This e-bulletin summarises the latest developments in cybersecurity and data protection in China. We will focus on four areas: regulatory, enforcement, industry and international developments.
The Data Security Law starts its formal journey through the legislative process as the first law dedicated to data security in China. If enacted, it will have a profound impact on data security practices in China as well as on those foreign organisations and persons processing data from China. The deadline for submitting comments is 16 August 2020. Given its importance, we encourage entities to submit comments on the law through the online portal and keep abreast of developments.
On 3 July 2020, the Standing Committee of the National People’s Congress of China released a consultation draft of the data security law. The draft includes seven chapters, covering general provisions, data security and development, the data security system, data security protection obligations, the security and openness of government data, legal liability and supplementary provisions. The draft law seeks to establish a regime for data security, including data management by way of data classification, risk assessments and emergency planning, with an early warning mechanism. The draft law also clarifies the responsibilities of organisations and individuals to comply with data security and protection requirements. It emphasises the need to safeguard data security, balanced with measures to support the promotion and development of data security. Lastly, the draft law sets out institutional measures to safeguard the security of, and promote the openness of, government data.
On 12 June 2020, the People’s Government of Zhejiang Province issued interim measures in relation to opening up access to, and the security of, public data in the province. This is the first piece of provincial legislation on this issue. The measures cover opening public access to data, how the data can be used and the security requirements. The measures also cover supervision of the regime and liabilities for breaches.
On 3 June 2020, the People’s Government of Hubei Province issued regulations which protect the personal information of staff, students and their parents or guardians as part of school safety. The regulations, the first of their kind in China, require schools to strengthen the protection of personal information collected in the course of daily management and teaching activities. In particular, personal information must not be illegally provided or sold to others.
On 29 June 2020, the Cyberspace Administration of China reported that following the regulations on online content coming into effect, most website and platform operators had carried out self-assessments and had taken rectification action to comply with the regulations. The campaign has brought noticeable improvements. To address common issues, website and platform operators removed 330 million messages with pornographic, vulgar or fraudulent content, and blocked over 3.675 million illegal accounts. For example, Tencent carried out a campaign to address illegal information including malicious marketing, pornography, violent content and online rumours. It intercepted 2.625 million articles involving malicious marketing and suspended 2,842 accounts.
On 2 June 2020, the Hangzhou Internet Court published its judgment on an unfair competition case between Tencent and two technology companies. The two defendant companies were ordered to cease their illegal conduct and compensate Tencent with damages and reasonable expenses of around RMB 2.6 million. This case is the first unfair competition case to recognise WeChat’s data ownership. The judgment determined that internet platforms can enjoy different kinds of interests over users’ information controlled by them, and also clarified the extent of the platforms’ rights and interests over the data.
On 19 June 2020, the Jiangsu Jiangnan Rural Commercial Bank was fined RMB 300,000 by the Jiangsu bureau of insurance and banking regulation under Article 46(5) of the banking supervision law for serious inadequacies in cybersecurity protection measures.
On 5 June 2020, the Cyberspace Administration of China (together with the National Office Against Pornography and Illegal Publications, the Supreme Court, the Ministry of Industry and Information Technology of China, the Ministry of Public Security, the Ministry of Culture and Tourism, the State Administration for Market Regulation and the State Administration of Press, Publication, Radio, Film and Television) launched a six-month campaign to regulate the live webcasting industry. These departments will research and develop rules and regulations to promote the robust development of the industry, and explore the feasibility of classifying and categorising live webcasting. Other responsibilities include establishing an evaluation system for webcasting hosts, cracking down on illegal live webcasting and holding relevant live webcasting platforms accountable to encourage more positive content online.
On 23 June 2020, local cyberspace administration offices and other relevant departments inspected the content on 31 major live streaming platforms. The investigation found vulgar content and content with other issues on Huya TV and nine other live streaming platforms. The platforms were required to meet with the regulators and were penalised depending on the extent of violations. Penalties included stopping updates to the main channel, suspending new users’ registration, ordering rectification action within certain time limits, and holding the relevant responsible persons liable.
On 25 June 2020, the Beijing cyberspace administration office ordered Sina Weibo to ban the posting of a video by the Beijing News, which was reported to be misleading, interpreting content out of context and creating confusion in addressing the COVID-19 situation. The video was said to have disrupted the orderly dissemination of online content, adversely impacting social order.
On 10 June 2020, the Ministry of Industry and Information Technology of China announced that it had conducted an investigation into mobile apps’ infringement of users’ rights in accordance with the cybersecurity law, telecommunication regulations, and regulations on the protection of personal information in telecommunications. The Ministry highlighted that the investigation was in response to recent China Central Television news which exposed the issue. The relevant app operators were required to rectify the problems before 17 June 2020 or face relevant penalties under the applicable regulations.
On 11 June 2020, the Jiangyin local office of the State Administration for Market Regulation investigated a case concerning illegal collection of personal information involving more than 140,000 data items. An educational institution providing private cultural training mainly for primary and secondary school students had obtained their personal information through unidentified channels in 97 different schools in the city. The institution had breached consumer protection law and was fined RMB 300,000.
On 5 June 2020, the China Council for the Promotion of International Trade commenced a public consultation on a draft management guide for online retail platforms. The guide sets out the compliance requirements for data management by retail platforms. It clarifies the principles for collecting consumer information, requiring consumers to be informed of the purpose, manner, scope, process and use of the data collected, and the measures to preserve confidentiality. The guide also regulates the collection, storage, use, transfer and destruction of consumer information, as well as the disclosure of policies addressing consumer privacy. Other aspects in the guide include the mechanisms for reviewing information use, management of computer information systems, and training procedures for technicians to ensure the security of consumer information.
On 19 June 2020, it was reported that the web tracking data of BlueKai had leaked due to one of its servers being left unsecured and without a password, resulting in billions of records becoming accessible. The exposed information includes names, home addresses, email addresses and other identifiable user data. The data also revealed sensitive information about users’ web browsing activities – from purchases to newsletter subscriptions. Given the volume of data on the server, this is one of the largest cybersecurity incidents of 2020. BlueKai has not disclosed whether it has issued a warning to the US or international regulators regarding the incident.
On 1 June 2020, the Dubai International Financial Centre (DIFC) data protection law No. 5 of 2020 (DIFC Law No. 5 of 2020) was enacted, which came into effect on 1 July 2020. The law provides a framework that will help DIFC to obtain recognition from the European Commission, the United Kingdom and other jurisdictions, easing the data transmission compliance requirements for DIFC businesses.
On 10 June 2020, Kohl’s Department Stores, Inc. agreed to pay a civil penalty of US$220,000 to settle the Federal Trade Commission’s allegations that the Wisconsin-based retailer violated the Fair Credit Reporting Act by refusing to provide complete records of transactions to consumers whose personal information was used by identity thieves. In addition to the civil penalty, Kohl’s is required to provide the identity theft victims with access to business transaction records related to the theft within 30 days. The company must also post a notice on its website informing identity theft victims about how to obtain records related to identity theft, and certify that it has reached out to victims who were unlawfully denied access to such records in the past.