This e-bulletin summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.

Our highlights

In late April, we saw the second reading of the proposed Personal Information Protection Law (PIPL) and Data Security Law (DSL) by the Standing Committee of the National People’s Congress, which marks a step closer to the enactment of these two milestone legislations. We have prepared an e-bulletin on the key changes in the second draft. Please click below link for further reading.

Our views

Key changes in the second draft of Personal Information Protection Law and Data Security Law

Regulatory developments

1. PIPL was released for public consultation

On 29 April 2021, the China National People’s Congress released PIPL for public consultation. The key changes of the Personal Information Protection Law (Second Review Draft) are as follows. The first is the inclusion of an additional legal basis for processing personal data which is if it is “within a reasonable scope in accordance with the provisions of this law”. Next, the revised draft PIPL stipulates that personal information processors shall provide individuals with convenient methods to withdraw their consent and the withdrawal of their consent shall not affect the effectiveness of personal information processing activities that have been carried out before this withdrawal. Further, there are new regulations in relation to the obligations of large Internet platforms for protecting personal information. The draft PIPL also consolidate the provisions in relation to cross-border transfer of personal information which shall be for either business needs or for judicial or law enforcement authorities. In addition, the revised PIPL also includes new provisions on the protection of the personal information of deceased individuals. Finally, the revised PIPL has clarified the burden of proof from the individual to the data processor in civil personal infringement cases

2. DSL was released for public consultation

On 29 April 2021, the China National People’s Congress released the DSL for public consultation. The DSL includes revised regulations that the state will establish a data classification and grading protection system and determine important data catalogues to strengthen the protection of important data. Further, all regions and ministries will decide specific catalogues of important data within their own regions, departments, and related industries and fields in accordance with relevant regulations. Among others, the DSL states that to carry out data processing activities, it is necessary to establish and improve the security management system which is based on a network multi-level protection scheme to aid in the strengthening of data security protection. The export and security management measures of important data collected and generated by critical information infrastructure operators shall be subjected to the Cybersecurity Law. On the other hand, the the export and security management measures of important data collected and generated by other data processors will be formulated by the National Cyberspace Administration of China in conjunction with relevant ministries of the State Council. For cross-border transfers of data, data processors shall only transfer such local data to a foreign judicial and law enforcement body upon approval of the competent authority, failure to obtain approvals shall result in penalties for the data processors.

3. The national standard of Safety Requirements for Collecting Data of Connected Vehicles was released for public consultation

On 28 April 2021, the Secretariat of the National Information Security Standardization Technical Committee released the national standard of Safety Requirements for Collecting Data of Connected Vehicles for public consultation. In terms of data transmission, except for specific data, without the consent of the person whose data is collected, connected vehicles shall not transmit data containing personal information to outside of the vehicle through network or physical interface. Connected vehicles shall not transmit the audio, video, image and other data collected in the car cabin and the data processed by them to the outside of the vehicles through the network or physical interface. In terms of data storage, the vehicle location and trajectory-related data collected by the connected vehicles shall not be stored for more than 7 days in the in-vehicle storage device and the telematics service platform (TSP). In terms of exporting data, the data of road, building, terrain, traffic participants and other data collected from the connected vehicles’ external environment through cameras, radars and other sensors, as well as the data related to vehicle location and trajectory, are not allowed to be transferred out of the country. If data such as connected vehicles’ driving status parameters and abnormal warning information need to be exported, the exporter shall comply with relevant national regulations. If a connected vehicle transmits data overseas through encryption, it should provide information such as the data format and encryption method of the transmission, and provide relevant data content as required when the regulatory authority conducts spot checks and verification.

4. The People’s Bank of China issued the Financial Data Security: Data Life Cycle Security Specification

On 8 April 2021, the People’s Bank of China issued the Financial Data Security Data: Life Cycle Security Specification (the Specification), which stipulates the security principles of financial data life cycle, requirements of protection, organizational guarantee, information system operation and maintenance guarantee. The Specification establishes a security framework covering the process of data collection, transmission, storage, use, deletion and destruction, and stipulates that the internal transmission of data that falls at and above a “level three” category shall adopt data encryption, secure transmission channels or secure transmission protocols for data transmission. In principle, data that falls at and above a “level three” category should not be transmitted outside the financial institutions. If the transmission is really necessary, it should be approved and authorized in advance, and technical measures should be taken to ensure confidentiality. The Specification is to provide guidance to financial institutions to carry out electronic data security protection work, and provide a reference for third-party evaluation institutions to carry out data security inspection and evaluation.

5. The Ministry of Industry and Information Technology issued the Interim Provisions on the Protection and Management of Personal Information in Mobile Internet Applications (Draft for Public Consultation)

On 26 April 2021, the Ministry of Industry and Information Technology (MIIT) issued the “Interim Provisions on the Management of Personal Information Protection and Management of Mobile Internet Applications (Draft for Public Consultation)” (the Provisions) for public consultation. The deadline to provide comments was on 26 May 2021. The Provisions aims to strengthen the protection of personal information in mobile Internet applications (APP), regulate personal information processing activities in APPs, and promote the reasonable use of personal information. Personal information processing activities from APPs carried out within the territory of the People’s Republic of China shall comply with these regulations. The key highlights of the Provisions are: (1) defines the scope of application and the subject of supervision, (2)establishes the two important principles of “informed consent” and “minimal necessity”, (3) details main responsibilities and obligations that APP development operators, distribution platforms, third-party service providers, terminal enterprises and network access service providers shall perform in the personal information processing activities in APPs and (4) puts forward four requirements for APPs including complaints and reports, supervision and inspection, handling measures and risk warnings.

6. Administrative Measures for Online Live Marketing (on Trial)

On 23 April 2021, the seven national ministries jointly issued the Administrative Measures for Webcast Marketing (on Trial) (the Measures) which came into force on 25 May 2021. The Measures requires that live marketing platforms establish and improve mechanisms and measures on the following: (1) account and live marketing function registration and cancellation, (2) information security management, (3) marketing behaviour regulations, (4) minor protection, (5) consumer rights protection, (6) personal information protection, (7) network and data security management, etc. The live marketing platforms shall take necessary measures to ensure the security of the personal information processed by them. The live marketing platforms shall consolidate the information security management of the links in the live, QR code and other jump services to prevent information security risks.

7. The National Healthcare Security Administration issued the Notice on Issuing Guidance Opinions on Strengthening Cyber Security and Data Protection

On 9 April 2021, the National Healthcare Security Administration issued the Notice on Issuing Guiding Opinions on Strengthening Network Security and Data Protection (the Notice), which clearly defines the guiding ideology for strengthening network security and data protection. The Notice puts forward six major measures to strengthen network security management. These include: (1) introducing the main responsibilities of entities in charge of network security, (2) improving the network security supervision and management mechanism, (3) strengthening the security protection of critical information infrastructure, (4) consolidating the capability of protecting the network security by technology, (5) improving capabilities of network security situational awareness, early warning and coordination and (6) improving emergency response capabilities for emergent network security incidents. In terms of the strengthening of data protection, these measures are (A) implementing security management throughout the life cycle of data (B) implementing hierarchical and classified management, (3) strengthening the protection of important data and sensitive fields, (4) strengthening data security approval management, (5) implementing the jurisdiction of data security, (6) promoting safe sharing and use of data; and (7) establishing a sound data security risk assessment mechanism.

8. The Ministry of Transport issued the Administrative Measures for the Sharing of Transport Data in Government Affaires

On 6 April 2021, the Ministry of Transport issued the Administrative Measures for the Sharing of Transport Data in Government Affairs (the Administrative Measures) to standardize the sharing of transportation data in government affairs. Transportation government data is defined as various non-confidential data, documents, materials, charts, etc. that are collected, generated, obtained, recorded and preserved in electronic form in accordance with the law, directly or through a third party, by government departments in the course of performing their duties. The Administrative Measures has six chapters and 26 articles, and contains the scope of application, the sharing management system and division of responsibilities of government transport data, requirements and procedures of compiling, releasing, updating and managing of catalogues as well as the methods of provision and acquisition of government data.

9. The National Information Security Standardization Technical Committee released ten national standards and information security technology drafts for public consultation

In April 2021, the National Information Security Standardization Technical Committee issued the “Information Security Technology: Security Evaluation Specification for Mobile Internet Application (APP) Personal Information”, “Information Security Technology: SDK Security Guide for Mobile Internet Application (APP)”, “Information Security Technology: Technical Specifications for Government Network Security Monitoring Platform”, “Information Security Technology: Evaluation Requirements for Information System Password Application”, “Information Security Technology: Evaluation Specification for Personal Information De-identification Effect Classification”, “Information Security Technology: Technical Requirements for Edge Computing Security “, “Information Security Technology: Basic requirements and Guidelines for IPSec VPN Security Access”, “Information Security Technology: Security Requirements for Voiceprint Recognition Data”, “Information Security Technology: Security Requirements for Gait Recognition Data” and “Information Security Technology: Security Requirements for Face Recognition Data.” These ten drafts provide guidance and reference for third-party evaluation agencies, competent regulatory authorities and related operators in related fields.

Enforcement developments

1. The Ministry of Industry and Information Technology issued a notice of APPs that infringed users’ rights and interests (No.4th batch of 2021, Sum. the 13th batch)

On 23 April 2021, the MIIT issued a notice of APPs that infringed users’ rights and interests. The MIIT authorised a third-party testing agency to inspect mobile phone application software, and focused on urging games and tools companies with problems to make rectifications. To date, 93 APPs have not completed the rectifications exercise. In the first quarter of 2021, there were issues found in Tencent App Store, Mi App Store, OPPO App Store, Huawei App Store, and Vivo App Store. These issues included laxed shelf reviews, the inventory issues thoroughly cleaned, and the registrations and verifications of the information of APPs’ developers and operators were inaccurate, which misled users to mistakenly download the APP. The MIIT has urged relevant platform companies to carry out comprehensive rectification and strictly monitor compliance.

2. The Ministry of Industry and Information Technology removed 60 APPs

On 6 April 2021, the MIIT notified 60 apps that had not yet completed rectification in accordance with the Cybersecurity Law and the Interim Provisions on the Management of Pre-setting and Distribution of Mobile Smart Terminal Application Software (MIIT Xinguan [2016] No. 407) and other laws and normative documents. Pursuant to the authority provided under these laws and regulations, the MIIT removed those APPs for failure to rectify its issues. Further, the relevant application stores shall immediately remove the infringing application software in their stores upon publication by MIIT of the notice.

3. Zhejiang Communications Administration issued a notice of APPs that infringed users’ rights and interests (the third batch in 2021)

On 16 April 2021, Zhejiang Communications Administration issued a notice of APPs that infringed users’ rights and interests. For the51 APPs that had not completed the rectification measures, these will need to be completed before 25 April. If the rectification measures were not completed within the time limit, the Zhejiang Communications Administration will deal with the APPs in accordance with laws and regulations. Most of the issues involved in the APPs related to failure to express the purpose, method and scope of the collection and use of personal information, the collection of personal information beyond the scope, mandatory, frequent, and excessive requests for permissions, etc.

4. Three real estate companies were fined RMB 250,000 for using the face recognition system

From 14th to 19th April 2021, Ningbo Market Supervision Administration imposed a fine of RMB 250,000 on three real estate companies (the Parties). The Parties had installed face recognition systems of varying brands at their sales offices. The distributors would report the information of customers introduced by distributors to the parties in advance, and the reported information would be uploaded to the face capture system. The system would automatically store the facial biometric information of all customers who visited the sales office. The manner in which the Parties utilised the face recognition system were as follows: (1) when a customer introduced by a distributor officially signs a sale purchase agreement , the Parties collected the customer’s facial biometric information and ID card information through the face authentication machine, and the system automatically gathered the previously reported information related to the customer and the facial biometric information collected by the visiting sales office under the customer’s name and (2) if the time of the customer’s first visit to the sales office corresponded to the time reported by the distributor, the Parties settled the commission to the distributor accordingly.

5. The judgement of the second instance in the first case of face recognition

On 9 April 2021, the Hangzhou Intermediate People’s Court issued the judgement of the second instance of the service contract dispute between Guo Bing and Hangzhou Wildlife World Co., Ltd (Wildlife World). Further to the original judgment, the second judgement included a judgment to Wildlife World to delete the fingerprint identification information submitted by Guo Bing when he applied for the annual fingerprint card. The background of this case was that on 27 April 2019, Guo Bing had purchased the Wildlife World Double Annual Card and left relevant personal identification information together with entering fingerprints and taking photos. Later, Wildlife World adjusted the entry method by annual cards from fingerprint recognition to face recognition, and sent a text message to Guo Bing to notify him of the change, requesting activation of the face recognition method. The negotiation between the two parties failed, which led to a dispute in this case. The Hangzhou Intermediate Court found that Wildlife World wanted to activate and process the photos it had collected into face recognition information, which exceeded the purpose of prior collection and violated the principle of legitimacy. Therefore, the facial feature information including the photos submitted by Guo Bing when applying for the card should be deleted. Further, inview of the fact that Wildlife World stopped using fingerprint recognition gates, which made it impossible to use the originally agreed method for entering the park, Guo Bing’s fingerprint recognition information should also be deleted.

6. The Supreme People’s Procuratorate released 11 typical cases of public interest litigation on the protection of personal information by procuratorial organs

On 22 April 2021, the Supreme People’s Procuratorate issued a typical case of public interest litigation on the protection of personal information by procuratorial organs. Among the 11 typical cases issued by the Supreme People’s Procuratorate, administrative public interest litigation cases were in relation to supervision of personal information and the disclosure of government information of administrative organs in the fields of education, market supervision, public security, cyberspace, agriculture and countryside, and involved personal information leakage in express delivery, medical institutions, off-campus training institutions, etc. Civil public interest litigation cases were in relation to Internet companies’ illegal collection of personal information, and consumption fraud. Public interest civil cases collateral to criminal proceedings were related to the illegal acquisition and transaction of personal information through different means such as technical software, property services, etc. In addition to fighting against criminal acts that infringe on citizens’ personal information, the procuratorial organ also filed a claim against the network operators as co-defendants and demanded these co-defendants to bear the responsibility for public welfare damage.

7. The first case in our country of a telecom operator’s refusal to perform cyber security obligations was pronounced

On 26 April 2021, Xinhuanet released news on the country’s first case of a telecom operator’s refusal to perform cyber security obligations. The virtual operator Yuante (Beijing) Communication Technology Co., Ltd. (Yuante Company), knowing that Ya Feida Company illegally sold a large number of phone cards and used phone cards to engage in illegal and criminal activities, still provided them with a large number of phone cards, and did not adhere to the regulation requirements of setting up high-level authorities. It provided convenience for various illegal and criminal activities, and was suspected of refusing to perform the obligation of information cyber security management. Its chairman and some senior executives were sentenced to fixed-term imprisonment or detention ranging from one year and four months to one year and ten months by the court of first instance. This is the first national case in which a telecommunications operator in our country has been sentenced for inadequate supervision of the real-name system of mobile phone cards, resulting in serious consequences for telecommunications network fraud.

Industry developments

1. Meituan and other platforms participated in the special survey of “Taking Advantage of Users Using Acquired Big Data” to report usage and management of users’ data

On 8 April 2021, the Guangzhou Municipal Market Supervision Bureau of Guangdong Province, in conjunction with the Guangzhou Municipal Commerce Bureau, held a special survey called “Taking Advantage of Users Using Acquired Big Data” and an administrative guidance committee for regulating fair competition market order. 10 Internet platform companies including Vipshop, JD.com, Meituan, Ele.me, Missfresh, Fresh Hema, Ctrip, Qunar, ON TIME, Didi reported data usage and management of users, and put forward suggestions on the supervision of data use. The representatives of the platform companies signed the Platform Enterprises’ Commitment to Maintain a Fair Competitive Market Order, and made promises to the society not to illegally collect and use personal information of customers, and not to take advantage of users by using acquired big data.

2. Tencent released “white paper 2021 on Tencent privacy computing”

On 21 April 2021, Tencent released “Tencent privacy computing white paper 2021”, which describes the basic concept, technical system, roles and drawbacks of privacy computing in data security and compliance. Privacy computing is a kind of technology and system that is jointly calculated by two or more participants. The participants cooperate to perform joint machine learning and joint analysis on their data without disclosing their own data. Privacy computing application is conducive to the protection of personal information security, and helps enterprises fulfill their data protection obligations in the process of data cooperation. Privacy computing is expected to become a technical tool for data compliance and privacy protection in the process of data collaboration, but it still needs to clarify the user authorization mechanism and pay attention to data security risks.

3. Internet platform companies disclose the Promises to Operate in Compliance with Laws and Regulations to the public

On 13 April 2021, the State Administration for Market Regulation, together with the Cyberspace Administration of China, and the State Taxation Administration held an administrative guidance meeting with Internet platform companies. In response to the prominent problems in the field of platform economy, such as the forced implementation of “piking one from two” and other outstanding issues, the meeting put forward “five strict preventions” and “five guarantees”, which clearly imposes requirements for all Internet platform companies to conduct comprehensive self-inspection and self-examination within one month and complete rectification. From April 14th to 16th, the State Administration for Market Regulation announced Promises to Operate in Compliance with Laws and Regulations of Internet platform companies that participated in the meeting. The promises of Internet platform companies include the collection and use of personal information in accordance with the law, the protection of personal information security, and strengthening the reviews of advertising information.

International developments

1. Booking.com was fined 475,000 euros for delay in reporting data breach

On 2 April 2021, the Dutch Data Protection Agency (DPA) imposed a fine of 475,000 Ruros on Booking.com because it violated the GDPR’s requirement to report data breaches within 72 hours. In December 2018, criminals obtained personal information such as the names, phone numbers, and addresses of more than 4,000 people who booked hotel rooms from Booking.com, as well as information on more than 300 credit cards. Booking.com was informed of the data breach on 13 January 2019, but did not report it to the DPA until 7 February, which was 22 days too late.

2. Apple’s app tracking transparency framework officially came into effect

On 26 April 2021, Apple’s application tracking transparency framework came into effect. Applications shall ask for the user’s permission in order to track users or access their device’s Identifier for Advertisers (IDFA). When an app wants to follow users’ activities to share information with third parties such as advertisers, a window will appear on our Apple device to ask for users’ permission to do so. If users say no, the app shall stop monitoring and sharing users’ data information. The use of the application tracking transparency mechanism has been questioned. The opposing view is that it may harm the interests of other companies, especially advertising companies. Developers and advertising technology companies may also track users through other techniques.

3. The European Commission released Proposal for a Regulation laying down harmonised rules on artificial intelligence

On 21 April 2021, the European Commission issued the Proposal for a Regulation laying down harmonised rules on artificial intelligence (Proposal). This first of its kind legal framework on AI will guarantee the safety and fundamental rights of people and businesses. The Proposal divides the AI systems into four categories of risk: (1) unacceptable risk, (2) high risk, (3) limited risk, and (4) minimum risk. Among them, AI systems intended to be used for the ‘real-time’ and ‘post’ remote biometric identification of natural persons are deemed as high-risk systems. AI systems with high risk levels will be subject to strict obligations before they can be put on the market, including establishing adequate risk assessment systems and providing detailed documentation containing all information necessary on the system and its purpose for authorities to assess its compliance.