This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Key Highlights

On 7 July, the Cyberspace Administration of China (“CAC”) released the Measures of Security Assessment for Data Export (the “Measures”), which will take effect on 1 September 2022. Data processors are allowed six months to complete any rectification required for compliance with the Measures. Despite the ambiguities and issues that could prove to be problematic in implementation, the security assessment has now become an enforceable requirement for certain data processors in China. With the tight timeframe for compliance with the Measures, data processors should start to take actions immediately. We have given our recommendations in our article.

On 21 July, the CAC issued its penalty decision to Didi Global Inc. (“Didi”) after over 12 months’ investigation since it launched a cybersecurity review over Didi and two other companies last July (for our comments on the cybersecurity review regime, please click here). The penalties include a fine of RMB 8.026 billion on Didi and a fine of RMB 1 million on each of the Chairman and CEO. The penalty decision shows the determination of the CAC to enforce the data protection and cybersecurity laws.

It is the first major enforcement case since the enactment of the Data Security Law and the Personal Information Protection Law (the “PIPL”) last year. It also marks one of the first cases where the CAC launched the cybersecurity review and may also be the first case that hits the maximum fines allowed under the PIPL since the law came into force. Moreover, the fact that the penalty was imposed on a non-China entity appears to suggest that the CAC applied the laws via the extra-territorial effect and also gives rise to the speculation that the CAC calculated the fine based on the group turnover and took into account the Chinese entities controlled by Didi using the “variable interest entity” structure.

The decision to launch cybersecurity review on Didi last year has prompted over twenty Chinese companies to apply to the CAC for cybersecurity review before they launch their IPOs overseas. Didi also announced delisting from the New York Stock Exchange in May this year. To date, the rectification actions ordered by the CAC have not been completed.

Our Views

China Released Measures of Security Assessment for Data Export: dust settled?

Legislative Developments

1. CAC issued Measures of Security Assessment for Data Export

On 7 July, the CAC issued the Measures of Security Assessment for Data Export (the “Measures”), which will take effect soon on 1 September 2022. The Measures include specific provisions on the definition of data export, scenarios subject to security assessment for data export, main contents of the security assessment, procedures of the security assessment and responsibilities of the competent authorities.

2. Standing Committee of NPC: Specific regulations related to Personal Information Protection Law, such as security assessment of personal information export, are being formulated

On 28 July, the Publicity Department of the Central Committee of the Communist Party of China held a series of press conferences themed “China in the Past Decade” to introduce the country’s historic achievements in promoting the rule of law. Xu Anbiao, a member of the Standing Committee of the National People’s Congress (NPC) and the deputy director of the Legislative Affairs Commission, stressed at the conference that the relevant authorities have already issued or are working on formulating specific regulations related to the Personal Information Protection Law, such as the management of image capturing in public spaces, the management of personal information security and the security assessment of personal information export.

3. State Council released 2022 Legislative Work Plan, covering proposed Regulations on Network Protection of Minors and Network Data Security Management

On 14 July, the State Council released the Legislative Work Plan of the State Council for the Year 2022 (the “Legislative Plan”). According to the Legislative Plan, there are 16 laws to be submitted and 26 laws to be prepared to be submitted to the Standing Committee of NPC for deliberation. In addition, there are 16 administrative regulations proposed to be enacted or amended and 11 administrative regulations to be prepared to be enacted or amended. In terms of legislation on cybersecurity, data protection and personal information protection, the Legislative Plan explicitly mentions relevant plans for the Regulation on the Network Protection of Minors and the Regulation on Network Data Security Management.

4. SAMR and another two departments issued Implementation Opinions on Carrying out Cybersecurity Services Certification (Draft for Comments)

On 21 July, the State Administration for Market Regulation (SAMR), together with the CAC and the Ministry of Public Security (MPS), issued the Implementation Opinions on Carrying out the Cybersecurity Services Certification (Draft for Comments) (the “Implementation Opinions”) for public comments. According to the Implementation Opinions, a certification directory for cybersecurity services will be created and when necessary, adjusted and a cybersecurity services certification technical committee will be set up. In addition, the Implementation Opinions note that cybersecurity certification services should possess the expertise to engage in cybersecurity service certification activities and should be established in accordance with the law subject to approval by SAMR with the consent of the CAC and the MPS.

5. CBIRC to strengthen security of credit card transactions and protection of personal information

On 7 July, the China Banking and Insurance Regulatory Commission (CBIRC) and the People’s Bank of China issued the Notice on Further Promoting the Standardized and Sound Development of Credit Card Business (the “Notice”). The Notice comprehensively regulates the credit card business and requires banking institutions to strictly enforce the legal and regulatory requirements of data security and personal information protection in all aspects of the credit card business.

6. Recommended National Standard of Information Technology - Security Techniques - Code of Practice for Protection of Personal Information in Public Clouds was approved and issued

On 11 July, SAMR and the Standardization Administration of China issued the No. 8 of 2022 National Standards Announcement of the People’s Republic of China, which includes the national standard of Information Technology - Security Techniques - Code of Practice for Protection of Personal Information in Public Clouds (the “Code of Practice”). The Code of Practice falls under the supervision of the National Information Security Standardization Technical Committee and will come into effect on 1 February 2023.

7. Xiamen issued its Data Regulation of Special Economic Zone (Draft) for public comments

On 12 July, the Standing Committee of the People’s Congress of Xiamen issued the Data Regulation of the Xiamen Special Economic Zone (Draft) (the “Regulations”) for public comments. The Regulations stipulate the rules for accessing, sharing and disclosing public data resources, the rules for data asset assessment, statistics accounting and trading in the data element market, the data security protection obligations of data processors, the assessment, alerting and inspection of data security risks, the applications and development of the digital industry as well as the relevant legal responsibilities.

8. Shanghai issued Implementation Measures for Management of Data Trading Venues (Draft for Comments)

On 6 July, the Shanghai Municipal Commission of Economy and Informatization issued the Shanghai Implementation Measures for the Management of Data Trading Venues (Draft for Comments) (the “Implementation Measures”) for public comments. The Implementation Measures will serve as the underlying guideline for the operation of the Shanghai Data Exchange, which opened on 25 November 2021. The Implementation Measures consist of five chapters including 29 articles and help to clarify the concepts of data, data trading, data trading venues and data trading service providers. More specifically, it sets out the procedures and requirements for the establishment, alteration and termination of data trading venues, the basic requirements for services, management, capital settlement and prohibitions in the operation of data trading venues, as well as the supervisory responsibilities, methods and measures of the competent authorities in relation to data trading venues.

Enforcement Developments

1. CAC fined Didi 8.026 billion CNY

On 21 July, the CAC issued a news release stating that Didi Global Inc. (“Didi”) had violated China’s Cybersecurity Law, Data Security Law and Personal Information Protection Law. The CAC said that the facts of the violations are clear, the evidence is conclusive, the circumstances are serious and the nature is vile. Therefore, the cybersecurity regulator decided to impose a fine of 8.026 billion CNY on Didi and a personal fine of 1 million CNY each on Didi’s Chairman and CEO Cheng Wei and President Liu Qing.

Didi was found to have committed 16 law violations covering eight aspects: (1) the illegal collection of screenshot information from users’ phone albums; (2) the excessive collection of users’ clipboard and App list information; (3) the excessive collection of passengers’ information about facial recognition, age, job, family relationships and hailing address; (4) the excessive collection of precise location (latitude and longitude) information; (5) the excessive collection of drivers’ education information and the storage of drivers’ unredacted ID number information; (6) the analysis of passengers’ travel intentions, city of residence and non-local business/travel information without clearly informing the passengers; (7) frequently request of irrelevant “phone call permissions” when offering ride-hailing service; and (8) failure to accurately and clearly explain the purpose of processing 19 types of personal information such as users’ device information.

In addition, the CAC said that a previous cybersecurity review also found that Didi had engaged in data processing activities that seriously affected national security and violated other laws and regulations such as refusing to comply with explicit requests from the regulators and intentionally evading supervision.

2. MPS reported 3 administrative punishment cases under Personal Information Protection Law

On 29 July, the Cybersecurity Bureau of MPS reported 3 administrative punishment cases conducted by the Jiangsu Provincial Public Security Bureau in relation to personal information protection. The cases involved the collection of users’ personal information for genetic testing applications, the capturing of facial photo information by high-definition cameras at sales offices and the collection of members’ personal information by delivery and courier Apps. According to the report, since the start of this year, the Jiangsu Provincial Public Security Bureau has handled a total of 1,072 administrative cases on network violations such as “failure to fulfil the obligation to protect personal information”.

3. Higher People's Court of Zhejiang Province listed 10 typical cases on citizens’ personal information infringement

On 4 July, the Higher People's Court of Zhejiang Province listed 10 typical cases on citizens’ personal information infringement, which were selected from relevant cases concluded by the courts in the province in recent years. The 10 cases involved a variety of crimes such as stealing personal information using web crawlers, illegally selling property owners’ personal information and illegally obtaining and selling students’ education information.

4. Hangzhou Internet Court: Users should first claim their rights from the platform in case of personal information breaches before bringing the case to court

It was reported on 12 July that the Hangzhou Internet Court, in a ruling on a personal information protection dispute, clarified that to determine whether a personal information claim meets the admissibility criteria, the court shall take into account the following factors: (1) whether the personal information processor has established a mechanism for accepting and processing requests from individuals to exercise their personal information rights; (2) whether the personal information subject has submitted a request to the personal information processor and the personal information processor has refused the request.

5. Court in Guangdong ruled its first civil public interest litigation case on personal information protection involving facial recognition

On 11 July, the Guangzhou Internet Court issued its ruling on Guangdong’s first civil public interest litigation case on personal information protection involving facial recognition. The 4 defendants in the case were found to have illegally bought and sold sensitive personal information such as high-definition ID card photos and numbers and sold dynamic facial recognition videos generated from photos for profit. The Court ruled that the 4 defendants should immediately stop the infringement, pay public interest damages, make public apologies and compensate for the damage by their conduct.

6. Company in Guangzhou was punished by police for failing to fulfil its data security protection obligations

On 26 July, the Guangzhou Municipal Public Security Bureau reported that a technology company in Guangzhou was fined 50,000 CNY in an administrative case for data security breaches. The company failed to fulfil its data security protection obligations in relation to an App system developed by it, resulting in security loopholes exploited by attacks and putting 10 million pieces of citizens’ personal information at risk. This is among the first batch of cases in which the Data Security Law was applied by the police in the province.

7. Chongqing issued first “pre-litigation preservation” ruling on personal information in public interest litigation

It was reported on 19 July that the First Intermediate People’s Court of Chongqing Municipality recently issued a special decision for a public interest protection case upon the request of the First Branch of the People's Procuratorate of Chongqing Municipality. The ruling demanded the assistance of the Chongqing Branch of China Unicom to immediately freeze more than 1,200 Unicom mobile phone numbers that were being used illegally. Since the Personal Information Protection Law came into force last November, this is the first reported civil public interest litigation case on personal information brought by the Chongqing procuratorial authority acting as public interest litigants on behalf of public interest in the field of personal information rights and the first “pre-litigation preservation” ruling in relation to personal information enforced upon the suggestions from the Chongqing municipal procuratorate.

8. Ningbo police cracked a major case on citizen personal information infringement

It was reported on 25 July that the Ningbo municipal police recently solved a major case on citizen personal information infringement. The criminal gang concerned was found to have planted “Trojan horses” in more than 100 e-commerce cloud warehouses and illegally obtained more than 5 million pieces of express waybill data. involving an aggregate amount of 30 million CNY. The Ningbo municipal police have arrested 37 people of the criminal gang in 21 cities in 10 provinces including Guangdong and Chongqing, impounded 38 computers and 52 mobile phones as tools for committing the crimes and seized three Trojan horse programmes.

9. CVERC detected 15 illegal mobile Apps

It was reported on 6 July that the National Computer Virus Emergency Response Centre (CVERC) recently detected through Internet monitoring 15 mobile Apps that were not compliant with privacy regulations. The problematic Apps were found to have excessively collected privacy personal information.

10. CVERC detected 17 illegal mobile Apps

It was reported on 29 July that CVERC recently detected through Internet monitoring 17 mobile Apps that were not compliant with privacy regulations. The problematic Apps were found to have excessively collected personal private information.

11. Shanghai launches Cybersecurity and Data Security Inspection for the Telecom and Internet Industry

On 7 July, the Shanghai Communications Administration decided to launch the 2022 Cybersecurity and Data Security Inspection for the Telecom and Internet Industry. The inspection targets public network information services such as basic telecommunication enterprises, Internet enterprises and domain name registrars. The inspection focuses on the critical information infrastructure, important network units and information systems of relevant network operating entities

12. Anhui Province launches Cybersecurity and Data Security Inspection for the Telecom and Internet Industry

On 18 July, the Anhui Communications Administration decided to launch the 2022 Cybersecurity and Data Security Inspection for the Telecom and Internet Industry. The inspection targets all types of enterprises providing communication and Internet services to the public in Anhui Province. The inspection focuses on the grading and filing of communication network units, vulnerabilities and other risks, data security protection, personal information protection and cybersecurity protection of industrial Internet enterprises.

13. Shanghai Communications Administration reported 26 illegal mobile Apps

On 26 July, the Shanghai Communications Administration issued the first list of problematic Apps in 2022 after engaging a third-party testing agency to inspect the Apps in Shanghai for infringement of users’ rights. The inspection found that 51 Apps were involved in “illegal collection of personal information”, “illegal use of personal information” and “mandatory, frequent and excessive requests for permissions”. Until now, there are still 26 Apps that have not completed the rectification.

14. Anhui Communications Administration reported 13 illegal mobile Apps

On 5 July, the Anhui Communications Administration announced that it had recently conducted an inspection of Apps in Anhui Province and found 26 Apps illegally collected and used personal information. Until now, there are still 13 Apps that have not completed the rectification.

15. Hainan Provincial CAC summoned the operators of 3 illegal mobile Apps

On 28 July, the Hainan Provincial CAC reported 3 APPs that have yet to rectify their problems after being warned by the cybersecurity regulator. The Apps concerned include “All-round Cleaning Housekeeper”, “Salad Russian” and “Morning and Evening Weather” and have been removed from App stores across the Internet. At the same time, the Hainan Provincial CAC summoned the persons in charge of these Apps according to the law.

16. China Merchants Securities was “double punished” by CSRC for cybersecurity incident

On 12 July, the China Securities Regulatory Commission (CSRC) decided to take the administrative measure of issuing warning letters to China Merchants Securities and the relevant responsible persons and required it to carry out comprehensive rectification. China Merchants Securities were found to have violated the relevant regulations in a cyber security incident where the design and upgrade of the information system were not fully validated and tested and the upgrade rollback plan was not sound and complete. This is the first time CSRC imposes “double punishment” on a securities firm for a cybersecurity incident.

17. Bank of Chengdu was fined 1.946 million CNY for violations of credit information security and financial consumer protection regulations

On 15 July, the Bank of Chengdu was warned and fined 1.946 million CNY by the People's Bank of China Chengdu Branch for violations that come in 8 types, including infringing on consumers’ personal information rights, failing to perform its obligations under the regulations to identify customers and violating the regulations on credit information security management and reporting.

Industry Developments

1. The National Cultural Big Data Trading Center started to recruit and contract with market participants

On 18 July, the National Cultural Big Data Trading Center (Data Supermarket) established by the Shenzhen Cultural Assets and Equity Exchange started to recruit and contract with market participants for the trial operation period. The National Cultural Big Data Trading Center is a unified underlying technology platform to trade cultural resources data and cultural digital content. It is expected to play a leading role in navigating the development of digital assets markets, especially the cultural digital collectibles marketplaces in China.

2. 2022 Beijing Cybersecurity Conference kicked off in Beijing

On 13 July, the 2022 Beijing Cybersecurity Conference was held in Beijing. The conference consisted of the Security Strategy Summit and the Beijing Winter Olympics “Zero Accident” Dialogue, in which renowned cybersecurity experts, academicians, Olympic technical directors and Olympic sponsors from China and abroad exchanged their views on topics including global cyberspace security, the “zero accident” experience of the Beijing Winter Olympics and informatization and cybersecurity of sports events.