Key highlights – our comments on the cybersecurity probe into DiDi and the draft of the revised Measures on Cybersecurity Review

In early July, the Cyberspace Administration of China (CAC) announced that it had initiated cybersecurity review on three companies, namely DiDi, Boss Zhipin and Full Truck Alliance, and during the review the three companies are not permitted to register new users in order to “prevent spreading of risks”. In addition, the CAC also orders application stores to remove DiDi’s application due to “serious violations in collecting and using personal information”. Notably, all of the three companies were listed in the United States in June 2021.

There are very few details available to the public about the proposed cybersecurity review except for the fact that it has been initiated. The cybersecurity review is one of measures contemplated under the Cybersecurity Law (CSL) in order to ensure supply chain security of the critical information infrastructure (CII) through a review of the procurement of network product and services that may impact national security. One of the reasons why it had not been invoked till recently is that the scope of CII has not been identified. Although the CSL requires the State Council to publish regulations on the protection of CII, the CAC only released a draft regulation in July 2017. The guidance on identifying CII as contemplated in the draft regulation has never been published. Without knowing whether the information facilities are considered CII, it is almost impossible put the security review and all the other relevant CII protection measures into practice. The State Council seems to have been aware of this, and has included the regulation on CII protection in their legislative agenda for 2019, 2020 and 2021. We hope this regulation will finally be published this year.

In the absence of CII identification guidance, the first question here is how DiDi is identified as an operator of CII. Although it might meet the criteria set out in the general definition of CII under the CSL, we expect that at least a identification procedure should be followed to justify the decision, and it is unclear whether DiDi was aware of the fact that it was considered a CII operator before the decision for cybersecurity review was made.

Another question is which network product or service procured by DiDi has impacted national security. There is no indication in the announcement by the CAC, and it remains to be seen how the CAC will interpret and assess the procurement on national security.

There are also questions on the enforcement measures. The regulation on cybersecurity review does not empower CAC to take any enforcement measures alongside the initiation of the review. In terms of penalties, the CSL only permit the authority to order the CII Operator to cease using the relevant network products or services, and to impose a fine of up to 10 times of the purchase amount on the CII operator and a fine of up to RMB 100,000 on the persons responsible, if the CII operators use the unauthorised products or services. The CSL provision also allow the authorities to require network operators to take technical or other necessary measures to prevent contain harm in the event of a cybersecurity incident. In this case, DiDi has been ordered to stop registering new users, and the CAC may rely on such provision to take the measures, although the announcement does not mention that a cybersecurity has occurred.

As the Data Security Law (DSL) is not enforceable yet, CAC is not able to invoke any measures provided thereunder if there is any allegation concerning DiDi’s data (especially important data) processing activities. The national security review regime proposed under the DSL is even further from becoming enforceable. The CAC does not specify the data protection laws and regulations pursuant to which it ordered the removal of DiDi application from application store. Considering that the Personal Information Protection Law (PIPL) is yet to be enacted, it is likely that the decision is based on the CSL and the relevant regulations on processing of personal information by mobile applications.

As discussed, the factual basis for CAC’s decisions remains unclear. It is worth pointing out that at this point, there is still a very limited number of enforceable laws and regulations in cybersecurity and data protection that the authority can actually rely on for their enforcement actions. The CSL and the cybersecurity review regulation are the most readily available from an enforcement perspective at this point.

CAC seems to have realized the inadequacy of the current regulations. On 10 July 2021, the CAC released a draft of the revised Measures on Cybersecurity Review for public consultation. Notably, the revised draft has extended the scope of cybersecurity review to cover data processing activities of data processors that may impact national security. The extension is apparently intended to implement the national security review on data processing activities as contemplated under the DSL.

The revised draft has special focus on listing of companies outside China that process core data, important data and large amount of personal information. Any operator that processes personal information of over 1 million users must apply to the CAC for cybersecurity review before the operator is listed outside China. The CAC will assess the risks of CII, core data, important data or personal data being “influenced, controlled or maliciously used” by foreign governments if an operator is listed outside of China. The revised draft also includes China Securities Regulatory Commission (CSRC) as one of the ministries responsible for the review.

The revised draft is apparently targeted at companies, such as DiDi, which have launched or going to launch their initial publish offering outside China and at the same time process a large amount of personal information, important data or even core data within China. One critical question is that if the listing of a company is considered to have impacted national security after review what actions the CAC and CSRC will take, e.g. whether the company will be order to delist. For the companies that plan to be listed outside China, the cybersecurity review will bring great uncertainty to their listing process and could potentially affect their decision as to the place of listing.

An interesting point is whether a listing in Hong Kong will be subject to the cybersecurity review. The revised draft uses the term “listing outside China”, instead of the traditional expression of “overseas listing” used in the context of securities laws which usually includes Hong Kong listings. It is unclear whether this indicates that Hong Kong listings are excluded from the scope of review, and CAC should clarify this point in their final draft.

Data processing and cybersecurity compliance are now under closer scrutiny by the government. Although there are still questions surrounding the decisions on Didi, and the revised Measures on Cybersecurity Review is still in a draft, no doubt companies, especially the technology companies, should pay more attention to their compliance with data and cybersecurity laws, in anticipation of the upcoming DSL, PIPL and the implementing regulations. Companies that process important data or sizable amount of personal information or operate CII should particular heed the regulations and actions of CAC.

Our views

If you would like to know more about the cybersecurity review, please click below link to read our previous article on the Measures on Cybersecurity Review published in June 2020.

New regulation strengthens cyber supply chain security in China

If you would like to know more about the newly-enacted Data Security Law, please click below link to read our comments.

What to know about China’s Data Security Law

Regulatory developments

1.Data Security Law promulgated, and will come into effect on 1 September

On 10 June 2021, the Standing Committee of the 13th National People’s Congress voted through the Data Security Law after a third reading, which will become enforceable from 1 September 2021. Compared with the second draft, key changes in the final version are: (i) the commission will establish a coordination mechanism for national data security (Mechanism), and the Mechanism will coordinate relevant ministries to draft the catalogue of important data and strengthen the acquisition, analysis, research and early warning of risk information; (ii) a new concept of “core data” of the state is introduced, which is defined as data relevant to national security, national economic lifeblood, important livelihood of people and significant public interest. Core data will be subject to an even more rigorous protection regime; (iii) personal information processing activities shall comply with Data Security Law as well as relevant laws and regulations

2. Notice on Strengthening the Network Security of Vehicle Networking was released for public consultation

On 22 June, the Ministry of Industry and Information Technology (“MIIT”) issued the Notice on Strengthening the Network Security of Vehicle Networking for public consultation. This Notice consists of four aspects: strengthening the network security protection of the vehicle networking, strengthening the security protection of the platform, ensuring data security, and strengthening security vulnerability management. It aims to guide basic telecommunications enterprises, intelligent connected vehicle operation enterprises, and intelligent connected vehicle production enterprises to strengthen the network security management of the vehicle networking (intelligent connected vehicle), accelerate the improvement of the ability of guaranteeing cybersecurity, and promote the healthy development of the vehicle networking industry.

3. Notice on Strengthening the Management of Name Registration of Vehicle Networking Cards was released for public consultation

On 11 June, MIIT issued the Notice on Strengthening the Management of Name Registration of Vehicle Networking Card for public consultation. According to this Notice, the MIIT is responsible for the organization, management and overall promotion of nationwide name registration of vehicle networking cards. Vehicle enterprises are responsible for the name registration of the vehicle networking cards of vehicles produced and sold by them pursuant to the relevant requirements of the competent authorities. The Vehicle enterprises shall establish strict management systems for the purchase, use and name registration of the vehicle networking cards, build name registration management platforms of vehicle networking cards, and improve the user information protection system. This notice also provides that telecom enterprises should strengthen the management of basic resources of vehicle networking cards.

4. Vehicles Networking Security Standard System Construction Guide was released for public consultation

On 21 June, MIIT issued the Vehicles Networking Security Standard System Construction Guide for public consultation. This Guide points out that efforts should be made to build the cybersecurity standard system of the vehicles networking, so as to provide support for the safe and sustainable development of the vehicles networking industry. By the end of 2023, basic network security standard system of the vehicles networking shall be built, and by 2025, a relatively complete network security standard system of the vehicles networking shall form. This Guide elaborates the construction ideas, construction contents and implementation scheme of the network security standard system of the vehicles networking.

5. “Internet Medical and Health Information Security Management Regulations (Draft for Comments)” was released for public consultation

On 4 June, the Statistic and Information Centre of the National Health Commission issued the “Internet Medical and Health Information Security Management Specification (Draft for Comments)”, an industry standard, for public consultation. It specifies the regulations and security requirements for the overall framework of information security management of Internet medical and health, management of information security related party, management of information security process, management of information security data, management of information security technology, and management of information security organization, and it is applicable to information security management in Internet medical and health activities carried out by organizations and individuals in China.

6. Basic Requirements for Multi-level Protection of Cybersecurity in Radio and Television was released

On 21 June, the Science and Technology Department of the National Radio and Television Administration released the Basic Requirements for Multi-level Protection of Cybersecurity in Radio and Television, which has been reviewed and approved by the National Radio, Film and Television Standardization Technical Committee. Basic Requirements for Multi-level Protection of Cybersecurity in Radio and Television was formulated by the relevant entities organized by the National Radio and Television Administration, which stipulates the general requirements and extended requirements for the security of objects from the first level to the fourth level of classified protection objects in radio and television network security and the requirements for security expansion.

7. Ministries published Opinions on Several Issues Concerning the Application of Law in Handling Criminal Cases Such as Telecommunications and Network Fraud

On 17 June, the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security issued Opinions on Several Issues Concerning the Application of Law in Handling Criminal Cases Such as Telecommunications and Network Fraud (“Opinions”). The Opinions clearly stipulate the identification of the crime location of telecommunications and network fraud, the situation of trying the cases together, illegal possession of credit cards, the crime of fraud, the crime of infringing on citizens’ personal information, and the crime of forging identity documents, which are conducive to further clarification of legal standards, and severely punishing telecommunication network and fraud crimes in accordance with the law.

Enforcement developments

1. Cyberspace Administration of China reported that 129 apps collected and used personal information illegally

On 11 June, Cyberspace Administration of China (“CAC”) reported 129 apps widely used by the public, including Keep, Joyrun, Xiaomi Sports, Jinri Toutiao, Tencent News, Nike, Zhenai.com, etc., covering the field of sports, news information, webcast, app store, and women’s health. These apps collected personal information unrelated to the services, violating the necessity principle and the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, collect and use personal information without the users’ consent, and do not provide the function of deleting and correcting personal information and the channels for filing complaints.

On June 8, MIIT issued a notification of apps that violate users’ rights and interests (the fifth batch in 2021, the 14th batch in total). Previously, MIIT organized a third-party inspection agency to inspect mobile apps, requiring relevant companies to make rectifications. 291 apps had not finished the rectification until June 8, and there were problems like illegal collection of personal information in these apps. These APPs should complete the rectification and implementation work before June 16. If rectification is not finished within the time limit, MIIT will take disposal measures in accordance with laws and regulations.

3. Four ministries of Beijing jointly carry out the special treatment of App cybersecurity in 2021

On 12 June, the Beijing branch of CAC, Beijing Public Security Bureau, Beijing Market Supervision Bureau, and Beijing Communications Administration issued a notice on the launch of special governance of app cybersecurity in Beijing in 2021, and decided to carry out a special governance action on the illegal collection and use of personal information of apps in the city from the date of issuing the notice to November, requiring app operators to collect and use personal information in accordance with laws and regulations, be responsible for the security of the collected personal information, and take effective measures to strengthen personal information protection. This special action is based on the Cyber Security Law, Notice on Issuing the Methods for Identifying the Collection and Use of Personal Information in Violations of App Laws and Regulations, Notice on Issuing the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Apps, etc., to provide in-depth control of the illegal collection and use of personal information by App operators.

4. Four ministries of Zhejiang Province jointly launched a special treatment for the illegal collection and use of personal information by App in 2021

On 1 June, Zhejiang Cyberspace Administration Office, Zhejiang Public Security Department, Zhejiang Market Supervision Bureau, and Zhejiang Communications Administration issued an announcement on the jointly launch of a special treatment for illegal collection and use of personal information by apps from June to December in 2021. This special treatment focuses on apps that have a large number of users, are closely related to people’s lives, or are complained by citizens. Relevant departments will carry out specific rectification for apps that have hidden security hazards such as illegal collection and use of personal information and causing personal information leakage.

5. MIIT and the Ministry of Public Security issued a notice on the rectification of fraudulent phone cards, Internet of Things cards, and associated Internet accounts

On 2 June, MIIT and the Ministry of Public Security issued a notice on clearing and rectifying fraudulent phone cards, Internet of Things cards, and associated Internet accounts, requiring people who illegally handle, rent, sell, buy, and hoard of phone cards and Internet of Things cards and relative person of Internet accounts, as of the date of this notice, to stop related activities, and cancel related phone cards, Internet of Things cards, and related Internet accounts before the end of June 2021. Relevant departments will fight against illegal handling, renting, and selling, buying and hoarding phone cards, Internet of Things cards, and associated Internet accounts in accordance with the law.

Industry developments

1. The pilot work for identity authentication and security trust in vehicles networking was launched

On 8 June, the General Office of MIIT issued a notice on launching a pilot program for identity authentication and security trust in vehicles networking. The pilot direction consists of four aspects: vehicle-to-cloud safe communication, vehicle-to-vehicle safe communication, vehicle-to-road safe communication, and vehicle-to-device safety communication. Basic telecommunications companies, Internet companies, automobile manufacturers, electronic parts companies and other entities can apply for pilot projects for Internet of vehicles networking authentication and security trust. MIIT will select projects that fulfil the requirements of carrying out the pilot work. The pilot entities should take the key responsibilities of cybersecurity, improve the corporate cybersecurity management system, and implement cybersecurity protection requirements.

2. E-commerce platform enterprises undertake to strictly implement relevant requirements for spam message governance

On 11 June, the Information and Communications Administration Bureau of the Ministry of Industry and Information Technology held an administrative guidance meeting, at which the Ministry of Industry and Information Technology warned e-commerce platform enterprises to standardize the sending of short messages in marketing and strengthen industry self-discipline. Alibaba, JD, PDD and other major e-commerce platform enterprises have made a solemn commitment to strictly implement the relevant requirements on garbage information control, conduct comprehensive self-inspection and self-correction, improve the management system, optimize user services, ensure the achievement of tangible results in a short time, and constantly enhance the sense of gain, happiness and security of the vast majority of users.

International developments

1. Biden Signed Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries

On 9 June, President Biden signed Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries, repealing and superseding three executive orders aimed at prohibiting transactions with TikTok, WeChat, and eight other communications and finance-technology software applications. The decision mainly includes the following three aspects: enabling the United States to take strong measures to protect sensitive data of the United States; developing standards for identifying software applications that may pose unacceptable risks, and further developing plans to protect sensitive personal data against potential threats posed by certain connected software applications.

On 18 June, EDPB and EDPS issued a Joint Opinion on the proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (Artificial Intelligence Act). (Artificial Intelligence Act) In the Joint Opinion, EDPB and EDPS issued a call for a total ban on the use of AI in public places to automatically recognize human features, such as faces, but also on other biological or behavioral signals such as gait, fingerprints, DNA, and voice.

3. Version 2.0 issued by EDPB on “Supplemental Measures” Guide to Standard Conditions of Contract

On 18 June, EDPB updated the Supplemental Measures Guide to the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation published on June 4 as a follow-up to the Schrems II decision of the European Court of Justice. It provides a number of steps to be followed, potential sources of information, and examples of supplemental measures that could be implemented to assist senders in the complex task of assessing third countries.

4. Recognition by the EU of the UK Data Protection Rules

On 28 June, the EU recognized that Britain’s privacy rules are commensurate with EU rules, a key step that will allow the flow of data between the EU and the UK to continue after Brexit. Meanwhile, the EU added a “sunset clause” to set a four-year term for the decision. If during this period, the UK has major differences with the EU on data standards, the European Commission may intervene.

5. HiQ’s Grabbing of LinkedIn User Information Case Requested A New Trial

On 14 June, the US Supreme Court asked the lower courts to review the case regarding the grabbing of LinkedIn User Information by hiQ. An earlier decision held that LinkedIn should not prohibit competitor hiQ Labs from collecting personal information from LinkedIn users’ public personal information. LinkedIn believes that the use of “robots” for large-scale grabbing of personal information would pose a serious threat to user privacy. Rival hiQ Labs argues that it does not sell user information and that LinkedIn’s lawsuit is aimed at monopolizing public data, hurting the openness and innovation of the Internet. Although hiQ Labs does not sell user information captured, for LinkedIn, the “user privacy risk” associated with data being captured by various crawler tools does exist. In April, it was reported that the archive of data captured from 500 million LinkedIn resumes was sold on a hacker forum.

6. Google plans to remove the third cookie by the end of 2023

On 25 June (Thursday, local US time), Google announced that its Chrome Internet browser would stop supporting a user-tracking technology called third-party cookies by the end of 2023, nearly two years after its original time frame for early 2022. Under pressure from privacy regulators and advocates, Google had previously announced that it would remove cookies, which many companies in the advertising industry use to track individuals and target ads. Google said the delay would give publishers, the advertising industry and regulators more time to familiarize themselves with the new technology it is developing and testing to continue to target ads after cookies exit.