China passes Cryptography Law
The PRC Cryptography Law has been passed and adopted. It will take effect from 1 January 2020.
Under the Cryptography Law, cryptography refers to technologies, products, and services that employ specified transformation methods to encrypt information or carry out security authentication. Cryptography is classified into key cryptography, ordinary cryptography and commercial cryptography.
Key cryptography and ordinary cryptography constitute state secrets and are regulated as such.
As for commercial cryptography products, if they have a potential impact on national welfare, people’s livelihood, or public interest, they shall be regulated as critical network equipment and specialized cybersecurity products, and must pass the relevant testing and certification. If they will be used for the protection of critical information, they must also pass special security assessments in accordance with the PRC Cybersecurity Law. The relevant government authorities will publish a list of commercial cryptography products that are subject to import and export controls.
Foreign-invested enterprises will be treated on an equal footing with domestic enterprises in the development, manufacture, and sale of commercial cryptography products, and are encouraged to engage in technical cooperation when investing in China. No government authority is allowed to force a transfer of commercial cryptography technology.
Please click here for an unofficial English translation of the Cryptography Law.
MIIT publishes special action plan to combat personal data infringements via APPs
The Ministry of Industry and Information Technology (the “MIIT”) published a special action plan to strengthen the enforcement of data protection requirements. The following constitute non-compliant activities of an APP operator: (i) collecting personal data without data subjects’ consent; (ii) collecting excessive personal data beyond the scope reasonably related to the provision of the underlying services; (iii) sharing personal data with third parties without data subjects’ consent; (iv) not allowing data subjects to disable targeted advertising; (v) refusing to provide the APP services if data subjects do not agree to excessive collection of personal data; (vi) repeatedly asking for data subjects’ consent to the collection of certain types of personal data even after the data subjects have refused; and (vii) setting unreasonable obstacles for data subjects to de-register their APP accounts.
The special action also focusses on the operators of APP stores or other channels via which APPs are distributed. These operators are also subject to the obligation to check whether the APPs distributed via their channels are compliant with the personal data protection requirements.
The special plan started on 1 November and will end on 20 December 2019.
A new draft of the Personal Information Security Specification is issued for public opinion
The currently valid “GB/T 35273-2017 Information Technology – Personal Information Security Specification” (“2017 Specification”) took effect on 1 May 2018. Although the 2017 Specification is not a legally binding regulation but only recommendatory, it sets out detailed implementation requirements that follow the general personal data protection principles under Chinese law and is considered the best practice that data controllers are encouraged to adopt in China. As of today, two drafts of the new version of the Personal Information Security Specification (one published on 1 February 2019 and the latest one published on 22 October 2019) have been released to solicit public opinion, and they introduce many important changes to the 2017 Specification.
In particular, the following changes are proposed by the latest draft published in October: (i) data subjects shall not be forced to agree to the collection of personal information on the grounds of improving service quality or user experience, developing new products, or enhancing security performance; (ii) during data sharing, the recipient has the obligation to confirm with the provider whether the sharing has received the consent of data subjects, as well as the scope and methods of the sharing; (iii) the data controller shall establish convenient channels for data subjects to de-register accounts, handle data subjects’ requests to delete personal data within a reasonable period that in principle is shorter than 15 days, and refrain from requesting additional personal data for identity verification purposes during such processes; and (iv) a data controller shall inform data subjects of the identity of its joint controller and their respective responsibilities and obligations regarding data protection; otherwise it shall bear the liability resulting from the joint controller’s non-compliant activities.
Please click here for the full text (Chinese only) of the latest draft.
New judicial interpretation clarifies the circumstances where a network operator might be subject to criminal liability
The Supreme People’s Court and the Supreme People’s Procuratorate jointly published a judicial interpretation on 25 October 2019, which provides detailed explanations of the elements of the “crime of refusing to perform cyber security management obligations” under Article 286 of the PRC Criminal Law. According to this interpretation, a network operator or online service provider commits this crime if it fails or refuses to perform its cybersecurity management obligations after being ordered to do so by the relevant government authorities, and thereby causes certain consequences or damages.
Examples of such consequences include: (i) distribution of more than 200 illegal videos; (ii) distribution of illegal information to more than 2,000 user accounts; (iii) illegal information being clicked no fewer than 50,000 times; (iv) disclosure of more than 500 pieces of personal travel, tracking, communication content, credit or asset information; (v) disclosure of more than 5,000 pieces of personal accommodation, communication record, health, transaction and other information that might affect personal or proprietary security; (vi) disclosure of more than 50,000 pieces of personal information other than the information described in (iv) and (v) above; (vii) failure to keep most user logs or to obtain authentic personal identification from users; and (viii) damage to information networks used in the provision of communication, energy, traffic, water conservation, finance, education, medical and other public services, thereby severely affecting social benefits.
Please click here for the full text (Chinese only) of the interpretation.
Simplified application procedures for certain VATS licences are introduced in free trade zones
The State Council launched a trial programme in the free trade zones in China to further eliminate or simplify the administrative licensing or permit requirements applicable to companies registered in the free trade zones. A list of more than 500 items has been published, covering all the sectors and business activities for which an administrative licence or permit is required.
In particular, for the operating licences for Category II value-added telecom services (which include online data processing and transaction processing services, domestic multi-party communication services, storage and forwarding services, call centre services, information services, and coding and protocol conversion services), applicants within the free trade zones can now make commitments that they have satisfied the qualification requirements and obtain the licences directly, without the need to submit complex supporting materials. The authorities will keep monitoring the business operations of the licence holders and will revoke the licences if they breach the commitments or fail to demonstrate the required qualifications.
The same regulatory approach is also adopted in the free trade zones for the licences in respect of printing operations, audio-visual products production, electronic publications production, and publications distribution.
Please click here for a full list (Chinese only) of the simplified application items.