In this bulletin we summarise recent developments relating to cybersecurity and data protection in China. We focus on three areas: regulatory developments, enforcement developments, and industry developments.

Regulatory developments 

  • New regulations on prohibition of abuse of dominant market position published for public comments
    On 30 January 2019, China's antitrust authority launched a consultation paper on new regulations which, for the first time, cover the dominant market position of business operators engaged in the internet and intellectual property sectors. The new regulations will take "managing relevant data" into consideration in determining market position. The Regulations on the Prohibition of Abuse of Dominant Market Position (Consultation Paper), issued by the Administration for Market Regulation, was open for public comments until 1 March 2019.
  • Self-assessment guide on collection and use of personal information by applications released
    On 1 March 2019, China's cross-department special governance working group on illegal personal information collection by applications released its self-assessment guide on the collection and use of personal information by applications. Application operators can refer to the guide to self-examine their collection and use of personal information, and actively improve the level of personal information protection. The special governance working group was set up by the National Information Security Standardization Technical Committee, the China Consumers Association, the Internet Society of China and the Cybersecurity Association of China.
  • Personal information violation complaint account officially launched on WeChat
    On 1 March 2019, a WeChat official account was launched to enable online users to report personal information violations. The account, named "Application Personal Information Violation Complaint" (ID: app_grxxjb), allows reports of the following: applications with no privacy policies; over-collection of personal information unrelated to the business; mandatory or frequent requests for user permissions unrelated to the business functions; bundled requirements for user permissions; harassment of mobile contacts; absence of account cancellation functions; unreasonable terms; absence of personal information deletion or revision functions, etc. This measure is being promoted by the special governance working group on illegal personal information collection by applications and has been designed to achieve an improved complaint reporting mechanism, which is one of the key initiatives in the "Notice on the Special Governance on Illegal Collection and Use of Personal Information by Applications" issued in January.

Enforcement developments 

  1. National Computer Virus Emergency Response Centre discovers ten unlawful mobile applications
     Recently, through its internet monitoring, the National Computer Virus Emergency Response Centre discovered ten unlawful mobile applications that were available in application stores. The applications include "Caijisong Mobile (财急送移动版)" and "Fotoplace". The main risks associated with these unlawful applications include privacy theft, fraud, hooliganism and gambling.

  2. Report on 2018 Q4 telecommunication service quality - 43 apps removed from store
     On 27 February 2019, the Ministry of Industry and Information Technology released its latest telecommunications service quality report for the fourth quarter of 2018. This shows that 43 problematic applications were detected during that period and removed from the store, including applications like "Wannengkan (万能看)" and "xiaoneiwai (校内外)", which were found to collect and use personal information without users' consent. In addition, "Beikezhaofang (贝壳找房)", "Fish Fighting (斗鱼)", "ZBJ.com" and 14 other internet enterprises were cited by the Ministry for poor levels of personal information protection and urged to rectify matters, including through disclosing users' personal information collection and use rules, updating information on enquiry channels and providing account cancellation services.

  3. 23 applications interviewed by Shanghai Cyberspace Administration are reassessed
     In October 2018, the Shanghai Cyberspace Administration sample tested 23 applications for personal information collection and use compliance. The 23 enterprises were asked to comply with rectification measures and have recently been reassessed. As of mid-January 2019, these applications have revised 158 of the authorisations previously labelled as "unreasonable authorisation" and 98 authorisations labelled "reasonable yet risky". Six "unreasonable" authorisations and 98 "reasonable yet risky" authorisations remain. Among them, DianPing and ELeMe continue to obtain unreasonable authorisations from users.

  4. China's Insurance Regulatory Commission has interviewed several banks over personal information collections through applications
     At a news conference on 25 February 2019, the State Council Information Office revealed that several banks have been using applications to collect personal information and privacy terms. The vice president of the China Insurance Regulatory Commission, Mr. Liang Tao, confirmed that the Commission has interviewed the executives of those banks and asked them to adjust and correct their practices.

  5. Shanghai Communications Administration publishes details of typical cybersecurity breach cases
     Recently, the Shanghai Communications Administration published details of typical cases of cybersecurity breaches. The reported cases included: (i) a network security incident in a stainless-steel pipe company's networked information system resulting in an order to suspend the internet information services; (ii) a media company and a network technology company which faced administrative penalties for failing to take corrective measures against the risk of security breaches; (iii) two internet companies which faced administrative penalties for failing to perform website filing procedures; and (iv) an online travel agency company which had serious security risks in storing tourist information.

  6. Special winter vacation anti-vice measures implemented and details of typical cases published
     On 25 February 2019, the Cyberspace Administration of China reported that special anti-vice and pornography measures were introduced during the winter vacation period aimed at protecting young people. These measures involved comprehensive investigations of the publications market and cultural management sites around campuses and strengthened network inspection and monitoring, focusing on the dissemination of harmful information in the fields of learning and education applications, online games, online literature, online comics and internet portals. The anti-vice and pornography department has provided details on seven typical cases from their investigations to inform, warn and act as a deterrent for others. The cases reported included "Baidu Tieba" being used to spread obscene pornographic comics and the "Homework Super Assistant" learning app being used to spread harmful information.

Industry developments

  1. Shanghai Cyberspace Affairs Office publishes annual report on network security
     On 18 February 2019, the Shanghai Cyberspace Affairs Office published its 2018 annual report analysing network security. According to the report, it monitored 2,796 websites from 2,323 companies in 2018 and issued warnings about eight network security issues including website vulnerabilities, webpage tampering, phishing, malware and denial of service attacks. 523 network security alerts were sent to 431 companies.

  2. Data leak of an AI security company exposed
     Recently, an artificial intelligence company, Shenzhen SenseNets Technology LTD., suffered a massive data leak. It is reported that more than 2.5 million pieces of personal data could be obtained and 6.8 million pieces of data are suspected to have been leaked, including identity card information, face recognition images and image shooting locations.