This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at James.gong@twobirds.com.
Key Highlights
The National Information Security Standardisation Technical Committee (“TC260”) released a draft guide on the requirements for a certification regime that was proposed to foster cross-boundary data transfer in the Greater Bay Area (“GBA”) in an official memorandum entered into between mainland China and Hong Kong SAR. The draft guide sheds some light on the arrangements that have been agreed upon in the memorandum but gives rise to more questions that require clarification. As such, we have taken a deep dive into the draft guide and set out our analysis in the article at the link below. We will soon release our article on the recent guidelines on the GBA standard contractual clauses. Please stay tuned.
The Ministry of Industry and Information Technology (“MIIT”) is the most active amongst all ministries in implementing data security laws and regulations. We take a look at the draft rules on the security assessment regime released by the MIIT, which are likely to be the first of such rules to take effect. Please read our article at the link below.
Our Views
A Deep Dive into TC260’s Proposed Guide for GBA Cross-Border Data Transfer Certification – Lexology
Follow the links below to view the official policy documents or public announcements.
Legislative Developments
- TC260 invited comments on Practical Guide to Cybersecurity Standard — Requirements for Cross-border PI Protection in the Guangdong-Hong Kong-Macao Greater Bay Area (Draft for Comment)
  On 1 November 2023, the TC260 issued the “Network Security Standard Practice Guide — Guangdong-Hong Kong-Macao Greater Bay Area Cross-Border Personal Information Protection Requirements (Draft for Comment)” (“Draft Guide”), to promote the safe and orderly cross-border flow of PI in the GBA. The Draft Guide is formulated on the basis of the “Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the GBA” (the “Memorandum”), and it is applicable to cross-border PI processing by PI processors in the GBA in accordance with the GBA Certification mechanism under the Memorandum. The Draft Guide sets out the basic principles and protection requirements for the cross-border flow of PI in the GBA. It requires PI processors to comply with the local laws and regulations in the jurisdictions concerned, and requires the PI recipient not to transfer the received PI to a third party outside the GBA.
- Ministry of Finance, the Cyberspace Administration of China (“CAC”) invited public comments on Interim Measures on Data Security Management for Accounting Firms
  On 2 November 2023, the Ministry of Finance and the CAC jointly issued the Interim Measures for Data Security Management of Accounting Firms (Draft for Comments). The draft stipulates that accounting firms shall implement data classification and grading management appropriate to their business and determine core data, important data and general data in accordance with the provisions of relevant laws and regulations and the data grading and classification standards of the industry in which the audited entity is located. It requires that accounting firm personnel have only the minimum authority necessary to perform data access, data processing, data review and data retention work. Audit working papers and related data shall not, as a matter of principle, be transferred out of the country; if they need to be transferred out of the country, they shall go through the approval procedures in accordance with the relevant government regulations.
- MIIT invited public comments on Guidelines for Discretion Administrative Penalties on Data Security in the Domain of Industry and Information Technology (for Trial Implementation)
  On 23 November 2023, MIIT issued the Guidelines for Discretion Administrative Penalties on Data Security in the Domain of Industry and Information Technology (for Trial Implementation) (Draft for Comments), which clarifies that administrative penalties are to be imposed under the jurisdiction of the place where the violation occurs, and that no further penalties will be imposed for a single incident. It stipulates that enterprises should establish a data security management system and a responsibility system, and that the government and regulatory bodies will strengthen their supervision and law enforcement efforts with respect to data security.
- Zhejiang Cyberspace Administration issued Zhejiang Province Automobile Data Processing Management Regulations
  On 4 November 2023, the Zhejiang Cyberspace Administration issued the Zhejiang Province Automobile Data Processing Management Regulations, proposing that automobile data processors shall obtain separate consent from the PI subject for each item of sensitive PI, and shall not obtain consent for several items of sensitive PI at one time. The Regulations clarify that the processing of in-cabin data must follow the principle of “default closure”, that the types of automobile data being processed should be directly related to the business functions of the product or service, and that users should be provided with the means to access, copy, and delete PI.
- National Industrial Information Security Development Research Centre issued Group Standard Technical Requirements for Public Data Authorisation Operation Platform
  On 23 November, the National Industrial Information Security Development and Research Center released the group standard Technical Requirements for Public Data Authorisation and Operation Platform (“Standard”). The Standard defines the reference architecture of the public data authorisation and operation platform and clarifies the related technical requirements of the platform in five aspects, including function, performance, operation and maintenance, security and interconnection, around the whole process of data registration, authorisation and circulation. The release of this standard aims to standardise the construction of public data authorisation and operation platforms, unleash the value of public data elements, and promote the healthy development of the digital economy.
- The State Administration for Market Regulation (SAMR) publicly sought opinions on the Interim Measures for Assisting in Law Enforcement Related to Online Transactions (Draft for Comment)
  On 14 November, SAMR issued the Interim Measures for Assisting in Law Enforcement Related to Online Transactions (Draft for Comment), proposing that market supervision and administration departments may, in accordance with laws and regulations, require platform operators to provide transaction information, such as identity information of the operator on the platform, information on goods or services, payment records, logistics and express delivery, return and exchange of goods, and after-sales transactions, as well as relevant standardised fields.
- Beijing Economic and Information Bureau directs China Information and Communications Technology Institute (CAICT) and Beijing Big Data Exchange to issue Data Cleaning, De-Identification and Anonymisation Business Protocols (Trial)
  To regulate data processing behaviour and activate the data factor market, on 17 November, the Beijing Economic and Information Bureau led the CAICT and the Beijing Big Data Exchange to issue the Data Cleansing, De-identification and Anonymisation Business Protocol (Trial). The protocol stipulates that data cleansing is the guarantee of data availability, data de-identification is the key to data desensitisation, and data anonymisation is the enhancement of de-identification. Data anonymisation is not about achieving a perfect, absolute state of anonymity, but rather about reducing identifiability to a level of risk that is acceptable to regulators and organisations. If identifying specific individuals from the processed identifiers requires unreasonable time, effort, or resources, it is not considered to be reversible.
- Chongqing Cyberspace Administration issued Notice on Reporting Data Export Demand
  On 15 November, the Chongqing Cyberspace Administration issued the Notice on Reporting Data Outbound Demand, which stipulates that the main objects of reporting are foreign-funded enterprises located in Chongqing Municipality, as well as cross-border financial, cross-border logistics, cross-border e-commerce and other organisations that may have data outbound situations. The scope of data outbound reporting is that the data collected and generated by the organisation in the country is transmitted and stored outside the country (including Hong Kong, Macao and Taiwan), or the data is stored in the country but can be queried, retrieved, downloaded and exported by institutions, organisations and individuals outside the country.
- Hangzhou Municipal Government invited public comments on Hangzhou Digital Trade Promotion Regulations (Draft)
  On 8 November, the Hangzhou Municipal Government invited public comments on the “Regulations on Promoting Digital Trade in Hangzhou (Draft)”, which stipulates that relevant departments should take measures to encourage domestic and foreign digital trade market players to set up their headquarters or regional headquarters, research and development centres and data centres in Hangzhou, and to help market players enhance their international competitiveness in the fields of cloud computing, network communication and industrial interconnection.
- Guangdong Province Government released Three-Year Action Plan for Building the Digital Bay Area
  On 21 November, the Guangdong provincial government released the three-year action plan for building the “Digital Bay Area”, exploring the construction of a “Hong Kong-Macao Data Special Zone”, supporting the construction of national data exchanges through the Guangzhou and Shenzhen data exchanges, accelerating the convenient flow of data elements in the GBA, promoting the establishment of unified data asset registration rules in the GBA, exploring the authorised operation of public data, and realising the integration and application of public data with social data.
- Guangxi Zhuang Autonomous Region Government issued Interim Measures for the Management of Market-based Development of Data Elements in Guangxi
  On 13 November, the Government Office of Guangxi Zhuang Autonomous Region issued the Interim Measures for the Management of Market-oriented Development of Data Elements in Guangxi. The Measures state that governments at or above the county level should incorporate the market-oriented development of data elements into their national economic and social development plans. It aims to promote the classification, hierarchical ownership, authorised use and market-based circulation and transaction of public data, enterprise data and PI. It also aims to create a national-level data trading platform for the ASEAN region.
- Hubei Province Development and Reform Commission seeks public comments on Interim Measures for the Management of Data Transactions in Hubei Province
  On 7 November, the Hubei Provincial Development and Reform Commission publicly solicited comments on the Interim Measures for the Management of Data Transactions in Hubei Province, proposing that data trading venues, under the guidance of provincial development and reform departments, should build a unified trading platform for the province’s data elements and promote transactions within data trading venues. The products of the transactions include data products, data services and computing resources.
- Guizhou Province issues Administrative Measures for Data Element Registration Services in Guizhou Province (for Trial Implementation)
  On 15 November, the Guizhou Provincial Government issued the Guizhou Province Data Element Registration Service Management Measures (Trial), which aims to protect the legitimate rights and interests of registered subjects and activate the potential of data elements. The Measures stipulate that data element registration services shall be organised and implemented in accordance with the procedures of application, acceptance, verification, online publication, objection handling and issuance of certificates. In principle, registration certificates are valid for two years.
- Guizhou Province publicly invited comments on the Catalogue of Projects Entering Public Resources Trading Centres in Guizhou Province (2023 Supplement)
  On 10 November, the Guizhou Provincial Government invited public comments on the Catalogue of Transaction Items Entered into Public Resource Transaction Centres in Guizhou Province (2023 Supplement), which proposes to include data elements in the scope of the Catalogue of Public Resource Transactions. This catalogue covers a range of items such as data resources, algorithmic models, arithmetic resources, data products and service transaction projects (including government procurement projects).
- Zhejiang Wenzhou Finance Bureau issued Trial Opinions on Exploring Data Asset Management Pilot
  On 7 November, the Wenzhou Municipal Finance Bureau issued the Trial Opinions on Exploring Data Asset Management Pilot, proposing the gradual establishment of a mechanism for collecting revenue from authorised operations of public data, and exploring the gradual inclusion of authorised operations of public data into the scope of government state-owned resources (assets) paid use.
- TC260 published Network Security Standard Practice Guidelines — Network Security Product Interconnection Asset Information Format (Draft for Comment) and Network Security Standard Practice Guidelines-Network Security Product Interconnection Alert Message Format (Draft for Comment)
  On 28 November, TC260 published for comment the above drafts, which provide a common asset information format, an extended asset information format and an alarm information format for the interconnection of cybersecurity products that can be used to guide the design, development, application and testing of interconnection functions of cybersecurity products.
- China Internet Finance Association releases 9 Group Standards, including Financial Data Asset Management Guidelines
  On 16 November, the China Internet Finance Association released nine group standards, including the Financial Data Asset Management Guidelines. The topics of the nine standards focus on financial data governance, digital transformation, digital credit, and fintech application and self-regulation management. Among them, the Financial Data Asset Management Guidelines proposes the classification, inventory and evaluation methods of financial data assets, which is conducive to deepening data governance in the financial industry and promoting the digital transformation of financial institutions.
Enforcement Developments
- The Supreme People’s Procuratorate releases Blue Book on Prosecutorial Public Interest Litigation for PI Protection
  On 4 November, the Supreme People’s Procuratorate issued the Blue Book on Procuratorate Public Interest Litigation for PI Protection. The Blue Book reviews the development process of public interest litigation for the protection of PII and summarises its working characteristics and advantages. It also reviews the practice of PII protection litigation in key areas such as Beijing, Hebei, Shanghai, Zhejiang, Chongqing and Guangdong, and summarises its effectiveness. The Blue Book focuses on key issues such as illegal collection of PI by mobile applications, facial recognition, and privacy in delivery labels, and suggests prospects for the regulatory path.
- Beijing High Court Releases White Paper on Trial of Crimes Against Citizens’ PI
  On 15 November, the Beijing High Court released the White Paper on the Trial of Crimes Involving the Infringement of Citizens’ Personal Information (2018 – 2023), noting that the number of cases involving the infringement of citizens’ PI has fluctuated, with a slight increase this year, and the criminal penalties are generally lighter. In terms of the characteristics of the offence, the main features include a prominent proportion of PI related to personal and property security, the largest proportion of telephone numbers and identity documents in the information elements, and an increase in the size of the PI involved in the cases.
- Beijing Municipal Bureau of Supervision conducts special action to optimise platform agreement
  Since June 2023, the Beijing Municipal Bureau of Supervision has been conducting a special operation to optimise platform agreements. As of 17 November, a total of 135 platform enterprises have been directed to amend and optimise their agreements. Since the launch of the special action, the main agreements that platform companies have optimised include adding a way to withdraw consent to accept commercial information, clarifying through the content of the agreement that users can decide whether to accept such commercial information, and optimising the terms and conditions for collecting user information for screencasting and operator streaming free services.
- Shanghai Cyberspace Administration held a series of lectures on data export security assessment policy
  On 30 November, the fourteenth session of the Data Export Security Assessment Policy Lectures was held in Shanghai, where the Shanghai Cyberspace Administration provided information on the current situation of acceptance of data export security assessment declarations and introduced relevant laws and regulations and considerations for declaration materials. Experts from the Shanghai Information Security Evaluation and Certification Centre focused on the implementation of data export risk self-assessment and report writing. During the Q&A session, they responded to and answered questions from company representatives on the inbound processing of overseas data, outbound processing of scientific research data and the reporting obligations of third-party platforms.
- Hangzhou Internet Court releases Ten Typical Judicial Suggestions involving PI protection, AI face changing
  On November 24, the Hangzhou Internet Court issued ten judicial suggestions on topics like PI protection, algorithmic model enhancement, and AI face changing. For example, it advised express delivery companies to expedite the use of electronic waybills adhering to PI protection norms and explore de-identification of these waybills to minimize PI leakage risk.
- Zhejiang Wenzhou public security network security department dealt with a case involving the infringement of citizens’ PI
  On 13 November, a pharmacy data analyst was found selling sales data on the dark web, resulting in a significant data breach. The Wenzhou Cyberspace Administration has taken criminal action against the analyst. The responsible person in the pharmacy, which lacked a comprehensive data security system and failed to implement necessary security measures, was fined RMB 100,000 by the Wenzhou authority.
- Yunnan Xishuangbanna Cyberspace Administration interviewed the person in charge of an application enterprise over illegal collection of PI
  On November 10, the Xishuangbanna Cyberspace Administration Department summoned a local application operator suspected of unauthorized PI collection for a regulatory interview in accordance with the law. The company was urged to rectify its illegal activities, improve employee training, and fulfill its PI protection responsibilities effectively.
- MIIT Issues Circular on Application (SDK) for Infringing on Users’ Rights and Interests
  On 17 November, the MIIT released the 7th batch of 2023 Applications (SDKs) that infringed on users’ rights and interests, with a total of 13 companies on the list. The issues included illegal collection of PI, mandatory, frequent, and excessive permission requests by applications, and deceiving, misleading and coercing users.
- Shanghai Cyberspace Administration and Municipal Supervision Bureau carry out on-site inspections in key business districts
  On November 14, the Shanghai Cyberspace Administration conducted inspections in key business districts. It discovered that some restaurants using QR code ordering were frequently enticing customers to join memberships and asking for precise location data. A children’s training institution lacked a specific privacy policy for minors under 14 and was forcefully requesting precise location data.
- CAC released a notice on launching the “Clear and Purify” special action
  On 17 November, the CAC issued a notice on the launch of the “Clear and Purify” special action to cleanse the Internet of toxic online behaviour. The special operation will focus on key platform types such as social media, short videos and live streaming, and target seven prominent issues, including maliciously posting PI such as names and ID numbers, inciting attacks and verbal abuse, and cracking down on illegal accounts, groups and online forums, as well as illegal feature settings.
- Beijing Cyberspace Administration and other four departments to carry out the 2023 annual automotive data security management reporting work
  On 21 November, the Beijing Cyberspace Administration launched the 2023 Report on Automotive Data Security Management in Beijing. The reporting targets are automotive data processors registered in Beijing and engaged in significant data processing activities. These include automobile manufacturers, parts and software suppliers, distributors, repair facilities and travel service companies. Reporting includes the submission of the annual automotive data security management report for 2023, risk assessment reports, and a summary table of automotive data processors’ information.
Industry Developments
- The CAC Releases Announcement on the Third Batch of Domestic Financial Information Service Institutions’ Reporting Numbers
  On 21 November, the CAC issued the announcement of the third batch of reporting numbers of domestic financial information service institutions, requiring financial information service institutions to display their reporting numbers in prominent places of the services and products they provide, and to link to the reporting system website (http://fisbaobei.ifcert.cn) for users to check and verify.
- The second Global Digital Trade Expo was successfully organised, with the National Data Authority (NDA) Director discussing data infrastructure for the first time
  On 23 November, the second Global Digital Trade Expo was successfully held, and the Director of the National Data Bureau delivered a speech, discussing analytically for the first time the concept, connotation, and capability of data infrastructure. According to Liu Liehong, data infrastructure, from the perspective of unlocking the value of data elements, is a new type of infrastructure that is supported by facilities such as networks and computing power, and provides society with integrated services for data aggregation, processing, circulation, application, operation and security. It encompasses a comprehensive system of hardware, software, open-source protocols, standards, mechanism designs and other organic components.
- The Price Division of the National Development and Reform Commission (NDRC) and the Preparatory Group III of the NDA convened a symposium on improving the price formation mechanism for public data
  On 9 November, to promote the efficient and compliant dissemination and use of public data, the Price Department of the NDRC and the National Bureau of Statistics held a symposium on improving the pricing mechanism of public data. They listened to the opinions of the Price Monitoring Center of the NDRC, the Credit Reference Center of the People’s Bank of China, relevant banks and enterprises on how to speed up the establishment of a pricing mechanism in line with the characteristics of public data elements and promote the paid use of public data for digital development under the guidance of the government.
- China Internet Development Report 2023 and the World Internet Development Report 2023 Blue Book were released
  On 8 November, the China Internet Development Report 2023 and the World Internet Development Report 2023 Blue Book were released at the 2023 World Internet Conference in Wuzhen. The China Internet Development Report 2023 focuses on highlighting new developments in China’s internet industry over the past year, including the prominent role of digital infrastructure, leading indicators such as the scale of 5G, IPv6 and total computing power, and the strong momentum of digital economy development, which has become an important engine for stable growth and transformation. Based on a global perspective, the World Internet Development Report 2023 aims to assess the development of the global Internet industry objectively and scientifically. It highlights that information infrastructure construction has gradually become the focus of attention for major countries and emphasises how information technology innovation is leading social transformation. Emerging technologies such as AI and quantum computing are entering the fast lane of development, while global technology cooperation is facing challenges and disruptions.
- Beijing Data Infrastructure System Pioneer Zone launched
  On 12 November, the Beijing Data Infrastructure System Pioneer Zone was launched. The programme for the establishment of the Pioneer Zone highlights the need to build a national blockchain network hub. Through a new type of distributed data sharing and circulation infrastructure, it will support the construction of a national blockchain network, facilitate the secure, trustworthy, and orderly circulation of data elements, and help seize the commanding heights of digital economic development.
- Beijing Municipal Bureau of Economy and Information Technology encouraged enterprises to carry out data asset registration
  On 17 November, the Beijing Municipal Commission of Economy and Information Technology and the Beijing Municipal Finance Bureau released the Implementation Guidelines for the Beijing High-End Industry Development Fund in 2023 (Third Batch). The guidelines encourage enterprises to register data assets, conduct data transactions and engage in data asset-related activities on the Beijing International Big Data Exchange. It also encourages enterprises to open up data assets to society for the first time through data training bases, AI data annotation platforms, authoritative websites or other channels. Subsidies will be provided for various types of activities.
- Shanghai Consumer Protection Commission and Chain Store Association jointly launched Compliance Guidelines on PI Protection for Shopping at Supermarkets in Shanghai Municipality
  On 6 November, the Shanghai Consumer Protection Commission and the Chain Store Association jointly issued the Shanghai Guidelines for the Protection of Personal Information in Supermarket Shopping. The guidelines state that when supermarket operators collect and process consumers’ sensitive PI, such as ID card number and location history, through applications or mini-programs, or provide the processed PI to third parties, they should simultaneously inform consumers of the purpose and necessity of the collection and obtain separate consent from consumers. Supermarket operators should ensure that consumers can change the scope of the consent granted, revoke consent and delete their accounts as they wish, and should not impose unnecessary or unreasonable conditions.
- The first “enterprise credit data” outbound scenario passed data outbound security assessment
  Recently, the “Overseas Enterprise Credit Information Query Platform” of Qichacha Technology Co, Ltd, located in the Suzhou area, passed the CAC’s data outbound security assessment, becoming the first data outbound compliance case in the field of enterprise credit information query in the country. This is important for improving the level of data outbound security governance and provides practical guidance for the domestic commercial information industry in terms of data outbound security assessment.
- China’s first telecoms data zone went live on Guiyang Big Data Exchange
  On 10 November, the first national telecommunications data zone was launched on the Guiyang Big Data Exchange. The initial phase of the telecommunications data zone includes 13 telecommunications data products, covering various types such as data capabilities, AI capabilities, platform capabilities, high-performance computing and more. The aim is to accelerate the aggregation of various telecommunications data and address the issues of ownership, processing rights and product operation rights related to telecommunications data resources.
- Hainan’s first enterprise passed standard contract (SCCs) filing for PI export
  Recently, Hainan Xingchuang Internet Medicine Co., Ltd. submitted the application materials for the SCCs filing of PI outbound. These materials have passed the SCC filing review of Hainan Provincial Cyberspace Administration. This record project is the first approved PI SCCs filing project in Hainan, marking the establishment of the PI outbound SCCs filing system in Hainan. At the same time, it has also achieved compliant outbound PI for Hainan Free Trade Port, bringing data-driven innovation to the cross-border service business in Hainan.
- Hunan’s first enterprise passed SCCs filing for PI export
  Recently, two PI outbound SCCs submitted by Flex Technology (Changsha) Co., Ltd. passed the SCCs filing review organised by the Hunan Provincial Cyberspace Administration. It is the first company in Hunan Province to achieve compliant PI outbound through the establishment of SCCs, marking the official start of the SCCs filing work for PI outbound SCCs in Hunan Province.
On 7 November, Tongxiang Zhenxing Urban Construction File Service Company and Zhejiang Yunshi Digital Construction Technology Research Institute Co., Ltd. carried out the data intellectual property rights transaction of “Intelligent Site Environment Management Analysis Data” and obtained the first data intellectual property rights transaction certificate in the construction field in the province. This is the first single transfer of ownership of data intellectual property rights in the province, which is an effective application of data intellectual property rights transformation on the ground.