In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on three areas: regulatory developments, enforcement developments and industry developments.

Regulatory developments

1. Draft national standards released on information security including draft Personal Information Security Standards

On 25 June 2019, eight new national standards relating to personal information security and other matters were released for public consultation by the Secretariat of the National Information Security Standardization Technical Committee. These include new national standards on information system password application; requirements and assessment specifications for industrial internet platform security; trusted computing specifications; protective requirements for biometric identification information; general technical requirements for smart home security; specifications for personal information security; personal information security engineering guidelines; and technical specifications for security processors.

2. New draft network security vulnerability management regulations released for public comment

On 18 June 2019, the Ministry of Industry and Information Technology and other relevant departments released draft regulations on network security vulnerability management for public comment. The Network Security Vulnerability Management Regulations are intended to implement the Cybersecurity Law and strengthen the management of network security vulnerabilities.

3. Draft measures for assessing outbound security of personal information released for public comment

On 13 June 2019, the Cyberspace Administration of China and other relevant departments consulted the public on proposed draft measures on assessing outbound security of personal information. The draft Measures for the Assessment of Outbound Security of Personal Information are intended to protect personal information security, safeguard cyberspace sovereignty, national security and public interest, and protect rights and interests under the Cybersecurity Law.

4. Consultation commenced on implementation measures for network critical equipment security

The Ministry of Industry and Information Technology has drafted implementation measures for network critical equipment security which are open for public comment. These draft measures, released on 4 June 2019, are intended to be issued in the form of a normative document.

5. Technical Committee issues practical guidance on internet security for mobile internet applications

On 1 June 2019, the National Information Security Standardization Technical Committee released a network security practice guide for mobile internet applications covering essential information for basic business functions. The technical committee organized institutions and experts to publicize the guidance entitled “Internet Security Practical Guideline – Essential Information Specification for Basic Operation Functions of Mobile Internet Applications” (App Specification).

Enforcement developments

1. Shanghai People’s Procuratorate symposium on enhanced compliance by applications when collecting personal information and recommendations issued

On 20 June 2019, the Shanghai People’s Procuratorate held a symposium for applications on how to enhance compliance when collecting personal information. Before the symposium, the Shanghai Procuratorate issued recommendations to ten application operators concerning problems detected during the investigation, requiring them to strengthen protection of users’ personal information.

2. 2019 Network Market Supervision Special Action (Network Sword Action) Plan issued

On 17 June 2019, the members of the inter-ministerial Joint Conference on Network Market Supervision launched the 2019 Internet Market Supervision Special Action (Net Sword Action) from June to November. This special action plan is aimed at implementing the spirit of the Party’s meetings and carrying out the work of the inter-ministerial Joint Conference on Network Market Supervision. The overall goals include implementing the E-commerce Law, standardising e-commerce entities’ qualifications and implementing e-commerce operator responsibilities. The special action will crack down strongly on prominent problems in the online market with a view to maintaining a good network market order.

3. Anhui authorities crack down on violations of consumer personal information

On 13 June 2019, Anhui’s Administration for Market Regulation announced that it would carry out a special action to protect consumers and crack down on violations of consumer personal information. This action is aimed at protecting the legitimate rights and interests of consumers in the province and creating a safe and secure consumer environment.

4. The Ministry of Public Security reported typical cases from the “2019 Clean Network” Special Action

On 13 June 2019, the Ministry of Public Security revealed the typical cases found during the “2019 Clean Network” Special Action. It was reported that the Public Security Departments of Beijing, Zhejiang and Fujian had successfully countered a criminal gang that used illegal software to seize public resources of a hospital and given early warning of hundreds of violent criminal cases. It was also reported that authorities had successfully destroyed an illegal “fourth party payment” platform that provided payment channels for online gambling groups.

5. First fine levied in Zhejiang province under Cybersecurity Law for violations of personal information

On 3 June 2019, a woman from Cangnan was fined 100,000 Yuan by the Cangnan police for violating the Cybersecurity Law, the first case of its kind in Zhejiang province. The woman illegally obtained and infringed others’ personal information by purchasing more than 1000 registered Tencent accounts.

Industry developments

1. Sixth batch of 520 websites publicised contact details for reporting illegal internet information

On 24 June 2019, the Internet Information Reporting Centre organised 520 websites to publicise the contact details for reporting illegal internet information on these websites. After publication, the Reporting Centre will supervise and inspect the websites’ reporting work, further strengthen the accountability of the websites, ensure reporting channels operate smoothly and promptly accept netizen reports in order to effectively protect the rights of netizens and promote and build shared cyberspace governance.

2. Beijing News reporters found excessive personal information permissions in 24 out of 50 common applications

From 10 to 17 June 2019, reporters from the Beijing News selected 50 commonly used applications based on criteria set out in the App Specification issued by the National Information Security Standardization Technical Committee, and measured the permissions requested and the scope of information collection. The reporters found that requests by 24 out of 50 applications exceeded the scope set in the App Specification. For example, Zhilian requested authorisation to access the camera, location and address book, and Baihe requested authorisation to access the address book.

3. Shanghai Jiao Tong University responded within 24 hours to 8.4 TB email data leak

On 10 June 2019, according to an article quoted by foreign media ZDNet, a Shanghai Jiao Tong University database leaked 8.4 TB of email metadata due to improperly configured public access rights. Shanghai Jiao Tong University received notification one day after the leak was discovered, and the leak was repaired within 24 hours.