This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at James.gong@twobirds.com.
Key highlights
On 29 April 2022, the National Information Security Standardization Technical Committee (“TC260”) released the draft Technical Specification for Certification of Personal Information Cross-border Processing (“Draft Specification”) for public consultation. The Draft Specification is the first step that has been taken toward establishing the Certification Regime introduced by the PIPL. Some essential elements of the Certification Regime are left unaddressed, such as the accredited certification bodies, the certification procedure and the effective period of the certification, which we expect to be covered by future regulations and guidelines.
On 29 April 2022, the China Securities Regulatory Commission (“CSRC”) released the draft Administrative Measures for Cybersecurity in Securities and Futures Industry (《证券期货业网络安全管理办法(征求意见稿)》) (“Draft Measures”) for public consultation. The Draft Measures are the reaction of CSRC to tightened cybersecurity and data protection requirements under the regulatory framework established by the CSL, the DSL and the PIPL. The CSRC is joining its fellow financial regulators in implementing these requirements in the financial industry. The financial institutions in the securities and futures industry as well as their IT suppliers should keep abreast of these developments and be prepared for the new requirements that will be implemented in the near future.
Please read our articles at the links below for more details.
Our Views
China Health and Medical Data Protection (I): Human Genetic Resources Information
China’s Certification for Personal Information Export: Underway?
China will Tighten Cybersecurity in Securities and Futures Industry
Regulatory Developments
On 29 April, the National Information Security Standardization Technical Committee (TC260) released the Practice Guideline for Network Security Standards – Technical Specification for Certification of Personal Information Cross-border Processing Activities (Draft for Comments) (the “Certification Technical Specification”) for public comments. The Certification Technical Specification provides practical guidelines on the establishment of the certification mechanism in accordance with Art. 38 of the Personal Information Protection Law (PIPL). The Certification Technical Specification describes the basic principles, legal constraints, organizational management, cross-border processing rules, impact assessment, and protection of the rights and interests of individuals in the context of the certification mechanism.
2. The Cybersecurity Management Measures for the Securities and Futures Industry (Draft for Comments) was released
On 29 April, the China Securities Regulatory Commission released the Cybersecurity Management Measures for the Securities and Futures Industry (Draft for Comments) (the “Measures”) for public comments. The Measures put forward requirements on the cybersecurity supervision and management system, cybersecurity operation, data security coordination and management, cybersecurity emergency handling, cybersecurity critical information infrastructure protection, cybersecurity promotion and development, supervision and management and legal responsibility, etc.
3. MIIT and other 5 departments issued the Guidance on further strengthening the security system of new energy vehicle enterprises
On 8 April, the Ministry of Industry and Information Technology (MIIT) and other five departments jointly issued the Guidance on further strengthening the security system of new energy vehicle enterprises (the “Guidance”). The Guidance pointed out that new energy vehicle enterprises should improve the cybersecurity protection system, implement the real name registration of Internet-of-vehicle cards and vehicle product security vulnerability management, strengthen network security protection, strengthen data security protection, and implement personal information security protection.
4. The Information security techniques – Guidelines for the assessment of Information security Controls (Draft for Comments) and other 3 national standards were released
On 7 April, TC260 secretariat issued a notice to solicit public comments on three national standards, namely the Information security techniques – Guidelines for the assessment of Information security Controls (Draft for Comments), the Information security technology – Information security management for inter-sector and inter-organizational communications (Draft for Comments), and the Information security technology—Security capability requirements for big data services (Draft for Comments).
5. The Information Security Technology – Basic Requirements for Collecting Personal Information in Mobile Internet Applications and other 10 information security technology national standards were released
On 15 April, according to the Announcement on National Standards of the People’s Republic of China (2022 No.6) issued by the State Administration for Market Regulation and the Standardization Administration, 10 national standards prepared by TC260, including the Information Security Technology – Basic Requirements for Collecting Personal Information in Mobile Internet Applications, the Information Security Technology-Cyber-Data Process Security Specification, the Information Security Technology – Information Security Risk Assessment Method, will be published in the “National Standards Full Text Public System” within 20 working days after the release of the Announcement.
6. The China Banking and Insurance Regulatory Commission issued the Notice on Further Strengthening Financial Support for the Development of Small and Micro-sized Enterprises in 2022
On 8 April, the China Banking and Insurance Regulatory Commission issued the Notice on Further Strengthening Financial Support for the Development of Small and Micro-sized Enterprises in 2022 (the “Notice”). The Notice provides a series of requirements for data security and privacy protection for banks and insurance institutions, including improving internal data management system, strengthening the construction of information systems, enhancing data security and privacy protection, and conducting security assessment in advance to ensure the legality of third-party data sources.
7. The State Council issued the Opinions on Establishing Unified Domestic Market
On 10 April, the State Council issued the Opinions on Establishing Unified Domestic Market (the “Opinions”). The Opinions aim to accelerate the cultivation of the data elements market, establish and improve basic systems and standards in relation to data security, rights protection, cross-border transfer management, transaction circulation, open sharing, security certification, and promote data resources development and utilization.
8. The Practice Guide for Network Security Standards – Information System Disaster Backup Practice Guidelines (Draft for Comments) was released
On 26 April, TC260 secretariat released the Practice Guide for Network Security Standards – Information System Disaster Backup Practice Guidelines (Draft for Comments) (the “Guidelines”) for public comments. The Guidelines propose security measures that organizations can take in terms of requirement analysis, functional design, operation and maintenance for service providers and service demanders.
9. The China Securities Regulatory Commission released 4 financial industry standards
On 15 April, the China Securities Regulatory Commission released 4 financial industry standards, namely the Data Model for Securities and Futures Industry Part 4: Fund Company Logic Model, the Carbon Financial Products, the Mobile Internet Application Design Specification for Securities and Futures Industry for the Elderly, and the Mobile Internet Application Design Testing Specification for Securities and Futures Industry for the Elderly.
Enforcement Developments
1. CAC carried out “Qinglang – 2022 Algorithm Comprehensive Management” special action
On 8 April, the Secretary Bureau of the Cyberspace Administration of China (CAC) issued the Notice on The Implementation of the “Qinglang – 2022 Algorithm Comprehensive Management” special action. From April 8, 2022 to the beginning of December 2022, the CAC will take the lead to carry out work in five aspects, namely, organizing self-checks and self-corrections, carrying out on-site inspections, supervising the record-filing of algorithms, clarifying responsibilities of subjects, and ordering rectification of problems within the prescribed time limit, so as to strengthen the comprehensive management of algorithms for the Internet information services, and effectively promote the implementation of the Provisions on the Administration of Algorithm-generated Recommendations for Internet Information Services.
2. CAC carried out “Qinglang – Network Violence Special Management Action”
On 24 April, the CAC announced the “Qinglang – Network Violence Special Management Action”, which focuses on whole-chain management of 18 influential website platforms where network violence is prone to occur more frequently. The person in charge of the CAC said that, to facilitate the whole management process, this special action would be carried out by establishing and improving measures for monitoring and identification, real-time protection, intervention and disposal, traceability and responsibility, and publicity and exposure, etc. The website platforms are required to establish and improve the identification and early warning mechanism, refine the classification standards of network violence information, filter network violence content in a timely manner, establish and improve the real-time protection mechanism for victims of network violence, strengthen publicity and guidance, etc., to strictly prevent the spread of network violence information.
3. The Supreme People’s Court released 9 typical civil cases of judicial protection of personality rights
On 11 April, the Civil Division of the Supreme People’s Court released nine typical civil cases of judicial protection of personality rights. Through a series of cases, including a case involving the infringement on the right to personality by “AI company software”, a case involving the infringement on the privacy right of neighbors by face recognition devices and a civil public interest lawsuit involving illegal sale and purchase of personal information, the Supreme Court clarified that the unauthorized use of artificial intelligence software to create virtual characters constitutes infringement, the installation of visual doorbells at a close distance constitutes infringement on the privacy right of neighbors, and large-scale illegal trading of personal information infringes on the right of personality and social public interests.
4. CCTV disclosed an important case of spying and illegally providing high-speed railway data for overseas enterprises
On 13 April, the CCTV Focus Interview program “Miscalculated Data Trading” disclosed an important case of spying and illegally providing high-speed railway data for overseas enterprises. The data collected and provided by the domestic enterprises involved in the case for the overseas enterprises contained sensitive railroad GSM-R signals, and the relevant data was identified as intelligence by the state secrecy administration. The behavior of the domestic enterprises was an illegal act strictly prohibited by the Data Security Law (DSL), the Radio Management Regulations and other laws and regulations. The acts of the legal representative, sales director and salesman of the domestic enterprise involved in the case are suspected of the crime of spying and illegally providing intelligence for foreign countries as stipulated in Art. 111 of the Criminal Law. The relevant persons were arrested by the Shanghai State Security Bureau on December 31, 2021. This case is the first case in which the data involved was identified as intelligence since the implementation of the DSL, and the first case in China involving the security of high-speed rail operation that endangers national security.
5. MIIT will continue to enhance its enforcement actions to protect personal information
On 14 April, the State Council Information Office held a press conference on the progress of combating and managing telecommunication network fraud crimes. At the conference, the director of the Cybersecurity Bureau of the MIIT responded to the issue of excessive collection of personal information and announced that in 2022, the MIIT would continue to enhance its enforcement actions in the following areas, i.e. improving the management system, continuing to carry out special campaigns, protecting the rights and interests of users, and carrying out collaborative management.
On 21 April, the State Post Bureau, the Ministry of Public Security and the CAC jointly held a teleconference to deploy a six-month special action on personal information security management in the field of post and express. The teleconference pointed out that efforts should be made to ensure that the crime of infringing on citizens’ personal information in the field of post and express is significantly curbed; to crack down on illegal acts in the field of post and express, such as telecommunications fraud and empty package “click farming”; to vigorously promote the application of virtual security numbers, privacy waybills, network identity authentication and other technologies; to strengthen the security protection of critical information infrastructure; and to establish and improve cybersecurity monitoring and warning and emergency response plans for cybersecurity incidents.
On 14 April, it was reported that the People’s Court of Shunyi District had recently concluded the first case involving criminal infringement on citizens’ personal information and incidental civil public interest lawsuit in Beijing. The People’s Procuratorate of Shunyi District filed a criminal infringement on citizens’ personal information and incidental civil public interest lawsuit against defendant Li for trading more than 9 million pieces of personal information. The court sentenced Li to three years’ imprisonment and a fine of 110,000 CNY for infringement on citizens’ personal information. In addition, the defendant was sentenced to compensate 106,859.84 CNY for the loss of citizens’ personal information, to delete the stored information, and to deliver public apologies in the media.
On 20 April, the MIIT released the Notice on App Infringing on Users’ Rights and Interests (3rd batch in 2022, 23rd batch in total) (the “Notice”), notifying 37 apps that have infringed on users’ rights and interests. According to the Notice, by the time the Notice was released, there were still 37 apps that had not completed rectification.
On 18 April, the Beijing Communications Administration issued the Notice on the Special Action for Comprehensive Management on the App in Beijing in 2022 (the “Notice”). The Notice announced a six-month special action for the comprehensive management on the App in Beijing. The special action involves four types of entities, including App store operators, App operators, basic telecommunication enterprises and Internet access service providers. The entities concerned shall carry out self-testing and self-investigation based on relevant standards, such as the Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations, the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications and the Provisions on the Administration of Network Products Security Vulnerabilities. From April, the Beijing Communications Administration would carry out random testing for Apps under its jurisdiction, notify the Apps with non-compliant test results, and require the relevant entities to carry out rectification.
10. The National Computer Virus Emergency Response Center found 17 illegal mobile Apps
On 24 April, the National Computer Virus Emergency Response Center recently found through Internet monitoring that 17 mobile Apps have committed privacy non-compliant acts, which violate the Cybersecurity Law, the PIPL and other relevant provisions, and are suspected of collecting personal privacy information beyond the scope. The problems involved include: not expressly stating to users all privacy rights applied for; starting to collect personal information before obtaining users’ consent; not providing effective functions for correcting and deleting personal information and canceling users’ accounts, or setting unreasonable conditions for canceling users’ accounts; not establishing and announcing personal information security complaints and reporting channels, or exceeding the time limit for promised processing responses.
On 24 April, a press conference on the development of intellectual property rights in China 2021 was held. At the conference, the Director of the National Intellectual Property Administration introduced that they would recognize and protect the reasonable income of data processors, taking into account data security, public interest and personal information protection. In addition, the National Intellectual Property Office has launched data intellectual property protection pilot projects in Zhejiang, Shanghai and Shenzhen.
On 22 April, the administrative punishment information published by the Business Administration Department of the People’s Bank of China Chengdu Branch showed that Jincheng Consumer Finance and Xinwang Bank were both punished for violating the regulations on credit information collection, provision, enquiry and other related regulations, among which Xinwang Bank was fined 200,000 CNY.
On 26 April, the China Banking and Insurance Regulatory Commission issued the Notice on the Prominent Problems of Data Quality of the Banking and Insurance Institutions’ Supervisory Information System for Equity and Related Transactions (the “Notice”). The Notice showed that the Banking and Insurance Institutions’ Supervisory Information System for Equity and Related Transactions and the Commercial Bank Equity Supervision Information System identified that some banking and insurance institutions had prominent problems such as data misreporting, omission and concealment, including untimely reporting, inaccurate data filling and inappropriate data penetration.
Industry Developments
1. The first cross-border data hosting service platform in China was put into use
On 14 April, the Beijing Data Hosting Service Platform developed by the Beijing International Data Exchange was officially put into use, becoming the first data hosting service platform that can support the cross-border circulation of enterprise data in China. The platform provides services such as data hosting, desensitization output, fusion calculation, file building and filing. The platform enables data and model system encryption before post-hosting, sensitive data approval before post-circulation, and guarantees the safety of data cross-border circulation.
On 20 April, the China Academy of Information and Communications Technology released the Data Center White Paper (2022) (the “White Paper”). The White Paper points out that China’s data center industry continues to develop and grow steadily in overall scale and market revenue and has strong market demand. The data center industry related policies have been continuously improved to comprehensively promote the development of data centers in a low-carbon, high-quality and collaborative innovation way. The innovation of data center technology continues to be active, and green, low-carbon, efficient and intelligent data center technology innovations are emerging.
3. MIIT issued the Industrial Internet Task Force Work Plan for 2022
On 13 April, the MIIT issued the Industrial Internet Task Force Work Plan for 2022 (the “Work Plan”). The Work Plan points out that in 2022, the Office of the Industrial Internet Task Force will work on six aspects, i.e. network system strengthening action, platform system strengthening action, data aggregation empowerment action, key standard development action, security strengthening action, and stimulating the potential of data elements.
On 25 April, the CAC, the National Development and Reform Commission, and the MIIT jointly issued the Work Arrangement for Further Promoting IPv6 Scale Deployment and Application in 2022 (the “Work Arrangement”). The Work Arrangement describes ten key tasks, i.e. strengthening network bearing capacity, enhancing terminal support capacity, optimizing the performance of application facilities, expanding industry convergence applications, accelerating the transformation of government applications, promoting the deployment of commercial applications, strengthening innovation and ecological construction, promoting the development of standards and specifications, strengthening security, and strengthening coordination.
On 15 April, the Beijing Municipal Bureau of Economy and Information Technology solicited public comments on the Action Plan for the Opening of the Whole Industry Chain of Beijing’s Digital Economy (Draft for Comments) (the “Plan”). The Plan strives to accelerate the process of data factorization, carry out data asset registration and evaluation, accelerate the development of connected cars, digital healthcare, digital finance, smart cities and other industries, establish cybersecurity and data security assessment mechanisms, and develop full life-cycle data compliance guidelines.
On 20 April, the General Office of Shanghai Municipal People’s Government issued a notice on the Implementation Plan for the Standardization of Urban Digital Transformation in Shanghai (the “Plan”). The Plan specifies five key tasks for the standardization of Shanghai’s digital transformation, namely improving the basic standards that support the overall situation, improving the economic digital transformation standards for integrated development, improving the digital transformation standards for people’s livelihood, improving the digital transformation standards for fine management governance, and building a standardization work pattern that adapts to the new development stage.
On 15 April, the Equipment Industry Development Center of the MIIT issued the Notice on The Development of Automotive Software Online Upgrade for The Record (the “Notice”). In accordance with the Notice, filing requirements apply to the automobile manufacturers who have obtained the road motor automobile production access license, as well as their automobile products with OTA upgrade function and their implementation of OTA upgrade activities. The entities of the application shall be the automobile manufacturers. Enterprises can fill in the record information and related supporting materials through the “automotive software online upgrade filing system” (https://ota.miit-eidc.org.cn/).
For further information, please contact:
James Gong, Partner, Bird & Bird
james.gong@twobirds.com