This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at James.gong@twobirds.com.
Legislative Developments
Recently, the Cyberspace Administration of China (the “CAC”) issued the Filing Guidance for the Standard Contract for Personal Information Outbound Transfer (First Edition) (the “SCC Guidance”), which specifies the method, procedures, and materials for contract filing. The aim is to assist and guide data exporters in filing standard contracts for outbound transfer of personal information in a standardized and orderly manner. According to the SCC Guidance, a personal information processor that transfers personal information out of the Chinese mainland by concluding a standard contract with an overseas recipient must file the contract with the local provincial cyberspace administration in accordance with the provisions of the Measures on the Standard Contract for Outbound Transfer of Personal Information (the “SCC Measures”).
2. State Council unveiled revised version of Regulations on Commercial Cryptography
On May 24, the State Council officially published the revised version of the Regulations on the Management of Commercial Cryptography (the “Commercial Cryptography Regulations”), effective from July 1, 2023. The revised version of the Commercial Cryptography Regulations aims: (1) to improve the commercial cryptography management system; (2) to advance the innovation and standardization of commercial cryptography technology; (3) to refine the commercial cryptography testing and certification system; (4) to strengthen the management of the use of cryptograms in electronic certification services and e-government electronic certification services; (5) to regulate the import and export management of commercial cryptography; and (6) to promote the application of commercial cryptography.
On June 2, the Beijing Cyberspace Administration (the “BJCA”) issued Beijing’s Guidance for Filing Standard Contract for Personal Information Outbound Transfer (the “Beijing Guidance”), which provides detailed requirements for the outbound transfer of personal information for enterprises in the city. The guidance requires that the filing subject must be a legal entity and the domestic contract signatory. Personal information processors are also required to conduct a personal information protection impact assessment, which can be done either by themselves or through a third party. Based on the assessment, processors must make necessary rectifications. To complete the filing process, personal information processors must submit a complete set of electronic filing materials, including an official seal, to the designated email address. The BJCA will then examine the materials and provide the results within 10 working days.
Recently, the Shanghai Cyberspace Administration (the “SHCA”) issued the Notice on Filing Standard Contract for Personal Information Outbound Transfer (the “Shanghai Notice”). According to the Shanghai Notice, personal information processors who transfer personal information overseas by concluding a standard contract must file with the provincial cyberspace administration within 10 working days from the effective date of the contract, provided that they meet the conditions outlined in Article 4 of the SCC Measures. The SHCA offers consultation services to assist and guide personal information processors in conducting the filing process in a standardized and orderly manner.
Recently, the Ministry of Industry and Information Technology (the “MIIT”) issued the Guidelines for the Construction of Data Security Standard System in the Industrial Sector (2023 Edition) (Draft for Comments) (the “MIIT Guidelines”). Under the MIIT Guidelines, by 2024, the industrial sector is expected to establish a preliminary data security standard system that effectively implements data security management requirements and meets the sector’s data security needs. The MIIT also seeks to promote the application of standards in key industries and enterprises, with more than 30 national, industrial, or group standards for data security set to be developed. By 2026, a relatively comprehensive data security standard system is expected to be formed, fully implementing relevant laws, regulations, and policies. The MIIT Guidelines aim to improve the technical level of data security standards and align application effects with international practices. The system is positioned as a fundamental guide to support the industrial sector’s key work in data security. The ultimate goal is to develop more than 100 national, industry, or group standards for data security.
On May 23, the National Information Security Standardization Technical Committee (the “TC260”) issued the Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (the “Notices and Consent Guidelines”), which provide detailed methods and procedures for informing individuals of the processing rules and obtaining their consent when processing personal information. The Notices and Consent Guidelines apply to personal information processors in their processing activities and aim to protect the rights and interests of individuals. They also serve as a reference for supervision, inspection, and assessment.
On May 23, the TC260 issued the Practical Guide to Cybersecurity Standards – Personal Information Protection Security Requirements for Facial Recognition Payment Scenarios (Draft for Comments) (the “Facial Recognition Guidelines”), which provide personal information protection requirements for facial recognition payment service providers and premise managers in both indoor and outdoor facial recognition payment scenarios. It is important to note that the Facial Recognition Guidelines do not apply to facial recognition payments made by users on their mobile phones or other smart mobile terminals.
8. Qingdao released Interim Management Measures for Pilot Public Data Operation
Recently, Qingdao released its Interim Management Measures for the Pilot Public Data Operation (the “Qingdao Measures”), which clarify the responsibilities of all parties involved in the pilot program and specify the measures for platform construction, data supply, data management, data application, and data security, as well as the mechanism for evaluation and withdrawal. The Qingdao Measures become effective on June 1, 2023. Moving forward, the city will enhance its effort to promote the pilot program and explore new ways to establish a data infrastructure for data property rights, circulation and transaction, and security management. The goal is to promote the compliant and effective circulation and use of public data to empower the real economy while ensuring the security of public data.
On May 12, the Beijing Municipal Intellectual Property Office released the Management Measures for Data Intellectual Property Registration in Beijing (for Trial Implementation) (the “Beijing Measures”). The Beijing Measures consist of five chapters, covering general provisions, registration content, registration procedures, management and supervision, and supplementary provisions. Under the Beijing Measures, the registration objects for data intellectual property refer to the processed and undisclosed data collections with commercial value, collected by data holders or processors according to the laws, regulations or contractual agreements. The registration subjects for data intellectual property are the individuals or entities who hold or process data according to the laws, regulations or contractual agreements, including natural persons, legal persons, or unincorporated organizations engaged in data collection, storage, use, processing, transmission, supply, and disclosure.
Recently, the Guangdong Computer Information Network Security Association released the group standard titled The Health Medical Data Compliance Circulation Standard (T/GDNS 002 – 2023) (the “Circulation Standard”). The Circulation Standard sets out guidelines for the compliant circulation of health and medical data, including general principles, management systems, circulation frameworks, circulation processes, and circulation supervision requirements. The Circulation Standard also outlines compliance work that covers five key aspects: participating subjects, data content, circulation mechanisms, management systems, and auditing measures. To ensure compliance, measures should be taken throughout the entire circulation lifecycle, from preparation to circulating to completion. These measures include the compliant processing of data, encrypted transmission, tracking, and evaluation of data use.
Enforcement Developments
11. CAC launched special action of “Operation Qinglang” to target key areas with high online traffic
As part of the ongoing “Operation Qinglang” campaign to promote a healthier internet ecosystem in China, the CAC has recently targeted key areas with high online traffic. Website and platform operators are now required to publish announcements about the special action, scroll information about penalized accounts, and establish channels for reporting. The aim is to urge content producers to operate in accordance with the law and deter the use of fake identities as news agencies to spread false news.
12. SHCA announced first two cases approved for outbound data transfer
On May 5, the SHCA announced the first two enterprises that had passed the security assessments for outbound data transfer. As of April 28, the SHCA had fielded more than 3,300 consultation calls and received over 400 applications from organizations in key industries such as finance, retail, business services, automotive, and medical. Among them, about 60 have passed the completeness check and been submitted to the CAC for final approval. In addition, the SHCA has offered consultation over a hotline, issued practical guidelines, organized a series of lectures, and conducted extensive research to assist enterprises in the city with their potential applications for security assessments and ensure compliance in their outbound data transfer.
13. Zhejiang Cyberspace Administration announced first two cases approved for outbound data transfer
Recently, the Zhejiang Cyberspace Administration (the “ZJCA”) announced the first two enterprises that had passed the security assessments for outbound data transfer. Since the promulgation of the Measures for Security Assessment of Outbound Data Transfers on September 1, 2022, the ZJCA has implemented several measures to assist enterprises in the province with security assessment declarations in an orderly manner. These measures include opening a declaration channel, formulating and releasing guidelines and Q&As, clarifying the declaration process, content, methods and requirements, offering consultation through a hotline, and organizing training sessions. To date, more than 70 applications have been received, of which 32 have passed the completeness check and been submitted to the CAC for final approval. These applications primarily involve e-commerce platforms, finance, logistics, security, and communication.
14. Jiangsu made breakthrough in security assessment for outbound data transfer
On May 9, the Jiangsu Cyberspace Administration (the “JSCA”) announced China’s first compliant case of data export in cross-border e-commerce, providing practical guidance to promote the safe and healthy development of the industry. Going ahead, the JSCA will strengthen its direction on security assessment declarations for outbound data transfer and promote the adoption of standardized and timely assessment declarations by local enterprises and institutions. The JSCA will also implement the relevant requirements of the SCC Measures and promote standard contract filing to ensure the safe, compliant, and orderly flow of cross-border data. This will fully leverage the role of data elements and contribute to the high-quality development of the digital economy.
15. Hubei announced first batch of filed data security risk assessment institutions
On May 23, according to the Notice on the Filing of Data Security Risk Assessment Institutions in Hubei Province issued by the Network Security and Information Technology Commission Office of the Chinese Communist Party Hubei Provincial Committee, Hubei announced its first batch of seven data security risk assessment institutions, selected through a process of independent declaration, preliminary review, and expert review.
On May 8, the Beijing Communications Administration conducted a special meeting and training session on data security management for Beijing. The session featured a report on the progress of data security management, along with the promotion of the Pilot Work Plan for Data Security Risk Assessment in the Industry and Information Technology Field and Beijing’s Work Implementation Plan for Data Security Management in the Telecom and Internet Industry for 2023. Representatives from the China Academy of Information and Communications Technology and the China Software Testing Centre also provided information on the standards, procedures, and key considerations for data security risk assessments in the telecom and internet sector.
17. Supreme People’s Procuratorate released typical cases on strengthening online protection for minors
On May 31st, the Supreme People’s Procuratorate released six exemplary cases of prosecutorial authorities strengthening online protection for minors. These cases cover a range of issues, including minors participating in online fraud, minors engaging in excessive internet use, online sexual assault of minors, online privacy protection for minors, and safeguarding minors’ personal information security.
The Beijing Internet Court recently concluded a personal information protection dispute between four plaintiffs, including an individual surnamed Guo, and four defendants, including a Shanghai-based technology company. This was the court’s first case after the promulgation of the Personal Information Protection Law, in which close relatives exercised their rights to access the personal information of the deceased. The court held that, as close relatives of the deceased individual Li, the four plaintiffs had the right to access and copy Li’s relevant personal information. However, the court established that this can only be done when it is necessary and legitimate and that the plaintiffs were not authorized to directly log into Li’s personal account. Although the network service providers had suspended Li’s account, the court found that the plaintiffs were not excluded from exercising their rights through other reasonable channels. Additionally, the court determined that the four defendants did not control the personal information claimed by the plaintiffs, and therefore, their actions did not constitute infringement.
The Beijing Internet Court recently concluded a dispute between an individual surnamed Zheng and a short video company over their network service contract. The court found that Zheng had repeatedly viewed videos featuring minors on the platform operated by the defendant and had published a large number of vulgar comments. Despite receiving several penalties, Zheng continued to violate the platform’s policies. The court ruled that the platform had acted in accordance with the user service agreement and the principle of offering special and comprehensive protection for minors when it banned Zheng’s account and restricted his mobile login ID. As a result, the court rejected all claims made by the plaintiff Zheng.
Industry Developments
20. Gansu released Implementation Opinions on Promoting Development of Data Element Market
On May 29th, Gansu released the Implementation Opinions on Promoting the Development of Data Element Market (the “Gansu Implementation Opinions”). The Gansu Implementation Opinions outline the objectives, key tasks, and supporting measures for the development of the data element market and will serve as a policy framework for the safe circulation, fair trade, and efficient allocation of data elements.
Recently, the Three-year Action Plan for the Construction of a Data Element Industry Cluster in Zhangjiang (2023-2025) (the “Zhangjiang Action Plan”) was released. The Zhangjiang Action Plan proposes to create a closed-loop and open ecosystem centred around the Shanghai Data Exchange, aimed at coordinating functional platforms and industry parks within Zhangjiang Science City to promote the development of the data element industry.
22. BJCA released assessment results of annual reports on auto data security management
On May 8, the BJCA released the assessment results of the annual reports on automobile data security management. The regulator evaluated the annual reports on automobile data security management submitted by 31 companies, including Mercedes-Benz, Audi, Toyota, Baidu, Li Auto, and BAIC. Among these, 10 were rated as excellent and 21 as good. According to the BJCA, it will make further efforts in guiding local carmakers in enhancing data security awareness and conducting compliant data processing activities, with an aim to promote the rational exploitation and utilization of data and the healthy and rapid development of the industry.
23. SHCA published exemplary case of data classification and grading
On May 23, the SHCA published an exemplary case of data classification and grading, highlighting the Management Mechanism for Data Classification and Grading of the Shanghai Electric Vehicle Public Data Collecting, Monitoring, and Research Center. The case centres around the ongoing work of data classification and grading, and explains the management of organizational structure, role duties, and work process from several perspectives, including the basic principles, management mechanism, management process, and auditing content of data classification and grading. This exemplary case is expected to serve as an important reference for organizations seeking to improve their data classification and grading management practices.
24. SHCA published exemplary case of identification of important auto data
On May 18, the SHCA published an exemplary case of the identification of important auto data, highlighting the Identification Rules for Important Data of the Shanghai Electric Vehicle Public Data Collecting, Monitoring, and Research Center. The case emphasizes the rules for identifying important data and managing catalogues, and explains the approach to determining the index items of important data in datasets and identifying important data from several perspectives, including the practical basis, definition of important data, methods for identifying important data, and catalogues of important data. This exemplary case is expected to serve as an important reference for the identification and management of important data.
25. Guiyang held 2023 China International Big Data Industry Expo
On May 26, the 2023 China International Big Data Industry Expo kicked off in Guiyang, Guizhou Province. The expo, with the theme “Integrating Digital and Real Economies, Unlocking the Future with Computing Power”, was jointly hosted by the National Development and Reform Commission, the MIIT, the CAC, and the People’s Government of Guizhou Province. The event was attended by the relevant department heads of all provinces (regions/cities) and the Xinjiang Production and Construction Corps, as well as industry organization leaders, industry representatives, experts, scholars, and think-tank representatives.
26. Northern Big Data Exchange Centre was officially inaugurated
On May 17, the Northern Big Data Exchange Centre was officially inaugurated at the signing ceremony of the key projects of the 7th World Intelligence Congress. The Northern Big Data Exchange Centre will focus on demand scenarios, standardized processes, and knowledge-based data to innovate the trading mode of knowledge data. Its objective is to “promote compliant and efficient circulation and use of data to empower the real economy”, by transforming the low-value and high-risk transactions of raw data into the high-value and low-risk transactions of knowledge products. The centre’s efforts will assist in the digital and intelligent transformation of the real economy industry.
27. Guangzhou Data Exchange released achievements and innovations
On May 10, the Guangzhou Data Exchange released a series of achievements and innovations in Nansha District, marking a significant advancement for the data industry in the province. The event saw the launch of an integrated computing power resource publishing and sharing platform and nearly 40 data products in 16 key industries. The first trading service centre of the Guangzhou Data Exchange was also unveiled on the same day.
28. Zhongguancun Forum launched its first Data Security Governance and Development Forum
On May 28, the Zhongguancun Forum launched its first-ever Data Security Governance and Development Forum, inviting prominent guests to provide advice and suggestions on data security governance. During the forum, Feng Dengguo, an academician of the Chinese Academy of Sciences, identified data leakage, data destruction, and privacy leakage as the primary threats to data security. Other experts also shared their views on data security governance.
29. First National Data Resource Prosecution Office was inaugurated in Wenzhou
On May 18, at the 2023 Data Security Development Conference in Oujiang, Zhejiang Province, the Data Resources Prosecution Office of the People’s Procuratorate of Ouhai District, Wenzhou City, and the China (Wenzhou) Data Security Port Enterprise Inspection Service Centre were officially inaugurated. Through these initiatives, the construction of the China (Wenzhou) Data Security Port will be better supported with improved judicial services and safeguards. Additionally, this move aims to promote compliance in data computing, secure circulation of data elements, and orderly development of the data industry.