In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on three areas: regulatory developments, enforcement developments, and industry developments.

Regulatory developments

1. Cyberspace Administration of China releases draft regulations to protect children’s personal information

On 31 May 2019, the Cyberspace Administration of China released draft regulations on its website collection of children’s personal information online. The regulations are intended to protect the legal rights of children and create a proper network environment for the healthy development of children. The regulations are open for public comment until 30 June 2019.

2. Cyberspace Administration of China releases draft measures on data security management

On 28 May 2019, the Cyberspace Administration of China issued draft rules on data security management aimed at safeguarding national security and public interests. The proposed new measures apply to data collection, as well as data security protection and supervision and seek to protect the legal rights and interests and safeguard the security of personal information and important data. The Measures for Data Security Management are open for public comment until 28 June 2019.

3. Cyberspace Administration of China releases draft measures setting out network security review procedures

On 21 May 2019, the Cyberspace Administration of China issued draft measures with a view to improving the security and controllability of key information infrastructure and safeguarding national security. The measure set out network security review requirements for key information infrastructure operators focused on preventing network security risks, enhancing transparency and protecting intellectual property rights. The measures are a joint initiative between the Cyberspace Administration of China (CAC) and 11 other government ministries including MIIT, NDRC, PBS, etc. The Measures for Network Security Review are open for public comment until 24 June 2019.

On 13 May 2019, the State Administration for Market Regulation and Standardization Administration of China held a press conference to announce various revisions to the national standards governing network security protection. These included the release of the newly revised Basic Requirements for Cybersecurity Graded Protection of Network Security Technologies, Requirements for Cybersecurity Graded Protection of Information Security Technologies and Security Design Requirements for Cybersecurity Graded Protection of Information Security Technologies. The publication of these key technical standards marks that the regime of technical standards for MLPS has been established, which has removed the technical obstacles for implementing the MLPS.

5. Public consultation underway on guidance to identify unlawful collection and use personal information by applications

On 5 May 2019, the Chinese government’s special governance working group on applications released a circular setting out draft guidance on methods to identify the illegal collection and use by applications of personal information. Targeting problems reported in the application-specific governance process, the guidance clearly defines violations and provides references for application evaluation. The guidance identifies seven situations which would amount to illegal collection and use of personal information by applications. Under each of those, the guidance sets out circumstances that would demonstrate that one of these had occurred. For example, a lack of rules on collection and usage of personal information would amount to illegal conduct. Circumstances demonstrating that include there being no policy on the application or the application requiring more than four clicks to access the policy.

6. Draft measures released on data security management for Tianjin

On 8 May 2019 the Internet Information Office of Tianjin released draft regulations for data security management in the city which were open for public consultation until 15 May 2019. The regulatory measures aim to strengthen data security management, establish a sound system of data security and promote the development and application of big data.

Enforcement developments

1. First case concerning WeChat Plug-in

On 9 May 2019, the first prosecution concerning programs and tools for intrusion and illegal control over computer information systems commenced. It is reported that Prosecutor v Yuan and others is the first case in Jiangxi concerning a WeChat plug-in. The prosecutor is allegeing that Yuan and his employees developed “Charming”, “Original Power”, “Cute Diamond” and “Duolaimi” without the authorisation or consent of Tencent, and by doing so, achieved functions prohibited by WeChat, such as modifying the WeChat location. The chief procurator of the Ganzhou Economic and Technological Development Zone People’s Procuratorate appeared in Court to serve as a prosecutor. The case will be decided at a future date.

2. Jiangsu cyber police investigate first case concerning a pick-up artist website

On 9 May 2019, Jiangsu’s cyber police announced the first case against a person for releasing illegal pick-up artist information. The defendant had been selling illegal pick-up artist tutorials. The relevant websites and online groups have been ordered to close, and all illegal pick-up artist courses have been removed. The defendant was sentenced to five days detention and a fine of 50,000 Yuan. 

3. Xinning cyber police investigate neglect of cybersecurity protection obligations

On 8 May 2019, Xinning’s cyber police investigated a website for its lack of network security protection. The cyber police investigation found illegal information concerning gambling on the website and summoned the legal representative and person in charge of website security to cooperate in the investigation. The investigation found that the website had not established any management rules or operational procedures on cyber security, and had not taken any measures to safeguard security nor taken responsibility for such obligations.

Industry developments

1. Chinese drone manufacturer responds to US warning on information security

On 21 May 2019, the manufacturer of most drones used in US and Canada, Dajiang Innovation, responded to the warning issued by US Department of Homeland Security’s claiming that Chinese-manufactured drones were sending sensitive information to the manufacturer (which could be accessed by the government). Dajiang Innovation responded that all data produced, saved and transferred whilst using its products belonged to the users themselves.

2. Toutiao and TikTok to publish early-warning information

On 10 May 2019, the National Alert Information Release Center announced that it had reached a strategic cooperation arrangement with ByteDance. This will enable over 2,000 Alert Information Release Centers to disseminate content via Toutiao and TikTok, which will accelerate the efficient and accurate publication of early warning information.