This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Key Highlights

On 18 November 2022, the State Administration for Market Regulation and the Cyberspace Administration of China jointly issued an announcement to implement personal information protection certification regime and published the implementing rules, which provide the personal information processors with a way to assess their own personal information protection level with accreditation from independent third-party institutions. The certifications rules establish the framework of the certification regime but lack many key details to render the regime workable. We expect implementing rules to be published in 2023 to provide for such details.

Our Views

China Rolls out Personal Information Protection Certification Regime

Legislative Developments

1. TC260 issued Practice Guideline for Cybersecurity Standards - Safety Certification Specification for Cross-border Processing Activities of Personal Information V2.0 (Draft) for public comments

On November 8, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued Practice Guideline for Cybersecurity Standards - Safety Certification Specification for Cross-border Processing Activities of Personal Information V2.0 (Draft) (the "Guideline") for public comments. Article 38 of the Personal Information Protection Law stipulates that personal information can be provided to foreign countries through personal information protection certification, and the Guideline is of great value in guiding personal information processors to regulate cross-border data processing activities.

2. CAC issued Notice on Implementation of Personal Information Protection Certification

On November 18, the State Administration of Market Regulation and the Cyberspace Administration of China (CAC) issued the Notice on the Implementation of Personal Information Protection Certification (the “Notice”). In the Notice, the CAC encourages personal information processors to improve their personal information protection capabilities through certification and issued the Rules for the Implementation of Personal Information Protection Certification (the "Rules"). Certification organisations engaged in the certification of personal information protection need to be approved to carry out relevant certification activities in accordance with the Rules.

3. TC260 issued National Standard of Information Security Technology - Network Security Service Capability Requirements for public comments

On November 9, the National Information Security Standardization Technical Committee (TC260) issued National Standard of Information Security Technology - Network Security Service Capability Requirements (the "Standard") for public comments. In addition to setting specific requirements for network security service providers, the Standard is applicable to guiding network security service providers in building network security service capacity as well as evaluating their level of capability. As a reference document, the Standard can also be used by government agencies and operators of critical information infrastructure when selecting a provider of network security services.

4. Ministry of Industry and Information Technology issued Opinions on Promoting Standardized and Healthy Development of Cybersecurity Insurance (Draft) for public comments

On November 7, the Ministry of Industry and Information Technology, in conjunction with the China Banking and Insurance Regulatory Commission, issued Opinions on Promoting the Standardized and Healthy Development of Cybersecurity Insurance (Draft) (the "Opinions") for public comments. Cybersecurity insurance is a new form of insurance that covers cybersecurity risks. It has become a valuable tool for transferring and preventing cybersecurity risks, and for helping enterprises better manage cybersecurity risks.

5. TC260 issued National Standard of Information Security Technology - Framework for Critical Information Infrastructure Cybersecurity Response System for public comments

On November 17, the National Information Security Standardization Technical Committee (TC260) issued the National Standard of Information Security Technology - Framework for Critical Information Infrastructure Cybersecurity Response System (the "Standard") for public comments. The Standard provides the framework for critical information infrastructure cybersecurity emergency response system, which is applicable to critical information infrastructure operators to establish a sound cybersecurity emergency response system and carry out cybersecurity emergency response activities and can also be used as a reference for other parties involved in the protection of critical information infrastructure security.

6. CAC issued Notice on Effectively Strengthening Governance of Cyber Violence

On November 2, the State Administration of Market Regulation and the Cyberspace Administration of China (CAC) issued the Notice on Effectively Strengthening the Governance of Cyber Violence (the "Notice") to effectively improve net violence governance and further implement the responsibilities of website platforms. The Notice states that the local cyberspace administration shall establish and improve the early warning and prevention mechanism of net violence, strengthen the protection of net violence victims, strictly prevent the dissemination of net violence information, and enforce punishments in accordance with the law.

7. CSRC issues 7 financial industry standards including Guidelines on Data Security Management and Protection for Securities and Futures Industry

On November 14, the China Securities Regulatory Commission (CSRC) issued and published seven recommended standards for the financial industry, which shall come into effect from the date of publication, including (1) the Internal Interface of Securities and Futures Industry Institutions - Securities Trading, (2) the Core Terms for Securities Industry Registration and Settlement, (3) the Guidelines for Data Security Management and Protection in Securities and Futures Industry, (4) the Guidelines for Continuity Management of Information Technology Services in Securities and Futures Industry, (5) the Over-the-counter Common Transmission Interface, (6) the Specifications for Customer Information Exchange of Securities Companies, and (7) the Investor Appropriateness Management of Securities Operation Institutions - Investor Assessment Data Requirements.

8. Standing Committee of Beijing Municipal People’s Congress issued Regulations on Promotion of Digital Economy in Beijing

On November 25, the 45th meeting of the Standing Committee of the 15th Beijing Municipal People's Congress adopted the Regulations on the Promotion of Digital Economy in Beijing (the "Regulations"). The Regulations aim to strengthen the development of Beijing's digital infrastructure, cultivate data element markets, promote digital industrialization and industrial digitization, improve digital economy governance, promote digital economy development, and establish Beijing as a benchmark city for the digital economy in the world. The Regulations will come into effect on January 1, 2023.

9. Standing Committee of Henan Province People’s Congress issued Henan Province Network Security Regulations

On November 26, the 36th meeting of the Standing Committee of the 13th Henan Province People’s Congress adopted the Henan Province Network Security Regulations (the "Regulations"). The Regulations are applicable to the construction, protection and supervision of network security, as well as to network use, network data processing and other activities in Henan Province. The Regulations specify the security protection obligations of important information system operators, network data processors, network operators, personal information processors and other organisations, and as well as their corresponding legal responsibilities. The Regulations will come into force on June 1, 2023.

Enforcement Developments

1. Liaoning Banking and Insurance Regulatory Commission: Panjin Bank was fined 1.4 million yuan for sensitive data leakage risk

On October 28, the Liaoning Banking and Insurance Regulatory Commission fined Panjin Bank RMB 1.4 million in accordance with Article 46 of the Banking Supervision and Administration Law of the People's Republic of China for "seriously failing to comply with regulatory requirements, exposing sensitive data information to leakage, failing to take responsibility for outsourcing management, and concealing information system emergencies". The administrative penalty amounted to RMB 1.4 million.

2. CAC released a number of illegal apps that violated personal information rights and interests

On November 3, the Cyberspace Administration of China (CAC) released a list of 135 illegal and unlawful apps, including "Chaofan Cleaning Housekeeper", in accordance with the Personal Information Protection Law and the Method for Identifying the Illegal Collection and Use of Personal Information by Apps. Among the 135 apps, 55 were taken down for asking for non-essential permissions, sharing precise location information with third parties without individual consent, lack of privacy policies, and collecting and uploading users’ address books in excess of the scope. The other 80 apps were ordered to complete the rectification within one month, and those that failed to complete the rectification within the timeframe would be removed.

3. Prosecution authorities have handled 8,361 public interest litigation cases relating to personal information protection since 2019

In November, the Supreme People's Procuratorate released data showing that since 2019, a total of 8,361 public interest litigation cases in the field of personal information protection have been handled by national prosecutorial authorities, indicating a year-on-year growth trend. In accordance with the public interest litigation provisions of the Personal Information Protection Law, the Supreme People's Procuratorate has issued the Notice on Implementing the Personal Information Protection Law and Promoting Public Interest Litigation on Personal Information Protection, and the Notice on Strengthening the Collaboration between Criminal Prosecution and Public Interest Litigation Prosecution to Combat Telecommunication Network Crimes and Strengthen Judicial Protection of Personal Information, which focus on the use of the public interest litigation system to crack down on personal information infringement that seriously damages public interest.

4. Hainan Cyberspace Administration banned 23 apps for illegal collection of personal information

On November 23, the Cyberspace Administration of Hainan Province has reported 23 applications that violated the Mobile Internet Application Information Service Management Regulations and ordered the relevant operators to rectify the problems within a set timeframe.

5. Beijing Communications Administration reported 22 problematic apps

On November 24, the Beijing Communications Administration reported 20 apps with problems such as infringement of users' rights and security risks and ordered all the app operators to fully rectify these issues. The authority also removed 2 apps that had not been rectified within the set timeframe. In accordance with the Ministry of Industry and Information Technology's Notice on the Special Rectification Action to Crack Down on APP Infringement of Users' Rights and Interests, the Beijing Communications Administration has continued to carry out special rectification activities for app privacy compliance and network data security.

Industry Developments

1. Guangdong Cyberspace Administration opened a data exit security assessment declaration channel

On November 1, in order to standardize and conduct security assessment declaration for cross-border data transfer in the province, the Cyberspace Administration of Guangdong Province officially opened up the declaration channel, published the scope of application, mode, process, materials list, and consultation telephone on its official website, and began to receive the declaration materials submitted by the province's data processors.

2. Shanghai Cyberspace Administration issued Q&As on cross-border data transfer security assessment declaration

On November 3, the Cyberspace Administration of Shanghai released the first batch of answers to the questions it has been frequently asked. The questions include (1) the method to declare cross-border data transfer security assessment and to submit declaration materials, (2) the requirements for sending materials by courier, (3) the method to consult on security assessment declaration, (4) the requirements of declaration materials and for declaration handlers, (5) whether there is a designated third-party organization that can assist data processors, (6) the completeness check work cycle of provincial Internet information departments, (7) whether the processor is notified in writing, (8) whether there is a limit on the number of times to resubmit the declaration after the declared materials are returned, etc.

3. Zhejiang Cyberspace Administration issued Q&As on cross-border data transfer security assessment declaration

On November 22, the Cyberspace Administration of Zhejiang Province released answers to the questions it has been frequently asked. The questions include (1) the method to declare cross-border data transfer security assessment, (2) how to submit the declaration materials and to consult on the declaration of security assessment, (3) the requirements of the declaration materials and for the declaration handlers, (4) whether there is a designated third-party organization can assist data processors, (5) the completeness check work cycle of the provincial network information department, (6) whether there is a limit on the number of times to submit a declaration, (7) the scope of personal information and important data, (8) the type of outbound behaviour, (9) data localization requirements, (10) whether the outbound activities completed before September 1 need to be declared, etc.

4. TC260 released White Book on Standardization of Data Element Circulation

On November 25, the Working Group on Big Data Standards of the National Information Security Standardization Technical Committee (TC260) released the White Book on Standardization of Data Element Circulation (2022) (the “White Book”). The White Book examines the general framework of the data element circulation process including relevant policies and regulations. It comments on the current situation and the development trend, the standard system and other development status, and provides suggestions for standardizing the circulation of data elements.

5. Local cyberspace administrations to conduct 2022 annual automotive data security management reporting

In November, the cyberspace administrations in Beijing, Shanghai, Zhejiang, and Shandong have issued notices to conduct the 2022 annual automotive data security management reporting. According to the notices, automobile manufacturers, parts and software suppliers, dealers, maintenance and transportation service providers, and other automotive data processors shall submit a report on their management of automotive data security for 2022 by December 15, 2022. For these purposes a template has been provided. It varies from place to place how reports should be submitted.

6. State Post Bureau issued Notice on Effectively Strengthening Promotion and Application of Encrypted Labels for Mails and Couriers

In November, the State Post Bureau issued the Notice on Effectively Strengthening the Promotion and Application of Encrypted Labels for Mails and Couriers (the "Notice"). The Notice points out that enterprises should use encrypted labels and other user information de-identification technologies in accordance with the standard requirements such as the Express Electronic Waybill and the Requirements for the Protection of Personal Information of Mail Users and Regulations for the Administration of Personal Information Security of Users of Mailing Services. Failure to do so could result in law enforcement inspections, an order for correction, or regulatory interviews.