This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. Regulations on the Protection of Minors in Cyberspace published, detailing the obligation of network services providers to safeguard the rights of minors' information

On 24th October, the Regulations on the Protection of Minors in Cyberspace were officially published (the “Regulations”). The Regulations contain detailed and comprehensive provisions on the regulation of network information content, the protection of minors' personal information on networks and the prevention and treatment of minors' internet  addiction. For example, the Regulations require that online games, webcasting and other network service providers should provide an operating model for minors; they also emphasise that network product and service providers should use artificial intelligence, big data and algorithmic models to  strengthen the identification and monitoring of cyberbullying. . The Regulations stipulate that personal information processors should conduct annual compliance audits of their  personal information processing activities regarding minors and report the results of the audits to the Cyberspace Administration of China and other departments.

2. The Ministry of Industry and Information Technology (MIIT) seeks public comments on Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology (for Trial Implementation) (Draft for Comment)

On 9th October, the MIIT issued the Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information (for Trial Implementation) (Draft for Comment), which stipulates that important data and core data processors should complete a data security risk assessment at least once a year (with the results of the assessment being valid for one year), and report or update the assessment report to the industry supervisory authorities within 10 working days of the completion of the assessment. The assessment focuses on whether the purpose, manner and scope of data processing are lawful, legitimate and necessary, as well as the formulation and implementation of data security management systems process and strategies.

3. The Ministry of Industry and Information Technology (MIIT) Released the Measures for the Classified and Graded Management of Industrial Internet Security (Draft for Comment)

On 24th October, the MIIT released the Measures for the Classified and Graded Management of Industrial Internet Security (Draft for Comment), which is open for comments until 22nd November 2023 (the “Measures”). Among other things, the Measures make it clear that industrial Internet enterprises can carry out independent grading, and they need to consider elements such as enterprise scale, business scope, the degree of application of the industrial Internet, the degree of operation of important systems, the degree of mastery of important data, the degree of importance to the development of the industry and industrial chain supply chain security, as well as the impact of the consequences of a cybersecurity incident.

4. Beijing Economic and Information Bureau issued the Beijing Chief Data Officer System Pilot Work Programme, fully implementing the government's chief data officer system

On 18th October, the Beijing Economic and Information Bureau issued the Beijing Chief Data Officer System Pilot Work Programme, selecting 13 pilot units to flexibly set up Chief Data Officers (CDOs) on their own, with the scope of CDO’s responsibilities including promoting the construction of digital government, strengthening data resource management, enhancing guidance and supervision capabilities, improving digital thinking literacy, and promoting the construction of talent teams. At the same time, the Work Programme encourages district-level governments to carry out pilot work in selected subordinate units that can do so, and actively encourages several types of enterprises to set up CDOs.

5. Shanghai Cyberspace Administration issued the Guidelines for Shanghai Website Platforms to Accept and Dispose of Reports of Online Infringement Information Involving Enterprises (Trial Version)

On 19th October, Shanghai Cyberspace Administration issued Guidelines for Shanghai Website Platforms to Accept and Dispose of Reporting of Online Infringement Information Involving Enterprises (Trial Version), which stresses the need to focus on the protection of legitimate rights and interests of enterprises to be listed and the stabilisation of the market value of the enterprises. It focuses on the acceptance and disposal of counterfeit information that confuses the identity information of the enterprise body, leakage information that infringes on the privacy of entrepreneurs, as well as other information that maliciously interferes with the normal operation and development of the enterprise.

6. Guizhou Provincial Meteorological Bureau and Big Data Development Administration issue the Pilot Work Programme for Reform of Market-based Allocation of Meteorological Data in Guizhou Province

On 8th October, the Guizhou Provincial Meteorological Bureau and the Big Data Development Administration issued the Pilot Work Programme for Reform of Market-based Allocation of Meteorological Data in Guizhou Province (the “Work Programme”). The Work Programme points out the need to promote the conditional and paid use of meteorological data and to promote the trading of meteorological data and other products through the Guiyang Big Data Exchange.

Enforcement Developments

7. Ministry of Industry and Information Technology (MIIT) releases notification of APP (SDK) that infringes on users' rights and interests

On 24th October, the Ministry of Industry and Information Technology (MIIT) released the 6th batch of APP (SDK) lists of 2023 that infringed on the rights and interests of users. With a total of 22 enterprises involved in the list, issues involved included the illegal collection and use of personal information, APP mandatory, frequent and excessive requests for permissions, and incomplete information in SDK public announcements.

8.The Shanxi Supervisory Bureau of the Financial Supervisory Authority issued three major risk cases to remind financial consumers to strengthen personal information protection

On 18th October, the General Administration of Financial Supervision of Shanxi released three major risk cases, reminding consumers to enhance anti-fraud awareness and to safeguard better their personal information. One case involved a consumer who suffered damage to his rights and interests and credit score because he lent his documents and other information to another person to apply for a loan guarantee. The Superintendent reminds consumers not to lend their identity documents, bank cards, etc., to others, and not to leave their personal financial information on the Internet at will.

9. Beijing Cyberspace Administration imposes administrative penalties on three companies for failing to fulfil data security protection obligations

On 30th October, the Beijing Cyberspace Administration, in accordance with the Data Security Law, opened a case to investigate the alleged network data security violations of three enterprises in the region, and imposed administrative penalties of ordering correction, warning and a fine of RMB 50,000 on each of them, and a fine of RMB 10,000 on the direct supervisors and other responsible persons. It was found that the three enterprises had failed to fulfil their data security protection obligations, and that there were unauthorised access loopholes in the databases deployed, resulting in the leakage of some data.

10. Shanghai Cyberspace Administration punished a technology company for unauthorised deletion of data leakage after transmission outside the country

Recently, the Shanghai Cyberspace Administration found that there was an unauthorised access loophole in the database of a technology company, and data had been stolen and transmitted abroad. After the notification from the Shanghai Cyberspace Administration, the company still did not carry out timely and effective rectification and deleted the database without authorisation, with the intention of evading punishment. On 11th October, the Shanghai Internet Information Office, in accordance with the Data Security Law, ordered the company to make corrections, issued a warning and imposed a fine of RMB 80,000, and imposed a fine of RMB 10,000 on the company's solely responsible personnel.

11. Tianjin court: buy "members" to bypass the "child-friendly mode", illegal App was awarded compensation

The Court of Tianjin Binhai New Area recently concluded a case of unfair competition in which the purchase of an app membership was enough to bypass the  "child-friendly mode" of multiple third-party apps in the field of network audio and video (including the apps from the plaintiff) - in skipping and blocking the pop-up window of the entrance of the "child-friendly mode" of third-party apps, the defendant’s app violated the relevant laws and regulations on the protection of minors, and undermined the market order of fair competition and the industry's ecology, constituting unfair competition. Therefore, the court supported the plaintiff's claim in full, and ruled that the defendant should compensate the plaintiff for the economic loss of RMB 3 million.

12. Guangdong High Court Releases Typical Cases on Personal Information Protection

On 31st October, the Guangdong High Court released a number of typical cases on personal information protection. These cases include public interest litigation for personal information protection, network infringement liability disputes, and personal information protection disputes, which protect personal privacy and information security and regulate commercial promotional behaviours by legally regulating infringements on the rights and interests of personal information. These include the illegal collection and processing of information by internet platforms, infringement of algorithmic operation errors, sending commercial SMS without consent, and illegal collection of face images.

13. Xinjiang Uygur Autonomous Region Issued Provisions on the Application of Benchmarks for Discretion in Network Security Management Administrative Punishment

On 16th October, the Xinjiang Uygur Autonomous Region issued the Provisions on the Application of Benchmarks for Discretion in Administrative Penalties for Network Security Management. The Provisions list the basis for penalties and discretionary benchmarks for a total of 24 offences, which are divided into "minor offences, general offences and serious offences", and stipulate detailed rules. For example, illegally obtaining, selling or providing track and trace information, communication content, credit information and property information up to 15~ 30 items constitutes a "general offence" and may trigger a fine of RMB 300,000~700,000; selling or providing track and trace information regardless of the number of items used by others to engage in illegal activities constitutes a "serious offence"; selling or providing information regardless of the number of items used by others to engage in illegal activities constitutes a "serious offence". "Serious offences  may trigger a fine of RMB 700,000~1,000,000.

14. Gansu net security heavy rectification infringement of citizens' personal information crime

Recently, the Gansu Internet police have carried out special remedial actions in areas where crimes against citizens' personal information are common, such as telecommunication outlets, real estate agents and educational institutions. For example, the Lanzhou public security authorities investigated and dealt with a communications shop that collected and privately used students' personal information to handle phone cards on the grounds of part-time work and imposed a penalty of 10,000 in accordance with the Cyber Security Law.

15. Six property companies in Ningxia punished for improper protection of personal information

On 6th October, six property companies in Ningxia were warned and ordered by the local public security authorities to rectify the situation within a certain period due to the hidden danger of information leakage. It was found that a number of property companies' office computers improperly stored a large number of personal information such as home addresses, identity card numbers, and contact information of property owners in the community; data was  not encrypted, the office computers did not have passwords, the personal information was not classified and managed, and no encryption and de-identification and other technical measures were taken, and the risk of the owners' personal information being leaked was extremely high.

16. Multi-provincial communications bureaus issued circulars on taking down APPs that infringe on users' rights and interests (Related links: Guangdong Province, Sichuan Province, Zhejiang Province)

Recently, Guangdong, Sichuan, Zhejiang and other provincial communications bureaus have issued circulars on the removal of APPs infringing on users' rights and interests, which cover a wide range of categories such as finance leasing, property services, education and technology. The issues involved include the illegal collection of personal information, APP mandatory, frequent and excessive request for permissions, and the difficulty of account cancellation.

Industry Developments

17. The National Data Authority was officially inaugurated and is responsible for coordinating the promotion of data base systems

On 25th October, the National Data Bureau was inaugurated and administered by the National Development and Reform Commission. The National Data Bureau is responsible for coordinating the promotion of the construction of a data foundation system, coordinating the integration, and sharing of data resources and their exploitation and utilisation, and coordinating the promotion of the planning and construction of digital China, the digital economy, and the digital society. The establishment of the National Data Bureau will promote the accelerated innovation and integration of digital technologies such as the Internet, big data, cloud computing, artificial intelligence and blockchain, realise the in-depth integration of digital technologies with the real economy, and promote the development of the digital economy.

18. Ministry of Public Security Establishes Cybersecurity Legal Advisory Committee

The Ministry of Public Security held the inaugural meeting of the Legal Advisory Committee on Cybersecurity and a special seminar on the legal system of cybersecurity in Beijing from 10th to 11th October. The Legal Advisory Committee on Cybersecurity will strengthen legal research on cybersecurity, crack down on and rectify new types of cybercrime, guard against the security risks of modern technologies and applications, and strengthen comprehensive cyber governance.

19. The General Administration of Financial Supervision organises special work to remind banks of "dormant accounts".

Since 25th October, the Hebei Supervision Bureau of the State Financial Supervision and Administration of the People's Republic of China (SFSA) has been carrying out special work to remind banks of "dormant accounts" and to clean up personal insurance "sleeping policies". The term "dormant account" refers to a personal bank account that has not been actively traded for five years or more and still has a balance in the account. "Sleeping policies" refer to policies that have not yet received compensation or maturity benefit payments for insurance accidents or expiry of insurance contracts, or have not yet received cash value payments for suspension or termination of insurance contracts. The reminder helps consumers to understand the opening of their bank accounts, check, use or cancel redundant accounts in a timely manner, and enhance the efficiency of the use of funds.

20. The Shanghai Stock Exchange issued the Guidelines for Data Transaction Security Compliance and the List of Compliance Considerations for Data Transactions

On 19th October, the Shanghai Stock Exchange released the Guidelines for Data Transaction Security Compliance and the List of Compliance Considerations for Data Transactions, whose compliance requirements include the compliance of the transaction subject, the completeness of the data security management system, the legitimacy of the data source, and the confirmation of the tradability of the data product. To facilitate enterprises' understanding and implementation of compliance assessment, the Guidelines provide a list of compliance considerations to help enterprises efficiently identify compliance and security risks, as well as to facilitate enterprises' cooperation with third-party compliance assessment service organisations.

21.Shanghai Municipal Consumer Protection Commission and Municipal Automobile Sales Association Jointly Launch Compliance Guidelines for Personal Information Protection in Shanghai's Automobile Sales Industry

On 24th October, the Shanghai Municipal Commission for the Protection of Consumers' Rights and Interests and the Shanghai Automobile Sales Association jointly formulated and issued the "Compliance Guidelines for the Protection of Personal Information in the Shanghai Automobile Sales Industry". Among other things, the Guidelines make it clear that the collection of personal information should be closely related to consumer scenarios such as automotive consumer consultation, test drives, ordering, use, auto insurance, finance, and after-sales service, and should not exceed the scope necessary for laws, regulations, and services. At the same time, without the consent of individual consumers or the need for driving safety, information such as vehicle tracks, navigation records, driving records and other information shall not be analysed and evaluated for personal analysis or automatic decision-making.

22. Shanghai Municipal Commission of Economy and Informatisation Releases 2023 Catalogue of Shanghai's Network Security Industry Innovation and Research Achievements

On 24th October, the Shanghai Municipal Commission of Economy and Information Technology released the "2023 Shanghai Cybersecurity Industry Innovation and Research Achievement Catalogue", which includes three categories of basic technology innovation, application technology innovation and service industry innovation, and covers achievements in the areas of Artificial Intelligence (AI) security, privacy computing, digital identity authentication, software supply chain security, cloud-native security, secure access services, data circulation security, intelligent industrial control security, financial technology security and security operation services. These achievements aim to promote the development of Shanghai’s cybersecurity industry and improve cybersecurity protection capabilities and levels.

23. Zhejiang organisation to carry out the first batch of enterprise data officer pilot enterprises in Zhejiang Province to declare work

On 9th October, Zhejiang Province's Department of Economy and Information Technology announced that it will organise the first batch of enterprise Chief Data Officer (CDO) pilot declaration work. According to the notice, Zhejiang Province will determine several provincial chief data officer pilot enterprises, encourage enterprises to establish the CDO system, unlock the value of data elements, and accelerate digital transformation. Declaring enterprises need to meet the conditions of sound economic management institutions and systems, attach importance to data management work, and have larger-scale data resources.