In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on four areas: regulatory developments, enforcement developments, industry developments and international developments.

Our highlights

Regulatory developments

Enforcement developments

Industry developments

International developments

Our highlights

TC260, the committee responsible for drafting cyber and data protection national standards, has issued drafts of a number of important standards for public consultation. In particular, the draft non-mandatory guidelines on notices and consent for processing personal information provide detailed guidance on whether and how data subjects should be notified and consent can be obtained. The draft standards on collection of personal information by mobile applications are the third draft released since August 2019. These come amid a backdrop of intensive enforcement actions against internet companies and mobile app service providers, and show the cautiousness of the committee faced with intensive discussions and lobbying efforts. We encourage those impacted by these standards to submit their comments to TC260 by the deadline of 20 March 2020.

Regulatory developments

1. TC260 issued draft national standards for public comment

On 20 January 2020, the National Information Security Standardization Technical Committee (TC260) issued drafts of several national-standard documents for public comment. These included the Information Security Technology – Guideline on the Security of Cloud Computing Services and the Information Security Technology - Working Mode of Packet Cipher Algorithms, covering cloud computing services, information security and other fields. In addition, the Guideline on Consent to Notification of Personal Information provides detailed explanations of the basic principles, execution methods and other aspects of notification and consent for data collection, and specifies the circumstances under which consent may be waived from notification. The Basic Standards for the Collection of Personal Information by Apps defines the basic requirements for apps to collect personal information, and includes an appendix listing the minimum required information for 30 common service types, including map navigation, online car-hailing, instant messaging and online community.

2. Self-regulation convention for offline payment industry on facial recognition trialled

On 20 January 2020, the Payment and Clearing Association of China issued a self-regulation convention for the offline payment industry on facial recognition which came into effect immediately on a trial basis. The convention requires members to establish a security management mechanism for facial information throughout its life cycle, to respect the wishes of users as to face payment services, and protect users’ legitimate rights and interests. Members are also required to establish a risk management system covering all aspects of payment to ensure trading security.

Enforcement developments

1. Zhejiang campaign targets personal information and data security performance by internet enterprises

On 10 January 2020, the Public Security Department of Zhejiang province has launched a campaign to rectify and improve the performance of internet companies regarding their security of personal information and data. The campaign will focus on six main aspects, including company inspection, company self-assessment and rectification, illegal App crackdown, security examination, punishment of personal information crimes, and strengthening of management system.

2. National Computer Virus Emergency Response Centre identifies illegal and irregular acts by mobile applications

The National Computer Virus Emergency Response Centre’s recent internet monitoring special action, “Safe Net 2020”, identified privacy failings by a number of mobile applications. The illegal or irregular behaviors discovered included: (i) collecting personal privacy information without the user’s consent; or (ii) failing to expressly notify users of all privacy rights being requested. The Emergency Response Centre circulated a notice identifying the mobile applications concerned.

3. MIIT meets with three mobile communication resale enterprises over reported fraud calls and texts

On 17 January 2020, the Cybersecurity Administration of Ministry of Industry and Information Technology (MIIT) held face-to-face meetings with three mobile communication resale enterprises to address the problem of the sharp increase in the number of alleged fraud calls and text messages reported. The enterprises were required to conduct a thorough investigation and take effective measures to eliminate issues and prevent telecom network fraud.

Industry developments

1. Online conference on strengthening the personal information protection in the Big Data era

On 10 January 2020, the National Committee of the Chinese People’s Political Consultative Conference held a remote online conference in Beijing on “Strengthening the Protection of Personal Information in the Big Data Era”. Conference attendees noted the rapid development of the Internet and the digital industry and that the legal system needs urgent improvement to protect personal information, with legislation needing to be put on the legislative agenda. Other observations included that more efforts should be taken to (i) crack down on illegalities and irregularities, and (ii) provide guidance to enterprises on establishing internal management and control mechanisms.

International developments

1. White House releases the guidance for the regulation of artificial intelligence applications

On 7 January 2020, the White House published a draft memorandum on guidance for the regulation of artificial intelligence (AI) applications. This sets out ten principles that government agencies must follow when drafting regulations relating to AI applications which are categorized as follows: (i) public trust in AI; (ii) public participation; (iii) scientific integrity and information quality; (iv) risk assessment and management; (v) benefits and costs; (vi) flexibility; (vii) fairness and non-discrimination; (viii) disclosure and transparency; (ix) safety and security; and (x) interagency coordination. The draft memorandum is aimed at reducing barriers to the development and application of AI technology and promoting its growth and innovation.

2. Indonesia’s draft Personal Data Protection Act commences official rreview procedure

On 28 January 2020, the Ministry of Communication and Information Technology of Indonesia announced that its draft Personal Data Protection Act has now been submitted to the Indonesian House of Representatives for official review. Once passed, it will become the national standard for the protection of personal data in Indonesia and the personal data of Indonesian citizens abroad. Additionally, the new law will apply to both public and private sectors, including individuals and corporations, and both legal and non-legal entities.

3. South Africa’s Protection of Personal Information Act to come into force in 2020

The Protection of Personal Information Act of South Africa will come into force in the second quarter of 2020, having been published back in 2013. It is aimed at ensuring that all institutions in South Africa collect, process, store and share personal information in accordance with its rules, and will be held accountable should they abuse or compromise personal information in any way.

4. Facebook faces collective user lawsuit arising from facial recognition technology

Facebook users in the US state of Illinois recently sued Facebook, accusing the company of violating the state’s biometric privacy laws by taking unauthorised facial data from photos taken by millions of state users in its photo tagging service “Tag Recommendations”. While Facebook initially defended the allegations, on 29 January 2020 it stated that it would pay $550 million to resolve the issue.