MIIT issues Guiding Opinions on Strengthening Security of the Industrial Internet

The Ministry of Industry and Information Technology (“MIIT”) issued Guiding Opinions on Strengthening Security of the Industrial Internet (“Opinions”) on 15 April 2019.

The Opinions provide the general goals of security of the industrial internet initiative. The preliminary goal is to establish a security safeguarding system of the industrial internet by the end of 2020. By 2025, the security safeguarding system shall be improved and perfected.

The Opinions state that the major tasks of this initiative shall include the following:

  1. promoting enterprise responsibility for the security of the industrial internet;
  2. establishing standards of security of the industrial internet;
  3. improving the protective level of the enterprise for the industrial internet;
  4. strengthening the data security of the industrial internet;
  5. establishing national security technical methods for the industrial internet;
  6. improving the capacity of public services of the industrial internet; and
  7. promoting the security technology innovation and industrial development of the industrial internet.

Please click here to read the full text (Chinese only) of the Circular.

MIIT issues Circular on further strengthening IP Address Recordals

MIIT issued Circular on Further Strengthening IP Address Recordals (“Circular”) on 11 April 2019.

The Circular requires that all IP address allocation entities record the resources, allocation and usage of IP addresses on MIIT-designated systems completely, accurately and in a timely manner. All entities shall establish and improve their IP address recordal mechanism, and shall designate specific responsible persons for IP address issues.

Internet service providers (“ISPs”) shall strengthen access to resource management, and must not use unrecorded or partially recorded IP addresses to provide internet service for users. ISPs shall conduct ordinary business self-inspections. If an ISP identifies any usage of unrecorded or partially recorded IP addresses, it shall cut off said internet access and report it to its local competent authorities.

Please click here to read the full text (Chinese only) of the Circular.

MPS issues Guidelines on Internet Personal Information Security Protection

The Ministry of Public Security (“MPS”) issued Guidelines on Internet Personal Information Security Protection (“Guidelines”) on 10 April 2019.

These Guidelines aim to “implement the PRC Cybersecurity Law, guide personal information holders in their efforts to establish and improve the management and technical measures on the protection of citizens’ personal information, effectively guard against personal information abuses, and safeguard network data security and the lawful rights and interests of citizens”. However, the relationship between these Guidelines and the existing personal information protection regulatory and standards system led by the Cyberspace Administration of China and the National Information Security Standardisation Technical Committee is unclear.

Compared to the draft issued on 30 November 2018, the Guidelines include various amendments:

  1. The Guidelines remove the Level 3 requirements under the Classified Information Security Protection Scheme. Instead, the Guidelines require that personal information processing systems meet the corresponding security management requirements stipulated under GB/T 22239 Information Security Technology – Baseline for Classified Cybersecurity Protection.
  2. The Guidelines provide additional requirements regarding cloud platforms. Personal information domestically stored within a cloud platform shall remain within the territory of China, and if any personal information needs to be transferred overseas, it must comply with relevant national regulations.
  3. In respect of personal information applications, the Guidelines provide that prior explicit consent from the users is compulsory if an application of a user profiling service may bring legal consequences to the users.
  4. In respect of identity verification, personal information processing systems and devices shall use a combination of two or more authentication technologies to identify the users, and one of them shall contain cryptographic techniques.

Please click here to read the full text (Chinese only) of the Guideline and click here to read our previous article on the draft Guidelines.

NRTA issues Regulations on Programmes for Minors

The National Radio and Television Administration (“NRTA”) issued Regulations on Programmes for Minors (individuals under the age of 18) (“Regulations”) on 3 April 2019.

The Regulations provide that programmes for persons under the age of 18 (“Programmes”) shall include radio and TV programmes and internet audio-visual programmes in which minors are the major participants or of which minors are the major targets. The Regulations expressly prohibit all illegal or improper content in all programmes for minors.

The Regulations, among others, provide detailed requirements for, and impose obligations on, internet audio-visual programme service institutions (“Institutions”). Institutions shall establish specific Programmes, which are clearly labelled as such. Institutions shall apply content review prior to broadcasting and shall be able to cut off improper content during live shows. Institutions shall establish a minors protection mechanism and name a designated person to carry out the pre-content review. If a guardian of a minor does not permit any image or information to be uploaded, the guardian is entitled to notify the Institutions and require them to delete, block or unlink the content. Institutions shall also establish complaints channels for the Programmes uploaded by internet users and establish social review systems for these Programmes.

Please click here to read the full text (Chinese only) of the Regulations.

SAMR issues Notice on Further Regulating Internet Advertisements

The State Administration for Market Regulation (“SAMR”) issued the Notice on Further Regulating Internet Advertisements (“Notice”) on 22 March 2019.

The major targets of the Notice are the portals, search engines and e-commerce platforms with great social influence, and the applications and new media accounts. The Notice focuses on sectors such as medicals, pharmaceuticals, health food, real estate and financial investments. The Notice requires that local authorities crack down on false and illegal internet advertisements. In respect of illegal internet advertisements, the following shall be strictly regulated:

  1. Advertisements for medicals, pharmaceuticals, medical equipment, health food, etc. released without examinations and approval.
  2. Advertisements for medicals, pharmaceuticals, medical equipment and health food that contain assertions or guarantees of efficacy or safety, illegally state cure rates or efficiency, or advertise with endorsements or certificates.
  3. Food and health food advertisements which exaggerate the efficacy of products, or promote disease prevention and treatment functions.
  4. Financial investment, collections and merchant advertisements which promise future returns, or expressly or impliedly guarantee risk-free investments.
  5. Real estate advertisements which commit to future appreciation or return on investment, or contain misleading publicity of transportation, commercial, cultural and educational facilities in real estate projects.
  6. Advertisements that impede social public order, violate social good practices, and cause adverse social impacts.
  7. Other false and illegal Internet advertisements that the public reacts strongly to.

Please click here to read the full text (Chinese only) of the Circular.

China releases Security Certification Measures for Mobile Apps

The SAMR and the Cyberspace Administration of China released the Security Certification Measures for Mobile Internet Applications (“Measures”) on 13 March 2019. The Measures took effect on 15 March 2019.

The Measures include eight chapters, covering the scope of application, criterion for certification, the model for certification, proceedings of certification, the validity term of the certification, the use and management of the credentials and the certification marks, and liabilities of the certification.

The Measures apply to the data security certification for mobile internet applications (“Apps”). The criterion of the certification is the national standard No. GB/T 35273, being the Information Security Technology – Personal Information Security Specification. The model of the certification covers three stages: (1) technical verification, (2) on-site inspection and (3) post-certification supervision.

The applicant for the certification should be the network operator who provides customers with services via Apps (“App Operator”). The App Operator should be incorporated and registered with the Administration for Market Regulation. The App Operator is not permitted to file the application for the certification in the event of the following circumstances: (1) the App Operator breaches the relevant law and regulation; (2) the App Operator has committed any serious data security incidents within 12 months of the application; (3) a similar certification held by the applicant is under the revocation period; or (4) other circumstances that are provided by the certification institution.

According to the Measures, the applicant for the certification, i.e. the App Operator, should be liable for the authenticity and legality of the application documents and samples. In addition, the certification cannot exempt the App Operator from the legal liability relating to the relevant Apps.

Please click here to read the full text (Chinese only) of the Measures.