In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on four areas: regulatory developments, enforcement developments, industry developments and international developments.
On 20 November 2019, the Cyberspace Administration of China issued for public consultation regulations to restrict the publication of information on cybersecurity threats. The draft regulations require research institutions, network security vendors, individual researchers and information publishing platform operators to comply with specified rules before publishing cybersecurity information which may threaten the normal operation of a network (such as those related to computer viruses, cyberattacks and network intrusions and cybersecurity incidents) and may expose a network’s vulnerability (including system vulnerabilities). The draft regulations cover the publication’s content, as well as other matters such as the publishing process and method.
On 11 November 2019, China’s Ministry of Education issued new rules which require all existing mobile educational applications to register and file relevant records between 1 December 2019 and 31 January 2020. The registration and filing requirements apply to both providers and institutional users of mobile educational applications. The filing requirements for providers follow the principles of “uniform national standards, separate implementation by provinces and territories.” Institutional users must file for the record with the competent education administration with which they are affiliated. Providers are first required to complete an Internet Information Services filing and a network security multi-level protection rating filing before completing the registration under these new rules. Users are required to submit information on mobile educational applications which are self-developed and self-selected and those that are required by higher authorities.
On 25 October 2019, the General Administration of Press and Publication issued new rules aimed at preventing minors from becoming addicted to online games. The rules contain six key measures which: (i) implement a real-name registration system for online game accounts, requiring all online game users to use valid identity information for game account registration; (ii) strictly control the duration of online game usage by minors; (iii) regulate the provision of paid services to minors; (iv) effectively strengthen industry supervision; (v) explore and implement a system for classifying games by appropriate ages; and (vi) strengthen guidance for minors. Where online game companies fail to comply with the new rules, local departments may order compliance within a time limit. If the breach is serious, the companies will be subject to the penalties contained in the laws and regulations, which could include revocation of operating licences.
On 18 November 2019, China issued new regulations covering online audio and video information services (defined as being services for the production, distribution and dissemination of audio and video information to the public through online platforms such as websites and applications). The regulations, which were issued jointly by the State Internet Information Office, the Ministry of Culture and Tourism and the National Radio and Television Administration, will come into effect on 1 January 2020. The regulations stipulate the cyber security and content security obligations of online audio and video service providers. The regulations also require providers to obtain relevant qualifications as required by law and establish and improve systems for user registration, information release review and information security management.
Organisations and individuals are prohibited from using online audio and video information services and related information technologies to engage in illegal activities or activities that infringe on the legitimate rights and interests of others. Providers whose online audio and video information services have media attributes or social mobilisation functions (or related functions) are required to conduct security assessments.
Providers who use new technologies and applications based on deep learning, virtual reality or similar technologies to produce, release or disseminate audio and video information which is not real must prominently identify the information as such. Providers are required to use technology to identify illegal and non-authentic audio and video content and to establish and improve their mechanisms for eliminating rumours.
On 6 November 2019, the National Internet Finance Association of China issued a notice to its members reporting that the national regulatory authorities had discovered that certain internet institutions had been collecting personal information in the name of “big data” in alleged violation of the laws and regulations.
The notice also sets out requirements for members to enhance awareness of the personal information protection requirements when carrying out business. The notice requires that all members must:
conduct activities such as collecting, processing, using and providing personal information in compliance with laws and regulations, and continuously strengthen the protection of personal information;
not collect, process, use or provide consumer personal information without consent;
establish and improve the personal information protection system for the entire life cycle of collection, processing, use and external provision; take effective technical measures to ensure the security of personal information; strengthen the education and training of employees; and strengthen supervision and management of the collection and use of personal information;
conduct self-inspection on personal information protection in a timely manner, conduct investigations on data partners, and immediately rectify any existing problems, and report the situation to the Association; and
fulfil their consumer education obligations and strengthen risk warnings to consumers.
On 26 November 2019, new regulations governing the management of the credit rating industry were issued, which will come into effect on 26 December 2019. The new regulations require credit rating agencies to establish a confidentiality system for credit rating business information. Credit rating agencies and their employees are required to comply with the laws on state secrets, business secrets and personal privacy in respect of information obtained while carrying out the credit rating business and processing the credit rating database system. Information collected by credit rating agencies in China must be collated, kept and processed in China. When credit rating agencies provide information to overseas organisations or individuals, they are required to comply with the laws and regulations and with the rules of the credit rating industry authorities and business management departments. The regulations were jointly issued by the People’s Bank of China, the National Development and Reform Commission, the Ministry of Finance and the China Securities Regulatory Commission.
On 19 November 2019, the Ministry of Education issued a special governance action plan covering educational mobile internet applications for management service in colleges and universities. The governance actions are targeted at mobile apps for management services that serve education and teaching at colleges and universities and the work and lives of teachers and students (including educational mobile apps that are independently developed or selected by the school and those required by higher authorities). According to the action plan, universities and colleges must strictly control the number of apps and organise ethics and security demonstrations for apps that collect personal biometric information such as faces. Apps that have not been updated for more than half a year are required to be shut down.
The Ministry of Public Security has released details of the typical cases uncovered by the Safe Net 2019 special action initiative, which has been underway since January this year. Illegal acts uncovered by the special action mainly include the use of the “dark web” for criminal activity, loan fraud, the illegal production, sale and use of pinhole cameras, and the illegal sale of psychotropic drugs online.
The State Administration for Market Regulation has reported details of typical cases involving violations of consumers’ personal information arising from its special law enforcement actions. The illegal acts discovered included real estate companies leaking and selling property owners’ personal information, consumers being sent commercial information without their consent, the use of blank phone cards to illegally collect personal information, and training centres illegally collecting information on students’ parents.
The National Computer Virus Emergency Response Center recently launched a rectification operation targeted at e-commerce platforms. It found that a number of e-commerce platform apps had privacy non-compliance behaviours, had violated the Cyber Security Law or were suspected of collecting personal privacy information beyond the legal scope. Illegal acts identified include apps: (i) collecting personal privacy information without the user’s consent; and (ii) not expressly indicating to users all of the required privacy rights.
Police in Huai’an, Jiangsu are pursuing action against seven companies suspected of violating individuals’ personal information, allegedly involving the personal information of more than 100 million citizens. Among them, Kaola Credit Service Co., Ltd., a subsidiary of Lakala Payment Co., Ltd., is suspected of illegally providing ID card information for access by third parties more than 98 million times, making a 38 million yuan profit. Kaola illegally cached citizens’ personal identity information for third-party companies to query for profit. This resulted in the mass leak of personal identity information and ID photos. The police have arrested more than 20 people, including the legal representative, chairman, sales and technology personnel of Kaola Credit Service Co., Ltd.
On 31 October 2019, the Ministry of Industry and Information Technology announced a special rectification action targeting apps which infringe the rights and interests of users. The action will focus on the following issues: (i) collecting the personal information of users in violation of the regulations, including privately collecting personal information and collecting personal information beyond the permitted scope; (ii) illegally using personal information, including privately sharing it with third parties and forcing users to use the targeted push function; (iii) unreasonably asking for user permissions, including prohibiting use if permission is not given, asking for permission frequently or requesting permission in excess of that required; and (iv) setting obstacles for user account logout.
On 19 November 2019, the Supreme People’s Court released a special report on judicial big data looking at the characteristics and trends of cybercrime and the typical cases of telecommunication and cyber fraud crimes. The report analyses cases from 2016 to 2018 and is divided into two parts covering an analysis of the general situation and characteristics of firstly cybercrime cases and secondly cyber fraud cases.
The number of cybercrime cases is increasing year on year, with a total of 48,000 cases during the two years, with the largest number of defendants engaged in either information transmission, computer services or software. The proportion of online fraud cases in fraud crime is also increasing year on year. The virtual tools used by the defendants are mainly WeChat, QQ, and Alipay. Nearly 20% of online fraud crimes occur after obtaining individuals’ personal information.
On 27 November 2019, the National Information Security Standardisation Technical Committee launched a new national standard, GB/T 37988-2019 “Information Security Technology, Data Security Capability Maturity Model”. The national standard will be publicly promoted with the aim of improving the data security capabilities of network operators in China. A group of organisations were invited to verify the operability and applicability of the national standard, including organisations with a large amount of data, those with typical data application scenarios and those with distinctive industry characteristics.
On 21 November 2019, the International Council For Commercial Arbitration issued a detailed guide on cybersecurity measures when handling international arbitrations. The protocol has two main purposes: one is to provide a framework for information security measures for individual arbitration matters; the other is to raise people’s awareness of information security in international arbitration. According to the protocol, specific information security measures to be applied in arbitrations should cover the following categories: (i) knowledge and education; (ii) asset management; (iii) access control; (iv) encryption; (v) communication security; (vi) physical and environmental security; (vii) operations security; and (viii) information security incident management.
On 12 November 2019, the European Data Protection Board issued its final guidelines on the extraterritorial application of the General Data Protection Regulation (GDPR), the Guidelines on the Territorial Scope of the GDPR (Article 3). The territorial scope of the GDPR is mainly judged according to the “establishment” standard stipulated in Article 3, Paragraph 1, and the “targeting” standard stipulated in Paragraph 2. According to the Guidelines, the effectiveness of the GDPR depends on the nature of the data processing activity, not on a particular data controller or data processor. The Guidelines further define the specific application of the above two standards and provide practical guidance on whether the data processing behaviour of non-EU entities is subject to the GDPR.
On 13 November 2019, the European Data Protection Board issued the draft Guidelines 4/2019 on Article 25 Data Protection by Design and by Default for public consultation. The Guidelines list key factors to be considered for data protection by design and by default, and provide practical examples for illustration. The Guidelines provide operational guidance for enterprises to carry out data protection by design and by default.