In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on three areas: regulatory developments, enforcement developments, and industry developments.
On 23 August 2019, the Cyberspace Administration of China issued its new Regulation on Protection of Children's Personal Information Online, which will come into force on 1 October 2019. The regulation defines children as minors under 14 and requires network operators, among other things, (i) to obtain consents from children's guardians when collecting, using, transferring and disclosing children's information; (ii) to set tailored personal information protection rules and user agreements for children; and (iii) to designate a member of staff responsible for the protection of children's personal information.
On 1 August 2019, a new regulation on the protection of big data was approved by the Standing Committee of People's Congress of Guizhou Province. The new regulation provides rules on big data covering aspects including security liabilities, supervision, support and protection and legal liabilities. It will come into force on 1 October 2019.
On 21 August 2019, the 2019 list of proposed national standards on cyber security was issued by the National Information Security Standardization Technical Committee. The list sets out proposals for new standards to be developed on information security technology in areas including: (i) requirements for in-car internet devices; (ii) methods for identifying the boundaries of critical information infrastructure; and (iii) specifications for data security management certification. The list also proposes amending various information security technology standards including the handbook on security of cloud computing services. It also sets out certain standards earmarked for further study including research on a standards system for data security and specifications for identifying important data.
On 9 August 2019, the Cyberspace Administration of China clarified the security assessment requirements for blockchain information service providers. It clarifies that corporations have two ways to conduct the security assessment. The first is to entrust an evaluation agency accredited by the Certification and Accreditation Administration of China to conduct the security assessment. The second is to conduct a self-assessment of the security risk on the blockchain information service, and submit the self-assessment report through the National Cyber Security Management Service Platform (www.beian.gov.cn) in accordance with relevant regulatory requirements. This provides blockchain information service providers with welcome clarification as to the meaning of Article 9 of the Management Measures on the Blockchain Information Service, which provides that "if the blockchain information service provider develops and supplies new products, new applications or new functions, it shall report to the provincial internet information offices for security assessment in accordance with relevant regulations".
On 8 August 2019, the National Information Security Standardization Technical Committee issued a draft specification on on the collection of personal information by applications for public consultation. Annex A to the specification standard lists the minimum information to be collected by 21 widely-used applications including those for online taxi and online pay. Annex B lists the minimum authorisation requirements for these applications.
On 14 August 2019, the National Information Security Standardization Technical Committee released for public consultation a revised draft of a new national standard for key network equipment and cyber security products. The first draft was consulted on in May 2019.
On 28 August 2019, new guidelines on strengthening the security of industrial networks were jointly released by the Ministry of Industry and Information Technology and nine other government departments. The guidelines set two goals: (i) by the end of 2020, the security system framework for industrial networks will be established; and (ii) by the end of 2025, there will be fully-fledged institutional mechanisms, significantly improved technologies and scaled security industries. A complete and reliable security system for industrial networks will be established.
In terms of institutional mechanisms (a) the security management systems for industrial networks, including a supervision and inspection mechanism, an information sharing and notification mechanism, and an emergency response mechanism, will be established; (b) a mechanism for allocating responsibilities and liabilities will be established; (c) at least 20 urgently needed security standards for industrial networks will be formulated, including standards for equipment, platforms and data; and (d) a security assessment system for industrial networks will be designed and established.
In terms of technical means, initially the support platform for the security technology of national industrial networks, the basic resources databases and the security test verification environment will be established. In terms of industrial development, in the key areas including automotive, electronic information, aerospace and energy, at least twenty pilot projects will be formed for innovative and practical safety products and solutions. A number of industrial networks security companies with core competitiveness will also be fostered.
On 12 August 2019, the Shanghai Municipal Government issued management measures for a pilot free trade zone in the Lingang Special Area of China (Shanghai). The regulations provide that the Lingang FTZ will focus on key areas such as integrated circuits, artificial intelligence, biomedicine and the headquarters economy. It will also pilot data security assessments for cross-border flows, data protection capability certification, data circulation backup reviews, cross-border data circulation, transaction risk assessments and other data security management mechanisms.
On 22 August 2019, the chapter in the Civil Code on personality rights was submitted for its third reading in the National People's Congress. The draft chapter fosters protection of the right to privacy and personal information. It revises the definition of privacy to the following: "the private space, activities and information that individuals are reluctant to disclose to others". Protection of personal email addresses and location data have also been added to the draft chapter. In addition, a new clause has been added to extend the scope of the chapter to the processing of personal information (which includes using, refining, transferring, providing and publication activities).
On 1 August 2019, the National Development and Reform Commission consulted on implementation measures to manage information security failures by companies in the transport and logistics industries. The measures seek to blacklist delivery companies for personal information security failures and penalise them according to the existing joint industry memorandum of understanding.
Under the new measures, delivery companies will be blacklisted for the following where significant harm is caused to personal information security: (i) collecting and using personal information against relevant laws, regulations and agreements; (ii) leaking, tampering and destroying personal information collected; or (iii) providing personal information to a third party without consent from the personal information subject.
On 16 August 2019, the Ministry of Water Resources issued new measures to manage cyber security risks in the water resources industry. The measures address issues identified during a cyber-security attack simulation earlier this year. The measures are oriented around problems and cover areas including planning and construction of cyber security, internet operation security, emergency response protocols, supervision and liability. The measures provide targeted and effective solutions for the issues found during the simulation, 41.5% of which were caused by failures to simultaneously implement appropriate cyber-security measures at the planning and construction phase. The other 58.5% of the issues were due to insufficient management at the operation phase.
On 2 August 2019, police in Nanjing City announced that a provincial government official had been arrested for infringing personal information. The investigation alleges that the deputy director of the Information Office of the Provincial Administration for Market Regulation had used his position to download and sell detailed personal information of legal representatives of companies, and together with two accomplices had made a profit of RMB300,000.
On 29 August 2019, the internet security office of Jiangsu province reported that it has dealt with 4,774 administrative cases. Of these, it has publicly rectified 56 high-profile issues, issued warnings to 4,387 individuals or entities, issued fines of RMB2.23 million, confiscated RMB60,000 in illegal profit, arrested 136 individuals, suspended 105 illegal network operations, and closed or terminated more than 900 applications. The fifth batch of typical cases it has reported mainly involved activities including illegally obtaining personal information, collecting personal information beyond the range of consent, failing to patch system security vulnerabilities and spreading illegal information.
A middle school in Nantong City, Jiangsu Province has been fined RMB30,000, and the person directly responsible was fined RMB10,000, for the failing to perform their legal obligations to ensure internet security in violation of Article 21 of the Cyber Security Law. In July 2019, the Nantong police found the school’s website had been hacked and pornographic information was uploaded to the website.
On 9 August 2019, the China Academy of Information and Communications Technology issued a White Paper on artificial intelligence data security. Starting from the concept of data security of artificial intelligence, the White Paper proposes a framework for data security of artificial intelligence for the first time. Based on an analysis of the security risk and the application of artificial intelligence data, the White Paper summarises the current status at home and abroad, and makes recommendations on the issues in China.
On 30 August 2019, the China Internet Network Information Center issued its latest statistical report on the internet development in China. The report analyses China’s internet development in the first half of 2019 in different areas including the construction of internet infrastructure, the size and structure of internet users, the development of internet applications and internet applications for governmental use and cyber security. The report shows that 55.6% of internet users have not encountered cyber security issues during the first half of 2019, an increase of 6.4% compared to the corresponding period last year. The report also notes that during the first half of 2019, the National Computer Network Emergency Response Technical Team detected and removed 40,000 non-compliant Chinese websites including 222 government websites, and helped to deal with around 49,000 cyber security incidents, representing a year-on-year reduction of 7.7%.
On 19 August 2019, the China Academy of Information and Communications Technology issued a White Paper on the security and compliance of SDK. The White Paper focuses on third-party SDK and analyses the types and markets of certain widely-used third-party SDK. The White Paper also analyses the major security issues existing in third-party SDK and the compliance issues that emerge when third-party SDK providers cooperate with application developers. Through research into the practices in the EU and US, the White Paper provides tailored recommendations on the issues from China’s perspective in various respects including regulation, corporate responsibility, technical standards and industry disciplines.
On 13 August 2019, the National Computer Network Emergency Response Technical Team unveiled its report on China’s Cyber Security in the first half of 2019. The report gives an overview on the cyber security status of China’s internet covering numerous issues including malware, risk of bugs, mobile internet security, website security, cloud platform security, industrial system security and internet finance security. The report shows that, compared to the same period last year, the number of (i) general purpose [“zero-day” vulnerabilities; (ii) incident-type vulnerabilities reported in key information infrastructures; (iii) tampering incidents; (iv) implanted backdoors and (v) counterfeit websites in China increased, while other types of monitored activities reduced or remained unchanged. The report also suggests that personal information and important data are exposed to a high risk of leakage. Numerous vulnerabilities pose significant security risks to China’s cyber security with DDoS attacks targeted at key websites and targeted attacks using phishing emails frequently occurring.
On 29 August 2019, the Internet Society of China (ISC) issued its 2019 list of standards requiring them to be drafted and submitted for approval before 31 October 2019. The list includes standards for prevention of harmful online content from minors, cybersecurity-related AI data labelling, etc.