MIIT proposes changes to the administration of telecom service licensing

The Ministry of Industry and Information Technology ("MIIT") published the draft revisions to the Administrative Measures for Telecom Service Licensing (the “Draft Revisions”) on 11 April 2017 to solicit public opinions.

Following the reforms on simplifying administrative approval and commercial registration systems, the Draft Revisions remove the requirements for basic telecom service operators and value-added telecom service operators to file records with local telecom authorities after they have obtained the required operation licences. The Draft Revisions also remove the requirements for submitting capital verification reports or name pre-approval certificates.

To facilitate the development of telecom services, the Draft Revisions specify that a licensed operator can authorise its affiliates in which it holds no less than 51% of shares, either directly or indirectly, to operate the licensed telecom services. A licensed operator can also authorise more than one affiliate in the same geographic area to operate the same category of licensed telecom services.

The Draft Revisions introduce the “grey list” and “black list” listing the entities violating telecom regulatory requirements. If an entity is included on either list, such listing will have a negative impact on applications for licences or proposing cooperation with basic telecom service operators.

Please click here for the full text (Chinese only) of the Draft Revisions.

China publishes draft measures regulating cross-border transfer of data

The Cyberspace Administration of China ("CAC") published the Draft Assessment Measures for Transferring Personal Data and Important Data to Overseas Countries (the "Draft") on 11 April 2017 to solicit public opinions.

Under the Draft, "Network Operators", which are defined as the owners or administrators of networks or online service providers, are required to store within the territory of China all personal data and important data that they collect within China. If Network Operators want to transfer such data to overseas countries, they will need to go through security assessments.

While self-conducted security assessments will be sufficient in certain circumstances, Network Operators will be required to apply to the relevant government authorities for a supervised security assessment if (i) the personal data of more than 500,000 individuals is involved; (ii) more than 1000GB data is involved; (iii) the data includes nuclear facilities, chemicobiology, national defence and the military, population health data or includes data relevant to large scale engineering activities, the ocean environment or sensitive geographic information; (iv) the data concerned includes system vulnerability, security protection and other types of cybersecurity information of critical information infrastructure; or (v) it will be a critical information infrastructure operator that transfers personal data or important data to overseas countries.

The Draft also specifies the critical factors to be considered in a security assessment and the circumstances under which no personal data or important data can be transferred to overseas countries.

Compared with the PRC Cybersecurity Law and the other existing regulations on cross-border transfer of data, the scope of this Draft is very broad. If the final version remains unchanged, many organisations might need to re-evaluate and re-design their data hosting plans.

Please click here to read a Law-Now article for more detailed discussion about the Draft.

TC260 publishes the White Paper on Big Data Security Standardisation

The National Information Security Standardisation Technical Committee (“TC260”) published the White Paper on Big Data Security Standardisation (the “White Paper”) on 8 April 2017.

The White Paper provides a general overview of the main regulatory framework of big data in both China and foreign countries, and introduces the undergoing standardisation work for big data security. The White Paper also includes analysis on big data security risks and challenges, as well as examples of big data security projects.

According to the White Paper, TC260 and the National Information Technology Standardisation Committee (“TC28”) will be the leading organisations to formulate big data security standards in China. Currently, around twelve national standards, including “Information Technology—Big Data—Terms” and “Information Technology—Data Transaction Service Platform—Description of Data Transaction”, are being formulated by TC28. TC260 is also in the process of formulating standards including “Information Security Technology—Personal Information Security Specifications”, “Information Security Technology—Big Data Service Security Capability Requirements”, and “Information Security Technology—Big Data Security Management Guidance”. Some of the standards are suggestive, whereas others are mandatory. The standards will further guide the security development of the various big data projects.

Please click here for the full version (Chinese only) of the White Paper.

SAPPRFT publishes the new catalogue for audio-visual program services

The State Administration of Press, Publication, Radio, Film and Television (“SAPPRFT”) published the Classification Catalogue for Online Audio-Visual Program Services (Trial) (the “Catalogue”) on 7 April 2017.

The Catalogue states that the integration and distribution services and content provision services for internet protocol televisions (IPTV), private network mobile TVs, and OTT TVs (where the terminal TVs are connected to the distribution platforms through public networks but can only access the distribution platforms) shall be considered as “private network and directional transmission of audio-visual program services”. The specific categories of such services are not provided in this Catalogue and will be covered in a different catalogue, which has not been published yet.

This Catalogue applies to the production, integration, and distribution of audio-visual programs that are distributed to users through public networks (instead of through private networks or directional transmission), and specifies the classification categories of such services.

The general approach of the Catalogue is consistent with the current regulatory framework for audio-visual program services, under which the programs distributed through private networks or directional transmission and programs distributed through public networks are regulated separately by Regulations on the Administration of Private Network and Directional Transmission of Audio-visual Program Services and Regulations on the Administration of Online Audio-visual Program Services.

Please click here for the full version (Chinese only) of the Catalogue.

CSAA hosts forum discussing the security and development of civilian UVAs in China

The Chinese Society of Aeronautics and Astronautics (“CSAA”), together with several major operators in the unmanned aerial vehicles (“UAV”) industry, hosted the China Civilian UAV Security and Development Forum in April. One of the main focuses of the forum was discussing how technologies and self-discipline in the industry can contribute to the security and development of UAVs in China.

One technical measure proposed is to establish a digital platform, through which UAVs manufactured by different manufacturers can connect and share data. The platform can be used to monitor flight, detect risks and manage other aspects of the UAVs and to realise real-time control. Other technical measures discussed include technologies for setting polygonal regions having a no-fly zone, establishing ADS-B broadcasting pre-warning systems and implementing real-name registration systems.

In the national 13th Five-Year Plan for the Development of a Modern and Integrated Transportation System, the development and use of UAVs are specifically encouraged. During the past years, UAVs have been used for package delivery by major e-commerce operators (e.g. JD) on a trial basis. Following the Interim Regulations on the Management of Civilian UAVs, the government is considering formulating more detailed legal requirements based on developmental trends in technology and the rules recognised by industry operators in practice. 

China publishes the Draft Cryptography Law

The Office of State Commercial Cryptography Administration published the Draft Cryptography Law (the “Draft Law”) on 13 April 2017 as part of the government’s efforts to strengthen the administration of cybersecurity and national security.

The Draft Law mainly governs the manufacture, sales, export and use of encryption products and technologies, which are classified into three categories: critical, common and commercial. Only critical and common encryption products and technologies can be used to protect national secrets, and are prohibited from being imported to other countries. The sales and use of commercial encryption products and technologies might be subject to licensing requirements. In addition, encryption products and technologies used in critical information infrastructures may be subject to security assessments.

Before the issuance of the Draft Law, there were already existing regulations governing commercial encryption products. After the final version of the Draft Law is published, the existing regulations might be revised and there may be additional implementation rules to guide practice.

Please click here to read the full version (Chinese only) of the Draft Law.