This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement and industry developments in this area. If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong.
KEY HIGHLIGHTS
The Ministry of Industry and Information Technology (MIIT) released a second draft of the Interim Administrative Measures for Data Security in Industry and Information Technology (Draft Measures) for public consultation. Shortly after the release of the Draft Measures, the MIIT issued a notice selecting a list of regions where the local offices of the MIIT will run a pilot program of data security management, which shows that the MIIT is committed to completing the pilot program by September this year. We expect that the MIIT will continue to pioneer the implementation of the data security regime and the Draft Measures are likely to be the first sectoral regulation to be finalized under the Data Security Law. The regime established under the Draft Measures will set an example for other sectoral regulators. For more details on the Draft Measures, please read our article at the link below.
We have also seen a continuous trend of provincial governments and legislators strengthening data regulation. In addition, enforcement on apps has remained active in the past few months.
OUR VIEWS
MIIT Pioneers its Data Security Regime
REGULATORY DEVELOPMENTS
1. The Internet Information Service Algorithm Filing System was launched
On 1 March 2022, the Internet Information Service Algorithm Filing System was officially launched. The official website of the System is https://beian.cac.gov.cn. Article 24 of the Regulations on the Administration of Algorithm Recommendation for Internet Information Services, jointly issued by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (PSB) and the State Administration of Market Supervision (SAMR) on 31 December 2021, provides that providers of algorithmic recommendation services with public opinion properties or having social mobilization capabilities shall, within 10 working days of providing services, report the provider’s name, form of service, domain of application, algorithm type, algorithm self-assessment report, content intended to be publicized, and other such information through the Internet information service algorithm filing system, and carry out filing formalities.
On 10 February, the MIIT revised the first version of the Measures for Data Security Management in Industry and Information Technology (for Trial Implementation) (the “Draft Measures”) in accordance with received public opinions and published the updated version of the Draft Measures (the “revised Draft Measures”). The revised Draft Measures provide that the data in the field of industry and information technology includes three main categories (i.e. industrial data, telecommunication data and radio data) and is classified into three levels: general data, important data and core data. Data processors in this sector can subdivide the categories and levels of the data in accordance with the revised Draft Measures. Data processors in this sector should store important data and core data within China, if required by laws and administrative regulations. Where it is necessary to transfer such data outside of China, a data export security assessment should be conducted in accordance with laws and regulations.
3. MIIT issued the Notice on the Pilot Work of Data Security Management in the Industrial Sector
On 21 February, the MIIT issued the Notice on the Pilot Work of Data Security Management in the Industrial Sector (the “Notice”) and decided to expand the scope of the pilot work of data security management in the industrial sector. The Notice requires the local branches of the MIIT to i) earnestly study and implement the Data Security Law and other related laws and regulations, as well as sector-specific requirements on data security management, ii) clarify the data security management departments and persons in charge, and iii) guide industrial enterprises to carry out data security management work.
On 16 February, the MIIT published the Notice on Further Regulating the Pre-Installation Behavior of Mobile Smart Terminal Application Software (Draft for Comments) (the “Notice”) to solicit public opinions. The Notice emphasized that mobile terminal manufacturers should ensure that all pre-installed application software, except for basic function software, can be uninstalled and provide safe and convenient uninstallation methods for users to choose. Mobile terminal manufacturers should also ensure that at most one of the pre-installed application software for the same basic function can be set as uninstallable.
On February 15, eight departments, including the Ministry of Transport, the MIIT, the PSB and the CAC, jointly revised and issued the Notice on Strengthening the Joint Supervision of the Ride-hailing Industry Before, During and After the Event (the “Notice”). The Notice underlines that the focus of this joint supervision includes the following violations of laws and regulations by online ride-hailing platform companies: failure to transmit relevant data and information to the online ride-hailing supervision information interaction platform; the existence of illegal acts such as low-price dumping, fraud, and unreasonable differential treatment of individuals in terms of transaction conditions; and the existence of illegal acts that endanger network security, data security, and infringe on the rights and interests of users’ personal information.
On February 8, the National Information Security Standardization Technical Committee (TC260) released the draft version of the national standard “Information Security Technology Mobile Internet Application (App) Lifecycle Security Management Guide” (the “Guide”) to solicit public opinions. The Guide divides the life cycle of an App into seven phases: requirement analysis phase, development and design phase, testing and verification phase, shelf release phase, installation and operation phase, update and maintenance phase and termination of operation phase.
On February 11, the Legal Working Committee of the Standing Committee of the Heilongjiang Provincial People’s Congress published the Regulations on Promoting the Development and Application of Big Data in Heilongjiang Province (Draft for Comments) (the “Regulations”). The Regulations divide big data into public data and non-public data, and stipulate the rules for using public data and non-public data respectively. The Regulations also provide that the provincial people’s government shall make overall planning, accelerate the cultivation of data element markets, promote the establishment of data trading platforms, encourage and guide the trading of data in accordance with the law, regulate data trading practices, and promote the orderly and efficient flow and application of data resources.
8. Measures on Public Data Openness in Shandong Province will be implemented on April 1
On February 9, the People’s Government of Shandong Province announced the Measures for the Opening of Public Data in Shandong Province (the “Measures”), which will come into effect from April 1, 2022. The Measures define public data as all kinds of data collected and generated by state organs, organizations authorized by laws and regulations to manage public affairs, enterprises and institutions with public service functions, and people’s organizations (collectively referred to as public data providers) in the course of performing public management duties and providing public services in accordance with the law. The Measures point out that public data should be open unless otherwise provided by laws or regulations.
On February 7, the Data Management Bureau of Guangdong Provincial Government Services published the Measures for the Safe Management of Public Data in Guangdong Province (Draft for Comments) (the “Measures”) to solicit public opinions. The Measures propose that public data processors should strengthen access control, establish a registration and approval mechanism, and keep records when they process important data and core data. Moreover, public data processors should implement security technical measures to prevent the leakage of sensitive personal information, commercial secrets and other information when they use data mining, correlation analysis and other technical means to carry out processing activities.
On February 18, the Regulations on the Protection of Minors in Shanghai Province (the “Regulations”) were passed at the 39th meeting of the Standing Committee of the 15th Shanghai Municipal People’s Congress. The Regulations come into force on March 1, 2022. The Regulations stipulate that if online product and service providers find that the products and services have induced minors to become addicted to the Internet, endangered the physical and mental health of minors, or infringed on the legitimate rights and interests of minors, they should take necessary measures to remove, block or modify relevant content, functions or rules in order to prevent the spread of information infringing on minors. At the same time, relevant records should be kept and reported to the local branches of the CAC, the PSB and other departments.
11. Supreme People’s Court released the Rules for Online Operation of People’s Courts
On February 22, the Supreme People’s Court held a conference to release the Rules for the Online Operation of the People’s Courts (the “Rules”). The Rules clarify that people’s courts at all levels should develop systems for data classification, data breach incident response and data security review, and follow the principles of “security, necessity and minimum scope” for data sharing, and ensure that data related to online litigation, online mediation and other judicial activities. The Rules also require the courts to ensure that privacy, personal information, commercial secrets and other data in judicial activities such as online litigation and online mediation will not be freely disclosed or illegally provided to others.
On 22 February, the General Office of the State Council issued the Opinions on Accelerating the Expansion of the Application Field of Electronic Certificates and National Interoperability and Mutual Recognition (the “Opinions”). The Opinions indicate that the government will strengthen the security management and supervision of electronic license applications, including the identity authentication, authorization management and personal information protection of the individuals holding and using electronic licenses.
ENFORCEMENT DEVELOPMENTS
On February 23, the Cyberspace Administration of Hainan Province circulated a notice, stating that recently, the Administration organized a technical test on the collection and use of personal information by a batch of apps that have a large number of users in Hainan Province and are closely related to people’s lives. The test results showed that 9 Apps collected and used personal information illegally.
2. MIIT published the first batch of Apps that infringe on users’ rights and interests in 2022
On February 18, the MIIT circulated a notice, stating that the MIIT had recently organized a third-party testing agency to inspect mobile Internet applications. The test found that 107 Apps had not completed rectification and 13 Apps with embedded third-party software development kits (SDKs) had irregularly collected user device information.
3. CVERC warned 14 Apps about privacy violations
As reported by Xinhua News Agency on February 16, the National Computer Virus Emergency Response Center (CVERC) recently found that 14 Apps violated the relevant provisions of the Cyber Security Law and the Personal Information Protection Law, and allegedly collected personal information beyond the minimum scope necessary for achieving the processing purposes.
On February 10, the Zhejiang Province’s App Working Group on the Illegal Collection and Use of Personal Information warned 38 Apps that had illegally collected and used personal information. The main problems of these Apps include: failure to clearly indicate the purpose, method, and scope for the collection and use of personal information; violating the principle of necessity to collect personal information that is not related to the services, providing personal information to third parties without obtaining users’ consent, etc.
5. Five Chinese ride-hailing service providers summoned by several regulatory authorities in Henan
It was reported on 16 February that several regulatory authorities in China’s Henan Province jointly interviewed five domestic ride-hailing service providers, including DiDi Global Inc., Jiangnan Chuxing, Quanmin Chuxing, Partake and Cuichi Travel. The interview pointed out that some ride-hailing service providers recently had not only disrupted fair competition and market order but had also undermined the safety and stability of the sector as well as the legitimate rights of both drivers and passengers. The illegal practices of the above-mentioned platforms include deploying opaque pricing models, allocating orders to non-compliant vehicles and drivers, illegally operating inter-city passenger transport routes, and having unscientific dispatching mechanisms which lead to overtime work for employees and fatigued drivers.
On February 27, the Supreme People’s Procuratorate published an article on its official website, stating that more than 2,000 public interest litigation cases in the field of personal information protection were handled in 2021. The procuratorial authorities will continue to intensify their efforts in handling public interest litigation cases to promote the implementation of the Personal Information Protection Law (PIPL). The procuratorial authorities will strictly protect sensitive personal information and focus on the processing of personal information in the fields of education, medical care, employment, pensions, and consumption, as well as large-scale personal information processing involving more than one million people.
On February 24, the PSB announced ten typical cases of the “Breakout” operation, which aims to crack down on crimes in the black industrial chain of online accounts. These include the case of Chen and others helping information network criminal activities, cracked by Guangdong public security organs; the case of Jiang and others illegally obtaining computer information system data, cracked by Jiangsu public security organs; and the case of Xie and others infringing on citizens’ personal information, cracked by Guangxi public security organs, among others.
INDUSTRY DEVELOPMENTS
1. MIIT will strengthen supervision in the field of personal information protection in 2022
On February 28, the State Council Information Office held a press conference. Yaqing Xiao, the head of the MIIT, introduced four aspects as the MIIT’s priorities in 2022: (i) continuing the in-depth supervision on Apps, (ii) urging major Internet companies to establish customer service hotlines to respond to users’ demands, (iii) continuing to carry out aging-friendly and information barrier-free transformation, and (iv) improving the incentive mechanism and accountability mechanism in key areas such as mobile Internet services and personal information protection.
The person in charge of the MIIT said that the MIIT will continue to promote the establishment of a classification and grading management system for the network security of industrial Internet enterprises. At present, the MIIT has released the Industrial Internet Security Standard System, and is promoting the establishment of a national standard on Network Security Protection Specification for Internet Platform Enterprises and accelerating the development of more than 10 industrial standards for platform security protection, testing and assessment, and capability evaluation.
3. CBIRC issued a risk reminder on preventing illegal fund-raising in the name of “Metaverse”
On February 18, the China Banking and Insurance Regulatory Commission (CBIRC) issued a risk reminder on preventing illegal fund-raising in the name of “metaverse”. The CBIRC identified four major forms of illegal fundraising in the name of “metaverse”, i.e. fabrication of false metaverse investment projects, fraud under the banner of metaverse blockchain games, malicious speculation on metaverse real estate, and disguised engagement in metaverse virtual coins for illegal profit.
It was reported on 17 February that four departments including the National Development and Reform Commission (NDRC), the CAC, the MIIT, and the National Energy Administration responded with a letter, agreeing to start the construction of the national hub node of the national integrated computing power network in Guangdong-Hong Kong-Macao Greater Bay Area.
5. NHC is planning to establish a nationwide unified electronic medical record
It was reported on 17 February that the National Health Commission (NHC) said in its reply to the “Proposal on Promoting Data Sharing of Electronic Medical Record” raised at the fourth session of the 13th National People’s Congress, that the NHC is working on the establishment of a nationwide unified information standard system for electronic health records, electronic medical records, drugs and instruments, public health, medical services and medical insurance.
For further information, please contact:
James Gong, Partner, Bird & Bird
james.gong@twobirds.com