China publishes new rules regulating internet news services

The Cyberspace Administration of China (“CAC”) published the Administrative Provisions on Internet News Services (the “Provisions”) on 2 May 2017. The provision of internet news services within the territory of China will be subject to the regulatory framework of the Provisions.

Under the Provisions, ‘news’ is broadly defined as reports and commentary on politics, the economy, military affairs, diplomacy and other social public affairs, as well as reports and commentary on emergencies or crises. Internet news services include three categories, namely news collection, editing and distribution services, news republishing services, and news distribution platform services. The Provisions do not provide a definition for specific categories of news services.

In order to provide internet news services through websites, applications, forums, blogs, public subscription accounts, instant messages or live broadcasting, the provider must obtain a ‘Licence for Internet News Services’ for the relevant service categories (the “Licence”). Foreign invested enterprises are not able to obtain the Licence. All cooperation between licensed providers and foreign invested enterprises must pass the security assessments conducted by the CAC. In addition, news collection and editing services cannot be funded by private capital.

The main concern in relation to the Provisions is the lack of a clear definition between news and other types of information. In theory, a significant amount of information can fall within the broad definition of news under the Provisions. In practice, however, it is not likely that all generation and distribution of such information will be regulated as news services.  More detailed explanation and further guidance in this regard are expected to be provided in due course by the government authorities.

Please click here to read the full text (Chinese only) of the Provisions.

China publishes security review measures for network products and services

The CAC published the Security Review Measures for Network Products and Services (Trial) (the “Measures”) on 2 May 2017. The Measures provide important implementation rules following the PRC Cybersecurity Law and will take effect from the same date as the PRC Cybersecurity Law on 1 June 2017.

According to the Measures, if national security could be affected by any network products or services purchased for public communication and information services, energy, transportation, water conservancy, finance, public services, electronic government systems and other important industries and sectors, or purchased by the operators of other critical information infrastructure (“CII”), such network products or services must pass cybersecurity reviews. Whether national security will be affected by a particular network product or service will be decided by the government authorities responsible for the protection of CII.

A cybersecurity review will focus on whether network products or services are secure and controllable. The main considerations include the risks of being illegally controlled or disturbed, the risk of data loss or breach and other risks involved in the manufacturing process and in supply chains.

The government will establish a cybersecurity review committee and a cybersecurity review office to formulate policies and organise security reviews. It will also designate qualified third-party institutions to conduct the specific reviews. The results of the cybersecurity reviews will be published periodically.

Please click here to read a Law-Now article for more detailed discussion and analysis.

China publishes judicial interpretation of the criminal offence of infringing personal data

The Supreme People’s Court and the Supreme People’s Procuratorate published the Interpretation on Several Issues related to the Application of Laws in Criminal Cases concerning Infringement of Citizens' Personal Data (the “Interpretation”) on 9 May 2017. The Interpretation will take effect from the same date as the PRC Cybersecurity Law on 1 June 2017.

The Interpretation focuses on two criminal offences under Article 253 of the PRC Criminal Law namely the ‘illegal sale or provision of personal data’ and ‘illegally obtaining personal data’. The Interpretation reiterates the principle that the act of obtaining, selling or providing personal data in violation of the applicable laws, regulations and administrative rules concerning personal data protection (such as providing legally obtained personal data to third parties without obtaining the data subjects' consent) can, in certain circumstances, result in criminal liability. The Interpretation specifies the circumstances and the relevant scope of legal liability. For example, if a party illegally obtains, sells or provides to others more than fifty pieces of track, whereabouts, communication content, credit information or financial information, the party can be punished by a fixed term of imprisonment of a maximum of three years. The standards are clear and are expected to provide guidance in deciding future criminal cases.

According to the Interpretation, if a party operates websites or communication groups for illegally obtaining, selling or providing personal data, if the circumstances are serious, such party can commit the offence of ‘illegal use of information networks’. If a party refuses to perform its cybersecurity obligations and such refusal results in a personal data breach with serious consequences, the party can commit the crime of ‘refusing to perform cybersecurity management obligations’.

Please click here to read the full text (Chinese only) of the Interpretation.

Draft measures for security assessments of new online services is published for public comments

The Ministry of Industry and Information Technology published the Draft Administrative Measures for Security Assessments of New Online Services (the “Draft”) on 8 June 2017 to solicit public opinions.

If a telecom service operator uses the internet to provide (i) any telecom services that are within its licensed business scope and are not previously provided online, or (ii) any telecom services that are not included in the Classification Catalogue of Telecom Services by using new technologies on a trial basis, then the underlying telecom services provided will be considered to be “New Online Services” under the Draft.

If a telecom operator intends to make any New Online Services available to the public online, then the operator will be required to conduct security assessments on the New Online Services. A security assessment will include personal data protection, cybersecurity protection, network information security and management systems. A security assessment can either be conducted by the operator itself or by professional assessment institutions. The operator will also report the assessment results to the relevant telecom administrative authorities. If a telecom service operator has been operating a New Online Service for 3 years, it will no longer be required to conduct security assessments in accordance with the Draft.

Please click here to read the full text of the Draft.

The Catalogue of Critical Network Equipment and Specialised Network Security Products is published

According to Article 23 of the PRC Cybersecurity Law, critical network equipment and specialised network security products must satisfy the national standards and mandatory requirements, and be safety certified by a qualified establishment or meet the requirements of a safety inspection, before being sold or provided.

A week after the Cybersecurity Law took effect, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Certification and Accreditation Administration together published the Catalogue of Critical Network Devices and Specialised Network Security Products (First Batch) (the “Catalogue”) on 9 June 2017.

The Catalogue identifies the general categories of critical network equipment and specialised network security products, which include router, exchanger, server (rack-mounted), programmable logic controller (PLC), data backup machine, firewall (hardware), web application firewall (WAF), intrusion detection system (IDS), intrusion prevention system (IPS), security isolation and information exchange product (gatekeeper), anti-spam product, network comprehensive audit system, network vulnerability scan product, security database system, and site recovery product (hardware). The Catalogue further specifies the scope of each category. A piece of equipment or product will only constitute a critical network equipment or specialised network security product if it falls within the scope.

Please click here to read the full text of the Catalogue.