This e-bulletin summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.

Our highlights

The draft Personal Information Protection Law which started its formal legislative approval process in mid-October 2020 has been released for public consultation. Upon its enactment, the new law will have a far-reaching impact on the protection of individuals’ rights to their personal information as well as the business and compliance practices for companies. Please see our full briefing for further information –

What you need to know about China’s draft Personal Information Protection Law

Regulatory developments

1. Draft Personal Information Protection Law issued for public comment

On 3 October 2020, the draft Personal Information Protection Law was deliberated for the first time by the Standing Committee of the 13th National People’s Congress. The Standing Committee discussed the need for the law to protect personal information, with strengthened legal protection needed to maintain the sound ecology of cyberspace and promote the healthy development of the digital economy. The draft law focuses on key aspects of personal information protection and introduces stricter requirements for the processing of sensitive personal information and cross-border transfers. The draft law is also intended to have extraterritorial effect in order to fully protect personal information within China. It provides for a maximum fine of RMB 50 million or 5% of the previous year’s turnover for personal information right infringements, with breaches to be recorded in the public credit records.

2. Law on Protection of Minors extended to cover internet use

On 17 October 2020, the Law on the Protection of Minors was amended to add Internet-related protection provisions for minors. The amended law prohibits online products or services that result in addiction. It requires online service providers (such as online game and online live streaming providers) to include functions such as time and permission management and use restrictions in their products to control minors’ use of their services. Online service providers are also required to take necessary measures in a timely manner to stop instances of online bullying. The revised law also requires online service providers to set out the responsibilities of guardians and contains reporting obligations if a minor’s rights and interests are infringed.

3. Public consultation on measures for supervision and administration of online trading

On 20 October 2020, the State Administration for Market Regulation sought public comments on its draft measures for the supervision and administration of online trading. These update the earlier measures (issued by the former State Administration for Industry and Commerce) which were aimed at implementing the E-commerce Law and further regulating online transactions. This latest draft includes additions such as the basic principles for regulating online transactions and developing services. It contains new standards for online transaction operators on registering market players and on the disclosure of information. The measures also set out the requirements for submitting and providing information and data during online transactions. They also set out standards for the collection and use of users’ information and the protection of online consumers’ rights and interests.

4. Consultation on revised administrative provisions on information services provided through internet users’ accounts

On 15 October 2020, the Cyberspace Administration of China sought public comments on draft administrative provisions relating to information services provided through internet users’ accounts. These are aimed at promoting the orderly development of such information services and maintaining a sound network ecology, as well as safeguarding the rights and interests of individuals and other legal persons. This draft sets out general provisions and detailed guidance covering service platforms for public accounts, operators of public accounts, and supervision and administration of the platforms. It also sets out regulations on false information and false data flows. In addition, it prohibits producers and operators of public accounts from fabricating information and requires them to establish early warning systems and mechanisms for screening and eliminating false information. It also prohibits them from manipulating accounts opened on multiple platforms or generating false data flows.

5. Hangzhou legislates to prohibit forced use by households of fingerprint and facial recognition technology

On 26 October 2020, draft regulations on property management were passed in Hangzhou. These expressly stipulate that property service providers must not force property owners to accept methods of access to shared facilities and equipment which require bio-information such as fingerprints and facial recognition. This is the first time that legislation has been drafted which is aimed at regulating the use of facial recognition technology in residential communities. While regulations on property management in Beijing, Anhui and other provinces do deal with personal information protection, they do not currently specifically address the mandatory use of fingerprints, facial data and other biological information.

Enforcement developments

1. Circular issued on the network security inspections in the telecommunications and internet industries

On 12 October 2020, the Ministry of Industry and Information Technology issued a circular on network security inspections for the telecommunications and internet industries. The hidden dangers of network security risks are to be investigated and eliminated with the inspection results published. The circular also seeks to eliminate the risks in basic telecommunications enterprises, Internet enterprises and domain name registration management and service agencies. Inspections will target critical information infrastructure and important network units in the telecommunications and Internet industries, as well as the information systems they carry. This will include the 5G network infrastructure, Internet of Things platforms, and information service platforms for online car-hailing services. The inspections will focus on how cyber security management has been implemented, the technical measures taken for cyber security protection and any major hidden risks in the network.

2. Six banks fined more than RMB 40 million for infringing consumers’ personal information

On 21 October 2020, the People’s Bank of China reported that it has investigated several financial institutions for infringing consumers’ rights as regards their financial information. Breaches include violations of the Anti-Money Laundering Law and the illegal disclosure of consumers’ personal information. Warnings were issued to the relevant persons and fines imposed on six banks including the Jilin Jiangbei Sub-branch of the Agricultural Bank of China. The total fines amounted to more than RMB 40 million.

3. CAC publishes third batch of infringing websites under its “Qinglang” campaign

On 14 October 2020, the Cyberspace Administration of China (CAC) published details of the third batch of infringing websites discovered as a result of its “Qinglang” campaign. They include four educational Apps that contained pornography or irrelevant content, three other educational Apps with games, live broadcasts, films or TV plays irrelevant to learning, and three Apps commonly used by teenagers that contained obscene pornography. The CAC interviewed the relevant persons, ordering that they rectify issues and cease their infringing functions within a prescribed time limit. The CAC has stated that it is committed to cracking down on illegal conduct that damages the legitimate rights and interests of children in China as well as their physical and mental health.

4. 320,000 Apps tested during crack down on illegal collection of personal information by Apps

On 22 October 2020, the Ministry of Industry and Information Technology reported that it had completed its technical testing of 320,000 Apps in domestic mainstream App stores. This resulted in recommendations for more than 1,100 enterprises to rectify issues. 246 Apps were named for failing to complete the required rectifications within the time limit. In the past two years, the Ministry has implemented a number of consecutive special actions in response to issues with the illegal collection of personal information by Apps and as part of its commitment to further strengthening the protection of personal information.

5. MIIT publishes details of fifth batch of Apps that had infringed users’ rights and interests

On 27 October 2020, the Ministry of Industry and Information Technology (MIIT) published details of the fifth batch of Apps that had infringed users’ rights and interests and urged the 131 Apps that had not completed the required rectification measures to do so by 2 November 2020. Most of the infringements noted in this batch related to input methods, travel and e-commerce. In addition, some App stores and mobile App distribution platforms failed to fulfil their management responsibilities. MIIT also discovered that some SDK enterprises had illegally collected users’ personal information.

6. Lawsuit against operator for deleting disk data dismissed

On 30 October 2020, the China Court website reported that it had dismissed a privacy lawsuit relating to clearing of disk data. The case related to the use of an old mobile phone number by the plaintiff to apply for an online storage account in 2011. In 2016 the holder of the mobile number changed and it was subsequently reactivated by the telecommunication company three years later. The new owner logged in to the plaintiff’s online storage using the phone number and cleared the plaintiff’s data, which the plaintiff claimed violated his right to privacy. However, the court held that while the disk data constituted personal privacy, the company had not infringed his right to privacy because the company could not identify the person logging in and the plaintiff had failed to exercise his duty of care with respect to custody of his account.

7. Decision of “Daily Fresh” case: valid privacy policy but SMS cancellation fee to be borne by the platform

On 22 October 2020, the Beijing Internet Court released its judgement on the “Daily Fresh” case. The plaintiff had filed a lawsuit claiming, among other things, that the user agreement and privacy policy of “Daily Fresh” was invalid and requesting that the company compensate her for the 1 cent fee she had paid to cancel her subscription via SMS. The court held that the privacy clause in the standard contract signed was valid, but that the SMS cancellation fee should be borne by “Daily Fresh”.

8. Vipshop under investigation for potentially leaking users’ information

On 18 October 2020, China National Radio reported that many consumers had received fraudulent phone calls from “Vipshop Customer Service”. These calls would accurately recite information including consumer names and order numbers and would then ask for bank card details. The consumers believe that their personal information was leaked by Vipshop and the police have commenced their investigation. Vipshop is cooperating with the police and has urged its relevant partners to investigate and fix any loopholes identified.

Industry developments

1. Implementing plan for Shenzhen Demonstration Zone

On 11 October 2020, the General Office of the Central Committee of the Communist Party of China and the General Office of the State Council issued an implementing plan for pilot programs in Shenzhen Demonstration Zone. The plan proposes to give full play to the value of data as a factor for production. In particular, the plan proposes to promote digital currency as one of the key aspects in the innovative development of the capital markets. The plan requires improvements to the data property rights system and a data privacy protection system to be established. It also proposes open sharing of government data and the establishment of a data platform for the Guangdong-Hong Kong-Macao Bay Area.

2. Network security standards for Internet of vehicles planned

On 16 October 2020, the Ministry of Industry and Information Technology announced that it will formulate additional security policies to ensure the network security of the Internet of vehicles. This was announced in its response to proposals on the promotion of security risk assessments for the Internet of vehicles. It will also evaluate the network security of the Internet of vehicles, and improve the standards to further guarantee the security of data of the Internet of vehicles.

International developments

1. Singapore’s Safer Cyberspace Masterplan 2020 issued

On 6 October 2020, the Cyber Security Agency of Singapore released Singapore’s Safer Cyberspace Masterplan 2020. The plan builds on the 2016 Singapore Cybersecurity Strategy and adds new policies and objectives to establish a safer and more reliable cyber security ecosystem. The plan sets out three key objectives: protecting the core infrastructure of Singapore, protecting cyberspace activities and improving Singapore citizens’ awareness of cyber security and their capabilities. The masterplan is to be implemented over the next two years from 2021, with support from the Singapore Infocomm Media Development Authority and certain mobile network operators.

2. Malaysia’s Cybersecurity Strategy 2020 – 2024 launched

On 12 October 2020, the Malaysian government launched the Malaysian Cybersecurity Strategy 2020-2024 to improve the level of cybersecurity in Malaysia. The strategy includes five key elements covering (i) effective governance and management; (ii) strengthening legislative framework and enforcement; (iii) catalysing world class innovation, technology, R&D and industry; (iv) enhancing capacity & capacity building, awareness and education; and (v) strengthening global collaboration. Under the pillars sit specific strategies (12 in total) which are then broken down into 35 action plans and 113 procedures aimed at combatting any form of cyber attacks. The Prime Minister of Malaysia stated that the strategy is necessary to improve Malaysia’s capabilities in effectively dealing with cybersecurity issues and strengthen national governance and management of cybersecurity by improving critical information and telecommunication technology infrastructure.

3. Australia releases guidance to defend against malicious use of Tor network

On 19 October 2020, the Australian government released guidelines entitled Defending Against the Malicious Use of the Tor Network. The Tor network is a system that hides a user’s IP address through encryption and a series of self-described anonymous and private connections. The Tor network provides the user with multiple source locations from which the user can engage in malicious activities against its targets. The guidelines propose that it is necessary to determine whether the Tor network is used legally by implementing the challenge-response test and using Transport Layer Security connections.

4. EU Parliament adopts legislative initiatives for Artificial Intelligence

On 20 October 2020, the European Parliament put forward legislative proposals for Artificial Intelligence (AI). The European Parliament is set to become a global leader in AI development by being one of the first to recommend ethical, civil liability and intellectual property aspects for AI rules. The European Parliament has stated that it is necessary to provide legal certainty for developers and implementers of AI which will facilitate AI-related investments. It is also important to create a level playing field globally for the regulation and competition of the AI industry to promote its long-term development.