In this bulletin we summarise recent developments relating to cybersecurity and data protection in China. We focus on three areas: regulatory developments, enforcement developments and industry developments.

  • Regulatory developments
  • Enforcement developments
  • Industry developments

Regulatory developments

  1. Proposed revisions to the national standard on personal information security prohibit bundled collection authorisations
     On 1 February 2019, China’s information security standardisation administration proposed draft amendments to the existing recommended national standard on personal information security which came into effect on 1 May 2018. The proposed amendments add new provisions on personalised displays/advertising and third-party access management, as well as new provisions distinguishing basic and extended business information collection. Bundled authorisations to collect information are to be prohibited, with explicit authorisations required from users for each application. The draft amendments are open for public comment until 3 March 2019.

  2. First blockchain-related regulation sets security protection requirements for information service providers
     On 10 January 2019, the Cyberspace Administration of China published new regulations applying to blockchain information service providers, which came into effect on 15 February 2019. The regulations require blockchain information service providers to be responsible for information security management and to establish and improve management systems such as user registration, information auditing, emergency response and security protection. New products, applications and functions published by blockchain service providers must also be reported to the competent cyberspace administration and will be subject to a safety assessment.

  3. Social network platform information identification standards published for public comment
     On 1 February 2019, China’s information security standardisation administration issued draft standards on social network platform information identification for public comment. The standards provide guidance on managing information identification for social network platforms. Under the proposed regime, social network platform operators will be required to formulate strategies for user identity management and information release security management. The proposals also require management processes for information identification generation, usage, storage, transmission and destruction. The deadline for public comment is 18 March 2019.

  4. The second draft of the tort liability chapter of the civil code published for public consultation
     On 4 January 2019, a second draft of the tort liability chapter in China’s civil code was published for public comment. This proposes tortious liability for internet infringement error notifications. Article 970, paragraph 4 of the draft provides for the person who makes an error notification to be liable if it causes damage to the internet user or the internet service provider.

  5. Special governance measures introduced on illegal collection and use of personal information by applications
     On 23 January 2019, four government departments jointly announced the launch of special governance measures to tackle the illegal collection and use of personal information by applications. The special governance measures will apply nationwide until December 2019. Application operators are required to take effective measures to strengthen personal information protection, and the relevant authorities are required to strengthen supervision and enforcement against the illegal collection and use of personal information.

  6. Special action underway to clear harmful information from the network
     On 3 January 2019, China’s Cyberspace Administration launched a special action targeting network ecology governance, to remove harmful information from the network. The special action targets twelve categories of negative and harmful information, such as pornography, violent content, and internet rumours, found on various websites and mobile applications. As of 21 January 2019, more than 7.097 million items had been cleaned up. The special action will continue for six months.

  7. The Ministry of Public Security issues rules for evidence collection of electronic data in criminal cases
     On 2 January 2019, the Ministry of Public Security issued new rules for public security authorities in relation to the collection of electronic data as evidence in criminal cases. The rules are split into five sections covering (i) general rules, (ii) rules on the collection and extraction of electronic data, (iii) inspection and investigation of electronic data, (iv) inspection of electronic data by commissioned parties, and (v) identification of electronic data. The Rules came into force on 1 February 2019.

  8. 54 telecommunications industry standards submitted for approval
     On 25 January 2019, the Ministry of Industry and Information Technology published 54 telecommunications industry standards for public comment prior to formal adoption. The standards cover areas such as Internet Access Log Retention Testing Method Part 1: Internet Service Provider-Cable. The deadline for public comments is 5 March 2019.

  9. Hangzhou publishes security management specification for governmental data sharing
     On 16 January 2019, the Hangzhou data management bureau issued specifications on security management for sharing governmental data. These came into effect on 30 January 2019. The specifications set out security requirements for the collection, transmission, storage, processing, sharing and destruction of data.

Enforcement developments

 

  1. The Ministry of Public Security summarises special actions under “Internet Clearance 2018” and “Internet Clearance 2019”
     On 22 January 2019, the Ministry of Public Security held a teleconference to summarise the special action under “Internet Clearance 2018” and to roll out the special action under “Internet Clearance 2019”. The ministry emphasised the continued crackdown on violations of personal information, hacker attacks and other network crimes to effectively guarantee personal safety and safeguard personal property.

  2. Cyberspace Administration interviews social application companies
     The Cyberspace Administration recently interviewed responsible persons at four new social application companies, namely WeChat Version 7.0, Chat Po, Toilet MT and Multi-flash. The companies have been instructed to implement and improve their security procedures and carry out security assessments as required by law.

  3. Cyberspace Administration cleans up over seven thousand non-compliant mobile applications
     Since September 2018, the Cyberspace Administration has been working with other relevant ministries and departments to clean up non-compliant mobile applications. The authorities found malicious charges, information theft, bundled software or other high-risk infringements in 7873 mobile applications, which have been removed or cleaned up. Telecom operators, cloud service providers and domain name management agencies were urged to close down relevant services.

  4. Authorities warn of malware used to steal personal information
     The National Internet Emergency Response Centre recently issued a warning about 134 malware programs which have been used to steal users’ personal information. The malware was found to have secretly uploaded users’ messages and address books to designated mailboxes, received and executed instructions contained in short messages from designated mobile phones, and secretly forwarded new short messages received by users to designated mobile phone numbers while deleting the original messages in users’ inboxes.

  5. Privacy theft and other issues found in ten mobile applications
     The National Computer Virus Emergency Response Centre recently detected ten malicious mobile applications in the mobile application publishing platform, including Bull’s eye and Jewels. The main infringements involved malicious charging, privacy theft, malicious dissemination, fraud, and hooliganism.

  6. Special meeting convened on internet finance and network lending risk regulation
     On 10 January 2019, at a conference on internet finance and network lending risk regulation, leadership working groups met to review progress on rectification work and to agree priorities for 2019. The meeting found that the overall risk level of the network lending industry has declined significantly, but the hidden risks are still relatively complex and the related compliance is still very difficult.

  7. Guangdong publishes a report on its special action against cybercrime
     On 8 January 2019, the Department of Public Security in Guangdong Province released a report on its special action against cybercrime. The report focused on cracking down on network fraud, pornography, gambling and other network dark and grey industries. A total of more than 5,000 cybercrime cases were detected, more than 21,000 suspects were arrested and more than 730 million pieces of personal information were seized.

  8. Beijing police uncover case of internet use to sell user data
     Recently, Beijing authorities found that more than 470 million pieces of user data suspected to have come from the 12306 railway booking website had been sold through the internet. Following an online investigation by the task force, a suspect was successfully identified and arrested. The suspect has been detained on suspicion of infringing personal information and the case is under further investigation.

Industry developments

  1. Convention on collecting and using network data and user personal information
     On 8 January 2019, the Internet Society of China issued a new convention on collecting and using network data and user personal information. As the first signatories, Huawei and other signatory companies announced their accession to the convention, guaranteeing the security of network data and user personal information, effectively protecting users’ legitimate rights and interests, and strictly abiding by relevant national laws, regulations, policies and standards to jointly promote the sustainable, healthy and orderly development of the industry.

  2. White paper on blockchain security published
     In January 2019, the China Academy of Information and Communications Technology released a white paper on blockchain security. The white paper analyses the security of blockchain from a technical framework perspective. It uses statistical data from major security events over the years to analyse the current security situation of the blockchain industry. It also analyses the security risks to the industry and puts forward countermeasures to manage these.

  3. Tencent releases its annual report on information leakage in 2018
     Tencent Security officially released a report on information leakage as the no. 1 threat to enterprise information security in 2018. The report analyses in detail the threat to the company’s internet assets, and discloses four major dark market transactions which erode data security: dark-net information sales, credential stuffing, etc. The report also provides suggestions for companies and individual users to guard against the risks of information leakage.

  4. Tencent Beacon publishes a white paper on anti-advertising fraud in 2018
     In January 2019, Tencent Beacon and Miaozhen Systems jointly released a white paper on anti-advertising fraud in 2018. The white paper points to the overall level of dark industry activity in 2018 being basically the same as in 2017, maintained at about 15%. With the continuous standardisation and upgrading of the internet, retail investors operating in the dark industry have essentially been eliminated, and the trend of collectivisation has become more obvious.