October has seen new data protection regulations issued by the health and securities authorities with an impact on companies in relevant sectors. National laws on personal information protection and data security are formally included in the legislative plan, which would provide for a comprehensive framework of mandatory data protection obligations in a few years' time. The Ministry of Public Security also set out in its latest regulation the powers of cyber police in inspecting Internet security and the procedures to follow in enforcement actions.

In light of this tightening and increasingly complex regulatory landscape, it is essential to start to assess and update their data protection and cyber security strategies. Implementing preventative compliance measures now will put companies and their Boards in a much stronger and more confident position when mandatory obligations are enforced. In this ebulletin, we outline the changes coming around the corner.

In this briefing we summarise recent updates relating to cybersecurity and data protection in China to give you guidance on, and a comprehensive understanding of, these developments. We focus on three areas: regulatory developments, enforcement developments and industry developments.

Regulatory developments

On 11 September 2018, the Executive Council of Macau completed its discussion on a new Cyber Security Law which is expected to come into effect 180 day after its publication. The new law applies to key infrastructure operators including public departments, institutions and entities, and private entities engaged in transportation, telecommunication, bank and insurance, medication and healthcare and hydropower supply. The law sets out obligations applicable to different aspects and phases of data protection. Under the draft law, penalties of between 50 thousand to 5 million Macau Pataca are proposed for cybersecurity violations.

Second quarter network security threat analysis and work review of 2018 released

On 4 September 2018, China’s Ministry of Industry and Information Technology (MIIT) released its network security threat analysis for the second quarter and a work review of 2018.

According to the report, in the second quarter of this year, a total of 18.41 million cybersecurity threats were identified, of which about 16.83 million were identified by telecommunication infrastructure companies, 30,000 were identified by network security professional organizations and around 1.55 million were identified by the major internet companies, domain name management institutions and network security enterprises.

The report notes some upcoming developments including the release of standards for industrial network security systems, the implementation of pilot security projects and the promotion of best practices.

New provisions relating to trials by Internet Courts took effect on 7 September 2018

China’s Supreme People’s Court has passed provisions relating the trial of cases by Internet Courts which will came into effect on 7 September 2018. The new provisions specify the jurisdiction of the Internet Courts, and refine the online litigation platform mechanism and its relevant procedures (namely for identify confirmation, acceptance of claims, online evidence deposition, online trial and online delivery).

Guiding opinions released on strengthening network security in the power industry

On 21 September 2018, the National Energy Administration issued guiding opinions on strengthening network security in the power industry. These guiding opinions are focused on improving the system of responsibility, as well the supervision and management of the power industry, and further improving levels of security protection.

2018 industry white paper on network security

On 18 September 2018, the China Academy of Information and Communications Technology released an industry white paper on network security which comprehensively analyses the international and domestic development trends in network security. The white paper also looks at future industry developments in network security from six aspects: policy benefits, market focus, service transformation, technological innovation, ecological synergies and talent cultivation.

Feedback sought on model service contract for online trading platforms

On 17 September 2018, the Beijing Municipal Administration of Industry and Commerce released for public comment a draft model service contract for online trading platforms. The contract is mainly for use by online trading platform operators and operators in the platform upon them entering the platform. The contract provides comprehensive provisions on some of the issues that are the cause of controversy between parties with the aim of avoiding or reducing contract disputes.

New regulations on supervision and inspection of internet security issued

On 15 September 2018, the Ministry of Public Security issued new regulations on the supervision and inspection of internet security which will come into force on 1 November 2018. Under the new regulations, public security authorities will have the power to supervise and inspect internet service providers and network users in accordance with specific internet security needs and taking into consideration internet security risks.

Trial national management measures issued concerning the standards, safety and service of health and medical big data

On 15 September 2018, the National Health Commission issued trial national management measures on the standards, safety and service of health and medical big data. Responding to the need for security management of healthcare big data, the measures define the scope of security management, require responsible entities to establish and improve relevant security management systems, operational procedures and technical specifications and to strengthen the construction of safety protection systems.

Proposed Personal Information Protection Law and Data Security Law included in the 13th Standing Committee of the National People’s Congress’s legislative plan

On 7 September 2018, the legislative plan of the 13th Standing Committee of the National People’s Congress was announced. Included among the list of 69 first-class legislative projects which are in a relatively advanced state for consideration during the current term are the Personal Information Protection Law and the Data Security Law. These are expected to profoundly impact the data protection regime in China.

Guidelines issued on classification of data of the securities and futures industries

On 27 September 2018, the China Securities Regulatory Commission issued guidelines, effective immediately, for classification of data of the securities and futures industry. The guidelines help organisations in these industries to effectively identify rational data usage needs and data risks, continually strengthen data security management, establish a sound data management system, take necessary data security protection measures, maintain market security operations, and protect the legitimate rights and interests of investors.

Enforcement developments

The suspect accused of leaking Huazhu hotel’s 500 million personal Information arrested

On 17 September 2018, Huazhu Group issued a notice in the U.S. securities market concerning its investigation of the suspected leaking of Huazhu hotel’s personal data. According to the notice, Huazhu hotel’s personal data was suspected to have been leaked on 28 August 2018. On the same day, Huazhu Group made an official statement to the public and reported the case to the public security agency. The latest information from the public security agency shows that the case has been solved and the suspect who tried to sell the data on the dark internet has been arrested.

On 7 September 2018, the Ministry of Public Security announced ten cases of typical internet crime. These included the illegal intrusion into computer information systems, the sale of information of Zhejiang primary and secondary school students, the use of WeChat reward platforms to disseminate obscene items and organising online gambling.

On 29 September 2018, the Guangdong Higher People’s Court issued a notice to clarify the jurisdiction of the Guangzhou Internet Court. According to the notice, the Guangzhou Internet Court has jurisdiction of over 11 categories of first-instance cases including disputes arising from violations of civil rights such as personal rights and property rights on the internet, and disputes arising from internet service contracts which are signed and performed online.

Regulators meet with 58 Group over platform supervision concerns

On 21 September 2018, the Beijing Municipal Commission of Housing and Urban-Rural Development and the Cyberspace Administration of Beijing interviewed the main responsible person of the 58 Group regarding failings by 58 City, Ganji, and Anjuke to effectively perform their supervision responsibilities which resulted in illegal content appearing on the platform for a long time and to effectively rectify the same. The regulators required the platforms to carry out special rectification immediately and to suspend publishing all information relating to Beijing housing (from 18:00 on 21 September 2018 to 18:00 on 25 September 2018).

Industry developments

On 29 September 2018, a three-day Data Security and Privacy Protection Conference came to an end in Hangzhou. More than 70 experts and scholars from China, the United States, Japan, South Korea and other countries attended. The discussions were focused on policy and legal standards, industry practices, cutting-edge technologies and cross-border data flow policies for data security and privacy protection.

Alibaba releases first implementation guide for data security capacity building

On 29 September 2018, the Alibaba Data Security Research Institute released an implementation guide for data security capacity building, the first in the industry. It provides systematic and specialized guidance with practical solutions for organizations on data security capacity building, covering a wide spectrum of topics including data security structure building, personnel capabilities, system processes, technology tools and domain guides.

On 19 September 2018, the opening ceremony of the 2018 National Cyber Security Promotion Week was held in Chengdu. Top priorities discussed included key information infrastructure protection, implementation of the Cyber Security Law and further establishment and improvements to key information infrastructure protection systems.

Zhejiang’s Internet companies and three major mobile carriers sign Personal Information Protection Proposal with Ali

At the Cyber Security Promotion Week held in Zhejiang province from 17 to 23 September 2018, Zhejiang’s Internet Companies and three major mobile carriers - Zhejiang Telecom, Zhejiang Unicom and Zhejiang Mobile signed up to a personal information protection proposal. The proposal covers six areas including treating user information transparently, protecting user’s control of information, strengthening the self-discipline of enterprises, establishing user information security firewalls, implementing best practices and accepting social supervision.

On 14 September 2018, the Internet Society of China released a form of personal information protection proposal, calling on the industry to pay attention to personal information protection and promote the healthy and orderly development of the industry.

Hong Kong launches the first cyber security information sharing and collaboration platform

On 24 September 2018, Hong Kong officially launched a cyber security information sharing and collaboration platform. The platform is the first cross-industry cyber security information sharing platform in Hong Kong. Platform members can share information with cyber security experts and members from other industries. The public can also obtain alerts and suggestions from experts.