This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.

If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Key highlights

The Cyberspace Administration of China (CAC) issued the draft administrative regulation on network data security, which, if enacted, will become the first regulation published by the State Council to implement the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) since their enactment, and will carry higher legal authority than regulations published by the ministries.

With its focus on data security, the draft regulation extends the obligations of data processors under the PIPL and DSL and creates a wide range of reporting, filing and assessment requirements. Beyond data security, the draft regulation also touches upon wider issues relevant to data protection and internet platforms. We will publish a series of articles on this important draft regulation in January. Please stay tuned.

Shanghai becomes the second first-tier city after Shenzhen to publish its own data regulations (Shanghai Regulations). The Shanghai Regulations share many similarities with their Shenzhen counterpart in structure and scope but focus more on the utilisation of data to develop the local and regional economy. Notably, the Shanghai Regulations do not impose any penalties on private parties in addition to those already available under existing laws and regulations.

Our Views

Employee Data Protection Series (III): Impact of Personal Information Protection Law on Employer’s Internal Investigations

Employee Data Protection Series (IV): Processing a Candidate’s Personal Information During Recruitment

Regulatory Developments

On November 14, the draft Network Data Security Administrative Regulation was issued for public comments, with a deadline of December 13. The draft sets out implementing rules under the PRC Cybersecurity Law, the PRC Data Security Law and the PRC Personal Information Protection Law. It consists of 9 chapters and 75 articles and is one of the most important draft administrative regulations in the area of network data security.

On November 12, the draft Methods for Classifying Pre-installed Apps on Mobile Smart Terminals was issued by the National Information Security Standardization Technical Committee (TC260) for public comments, narrowing the scope of non-installable applications to Apps with the following functions: system settings, phone calls, text messages, contact management, time display and application downloads. In addition, only one App can be set as non-installable under each function group.

On November 12, the draft Guidelines for Identifying Personal Information on Instant Messaging Service Platforms was issued by TC260 for public comments, setting out standards for differentiating personal information from non-personal information in instant messaging contexts. Under the draft guidelines, information sent to a specific recipient that cannot be retransmitted would be considered personal information. Information distributed in a group of more than 50 individuals, as well as information that can be retransmitted by group members other than the sender to recipients outside the group, shall not be considered personal information.

On November 25, the Shanghai Data Regulations were formally adopted by the Shanghai Municipal People's Congress and will come into effect on January 1, 2022. Updates compared to the second draft include authorising government departments to collect data necessary for emergency response and establishing a municipal data expert committee to carry out security assessments of public data use, among others.

As reported by the Shanghai Municipal AMR on November 12, the Guidelines for Application of Algorithm in Online Marketing Activities have been issued for trial implementation. The Guidelines refine the requirement for fair results of automated decision-making in Article 24 of the Personal Information Protection Law by specifying parameter setting, consumer profiling and the design of decision rules.

On November 3, the China Cyberspace Security Association (the “CSAC”) issued two draft standards on personal information protection, one for App stores and one for mobile smart terminals.

App stores are authorised to reject an App if it violates any requirements regarding developer information disclosure, privacy policy, access permission requests or personal information processing activities. Mobile smart terminals are required to strengthen user controls around personal information access, App auto-start, device identification codes, sensitive permissions, storage space, and the recording and display of processing activities.

Enforcement Developments

On November 10, the National Computer Virus Emergency Response Center identified 12 illegal e-commerce shopping mobile Apps: 11 Apps did not disclose all the privacy permissions they requested; 1 provided personal information to third parties without anonymisation; 1 started collecting personal information before obtaining users' consent; 1 did not provide effective functions to correct and delete personal information and cancel user accounts, or set unreasonable conditions for cancelling accounts; and 2 did not establish and publicise personal information security complaint and reporting channels, or exceeded the promised time limit for handling responses.

On November 3, the Ministry of Industry and Information Technology issued a “Look Back” notice following its previous enforcement actions and reported 55 Apps for illegal processing of personal information, including requests for excessive permissions and users’ personal information, and deceptive downloads. The reported Apps include market-leading Apps such as Xiaohongshu, Tantan, 58 Tongcheng and Douban.

On November 3, the Cyberspace Administration of Hainan Province reported illegal collection and use of personal information in 11 mini-programs, including “KFC self-service ordering”, and demanded corrections within 15 working days. This is the first enforcement operation in China focusing on mini-programs.

On November 2, the Zhejiang Provincial AMR held an administrative guidance meeting at which platforms reported on their self-rectification progress, and emphasised the prohibition on deceptive pricing based on profiling, especially during the “Double 11” shopping festival.

On November 5, the Zhejiang Provincial Consumer Council held a regulatory talk with the responsible persons of 9 video and audio websites, including Sohu and Aiqiyi, requiring a prominent explanation of premium membership rights before users subscribe and a reasonably placed cancellation option allowing consumers to opt out.

On November 11, the Ministry of Industry and Information Technology issued a notice launching “Operation 524” to improve the public’s perception of information and communication services. The notice sets out improvement requirements for basic telecommunications enterprises, Apps and App stores, and publicises the first batch of internet companies to implement the “Double List” and other regulatory requirements in customer responses, privacy policies and the display of permission invocations.

Since November, several regional tax authorities have issued notices implementing the templates published by the State Taxation Administration, including a consent form for personal information protection, a facial recognition notification and a form for withdrawing consent. The templates apply to personal information processing activities at tax service premises, electronic tax bureaus and tax payment channels such as self-service terminals.

On November 3, the Wenzhou Intermediate People's Court ruled in favour of the plaintiff, acting in the public interest, and ordered the defendant, Xiao, to pay 56,787 RMB in public interest damages for stealing and selling more than 400,000 pieces of personal information and to make a public apology to society in the national news media.

On November 24 and 30, the Beijing and Shanghai Banking and Insurance Regulatory Commissions imposed successive administrative penalties on Bank of Beijing and its Shanghai Zhangjiang Sub-branch for significant breaches of prudent operation concerning the reporting of critical information system emergencies, information security and staff conduct management. The highest single fine amounted to 500,000 RMB, and two directly responsible persons were banned from the industry for life.

On November 9, the Jiangsu Provincial Consumer Council reported the results of its investigation of 7 e-commerce platforms, identifying the following shared problems and proposing improvements: default collection of unnecessary information, no easily accessible channels to opt out of personalised display, and unclear de-identification measures when personal information is shared.

Industry Developments

On November 17, the China Academy of Information and Communications Technology organised 8 net disk (personal cloud storage) companies, including Baidu Netdisk, Tencent Drive and Aliyundrive, to sign the Personal Online Disk Service User Experience Guarantee Self-Regulatory Convention in Beijing, under which they promise to provide undifferentiated upload/download speeds for all types of users and accessible complaint channels.