This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.
Key Highlights
In August 2024, China continued its efforts in the fields of data security, data flow, and digital transformation, aiming to enhance overall levels through strengthened management and international cooperation, ensuring personal information security, and promoting orderly data flow and the efficient utilisation of data:
- Data Security: The State Council and other departments have successively issued or passed a series of drafts or regulations, once again emphasising the classification and graded protection of data, intending to clarify the responsibilities of various entities and implement a series of security measures. The Ministry of Finance and other departments have issued a series of documents, further proposing requirements for data security in different fields. These fields include, but are not limited to, standardising the basic functions and service management of accounting software, managing the full lifecycle of big data security and privacy in the tourism industry, and ensuring the security of data processing and data interfaces on internet platforms, to ensure data security in different fields.
- Data Flow: The China-EU cross-border data flow exchange mechanism was formally established, with its first meeting led by the Cyberspace Administration of China (“CAC”) and the European Commission’s Directorate-General for Trade. The meeting facilitated frank, in-depth, and constructive discussions on specific issues related to cross-border data flow and the regulatory framework for data flow between enterprises. Meanwhile, the Beijing CAC also introduced management measures and the negative list, focusing on enhancing cross-border data flows’ facilitation and security management. Specific rules and classification standards were formulated for automotive, pharmaceuticals, retail, civil aviation, and artificial intelligence sectors, promoting efficient and secure data flow.
- Digital Transformation: The CAC and other departments have issued a series of guidelines and documents aimed at promoting the coordinated transformation and development of digitalisation and greening. These efforts are intended to advance the healthy development of accounting data informatisation and provide institutional guarantees for the comprehensive promotion of electronic voucher accounting data standards. Additionally, the Ministry of Industry and Information Technology (“MIIT”) has begun soliciting exemplary cases of annual digital transformation in the manufacturing industry to encourage enterprises to implement digital upgrades.
Legislative Developments
1. The State Council reviewed and approved draft regulation to ensure classified and graded protection of network data (30 August)
Premier Li Qiang presided over a State Council executive meeting, during which the Network Data Security Management Regulations (Draft) was reviewed and approved. The State Council outlined the necessity for implementing classified and graded protection of network data as well as security measures, clarifying the responsibilities of various entities and security boundaries, such as the data security officer and the data security management agency. Furthermore, the State Council underscored the importance of ensuring the orderly and free flow of data in accordance with the law, thereby creating a good environment for promoting high-quality development of the digital economy and scientific, technological and industrial innovation.
The national standard Security and Privacy Protection Requirements for Tourism Big Data (Draft) has been released for public comment. This standard specifies the general security objectives for tourism big data, as well as the lifecycle management of security and privacy protection, operational management of security and privacy protection, monitoring management of security and privacy protection, and aspects of big data security in typical tourism application scenarios. Based on the sharing and security needs of tourism data, this standard categorises tourism big data into five levels and requires the formulation of specific graded protection requirements and operational procedures covering the entire lifecycle of data collection, transmission, storage, provision and disclosure, use and processing, and decommissioning for different levels of data, to further clarify the privacy protection requirements for tourism big data.
3. Ministry of Finance revised work rules to promote electronic accounting vouchers (7 August)
The Ministry of Finance revised the Work Rules for the Development of Accounting Information Systems, aimed at regulating accounting work in the digital economy environment, promoting the sound development of accounting informatisation, and improving the quality of accounting information. This document further clarifies the principles regarding the storage of accounting information data abroad and provides practical examples. For instance, if an entity establishes a branch overseas and its data servers are deployed abroad, it must maintain electronic accounting data backups within the country, with a backup frequency of no less than once a month. The electronic accounting data backed up domestically should be able to independently meet the needs of the entity’s accounting work and financial supervision requirements when the overseas servers are not functioning properly. This provides a practical reference for the overseas management of accounting data for relevant enterprises.
4. Ministry of Finance regulated basic functional modules of accounting software, ensuring the security of accounting data (7 August)
The Ministry of Finance revised the Rules for Basic Functions and Services of Accounting Software, aiming to standardise the basic functions and services of accounting software and improve the quality of accounting software and related services. This specification requires accounting software to possess characteristics such as openness, scalability, and flexibility, and to adhere to the national standards for electronic voucher accounting data. It outlines relevant regulations from five aspects: the input, processing, output of accounting data, as well as the security and services of the software. By specifying the functional modules that accounting software should include, such as data input, compatibility with electronic original vouchers, and customizable auxiliary accounting items, it emphasizes that the operation and processing of accounting software must meet data security requirements, including confidentiality, integrity, reliable storage, and the requirement for domestic backups of cross-border data.
5. TC260 proposed security requirements to regulate data processing of Internet platform outages (7 August)
The TC260 issued the Cybersecurity Standard Practice Guide – Security Requirements for Data Processing during Internet Platform Outages (Draft) to standardise data processing activities of Internet platform outages, ensuring data security and promoting the reasonable and effective use of data in accordance with the law. The requirements stipulate that internet platform operators shall issue a notice regarding the disposal of personal information and proactively delete personal information upon outage. It also clarifies the security requirements for personal information processing through transfer, continued retention, or entrustment methods. Additionally, the requirements emphasise that the processing of important data shall comply with the requirements for disposal reporting and deletion.
The TC260 issued the national standard Data Security Technology—Data Interface Security Risk Monitoring Methods (Draft), which aims to specify methods for monitoring data interface security risks, including approaches, content, and processes, and clarifies the key monitoring points at each stage of data interface security risk monitoring. This standard proposes that automated or semi-automated methods, such as traffic mirroring, log detection, and active probing, can identify technical data security risk sources, such as data interface vulnerabilities and abnormal data interface provisions. It aims to provide further risk identification, monitoring alerts, and reporting and handling methods through the monitoring of these risk sources.
The Ministry of Ecology and Environment (“MEE”) is seeking public comments on the Classification and Coding of Ecological and Environmental Information (Draft), aimed at ensuring the orderly processing and exchange of environmental information and guiding the compilation of ecological environment information resource directories and the classification and grading of ecological environment data. This standard specifies the basic principles, classification methods, coding rules, and related requirements for the classification and coding of ecological environment information. It categorizes information into four levels across eighteen categories, including comprehensive governance, technological support, natural ecological protection, and water ecological environment, and develops corresponding codes. It tailors relevant normative principles for different types of ecological environment information to promote resource integration and sharing.
8. Beijing issued measures to enhance the facilitation of cross-border data flows (30 August)
The Beijing CAC, in collaboration with two other departments, issued the Measures for the Facilitation of Cross-border Data Flows in Beijing, with 18 specific measures across four areas: streamlining compliant data outbound channels, refining service measures, optimising regulatory measures, and strengthening safeguard measures. These measures effectively address common challenges in current cross-border data operations, promoting the establishment of a comprehensive management system based on the model of “Pilot Free Trade Zone as a Pioneer + City-wide Facilitation Reform + Dynamic Assessment and Optimisation Mechanism,” and enhance the management level of cross-border data flow facilitation services in Beijing.
9. Beijing released negative list and management measures to regulate the process of data export of Beijing Pilot Free Trade Zone (26 August)
The Beijing CAC and two other departments issued the Management Measures for the Negative List of Data Export in the China (Beijing) Pilot Free Trade Zone (Trial) and the 2024 Negative List for Data Export Management. The measures outline the process for data processors to use the negative list, which includes submitting an application, recording, and compliant exit. They also refine rules for identifying important data, proposing 13 categories and 41 subcategories for classification. The negative list focuses on urgent data exit needs and key industries, initially covering automotive, pharmaceuticals, retail, civil aviation, and AI. It details 23 business scenarios and 198 specific fields to help enterprises identify requirements and adjusts thresholds for personal information exit assessments.
10. Shanghai proposed regulations for authorised operation management of public data (16 August)
This regulation defines the meanings of terms related to the authorized operation of public data, specifying that such operations should adopt both overall and sector-specific authorizations. It requires the district data authority to establish a unified management platform for public data operations across the region. Additionally, the document outlines the selection process for operating entities, qualification requirements, key contents of authorisation agreements, and the application and provision requirements for public data. It mandates that operating entities process public data within the authorized scope, create public data products, and emphasises the security responsibilities of both the authorizing and operating entities in these activities. It also clarifies conditions for termination of authorisation and management requirements for operational assessments. The regulation encourages operating entities to explore mechanisms for redistributing benefits from public data resources and sandbox regulatory mechanisms, as well as initiatives like data asset registration and innovative applications, aiming to cultivate Shanghai’s data factor market and promote high-quality development of the digital economy.
Enforcement Developments
11. Bank of Communications International Trust fined 1.2 million yuan for data security risks (16 August)
The NFRA Hubei Bureau publicly disclosed an administrative penalty, imposing a 1.2 million yuan fine on Bank of Communications International Trust Co., Ltd. The penalty was issued for several violations, including establishing an inadequate data governance system, and omissions or errors in regulatory data submissions.
12. Ministry of Public Security released 4 typical cases of crackdown on cyberbullying and defamation in the sports sector (15 August)
The Ministry of Public Security announced four typical cases of cracking down on illegal activities in the sports sector. Two of these cases involve the dissemination of defamatory information about table tennis players and coaches on social media platforms, while the other two cases pertain to online violence against athletes through public fabrication or insults on these platforms. The cybersecurity department of the public security authorities places great importance on addressing the online chaos of defaming others and spreading rumors via the internet, and continues to work with relevant departments to rigorously combat illegal activities in this area.
13. Shanghai summoned 6 coffee enterprises regarding improper collection of personal information (7 August)
The Shanghai CAC, in collaboration with the Shanghai Market Supervision Administration, launched a special rectification campaign on personal information protection in coffee consumption scenarios. The authorities initially conducted legal training and compliance guidance for 24 key coffee enterprises and issued case analyses addressing 6 common violations related to personal information collection, urging companies to conduct self-inspections and rectify problems. Upon review, it was found that 6 companies had not completed the rectification process adequately. The Shanghai CAC, along with the Shanghai Market Supervision Administration, summoned the responsible parties of these 6 companies, issuing stern criticism for issues such as missing, inaccurate, or incomplete privacy policies, forced or frequent inducements to collect precise location data, forced or induced membership enrolment, and failure to provide options to disable targeted advertising.
14. Jiangxi released a typical case related to sending commercial messages without consent (5 August)
The Jiangxi Provincial High People’s Court published the Top Ten Typical Cases on the Implementation of the Civil Code by Courts in Jiangxi Province for 2023, including cases related to e-commerce and personal information protection. In case five, “Cao vs. a Cultural Communication Company in Jiangxi on Personal Information Protection Dispute”, the court held that the phone number in question was personally identifiable as it was registered in the plaintiff’s real name and could be used to identify the plaintiff. Without evidence of the text message content provider, both the platform port provider and the platform operator were deemed personal information processors. The plaintiff’s personal information was processed and commercial text messages were sent without notification and consent, which was ruled a violation of the plaintiff’s personal information rights, for which the defendants were held jointly liable. This case provides a valuable reference for legally regulating commercial promotion practices and protecting personal information rights.
15. Shanghai summoned relevant enterprises regarding improper collection of personal information by vending machines (1 August)
The Shanghai CAC and other departments summoned 3 relevant enterprises and the metro operator over issues with vending machines in Shanghai subway stations that induced the use of facial recognition for payments and failed to fulfil notification obligations, thereby improperly collecting personal information. The Shanghai CAC requested that the companies conduct self-inspections and rectifications, comprehensively develop and improve internal management systems and operational procedures, and ensure compliance with the “notice-consent” and data minimisation principles for personal information processing. The companies were also urged to enhance internal learning and training on personal information protection laws and regulations.
16. Guangzhou reaffirmed the standard of whether the cross-border sharing of consumers’ information complies with contract necessity (15 August)
During the “Rule of Law Guangzhou, Setting Sail”-themed interview activity for the 2024 Guangzhou Rule of Law Construction Publicity Month, the Guangzhou Internet Court emphasised its ruling in a cross-border personal information case. The court ruled that an international hotel’s practice of sharing consumers’ personal information with all its commercial partners and marketing departments exceeded what was necessary for the performance of the contract, posing potential risks to personal rights. Consequently, the hotel was held liable for civil infringement. This case further clarified the standard of review for the “necessity for contract performance” rule in cross-border personal information processing, thereby promoting the standardisation of personal information outbound activities.
Industry Developments
17. CAC issued implementation guidelines for coordinated digital and green transformation (27 August)
The CAC, in collaboration with nine other departments, issued the Implementation Guidelines for the Coordinated Transformation of Digital Development and Green Growth to guide various departments, regions, and industries in promoting coordinated transformation. The guidelines focus on transforming and upgrading energy resources, industrial structure, and consumption patterns, thereby promoting green economic and social development. The guidelines establish two major directions for coordinated transformation: one is to promote the green and low-carbon development of digital industries, facilitating the green transformation of critical sectors such as data centres, communication base stations, and electronic information products; the other is to leverage the innovation capabilities of digital technology enterprises to promote the green transformation in nine key sectors, including power, mining, metallurgy, petrochemicals, transportation, and construction. Additionally, the guidelines outline a three-part strategic layout for the coordinated transformation and innovation, focusing on foundational capabilities, integrated technological systems, and industrial frameworks, thereby driving high-end, intelligent, and green industrial development.
18. 2024 China International Big Data Industry Expo held in Guiyang (28 August)
The 2024 China International Big Data Industry Expo was held in Guiyang, themed ‘Symbiosis of Data and Intelligence: Creating a New Future for High-Quality Development of the Digital Economy.’ The expo invited relevant national ministries to release a series of industry research reports, technical standards, and typical case studies. It focused on three directions: new tracks in the digital economy, foundational data systems, and data empowerment, facilitating industry exchanges on topics such as industrial development, data space, international cooperation, artificial intelligence, digital transformation, and data circulation. The event attracted nearly 150 enterprises, promoting business negotiations and cooperation through various product presentations and experiential activities.
19. China-EU Cross-Border Data Flow Exchange Mechanism formally established (27 August)
The first meeting of the China-EU Cross-Border Data Flow Exchange Mechanism was held via video conference. Wang Jingtao, Deputy Director of the CAC, and Sabine Weyand, Director-General of the European Commission’s Directorate-General for Trade, attended the opening ceremony and delivered speeches, officially announcing the establishment of the exchange mechanism. The meeting facilitated frank, in-depth, and constructive discussions on specific issues related to cross-border data flow and the regulatory framework for data flow between enterprises. Led by the CAC and the European Commission’s Directorate-General for Trade, the mechanism will promote China-EU cross-border data flows through meetings and exchanges of relevant policies and practices.
20. MIIT solicited 2024 Typical Cases of Digital Transformation in Manufacturing (14 August)
The MIIT was organising the collection of typical cases for the digital transformation of the manufacturing industry in 2024. The aim is to guide manufacturing enterprises to deeply understand the significant importance of digital transformation, stimulate their enthusiasm for implementing digital upgrades, and encourage the sharing of successful experiences in digital transformation. Through these collected cases, the ministry intends to further clarify practical standards that comply with national laws, regulations, and relevant policy requirements, allowing innovative, representative, exemplary, and effective cases to gain widespread reference and promotion.
21. Shenzhen issued regulations to advance digital transformation of SMEs (12 August)
The Shenzhen Small and Medium-sized Enterprises (“SMEs”) Service Bureau released the Shenzhen SME Service Bureau Digital Service Providers Support Plan Operational Procedures, designed to regulate the implementation of the support plan for digital service providers catering to SMEs in Shenzhen. The objective is to enhance the management and effectiveness of special funds, cultivate a group of high-quality digital service providers, and promote the high-quality digital transformation of SMEs in Shenzhen.
22. Guangzhou launched the authorized operation of public data (5 August)
The press conference for the achievements of the market-oriented allocation reform of data elements in Guangzhou was successfully held. The Guangzhou Municipal Bureau of Government Services and Data Management, representing the municipal government, signed a relevant agreement with Guangzhou Digital Technology Group Co., Ltd. This agreement entrusts Guangzhou Data Group Co., Ltd. with the operation of public data in the city, marking the full launch of public data authorized operations in Guangzhou. This initiative introduces a pioneering ‘separation of operations and business’ model for public data authorized operations in the country. It specifies that institutions responsible for public data operations will not participate in data product development, with 100% of the operational rights for data products belonging to data merchants, aiming to cultivate an ecosystem of fair competition, multi-party participation, and benefit sharing for the development and utilization of public data.
23. Dalian Data Industry Co., Ltd. inaugurated to promote data element marketisation reform (2 August)
At the “Activating the Value of Data Elements and Cultivating New Productive Forces” forum, the Dalian Data Industry Co., Ltd. officially launched and signed an agreement of public data authorised operation with the Dalian Data Administration. Dalian Data Industry Co., Ltd. will leverage the advanced experience and technological expertise of central state-owned enterprises to integrate Dalian’s data resources, promote deep integration of the digital and real economies, and focus on public data operation and value extraction, providing efficient and precise data support and services across industries.
24. Shanghai forms strategic partnership with global alternative data standards maker (1 August)
The Shanghai Data Exchange signed a strategic cooperation agreement with a leading European alternative data aggregation platform. The two parties will establish a cooperative mechanism for two-way data flow on overseas platforms. Through a series of interconnection initiatives, including regulatory alignment, demand-supply matching, and information sharing, the partnership aims to help global enterprises expand cross-border data flow businesses, enhance the safety and convenience of data delivery, and promote global data circulation and transactions. It will also provide global enterprises with broader, more diversified data services, technical services, and comprehensive solutions.