This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
Legislative Developments
- MIIT issued Measures for Administration of Filing of Cyber Product Security Vulnerability Collection Platforms
On 25 October, the Ministry of Industry and Information Technology (MIIT) issued the Measures for the Administration of Filing of Cyber Product Security Vulnerability Collection Platforms (the “Filing Administration Measures”), which will come into effect on 1 January 2023. The Filing Administration Measures provide for the definition of cyber product security vulnerability collection platforms, filing methods, information required for filing, and filing procedures.
- Shanghai Insurance Association issued Cybersecurity Insurance Service Specifications
Recently, under the guidance of the Shanghai Banking and Insurance Regulatory Bureau, the Shanghai Insurance Association released the first set of association standards for cybersecurity insurance service providers in China, the Cybersecurity Insurance Service Specifications (the “Service Specifications”). The Service Specifications aim to establish a uniform set of standards for insurance companies in their cybersecurity insurance operations, including underwriting, risk control, and claims services.
- Rizhao released Public Data Management Measures
On 10 October, the Office of the Rizhao Municipal People’s Government issued the Rizhao Public Data Management Measures, which provide for the definition and principles of public data management, the requirements for public data processing activities, the requirements for public data security management and supervision, and the duties and responsibilities of the relevant parties.
- TC260 released 14 national standards for automotive and voice recognition data processing activities
On 14 October, 14 national standards under the supervision of the National Information Security Standardization Technical Committee of China (TC260) were officially released and will come into effect on 1 May 2023. These national standards cover areas such as cybersecurity, communication security, and data security in the fields of automotive, voice recognition, face recognition, network payment, and genetic identification.
- TC260 issued Information Security Technology – Basic Security Requirements for Pre-Installed Applications on Smartphones (Draft for Comments)
On 9 October, TC260 released Information Security Technology – Basic Security Requirements for Pre-Installed Applications on Smartphones (Draft for Comments) (the “Security Requirements”). The Security Requirements specify the requirements for the security technology and security management of pre-installed and third-party pre-installed applications.
- Zhejiang released local standards for data asset confirmation (draft for comments)
On 25 October, the Department of Finance of Zhejiang Province issued the Guidelines for Data Asset Confirmation (the “Guidelines”) and solicited opinions from the public. The Guidelines aim to provide information and guidance for data asset confirmation in the initial, subsequent, and termination stages.
Enforcement Developments
- Shenzhen Securities Regulatory Bureau reported loopholes in network security risk management of securities company leaving its OA system under injection attack
On 11 October, the Shenzhen Securities Regulatory Bureau reported a cybersecurity case in which the Office Automation (OA) system of a securities company within its jurisdiction came under injection attack due to loopholes in the risk management of the company’s network security. Upon inspection, the Shenzhen Securities Regulatory Bureau found that the company’s penetration testing and vulnerability remediation mechanism was incomplete and that its mechanisms for network security monitoring and response needed to be improved. Moreover, the company’s high rate of IT staff turnover exacerbated the situation, as the departure of the personnel responsible for the IT system led to flaws in the management of technical privileges. According to the Shenzhen securities regulator, securities and futures business institutions in the jurisdiction should attach great importance to network security by implementing network and information security responsibility plans and strengthening IT staffing support to enhance their capability to prevent and control network security risks.
- Cyberspace Administration of Shanghai reported technology company fined for violation of Data Security Law
On 13 October, the Cyberspace Administration of Shanghai (Shanghai CAC) reported a data security case in which a technology company’s mishandling of government data and failure to take measures to ensure data security left the data vulnerable to leakage. In accordance with the Data Security Law of the People’s Republic of China, the Shanghai CAC ordered the company to rectify, issued a warning, and imposed an administrative penalty of CNY 50,000.
- Guangxi Communications Administration reported 6 Apps infringing on users’ rights and interests
On 8 October, the Guangxi Communications Administration released a list of problematic Apps after engaging a third-party testing agency to inspect 50 Apps in Guangxi. Among them, 23 Apps were found to have infringed on users’ rights and interests and were involved in issues such as “the illegal collection of personal information”, “the collection of personal information beyond the prescribed scope”, and “mandatory, frequent, and excessive requests for permissions”. The Guangxi Communications Administration required the relevant App operators in writing to rectify within a set time limit. So far, 6 Apps have still not completed the rectification.
- Guangdong High People’s Court released typical cases on personal information protection
On 31 October, the High People’s Court of Guangdong Province publicized a batch of typical cases on personal information protection to mark the first anniversary of the Personal Information Protection Law. Two criminal and four civil cases were released, covering various issues including infringement of citizens’ personal information, “excessive collection” of personal information, the exercise of the rights to access and duplicate personal information, and the use of personal information by network platforms.
Industry Developments
- Bank of Beijing granted the first data asset pledge loan in China
On 12 October, the Bank of Beijing City Sub-centre Branch granted its first loan of CNY 10 million to RocKontrol Technology Group Co Ltd., backed by pledges of the borrower’s digital assets. The bank said that the loan was made based on detailed knowledge of the company’s business and a thorough analysis of the asset appraisal report on the quality and value of its data assets.
- Hangzhou piloted chief data officer system
Recently, Hangzhou City of Zhejiang Province piloted the Chief Data Officer program by appointing chief data officers and digital officials in 115 municipal departments and municipal state-owned enterprises in the city. The program aims to “build a team of government officials with digital thinking skills, digital knowledge, and technical competence needed for digital transformation”. Under the system, the chief data officers are responsible for the establishment of department platforms, project application and development, system building and management, digital resource reuse, data processing and governance, data security, and assessment and evaluation.
- CAICT issued Key Points on Security Protection against Ransomware Attacks
On 17 October, the China Academy of Information and Communications Technology (CAICT) released the Key Points on Security Protection against Ransomware Attacks (the “Key Points”), which call for efforts to strengthen emergency response and security measures against ransomware attacks, particularly in high-risk sectors. The Key Points stress that risk prevention measures should be implemented beforehand, that emergency response should be timely and adequate in the event of a ransomware attack, and that cybersecurity reinforcement measures should be taken in post-incident reviews, with security services in place.