptual framework for measuring the digital economy and the task force shared views and challenges, based on experiences, to help inform policy and identify future action areas.

2. Investigation on privacy complaints regarding Zoom
 

On 11 May 2020, the Chairman of the US Federal Trade Commission indicated that it was looking into privacy-related complaints against Zoom Video Communications Inc. Uninvited strangers intruding into web video conferences on the Zoom app has negatively impacted certain users. Zoom software has been banned by some companies and government agencies, such as NASA, the FBI and Google, and some schools in New York and Singapore have also restricted its use.
 

3. Facebook settles privacy dispute for $550 million
 

On 9 May 2020, Facebook users requested the US courts to approve a US$550 million settlement in their class-action lawsuit relating to biometric data obtained through a photo-tagging tool. According to their lawyers, class members will recover only 15% to 30% of a potential individual claim, each receiving between US$150 to US$300.