This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
Follow the links below to view the official policy documents or public announcements.
On 24th October, the Regulations on the Protection of Minors in Cyberspace were officially published (the “Regulations”). The Regulations contain detailed and comprehensive provisions on the regulation of network information content, the protection of minors' personal information on networks and the prevention and treatment of minors' internet addiction. For example, the Regulations require that online games, webcasting and other network service providers should provide an operating mode for minors; they also emphasise that network product and service providers should use artificial intelligence, big data and algorithmic models to strengthen the identification and monitoring of cyberbullying. The Regulations stipulate that personal information processors should conduct annual compliance audits of their personal information processing activities regarding minors and report the results of the audits to the Cyberspace Administration of China and other departments.
2. The Ministry of Industry and Information Technology (MIIT) seeks public comments on Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology (for Trial Implementation) (Draft for Comment)
On 9th October, the MIIT issued the Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology (for Trial Implementation) (Draft for Comment), which stipulate that processors of important data and core data should complete a data security risk assessment at least once a year (with the results of the assessment being valid for one year), and report or update the assessment report to the industry supervisory authorities within 10 working days of completing the assessment. The assessment focuses on whether the purpose, manner and scope of data processing are lawful, legitimate and necessary, as well as on the formulation and implementation of data security management systems, processes and strategies.
On 24th October, the MIIT released the Measures for the Classified and Graded Management of Industrial Internet Security (Draft for Comment), which are open for comments until 22nd November 2023 (the “Measures”). Among other things, the Measures make it clear that industrial Internet enterprises can carry out grading independently, and that in doing so they need to consider elements such as enterprise scale, business scope, the degree of application of the industrial Internet, the degree of operation of important systems, the degree of mastery of important data, the degree of importance to the development of the industry and to industrial chain and supply chain security, as well as the impact of the consequences of a cybersecurity incident.
On 18th October, the Beijing Economic and Information Bureau issued the Beijing Chief Data Officer System Pilot Work Programme, selecting 13 pilot units to flexibly set up Chief Data Officers (CDOs) on their own, with the scope of CDO’s responsibilities including promoting the construction of digital government, strengthening data resource management, enhancing guidance and supervision capabilities, improving digital thinking literacy, and promoting the construction of talent teams. At the same time, the Work Programme encourages district-level governments to carry out pilot work in selected subordinate units that can do so, and actively encourages several types of enterprises to set up CDOs.
On 19th October, Shanghai Cyberspace Administration issued Guidelines for Shanghai Website Platforms to Accept and Dispose of Reporting of Online Infringement Information Involving Enterprises (Trial Version), which stresses the need to focus on the protection of legitimate rights and interests of enterprises to be listed and the stabilisation of the market value of the enterprises. It focuses on the acceptance and disposal of counterfeit information that confuses the identity information of the enterprise body, leakage information that infringes on the privacy of entrepreneurs, as well as other information that maliciously interferes with the normal operation and development of the enterprise.
On 8th October, the Guizhou Provincial Meteorological Bureau and the Big Data Development Administration issued the Pilot Work Programme for Reform of Market-based Allocation of Meteorological Data in Guizhou Province (the “Work Programme”). The Work Programme points out the need to promote the conditional and paid use of meteorological data and to promote the trading of meteorological data and other products through the Guiyang Big Data Exchange.
On 24th October, the Ministry of Industry and Information Technology (MIIT) released the 6th batch of 2023 lists of APPs (SDKs) that infringed on the rights and interests of users. A total of 22 enterprises were involved in the list; the issues involved included the illegal collection and use of personal information, mandatory, frequent and excessive requests for permissions by APPs, and incomplete information in SDK public announcements.
On 18th October, the General Administration of Financial Supervision of Shanxi released three major risk cases, reminding consumers to enhance their anti-fraud awareness and to better safeguard their personal information. One case involved a consumer who suffered damage to his rights and interests and to his credit score because he lent his documents and other information to another person to apply for a loan guarantee. The Administration reminds consumers not to lend their identity documents, bank cards, etc., to others, and not to leave their personal financial information on the Internet at will.
On 30th October, the Beijing Cyberspace Administration, in accordance with the Data Security Law, opened a case to investigate the alleged network data security violations of three enterprises in the region, and imposed administrative penalties of ordering correction, a warning and a fine of RMB 50,000 on each of them, and a fine of RMB 10,000 on the direct supervisors and other responsible persons. It was found that the three enterprises had failed to fulfil their data security protection obligations, and that there were unauthorised access loopholes in the databases they had deployed, resulting in the leakage of some data.
Recently, the Shanghai Cyberspace Administration found that there was an unauthorised access loophole in the database of a technology company, and that data had been stolen and transmitted abroad. After notification from the Shanghai Cyberspace Administration, the company still did not carry out timely and effective rectification, and it deleted the database without authorisation with the intention of evading punishment. On 11th October, the Shanghai Internet Information Office, in accordance with the Data Security Law, ordered the company to make corrections, issued a warning and imposed a fine of RMB 80,000, and imposed a fine of RMB 10,000 on the company's solely responsible personnel.
The Court of Tianjin Binhai New Area recently concluded an unfair competition case in which the purchase of a membership in the defendant's app was enough to bypass the "child-friendly mode" of multiple third-party apps in the field of network audio and video (including the plaintiff's apps). By skipping and blocking the pop-up window at the entrance to the "child-friendly mode" of third-party apps, the defendant's app violated the relevant laws and regulations on the protection of minors and undermined the market order of fair competition and the industry's ecology, constituting unfair competition. The court therefore supported the plaintiff's claim in full and ruled that the defendant should compensate the plaintiff for economic losses of RMB 3 million.
On 31st October, the Guangdong High Court released a number of typical cases on personal information protection. These cases include public interest litigation for personal information protection, network infringement liability disputes and personal information protection disputes; by regulating infringements of personal information rights and interests according to law, they protect personal privacy and information security and regulate commercial promotional behaviour. The infringements involved include the illegal collection and processing of information by internet platforms, infringement caused by algorithmic operation errors, the sending of commercial SMS without consent, and the illegal collection of facial images.
On 16th October, the Xinjiang Uygur Autonomous Region issued the Provisions on the Application of Benchmarks for Discretion in Administrative Penalties for Network Security Management. The Provisions list the basis for penalties and the discretionary benchmarks for a total of 24 offences, which are divided into "minor offences, general offences and serious offences", and stipulate detailed rules. For example, illegally obtaining, selling or providing 15~30 items of track and trace information, communication content, credit information or property information constitutes a "general offence" and may trigger a fine of RMB 300,000~700,000; selling or providing such information that is then used by others to engage in illegal activities, regardless of the number of items, constitutes a "serious offence". Serious offences may trigger a fine of RMB 700,000~1,000,000.
Recently, the Gansu Internet police have carried out special remedial actions in areas where crimes against citizens' personal information are common, such as telecommunication outlets, real estate agents and educational institutions. For example, the Lanzhou public security authorities investigated and dealt with a communications shop that, under the pretext of offering part-time work, collected students' personal information and used it privately to handle phone cards, and imposed a penalty of 10,000 in accordance with the Cyber Security Law.
On 6th October, six property companies in Ningxia were warned by the local public security authorities and ordered to rectify the situation within a set period due to the hidden danger of information leakage. It was found that the office computers of a number of property companies improperly stored large amounts of personal information of the property owners in the community, such as home addresses, identity card numbers and contact information. The data was not encrypted, the office computers had no passwords, the personal information was not classified and managed, and no encryption, de-identification or other technical measures had been taken, so the risk of the owners' personal information being leaked was extremely high.
Recently, the Guangdong, Sichuan, Zhejiang and other provincial communications bureaus have issued circulars on the removal of APPs infringing on users' rights and interests, covering a wide range of categories such as finance leasing, property services, education and technology. The issues involved include the illegal collection of personal information, mandatory, frequent and excessive requests for permissions by APPs, and the difficulty of cancelling accounts.
On 25th October, the National Data Bureau, which is administered by the National Development and Reform Commission, was inaugurated. The National Data Bureau is responsible for coordinating the promotion of the construction of a data foundation system, coordinating the integration and sharing of data resources and their exploitation and utilisation, and coordinating the promotion of the planning and construction of digital China, the digital economy and the digital society. The establishment of the National Data Bureau will promote the accelerated innovation and integration of digital technologies such as the Internet, big data, cloud computing, artificial intelligence and blockchain, realise the in-depth integration of digital technologies with the real economy, and promote the development of the digital economy.
The Ministry of Public Security held the inaugural meeting of the Legal Advisory Committee on Cybersecurity and a special seminar on the legal system of cybersecurity in Beijing from 10th to 11th October. The Legal Advisory Committee on Cybersecurity will strengthen legal research on cybersecurity, crack down on and rectify new types of cybercrime, guard against the security risks of modern technologies and applications, and strengthen comprehensive cyber governance.
Since 25th October, the Hebei Supervision Bureau of the State Financial Supervision and Administration of the People's Republic of China (SFSA) has been carrying out special work to remind banks of "dormant accounts" and to clean up personal insurance "sleeping policies". The term "dormant account" refers to a personal bank account that has had no active transactions for five years or more and still has a balance. "Sleeping policies" refer to policies under which compensation or maturity benefit payments for insurance accidents or the expiry of insurance contracts have not yet been received, or under which cash value payments for the suspension or termination of insurance contracts have not yet been received. The reminder helps consumers to understand which bank accounts they have opened, to check, use or cancel redundant accounts in a timely manner, and to enhance the efficiency of their use of funds.
On 19th October, the Shanghai Stock Exchange released the Guidelines for Data Transaction Security Compliance and the List of Compliance Considerations for Data Transactions, whose compliance requirements include the compliance of the transaction subject, the completeness of the data security management system, the legitimacy of the data source, and confirmation of the tradability of the data product. To help enterprises understand and implement compliance assessment, the Guidelines provide a list of compliance considerations that helps enterprises efficiently identify compliance and security risks and facilitates their cooperation with third-party compliance assessment service organisations.
21. Shanghai Municipal Consumer Protection Commission and Municipal Automobile Sales Association Jointly Launch Compliance Guidelines for Personal Information Protection in Shanghai's Automobile Sales Industry
On 24th October, the Shanghai Municipal Commission for the Protection of Consumers' Rights and Interests and the Shanghai Automobile Sales Association jointly formulated and issued the "Compliance Guidelines for the Protection of Personal Information in the Shanghai Automobile Sales Industry". Among other things, the Guidelines make it clear that the collection of personal information should be closely related to consumer scenarios such as automotive consumer consultation, test drives, ordering, use, auto insurance, finance and after-sales service, and should not exceed the scope necessary under laws and regulations or for the services provided. At the same time, without the consent of individual consumers or a need arising from driving safety, information such as vehicle tracks, navigation records and driving records shall not be analysed or evaluated for the purpose of personal analysis or automated decision-making.
On 24th October, the Shanghai Municipal Commission of Economy and Information Technology released the "2023 Shanghai Cybersecurity Industry Innovation and Research Achievement Catalogue", which includes three categories of basic technology innovation, application technology innovation and service industry innovation, and covers achievements in the areas of Artificial Intelligence (AI) security, privacy computing, digital identity authentication, software supply chain security, cloud-native security, secure access services, data circulation security, intelligent industrial control security, financial technology security and security operation services. These achievements aim to promote the development of Shanghai’s cybersecurity industry and improve cybersecurity protection capabilities and levels.
On 9th October, Zhejiang Province's Department of Economy and Information Technology announced that it will organise the first batch of enterprise Chief Data Officer (CDO) pilot declaration work. According to the notice, Zhejiang Province will determine several provincial chief data officer pilot enterprises, encourage enterprises to establish the CDO system, unlock the value of data elements, and accelerate digital transformation. Declaring enterprises need to meet the conditions of sound economic management institutions and systems, attach importance to data management work, and have larger-scale data resources.