28 September 2020
This e-bulletin summarises the latest developments in cybersecurity and data protection in China. We will focus on four areas: regulatory, enforcement, industry and international developments.
The newly issued draft regulation on commercial encryption seeks to implement China’s first Encryption Law which came into force in January 2020 (please click here for our bulletin on the law). The draft regulation updates the original 1999 regulation on commercial encryption and proposes a number of new regulatory measures targeted at research, production, sale, testing, certification, use and import and export of commercial encryption. Two draft standards were released in August on protection of critical information infrastructure (CII). These show the progress that China is making in building its CII protection regime.
The Ministry of Commerce has proposed a trial of cross-border data transfer security management in pilot areas. This is part of its plan to encourage innovation of trade in services, but details of the trial have not yet been released.
Regulatory developments
1. Draft regulation on commercial encryption
On 20 August 2020, the State Cryptography Administration issued a new draft regulation on the administration of commercial encryption for public comment. This comprehensively revises the current regulations which have been in place since 1999. The Cryptography Law, issued in 2019, expanded the scope of cryptography regulation. It structures the management system for commercial encryption and contains a market-oriented regulatory mechanism for the industry. Against this background, the scope of the new draft regulation is extended to cover encryption services. It encourages innovation in, and standardisation of, commercial encryption technologies. It also details the testing and authentication system and the electronic authentication system for commercial encryption. In addition, it sets out the import licensing regime and export controls for commercial encryption.
On 11 August 2020, the Ministry of Industry and Information Technology issued new draft guidelines for developing data security standard systems in the telecommunications and Internet industries. The draft outlines a framework of standards for data security standard systems and covers four types of standards (basic features, key technologies, security management and key fields) to guide the standardisation process. It sets out preliminary plans which include researching and developing over 20 data security industry standards for the telecommunications and Internet industries by 2021 (and 50 by 2023) and improving existing standards.
3. Pilot areas to be set up for cross-border data transfer security management
On 12 August 2020, the Ministry of Commerce announced plans to deepen its pilot program on the innovative development of trade in services. The plan proposes pilot programmes on cross-border data transmission security management in certain pilot areas (which include Beijing, Shanghai, Hainan and Xiong’an New Area). The schedule to the plan proposes that security evaluation and data security management mechanism pilot work is carried out for cross-border data flow. It also proposes that special channels are opened up for Internet data in those pilot areas where conditions permit. The Ministry of Industry and Information Technology is to formulate policy safeguards, with the relevant pilot areas responsible for making progress. The plan also proposes exploring a category-based regulation method for cross-border data flow and ensuring the security of cross-border data transmission.
On 10 August 2020, the National Information Security Standardization Technical Committee issued a consultation draft of its methods for determining the boundary of information security technology critical information infrastructure. According to the draft, once determined as a critical business by the competent authority, the critical information infrastructure operators will further analyse the critical business and identify indispensable network facilities and the information systems required for the business’ continuous and stable operation. The draft stipulates the basic principles, models and processes for identifying the boundary of critical information infrastructure, including a method based on information flow.
On 10 August 2020, the National Information Security Standardization Technical Committee issued a consultation draft of its methods for assessing the security protection capability of critical information infrastructure in information security technology. The draft provides assessment models and methods. It aims to help critical information infrastructure operators and cyber security service institutions to evaluate the security and potential risks of critical information infrastructure with a view to enhancing their security protection capabilities.
6. Draft national security specification for network data processing
On 27 August 2020, the National Information Security Standardization Technical Committee issued a consultation draft of a national standard for the security specification for network data processing. The draft standard includes:
In particular, the draft stipulates that where domestic users visit domestic websites, such traffic must not be routed abroad.
7. Consultations on regulations on short messages and call services
On 31 August 2020, the Ministry of Industry and Information Technology issued a consultation draft of new administrative provisions on short messages and call services. The draft provides that no organisation or individual may send commercial short messages or make commercial phone calls to users without their consent or request, or after users have expressly refused to receive such messages or calls. Where users do not give clear consent, this is to be treated as a deemed refusal. Where users who had previously consented subsequently explicitly refuse to receive such messages or calls, such communication must cease.
8. Catalogue of technologies prohibited and restricted from being exported from China
On 28 August 2020, the Ministry of Commerce and the Ministry of Science and Technology issued the catalogue of technologies which are prohibited or restricted from being exported from China. The catalogue adds restrictions on the export of “personalised push technologies based on data analysis”, and also restricts the export of AI technologies, drone technologies and quantum cryptography technologies.
On 14 August 2020, the Ministry of Justice issued draft guidance on strengthening the protection of trade secrets and confidential business information in the process of administrative licensing. The draft guidance defines confidentiality and provides that when applying for administrative licensing, the applicant must clearly specify to the administrative body its trade secrets and indicate the business information that should be kept confidential. The guidance addresses a number of areas including improving the management system for confidential information, strengthening the management of archives containing trade secrets and establishing a mechanism for obtaining confidentiality agreements. It also covers requirements to strictly control the scope of personnel with access to confidential information and take precautions against sharing and disclosing it.
The guidance also covers improving the process for objecting to information disclosure.
1. Joint campaigns launched to clean up the online environment for minors
On 19 August 2020, the Ministry of Education and five other authorities issued a circular to launch a joint initiative of special actions to control the Internet environment for minors. The circular sets out various objectives including focusing on Internet addiction among minors, rectifying undesirable social behaviour on the Internet and the control of vulgar and harmful information online. The circular calls for strengthened supervision of, and guidance for, Internet enterprises, urging them to strictly fulfil their responsibilities, for example by allocating sufficient resources to inspection and intensifying efforts to audit content involving minors. Enterprises are required to promptly deal with harmful information and report major violations to the competent authorities.
2. Eight infringing apps to be removed
On 19 August 2020, the Ministry of Industry and Information Technology issued a circular on the removal of infringing apps that have failed to take rectification measures. In July, 58 app companies were listed as infringing upon the users’ rights and interests. By August, eight apps were found to have failed to complete the required rectification. The relevant application stores are required to immediately remove these apps.
1. List of scheduled projects for national network security standards in 2020 published
On 11 August 2020, the National Information Security Standardization Technical Committee published the list of scheduled projects for national network security standards in 2020, covering those to be drafted or amended and also research projects for future standards. There are 28 standards on the list to be drafted, including guidelines for data security of online payment services and specifications on personal information security evaluation for mobile Internet applications. There are 13 standards on the list for amendment, including those on the assessment methods for information technology security and the guidelines for classification and rating of information security events. Twenty-three research projects are planned for future standards, including on guidelines for security assessment of the 5G supply chain, the security requirements for status management of electronic invoices, the assessment indicators for cyber security insurance underwriting and guidelines for blockchain intelligent contract security.
2. 2020 China’s Cybersecurity Annual Conference
China’s Cybersecurity Annual Conference took place online in August on the theme of “Dealing with Threats Together”. Sub-forums covered a variety of topics including the interconnection of things and the security challenges in the 5G era, new infrastructure – industrial Internet security, cyber security awareness and digital capabilities and security of the 5G network. This annual conference provides a platform for discussion of technologies and business and aims to promote and improve cyber security.
1. Australian government released cyber security strategy 2020
On 6 August 2020, the Australian government released its cyber security strategy 2020. The Australian government will invest $1.67 billion over ten years to achieve its vision of creating a more secure online world. The critical elements of this strategy include proposed legislation and a “strengthened regulatory framework” to ensure the security of critical infrastructure. The strategy points out that the Australian government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure.
2. California Consumer Privacy Law Proposed Regulations take effect after revision
On 14 August 2020, the California Attorney General’s office officially approved the California Consumer Privacy Law Proposed Regulations which took effect on the same day. The regulations revise the definition of financial incentives and the requirements for financial incentive notices. The regulations do not allow companies to comply with opt-out requirements by setting up a “do not sell my information” link, but do allow companies to use the fuller “do not sell my personal information” link. After the implementation of the new regulations, the existing exemption time limit for enterprises to collect employee information and business information in the course of operation may be extended.
For further information, please contact:
Mark Robinson, Partner, Herbert Smith Freehills
mark.robinson@hsf.com