This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at James.gong@twobirds.com.
KEY HIGHLIGHTS
The Cyberspace Administration of China (CAC) continues to tighten its regulation of the internet industry and published a draft regulation on the use of deep synthesis in internet information services for public consultation. The draft regulation requires deep synthesis service providers to review the data used for deep synthesis and make sure that the service is not used to produce illegal or harmful results. The CAC also updated the regulation on mobile applications by releasing a draft for public consultation, which, amongst other things, adds specific personal information protection obligations for providers of mobile application services.
The National Information Security Standardisation Technical Committee (TC260) released the draft guidance for identifying important data, which is a key concept under the Data Security Law (DSL). This is the second draft that has been made public, and it differs significantly from the previous draft. Whilst this may serve as a reference for identifying important data as a recommended national standard once it is officially adopted, we would like to note that it is the government ministries that are charged under the DSL with the responsibility of publishing catalogues of important data.
Local governments in Shanghai, Shenzhen and Zhejiang have published more regulations and standards on data protection and administration, indicating a continuous trend of growing local data regulation.
The People’s Bank of China issued hefty fines to several banks (including responsible personnel) for violating data processing rules. In 2022, we expect that the central bank will take more enforcement actions against data-related violations.
REGULATORY DEVELOPMENTS
On January 28, the Cyberspace Administration of China (CAC) issued the Provisions for the Administration of Deep Synthesis Internet Information Services for public comments (“Provisions”). The Provisions require service providers of deep synthesis to adopt technical or manual methods to review the input data and synthesis results, as well as to take measures such as warnings, restriction of functions, suspension of services and closure of accounts against relevant users of the deep synthesis service.
On January 5, CAC issued the amended Provisions on Administration of Information Services of Apps for public comments (“Provisions”). The Provisions have been amended in accordance with the Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL), the Data Security Law and other laws and regulations. The Provisions require App providers to verify the identity of users who apply for account registration, and not to provide relevant services to users who refuse to provide real identity information or who register falsely. According to the Provisions, App distribution platforms should file with the CAC office of their local province, autonomous region or municipality within 30 days of commencing business operation.
On January 19, the People’s Bank of China (PBoC), the China Banking and Insurance Regulatory Commission (CBIRC) and the China Securities Regulatory Commission (CSRC) jointly issued the Measures of Due Diligence on the Clients of Financial Institutions and Retention of Client Identity Information and Transaction Records (“New Measures”). Compared with the Measures on the Administration of Client Identity Identification and Materials and Transaction Recording of Financial Institutions published in 2007, the New Measures expand the scope of application, revise the client identity authentication mechanism in non-face-to-face business relationships, the information sources that financial institutions should obtain, and the means and application of client information updates.
4. TC260 issued Guideline for Important Data Identification for public comments
On January 13, TC260 issued the Guideline for Identification of Important Data for public comments (“Guideline”). The Guideline clarifies the basic principles and considerations of important data identification, and the format of important data descriptions. Specifically, the Guideline requires that important data should be identified from the perspectives of national security, economic operation, social stability, public health and safety, etc. Notably, data that is important or sensitive only to the organization itself, such as data related to the internal management of an enterprise, is not considered important data.
On January 29, CAC, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security and the Certification and Accreditation Administration of the P.R.C jointly released the Announcement on security certification and security test results of critical network equipment and cybersecurity specialized products (“Announcement”). The Announcement indicates that security certification or testing will be conducted by qualified institutions, and a list of products that meet the mandatory requirements of relevant national standards will be published and updated from time to time.
6. TC260 issued Requirements of Cybersecurity Workforce for public comments
On January 17, TC260 issued the Basic Requirements for Competence of Cybersecurity Workforce for public comments (“Requirements”). The Requirements set out the knowledge and skill requirements applicable to all kinds of cybersecurity workforce and are applicable to the selection, training, evaluation and management of the cybersecurity workforce by various types of organizations, such as party and government organs, network operators, education and research institutions and other organizations.
On January 7, the State Post Bureau issued the Measures for Administration of the Express Delivery Market for public comments (“Measures”). The Measures prohibit express delivery enterprises from confirming package receipt on behalf of users without their consent, or from delivering packages to terminal service facilities such as smart express boxes and express service stations without permission. The Measures also require that encryption, de-identification and other security technical measures be taken to protect the security of waybill information, and that the identity information of natural persons not be displayed in full. No unit or individual may illegally use or resell express waybills.
8. CSRC issued Specifications for Security Testing of Apps in Securities and Futures Industry
On January 7, CSRC issued the Specifications for Security Testing of Apps in the Securities and Futures Industry (“Specifications”). The Specifications clarify the general requirements and detection methods of security testing for Apps in the securities and futures industry, and are applicable to information security testing services, security testing and evaluation of Apps, and the design and development of automated security testing tools. The formulation and implementation of the standard will unify the industry’s security requirements for mobile Internet applications, improve the security of mobile Internet applications, enhance the mobile business information security capabilities of industry institutions, and effectively prevent related security risks.
9. Zhejiang Province passed Regulations of public data
On January 21, the People’s Congress of Zhejiang Province passed and issued the Public Data Regulations (“Regulations”), which will officially come into force on March 1. The Regulations provide that public management and service agencies shall not provide original public data to third parties and shall not force repeated identity verification by collecting biometric information such as fingerprints, irises and facial images.
On January 28, the People’s Procuratorate of Shanghai Yangpu District issued data compliance guidelines for enterprises (“Guidelines”). The Guidelines require enterprises to strengthen data compliance management in respect of the data compliance management system, data risk identification, data risk assessment and disposal, data compliance operation and security, etc. The Guidelines clarify that the compliance department shall be set up directly by the board of directors and that its function shall not be performed by the legal department. The top management of the enterprise takes full responsibility for data compliance and shall ensure that the implementation and effectiveness of data compliance are included in the enterprise’s internal personnel performance appraisal system.
On January 15, Shenzhen Administration of Market Regulation issued the Implementation Standards of Administrative Penalty Discretion in Shenzhen Special Economic Zone Data Regulations (“Standards”). The Standards refine the penalty clauses related to data trading, unfair competition and algorithmic discrimination in Shenzhen Special Economic Zone Data Regulations which are effective from Jan 1, 2022.
On January 12, Zhejiang Administration of Market Regulation issued a provincial local standard, namely DB33/T2426-2022 Specification for Management of Public Data Element (“Specification”). The Specification stipulates the attributes, composition and management requirements of public data elements, and will be applicable to the management and use of public data elements by administrative organizations, civil groups, enterprises, public institutions, social organizations and other public management and service institutions at all levels.
ENFORCEMENT DEVELOPMENTS
1. MIIT announced key points of 2022 App governance
On January 20, the spokesperson of the MIIT said at a press conference of the State Council Information Office that the MIIT will focus on supervision covering App stores, SDKs, terminal enterprises and key Internet enterprises, and deepen the “524” campaign (i.e. the information and communication service perception improvement action) in 2022.
2. CAC initiated “Qing Lang” Operation across Chinese New Year
On January 24, CAC decided to launch a one-month special campaign called “Qinglang – 2022 Chinese New Year Network Environment Improvement”. The campaign focuses on Internet violence, fandom culture, wealth flaunting and money worship, feudal superstition and other harmful Internet culture, especially on key pages.
3. Xiaohongshu fined 300,000 yuan for violations of Minors Protection Law
As reported by Credit China news on January 14, the Huangpu District Administration of Culture and Tourism in Shanghai imposed an administrative penalty of RMB 300,000 on the Xiaohongshu App in accordance with Article 127 of the Minors Protection Law. Previously, Xiaohongshu had been suspected of leaking minors’ private information and of insufficient content review, as reported by CCTV in December 2021.
4. NRTA cleaned up 383,900 online short video accounts
As reported by the National Radio and Television Administration (NRTA) on January 11, it has tackled “fake positive information” and “children celebrities”, and since October 2021 has cleaned up 383,900 illegal accounts and 1,024,400 illegal short video programs on more than 10 Internet platforms, including Douyin and Kuaishou.
5. BOB Shanghai branch manager fined 100,000 yuan for credit information violations
On January 5, the Shanghai branch of PBoC imposed a fine of RMB 2.55 million on the Shanghai branch of the Bank of Beijing for violating regulations on the collection, provision, inquiry and related management of credit information, and imposed a fine of RMB 100,000 on the president of the Shanghai branch of the Bank of Beijing.
6. Chongzuo branch of China Agricultural Bank fined 11,425,000 yuan
On January 12, the Nanning branch of PBoC imposed a fine of RMB 11.4 million on the Chongzuo branch of China Agricultural Bank for failing to implement real-name management regulations, risk monitoring requirements and client identity record retention, and for illegal use of personal financial information, and imposed a fine of RMB 110,000 on the president of the Chongzuo branch of China Agricultural Bank.
7. East Asia bank fined 16.74 million yuan for illegal credit information management
On January 6, PBoC fined Bank of East Asia RMB 16.74 million and ordered it to rectify within a time limit, for violating regulations on the collection, provision, inquiry and related management of credit information.
8. CVERC warns 20 Apps about privacy violations
As reported by Xinhua News Agency on January 19, the National Computer Virus Emergency Response Center (CVERC) found 15 mobile Apps violating the CSL and the PIPL. Among them, 14 Apps did not explicitly request all privacy permissions from users; 2 Apps began collecting personal information before obtaining users’ consent; 4 Apps did not provide effective functions for correcting and deleting personal information and cancelling user accounts, or set unreasonable conditions for account cancellation; and 5 Apps failed to establish and publish channels for personal information security complaints and reports, or exceeded the promised time limit for handling and replying.
9. MPS issued 10 typical cases of crime of violating citizens’ personal information
On January 8, the Ministry of Public Security announced the top 10 typical cases of crimes infringing on citizens’ personal information in 2021, which are:
1) Jiangsu public security authorities cracked the case of He, who illegally obtained citizens’ personal information;
2) Hubei public security authorities cracked the case of Xu and others, who illegally obtained citizens’ personal information by using a plug-in program;
3) Anhui public security authorities cracked the case of Wu and others, who illegally obtained the personal information of the elderly to promote fake health products;
4) Jiangsu public security authorities cracked the case of Guan and others, who illegally obtained citizens’ personal information;
5) Fujian public security authorities cracked the case of Xie and others, who stole Internet users’ shopping information by using a Trojan horse;
6) Liaoning public security authorities cracked the case of Shi and others, who illegally obtained citizens’ information to register game accounts and sell them to minors;
7) Guangdong public security authorities cracked the case of a company that illegally obtained citizens’ personal information to commit fraud;
8) Jiangsu public security authorities cracked the case of a company that illegally obtained citizens’ personal information;
9) Zhejiang public security organs cracked the case of Li and others, who illegally obtained citizens’ express delivery information;
10) Jiangsu public security authorities cracked the case of Zhang and others, who illegally obtained citizens’ personal information.
10. CAICT issued Compliance Guidance of Facial Information Processing
On January 18, the Trusted Face App Guardian Project released the Compliance Guidance of Facial Information Processing (“Guidance”), compiled jointly by the China Academy of Information and Communications Technology and a number of other organizations. The Guidance focuses on key industries such as finance, security, education, transportation, people’s livelihood and government affairs, and smart home, and provides a comprehensive review of the full life cycle compliance points and practical cases of facial information processing.
INDUSTRY DEVELOPMENTS
1. Beijing Fourth Intermediate court issued Annual Report and 10 typical cases
On January 13, the Fourth Intermediate People’s Court of Beijing released its Annual Report on Internet Civil and Commercial Trials (2020-2021) and ten typical cases. The report summarizes the main violations related to personal information security and App governance, as well as the judicial difficulties in civil infringement cases.
For further information, please contact:
James Gong, Partner, Bird & Bird
james.gong@twobirds.com