In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on three areas: regulatory developments, enforcement developments, and industry developments.
China Cybersecurity and Data Protection – a major overhaul of the proposed data localisation regime.
The National People’s Congress has published a draft of a new Cryptography Law which is open for public comment until 2 September 2019. The draft law covers the mechanisms for the administration of cryptography related work. It sets out three different categories of cryptography (key, ordinary and commercial cryptography) which are administered in different ways. The law includes measures for promoting and safeguarding cryptography development. Chapter 3 of the draft law deals with the commercial cryptography system. It provides that commercial cryptographic products which are categorised as key network devices and cybersecurity products, and commercial cryptographic services offered for key network devices and cybersecurity products, will be subject to a compulsory certification mechanism. In addition, the draft provides that any key information infrastructure must use commercial cryptography, which must pass a security assessment and national security review. Further, certain commercial cryptography will be subject to import approval and an export control mechanism. The draft law also sets out the legal liability regime.
On 22 July 2019, the Cyberspace Administration of China (together with three other departments) jointly issued new guidelines on assessing the safety of cloud computing services. The safety assessment focuses on the credibility of cloud platform operators and their operations, the background of the staff of cloud service providers, the safety of the supply chains of cloud platforms, the safety management capabilities and the practicability of data migration. The assessment results will be valid for up to three years.
On 22 July 2019, the General Office of the Cyberspace Administration of China issued draft administrative measures for public consultation on credit information of dishonest persons offering Internet information services. Providers and users of Internet information services that have had their websites shut down or business licenses revoked for online violations will be placed on a blacklist. Among other penalties, those on the blacklist may be restricted from accessing the Internet, using online information services or re-entering the industry for three years. Blacklisted individuals can apply for early removal of their names from the blacklist upon taking remedial action and stopping the further spread of disinformation.
On 12 July 2019, the Ministry of Education, together with six other government departments, unveiled implementing opinions to regulate after-school online training. The opinions set a target of the end of December 2019 to complete a survey of the record-filing status quo of after-school online training programs and agencies, and the end of December 2020 to establish a nationally unified regulatory system. To this end, the opinions outline measures in three areas: (i) operating the record-filing examination system; (ii) carrying out the survey and ordering any rectification; and (iii) improving the regulatory mechanism. After-school online training agencies are required to submit relevant record-filing materials to the provincial education department at their place of domicile after having obtained an Internet content provider license, and the network security protection level grading certificate and evaluation report.
On 8 July 2019, the Standardization Administration issued the schedule for its second batch of recommended national standards for 2019. Under the plan, the National Information Security Standardization Technical Committee is responsible for a total of five national standards relating to cybersecurity and data protection, comprising four new standards to be formulated and one set to be revised.
On 16 July 2019, in order to assess further the collection and use of personal information by applications, the Application Security Working Group issued a notice on supervising personal information collection and promoting rectification to 40 application operators. The notice pointed out that there are 40 applications that contravene the requirements for collecting and using personal information and fail to disclose valid contact information. The application operators are required to rectify the non-compliances within 30 days and submit a rectification report to the working group.
On 8 July 2019, the National Computer Virus Emergency Response Center reported that it had monitored ten illegal mobile applications during its 2019 clean-up campaign. The main hazards posed by these apps included malicious deduction, privacy theft and gambling.
On 1 July 2019, the Ministry of Industry and Information Technology conducted a random inspection of 106 Internet services provided by 100 Internet companies. The spot check revealed that 18 Internet companies failed to show users the rules for collecting and using personal information, did not inform users of the channels for correcting information and did not provide any means for account cancellation. The ministry ordered the companies to rectify the issues. Technical tests were also conducted on applications available on 50 application stores. 33 pieces of software were found to be illegal, involving infringements such as illegal collection and use of personal information or forced promotion of other application software. The illegal software has been shut down and further rectification ordered.
On 1 July 2019, the General Office of the Ministry of Industry and Information Technology released a special action plan for boosting the capacity to protect network data security in the telecommunications and Internet sectors. First, intensive efforts will be made to carry out compliance assessments, special rectification programs and supervisory checks in relation to data security. Basic telecom enterprises and key Internet businesses will be required to ramp up their whole process management of network data security and take prompt corrective actions to remove major security risks like data leakage and data misuse. By the end of October, data security checks of all basic telecom enterprises, 50 key Internet businesses and 200 mainstream applications are to be completed. Second, a network data security safeguarding system will be established for these sectors. The special action plan outlines tasks to be carried out in five areas, including increasing the pace for improving systems and standards concerning network data security and carrying out compliance assessments and special rectification programs.
On 11 July 2019, the Internet Society of China officially launched a complaint system for cyber information. This is a third-party complaint channel under the guidance of the Ministry of Industry and Information Technology which has been constructed and will be operated by the China Internet Association. The complaint system is an important way to protect the legitimate rights and interests of users, promote industry self-discipline and societal supervision and support governmental supervision. Since its trial operation on 8 April 2019, it is reported that the complaint system has effectively handled user complaints in a timely manner.
On 22 July 2019, in order to consolidate further its cyberspace governance, the Heilongjiang Cyberspace Administration investigated and took action against seven illegal websites and WeChat official accounts based on daily checks and anonymous reports.
On 9 July 2019, the Shanghai Cyberspace Administration found that the operating companies of two applications did not implement the required technical measures to protect citizens’ personal information, failed to make the required filings with the public security organs, did not establish a network security protection management system and did not implement network security protection measures. In accordance with the relevant regulations, the Shanghai Cyberspace Administration imposed administrative penalties of one and three months respectively on the illegal enterprises.
On 11 July 2019, the Internet Society of China released the 2019 China Internet Report. The report reviews and analyses the development of various Internet industries, including network audio and video, online games, the mobile application market and network travel.
On 13 July 2019, the Yunnan Cyberspace Administration, together with key information infrastructure protection departments in key industries and fields, organised a pilot study on the security protection of critical information infrastructure in Yunnan Province involving important industries and enterprises. The pilot was established under the guidance and support of the Cyberspace Administration of China and involved cooperation with relevant domestic enterprises, scientific research institutions and social organizations, such as Tencent, to conduct research and exploration on critical information infrastructure boundary identification and other issues. Based on continuous practice and improvement, the first version of the research report was released.
On 8 July 2019, the China Academy of Information and Communications Technology issued a report on foreign-invested telecom companies. According to the report, at the end of June, a total of 146 foreign-invested telecom companies had obtained telecom licenses, including 103 from the Ministry of Industry and Information Technology and 43 from the Shanghai Telecom Administration (for enterprises registered in the Shanghai Free-Trade Zone).
On 9 July 2019, a total of eleven leading Chinese Internet portals, including Alibaba, Tencent and Baidu, signed a responsibility letter to prevent telecom and cyber fraud. The letter stresses establishing and improving the system of telecom and cyber fraud prevention, including strengthening the mechanism to close illegal accounts. The letter plans to establish and improve the fraud risk inspection and early warning and rapid response mechanism. The letter requires the annual report of the enterprise’s telecommunication business operations to include information on the implementation of their responsibility for preventing telecom and cyber fraud. The event was organized by the cyber security administration of the Ministry of Industry and Information Technology, the criminal investigation bureau of the Ministry of Public Security and the network comprehensive coordination management and law enforcement supervision bureau of the Office of the Central Cyberspace Affairs Commission.