In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to give you guidance on, and a comprehensive understanding of these developments. We focus on three areas: regulatory developments, enforcement developments and industry developments.

Regulatory developments 

1. CAC issues provisions to assess security of internet information services

On 15 November 2018, the Cyberspace Administration of China (CAC) and the Ministry of Public Security issued provisions for assessing the security of internet information services, effective from 30 November 2018. The provisions require internet information service providers to conduct security self-assessments in five circumstances including where a service provider puts an information service online or adds a new feature that may have an effect on public opinion or activities.

2. National standards for electronic certificates released

On 16 November 2018, China’s regulators officially released six national standards for electronic certificates which will be implemented from 1 January 2019. The standards cover electronic certificates for (1) metadata specification, (2) API specification for share services, (3) the overall technical framework, (4) file technology requirements, (5) identifier specification and (6) catalogue information specification.

3. Guidelines on internet security of personal information released for public consultation

To implement the cybersecurity law, the Ministry of Public Security has issued draft guidelines on internet security protection of personal information. The guidelines were issued on 30 November 2018 for public consultation. The guidelines cover topics including management mechanisms, technical measures and business processes relating to personal information security protection.

4. Customs offices to be given access to cross border e-commerce payment data

On 8 November 2018, the General Administration of Customs issued an announcement enabling access to payment data in respect of cross border e-commerce platforms effective from 1 January 2019. The announcement requires cross-border e-commerce platforms participating in retail import businesses to provide access to payment data to customs offices for inspection and verification.

5. Pilot work plan for government websites

On 9 November 2018, the State Council released a pilot work plan for government websites. The work plan proposes compiling platform construction standards and sets out the requirements for the classification, format and interface of various information and data on the platform, as well as enhancements to security protection and protection levels.

6. Work plan issued on special action against harassing phone calls

On 2 November 2018, the Ministry of Industry and Information Technology issued a work plan on special action against harassing phone calls. Under the work plan, telecommunications infrastructure enterprises are required to strengthen management of communication resources and subscribers; call centre enterprises are required to standardise call centre businesses; and relevant internet companies are required to remove harassing software.

Enforcement developments 

1. Seven telecommunication companies (including Alibaba Cloud, Tuniu and Ctrip) required to carry out network security rectification measure

On 26 November 2018, the Cybersecurity Administration of the Ministry of Industry and Information Technology announced the results of its on-site inspections of seven telecommunications companies and ordered each of them to carry out rectification measures. The purpose of the inspections was to check the companies’ operations for compliance with relevant laws including the Cybersecurity Law and regulations on network security and on the protection of the personal information of telecommunications and internet users. The seven companies involved were Nanjing Tuniu Technology Co., Ltd., Alibaba Cloud Computing Co., Ltd., Shanghai Dilian Network Technology Co., Ltd., Zhengzhou GAINET Computer Network Technology Co., Ltd., Shanghai Ctrip Commerce Co., Ltd., Wuhan Great Wall Broadband Network Service Co., Ltd., Chengdu Xiwei Digital Technology Co., Ltd. The companies were ordered to rectify the problems discovered during the inspection. 

2. CAC investigates we-media platforms 

On 12 November 2018, CAC interviewed the representatives of Tencent’s WeChat, Sina Weibo and other we-media platforms and raised serious concerns about negligence on the part of management and their failure to take responsibility for their platforms. On 14 November 2018, CAC further interviewed representatives from a total of ten we-media platforms (namely Baidu, Tencent, Sina, Toutiao, Sohu, Netease, UC headlines, Yidianzixun, Phoenix and Zhihu). CAC has made it clear that all we-media platforms are required to bear responsibility for the chaotic situation in the industry.

3. Beijing Communications Administration cleans up and strengthens regulation of internet access services

The Ministry of Industry and Information Technology has specified special action required to clean up and strengthen the regulation of internet access services. To implement this, the Beijing Communications Administration has conducted on-site inspections on more than ten enterprises, including Tencent, Baidu and Dr. Peng. As a result, administrative penalties have been imposed on Baidu for violations of the administrative measures applicable to licensed telecommunication business operators and Baidu has been included in the negative list for operations in the telecoms business.

4. The central bank pursues Bank of China for failings on individual credit information

On 19 November 2018, the Shangluo Branch of the Bank of China faced disciplinary action by the central bank due to its violations of interim measures in respect of databases of individual credit information. The credit management of the branch was not able to meet the requirements in the interim measures relating to risk prevention and control.

5. Shenzhen cyber police takes action against cybersecurity protection failings

From 10 November to 16 November 2018, the Shenzhen Public Security Bureau carried out inspections on a number of entities as part of its responsibilities for internet security supervision and inspection. These inspections resulted in rectification orders for ambertime World University and Shenzhen Huayang Xintong Technology Development Co., Ltd and administrative penalties for the websites hosted by each of Shenzhen Zongheng Information Technology Co., Ltd. and Pacific Business Solutions (China).

6. CAC deletes nearly 10,000 we-media accounts in special action

In conjunction with other relevant departments, CAC has taken special action to clean up and rectify we-media accounts considered by the authorities to promote disorder and chaos. Since 20 October 2018, more than 9800 we-media accounts have been deleted in accordance with the regulations.

7. MIIT report on the quality of telecommunications services

On 6 November 2018, the Ministry of Industry and Information Technology (MIIT) issued a report on the quality of telecommunications services. According to the report, MIIT had conducted random checks on 65 internet services of 62 internet companies. It was found that 12 internet companies (including Suning.com Group Co., Ltd.) had failed to notify users of the rules for collecting and using personal information and the channels for inquiring about and correcting information, and failed to provide account cancellation services. These 12 enterprises are required to implemented rectification measures under MIIT’s supervision.

Industry developments

1. White paper on the protection of personal information of telecoms and internet users

On 28 November 2018, the China Academy of Information and Communications Technology released a white paper on protecting the personal information of telecoms and internet users. The white paper sets out the current situation of personal information protection for Android users which is reported as not optimistic. 95% of the applications implant advertisements or use personal information in a way which is inconsistent with the permissions obtained.

2. Guide on security inspection and evaluation of critical information infrastructure launched under pilot scheme

On 8 November 2018, the National Information Security Standardization Technical Committee launched a guide on security inspection and the evaluation of critical information infrastructure under a pilot program. The pilot program aims to verify the suitability and operability of the contents of the guide and to gain experience in security inspection and evaluation of critical information infrastructure.

3. China Consumers Association finds apps over-collect users’ personal information

On 28 November 2018, the China Consumers Association released a report evaluating the personal information collection and privacy policy of 100 apps in Beijing. According to the report, the permissions listed by 91 out of the 100 apps studied appeared to over-collected personal information. Apps named as having these problems include Industrial and Commercial Bank of China, China Construction Bank, Alipay and NetEase Lottery.

4. “Personal Information Protection in the Big Data Era” forum held in Wuzhen

On 8 November 2018, a sub-forum of the 5th world internet conference was held in Wuzhen focusing on personal information protection in the Big Data era. The forum was hosted by the Supreme People’s Procuratorate of China and was divided into three themes: the responsibility and the role of procuratorate, the application and improvement of criminal and civil laws in the judicial protection of personal information, and the joint responsibility of regulators, internet service providers and relevant practitioners. The purpose of the forum was to exchange opinions, to jointly prevent and combat criminal infringements of personal information, and to create a safe and reliable ecological environment for data.

5. Warning issued about nine illegal mobile apps

The National Computer Virus Emergency Response Centre recently identified nine illegal mobile applications, including ScreenHero and Green Corps, and issued a warning as to their harmful effects. Their main hazards caused by these applications include incurring malicious charges, privacy theft, malicious dissemination, fee consumption and rogue behaviour.