TC260 issues draft Information Security Technology-Personal Information Security Specification

The National Information Security Standardisation Technical Committee (“TC260”) issued the Information Security Technology-Personal Information Security Specification (draft) (“Specification”) on 1 February 2019. The finalised version of this Specification will replace the 2017 version of the Specification.

Compared with the 2017 version, the Specification adds rules relating to personalised display and opt-out aggregation of personal information collected for different business functions, prohibition of forced personal information collection, third-party access management, record keeping of personal information processing activities and Appendix C1-C3 on basic business functions and extended business functions. The Specification also revises rules relating to exceptions to obtaining consent, requirements to identify responsible departments and personnel and methods for preserving personal information subjects’ option to give or withhold consent.

In respect of the requirements on personalised display, the Specification echoes the requirements stipulated in the E-commerce Law of the People’s Republic of China recently enforced on 1 January 2019 whereby if an e-commerce operator personalises search results of goods or services, it shall also provide another search result option without personalisation to users. In respect of personal information collection, the Specification expressly states that a personal information controller shall not collect personal information by forced ways. In respect of third party access management, if a personal information controller allows a third-party goods or services provider to access the personal information, the personal information controller shall control and supervise the third-party providers to protect personal information.

Please click here to read the full text (Chinese only) of the Specification.

CSRC issues Regulation Measures on Registration of IPO Listed in Sciences and Technology Innovation Board

The China Security Regulatory Commission (“CSRC”) issued the Regulation Measures on Registration of IPO Listed in Sciences and Technology Innovation Board (trial) (draft for comments) (the “Draft Registration Measures”) on 30 January 2019. Compared with existing listing rules of other listing boards, the Draft Registration Measures simplify the IPO procedures and reduce the IPO requirements, while also strengthening the obligation of information disclosure.

The keynote of the Draft Registration Measure is that the IPOs on the Sciences and Technology Innovation Board (the “STI Board”) will apply for registration procedures instead of filing and approval. The filing and approval system will continue to apply for Issuers on existing listing boards, while the STI Board will start to apply registration procedures separately and independently.

In respect of qualifications for an IPO on the STI Board, among others, the company that intends to list on the STI Board (each an “Issuer” and together the “Issuers”) does not need to fulfil the current requirements of being profitable, covering up deficits or having a minimum percentage of their overall assets as intangible assets.

Compared with exiting listing rules of other listing boards, the Draft Registration Measures impose higher information disclosure requirements on Issuers. The Issuers must disclose any information, which may have significant influence on investors. Issuers shall, based on their own business situation, disclose potential adverse events. If an Issuer has not been profitable yet, the Issuer shall fully disclose the reasons for not being profitable and its effects. If an Issuer has arrangements of special voting rights, the Issuer shall disclose and remind investors of the detailed arrangements, the relevant risks and the influence on corporate governance of the special voting rights.

The Draft Registration Measures provide various special rules for the underwriting business and the sponsor system of an IPO on the STI Board. Unless stipulated in the Draft Registration Measures, the underwriting business and sponsor business of an IPO on the STI Board shall follow the Regulations on Securities Issuance and Underwriting and Regulations on Sponsor Business of Security Issuance and Listing, respectively.

Please click here to read the full text (Chinese only) of the Draft Measures.

CSRC issues Measures on Continuous Regulation of Companies listed on the Sciences and Technology Innovation Board

The CSRC issued the Measures on Continuous Regulation of Companies Listed on the Sciences and Technology Innovation Board (trial) (draft for comments) (“Draft Regulation Measures”) on 30 January 2019. The Draft Regulation Measures provides special rules for all companies listed on the STI Board (each a “Company” and together the “Companies”).

As the STI Board adopts the registration procedures mentioned in the above topic, the continuous regulations are much stricter than existing rules of other listing boards. In respect of corporate governance, the Draft Regulation Measures provide that if a Company has special voting rights arrangements, it may still go public on the STI Board, which is different from other exiting listing requirements. A Company shall fully perform its information disclosure obligations. If disclosure of certain pieces of information may damage the interests of the Company or mislead its investors, the Company may decide to hold back the information on the condition that the insiders of the information promise in writing to keep the information confidential. A Company shall disclose any risk factors, which may have material adverse effect on the Company.

In respect of share lock-up post-IPO, which refers to preventing original shareholders from selling their shares for an agreed period following the IPO, the Draft Regulation Measures provide special rules. If a Company has not been profitable prior to the IPO, the lock-up period of the shares held by specific shareholders, which includes the controlling shareholder, the ultimate shareholders, directors, supervisors, members of management and core technical staffs, shall be extended. The lock-up period of core technical staffs shall be extended. The Draft Regulation Measures also optimise equity incentive systems to encourage Companies to establish equity incentive plans. In addition, if a Company would like to conduct M&A, it shall fulfill the registration requirements of the Shanghai Stock Exchange and the CSRC and the target company shall comply with the industry or technology requirements of the IPO and shall have synergistic effect with the Company. In addition, the Draft Regulation Measures also provide stricter rules on termination of listing for Companies. If a Company triggers any standards or indices of termination of listing, it shall be terminated from the STI Board directly.

Please click here to read the full text (Chinese only) of the Measures

CAC issues Circular on crackdown of illegal collection and use of personal information on Applications

The Cyberspace Administration of China (“CAC”), jointly with three other relevant competent authorities, issued the Circular on Crackdown of Illegal Collection and Use of Personal Information on Applications (“Circular”) on 25 January 2019.This announces that the crackdown period for the illegal collection and use of personal information on application will continue for one year from January 2019.

The Circular provides that application (each an “App” and together the “Apps”) operators (each an “Operator” and together the “Operators”) must strictly perform obligations stipulated in the Cybersecurity Law of the PRC when collecting and using personal information. Operators shall:

  1. Take effective measures to strengthen personal information protections;
  2. Only collect personal information which is necessary for the service provided;
  3. Provide concise and clear personal information collection rules and obtain active consent from the users of Apps (“Users”);
  4. Not force Users to authorise any collections or use of personal information by way of default setting, bundling or stopping installations of Apps; and
  5. Not collect or use personal information illegally or by contravening the agreements with Users.

If an Operator:

  1. Collects personal information forcibly or excessively or without Users’ consent;
  2. Does not take proper measures to prevent leakage of personal information; or
  3. Illegally sells or provides personal information to other parties.

The relevant competent authorities will impose administrative punishments on the Operator. If an Operator commits any criminal offense, potential criminal liabilities may also be imposed.

Please click here to read the full text (Chinese only) of the Measures.

CAC issues Administrative Provisions for Blockchain Information Services

The CAC issued the Administrative Provisions for Blockchain Information Services (“Provisions”) on 10 January 2019.The Provisions came into effect on 15 February 2019.

Compared with the draft of the Provisions published on 29th December 2017, there are not many significant amendments provided in this final version. The Provisions (alike the draft) expressly impose various security obligations on blockchain information services providers. These include:

  1. Establishing and improving the security management mechanism on users’ registrations; information reviews; emergency plans and security protections;
  2. Being equipped with technology suitable for the services;
  3. Establishing management rules and platform conventions;
  4. Implementing real identification authorisation requirements;
  5. Punishing any users of blockchain information services who breach the rules and conventions; and
  6. Not providing any illegal or improper information by way of its services.

Please click here to read the full text (Chinese only) of the Provisions and here for our previous article on the draft Provisions.

CNSA issues Regulation Measures on Platforms of Network Short Videos

The China Netcasting Services Association (“CNSA”) issued the Regulation Measures on Platforms of Network Short Videos (“Regulation Measures”) on 9 January 2019.

The Regulation Measures provide general requirements for network short video platforms (each a “Platform” and together the “Platforms”). Platforms shall obtain an audio video service permission (“AVSP”) and conduct business within the permitted scope. Prior to any broadcasting, all short videos, including but not limited to titles, introductions, bullet comments and reviews, must be reviewed by Platforms. Platforms shall possess enough reviewers suitable for the quantity of their short videos, and all reviewers must be trained by the relevant competent authorities at provincial level.

In accordance with the Regulation Measures, Platforms are responsible for verifying the identities of persons or institutions who upload short videos on Platforms. For uploading persons (user-generated content, abbreviated as “UGC”), Platforms shall verify their personal identity information; for uploading institutions (professionally-generated content, abbreviated as "PGC"), Platforms shall verify their organising institution bar code information.

Prior to allowing the upload of network short videos, Platforms must sign contracts with UGCs and PGCs, which shall reflect the requirements set forth in the Regulation Measures. Platforms must ensure that the content uploaded by PGCs is within the scope permitted by the AVSP of PGCs. If a PGC does not possess or obtain an AVSP, the uploaded videos can only be used as source material on the Platform.

Platforms will also be required to adhere to IP protection responsibilities. Platforms must comply with the relevant requirements of news programs, they must not re-post political or social news short videos uploaded by UGCs and must not re-post the aforementioned contents created by a PGC that does not possess or obtain a permission for internet news services. Platforms must also not re-post any content prohibited or not approved by the State. The Regulation Measures further require Platforms to establish a protective mechanism for minors and take technical measures to restrict minors from spending too much time online.

Please click here to read the full text (Chinese only) of the Regulation Measures.

MIIT issues the Action Plan of the Internet of Vehicles Industry

The Ministry of Industry and Information Technology (“MIIT”) issued the Action Plan of the Internet of Vehicles Industry (“Action Plan”) on 28 December 2018.

In accordance with the Action Plan, the Internet of Vehicles (“IoV”) industry refers to a new form of industry which fully integrates the automotive, electronics, information communications, and road and transportation industries.

There will be two stages to the Action Plan: the first stage will begin the integration of an effective IoV industry by 2020.The second stage post-2020 will aim to develop the domestic IoV industry into a world-leading industry.

In order to achieve these goals, the Action Plan focuses on various tasks:

  1. To break through the crucial technologies of the IoV, push to establish decision control platforms and strengthen the R&D of radio communication technologies, such as LTE-V2X and 5G-V2X;
  2. To improve the standard systems, grant the usage permissions of frequencies and promote the testing and certifying systems and applications of the IoV in special areas;
  3. To develop the infrastructure construction required for the IoV, including the communication infrastructure, such as LTE-V2X and 5G-V2X, big data, cloud platforms and smart roads infrastructures; and
  4. To develop integrated applications, improve the penetration rate of the IoV and strengthen the security safeguard systems.

Please click here to read the full text (Chinese only) of the Action Plan.

CAC issues new Regulations on Financial Information Services

The Cyberspace Administration of China (“CAC”) issued the Regulations on Financial Information Services (“Regulations”) on 26 December 2018, which will come into effect on 1 February 2019.

Under the Regulations, financial information services refer to services rendering information and/or financial data that may affect the financial market to users that engage in financial analysis, financial transactions, financial decision-making or any other financial activity. It is specifically clarified in the Regulations that the concept of financial information services under the Regulations is different from the concept of news agencies services, which are regulated separately.

The Regulations provide major requirements for financial information service providers (each a "Provider” and together the “Providers”) to meet:

1. License requirements: if a Provider would like to conduct internet news information services, statutory concessions or financial business which requires filings, it must obtain the relevant licenses 2. Professions’ requirements: Providers must possess a management team suitable for their services and establish relevant service standards to regulate the review, storage, security and intellectual property (“IP”) rights of the information. Providers must also hire adequate professionals suitable to their respective service scope to review the financial information and ensure the accuracy, objectivity and legitimacy of the information;; and 3. Information traceability requirements: Providers must explicitly identify the source of the information and ensure that the wording, images, videos and audio of financial information are all traceable.

The Regulations explicitly list improper and illegal information which must not be transmitted by Providers. If any information provided by a Provider contains content prohibited by the Regulations, the Provider must cut off transmission of such information immediately, remove any improper content, keep a complete record of the emergency disposal and report it to the competent authorities.

Please click here to read the full text (Chinese only) of the Regulation.

MIIT issues the Guiding Opinions on Promoting the Development of the VR Industry

MIIT issued Guiding Opinions on Promoting the Development of the Virtual Reality ("VR”) Industry (“Opinions”) on 25 December 2018.

The Opinions aim to promote the research and development of fundamental theories, the shared technologies and the application technologies of VR, with the aim of establishing a VR industry in full by 2020 and becoming the global leader of the VR industry by 2025.

The main target of the work plan includes breakthrough of crucial technologies such as near-eye display technology, perceptual interaction technology, rendering processing technology and content production technology. In respect of the VR productions supplement, the Opinions focus on enriching various kinds of productions, such as whole machine equipment, perceptual interaction equipment, content collection and production equipment, developing tool software, industry solutions and distribution platform. In addition, the Opinions intend to facilitate the application of VR technologies across various industries, such as manufacturing, education, culture, health and trade.

With the support and assistance of leading enterprises, industry organisations and financial institutions, the Opinions will help boost the establishment and development of VR public service platforms to optimise the eco-system of VR industry. The Opinions also mention the establishment of standard systems within the VR industry, speeding up the development of crucial standards and beginning the testing and certifications process for VR.

Please click here to read the full text (Chinese only) of the Opinions.

CSRC issues Regulation Measures on Information Technology of Security Fund Operating Institutions

The China Security Regulatory Commission (“CSRC”) issued the Regulation Measures on Information Technology of Security Fund Operating Institutions (“Measures”) on 19 December 2018, which will come into effect on 1 June 2019.

The Measures apply to domestic security companies approved by the CSRC and the funds companies which manage public investment funds (each an “Operating Company” and together the “Operating Companies”), and the information technology service institutions (“IT Service Institutions”) that provide information technology services to security and fund companies.

In accordance with the information technology governance requirements stipulated in the Measures, a board of directors shall be in charge of information technology goals and strategies of its respective Operating Company. Whilst the management teams of these Operating Companies shall implement the relevant goals. Each Operating Company shall establish an information technology committee, which is in charge of establishing and reviewing the plans, budgets and projects of information technology. Operating Companies shall name a Chief Information Officer who shall be responsible for information issues and must meet the requirements set out in the Measures.

In respect of risk management, the Measures provide that Operating Companies shall establish a risk management system alongside launching new business systems, which must be suitable for the complexity of its operating activities and risk level. Operating Companies shall conduct internal inspections prior to launching new activities backed by information technologies, they must establish effective monitoring systems and they must properly deal with risk issues. Unless stipulated by other laws or regulations, Operating Companies shall receive the transaction directives of clients only through information systems operated by themselves.

Operating Companies shall organise data into different levels based on the importance and sensitivity of the data, and differ the management measures of the data respectively. Operating Companies shall protect the information safety of data and prevent the leakage and damage of such data. Operating Companies shall also record the usage of data and monitor the implementation of confidential agreements with IT Service Institutions. Further prohibitions are placed on Operating Companies, as they must not collect irrelevant information on their client, purchase or utilise data obtained illegally or without a clear source or, offer client information to any other institutions.

In respect of the relationship between Operating Companies and IT Service Institutions, although Operating Companies may entrust IT Service Institutions for the provision of products or services, the Operating Company will be the liable party for any breach of the Measures. Operating Companies shall choose IT Service Institutions which have been filed and listed by the CSRC and must not entrust IT Service Institutions to operate important information systems or daily security management systems independently. IT Service Institutions that provide services to the Operating Companies must not conduct activities prohibited by the Measures.

Please click here to read the full text (Chinese only) of the Measures.