In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on three areas: regulatory developments, enforcement developments, and industry developments.

Our insights

China Cybersecurity and Data Protection − China’s first regulation on children’s online privacy

Regulatory developments

1. Public consultation on guidelines on development of industrial big data

On 4 September 2019, the Ministry of Industry and Information Technology issued draft guidelines on the development of industrial big data for public consultation. The draft guidelines set 2025 as the goal for completing the industrial big data resource system, integration system, industrial system and governance system. The draft guidelines propose measures covering four areas (i) building resource systems for industrial big data and cultivating production factors; (ii) expanding the industrial big data integration system and exploring its application potential; (iii) establishing a robust data industrial system and stimulating industrial innovation; and (iv) improving the industrial big data governance system and further securing development.

2. Shanghai government implements rules on openness of public data

The Shanghai municipal government has implemented new rules on public access to public data, which took effect on 1 October 2019. Public management and service institutions will provide public data to the public in the form of original, machine-readable and socially reusable data. Data is classified into non-open data, conditional open data and unconditional open data. For conditional open data, entities sharing such data are required to sign a data utilisation agreement with those qualified persons authorised to access the data and are required to track and supervise its use. For the sharing of non-public data, the municipal department of economic information, together with relevant industry authorities, can formulate the applicable standards and carry out pilot demonstrations.

3. Draft network ecological governance regulations issued for public consultation

On 10 September 2019, the Cyberspace Administration of China issued draft regulations covering network ecological governance for public consultation. The draft regulations clarify the rights and obligations of participants of the network ecology including network information content producers, service platforms and service users, and network industry organisations. Network information content service platforms are required to establish network ecological governance mechanisms, improve mechanisms for reviewing information releases and follow-up comments and undertake activities including webpage ecological management, real-time inspection and emergency response and disposal of network rumours and illegal product marketing.

4. Public consultation on regulatory measures to promote the development of the network security industry

On 27 September 2019, the Ministry of Industry and Information Technology issued for public consultation draft regulatory measures to promote the development of the network security industry. The measure propose three goals by 2025, namely (i) cultivating a group of cybersecurity enterprises to achieve annual revenues of more than RMB2 billion; (ii) forming a number of internationally competitive cybersecurity backbone enterprises; and (iii) value of the cybersecurity industry reaching over RMB 200 billion. The main steps to achieving this include making breakthroughs in developing the key technologies for cybersecurity; actively innovating the cybersecurity service model; jointly creating a cybersecurity industry ecology; vigorously promoting the application of cybersecurity technologies; and accelerating the construction of cybersecurity infrastructure.

5. Improvements to the registration and management requirements for telephone users’ real names

On 26 September 2019, the Ministry of Industry and Information Technology issued a notice on further improvements in respect of the registration and management of telephone users’ real names. The notice proposes a number of specific measures to strengthen management from the perspective of foundation management, prevention measures and technical supervision. Telecom companies are required to implement in full the face recognition and comparison technical measures in all channels from 1 December 2019 such that customers will have access only after face recognition and comparison are satisfactorily completed.

Enforcement developments

1. Ministry of Water Resources requires rectification to resolve cybersecurity failings

Since August 2019, the Ministry of Water Resources had been conducting a cybersecurity inspection (including a cybersecurity penetration test and on-site inspection) of its directly affiliated entities. Some units were found to have not properly implemented the management measures for water resources network security posing a potential threat to cybersecurity. Affected entities were required to take effective measures to rectify the issues before the end of September 2019.

2. Data companies investigated by the police

Since the beginning of September 2019, a number of data companies such as Moxie Data, Xinyan Technology, and Tianyi Credit have been investigated by the police, with relevant personnel taken into custody. Some industry insiders believe that this law enforcement initiative is mainly aimed at companies which use web crawlers to collect personal information which they then use to collect debts employing strong-arm tactics. As a result of the police investigations, many data and financial companies have stopped operating or using web crawler businesses. The police have not yet announced their findings.

3. Ministry of Industry and Technology targets the ZAO app for data security issues

On 3 September 2019, the Ministry of Industry and Information Technology reported that the “ZAO” app’s privacy policy was non-compliant, posing data leakage risks. Executives from the app company were interviewed and required to carry out self-inspection and rectification to ensure strict compliance with all relevant laws, regulations and orders from competent authorities. The app must only collect and use users’ personal information legally, and was required to revise the terms of use and strengthen the protection of network data and user personal information. At the same time, the Ministry of Industry and Information Technology noted that it is necessary to strengthen the safety assessment requirements for new technologies and new businesses, and take effective measures to prevent the potential risks arising from telecommunications frauds.

4. List of non-compliant applications published for second quarter of 2019

On 19 September 2019, the Ministry of Industry and Information Technology published on its website the list of applications found to have problems in the second quarter of 2019. Among them are 32 well known apps such as Dida Travel, Meituan Takeaway, YY, Douyu live stream, Mango TV and Ziroom. The issues identified include (i) collecting and using user personal information without the user’s consent; (ii) failure to provide any account deletion services; (iii) failure to publish any user personal information collection and usage rule; (iv) forced bundled promotion of other application software; (v) failure to inform users of the channels for inquiry or correcting information; and (vi) malicious fee-charging.

5. Guangdong police carry out unified cybersecurity inspections

From 22 to 28 September 2019, the Guangdong police organised unified cybersecurity law enforcement inspections within the province involving remote inspections and on-site inspections. They focused on core business systems of key industries such as energy, transportation, finance, subways and water as well as key portal websites, internet data centres, cloud platforms and application platforms. As a result, the police rectified 1,206 safety issues (of which 639 were high risk), shut down 222 websites with outstanding problems, deleted 16,344 pieces of illegal information, suspended 5,871 illegal and harmful applications, served 422 rectification notices and penalised 353 entities. As a next step, the Guangdong police will focus on strengthening their cybersecurity enforcement on critical information infrastructure.

6. Jiangsu internet police publish summary of typical internet security cases

On 23 September 2019, the internet security office of Jiangsu province reported that it had dealt with 6,467 administrative cases. Of these, it had issued warnings to 4,387 individuals or entities, issued fines totalling RMB3.74 million, confiscated RMB110,000 in illegal profit, arrested 185 individuals, suspended 140 illegal network operations and closed or terminated more than 1,000 applications. The cases mainly involved activities including: (i) hacking attacks as a result of failing to establish a cybersecurity management system and lacking technical protection measures; (ii) failing to formulate emergency plans for cybersecurity incidents; and (iii) providing network access or transaction services to users without verifying their identity.

Industry developments

1. 2019 China Cybersecurity Week − Cybersecurity Standards and Industry Summit Forum was held in Tianjin

The opening ceremony of the 2019 China Cybersecurity Week − Cybersecurity Standards and Industry Summit Forum was held in Tianjin on 16 September 2019. The China Cybersecurity Week has been held annually since 2014. The Internet Security Expo, Cybersecurity Technology Summit Forum, and Cybersecurity Theme Day and other events were held from 16 to 22 September 2019.

2. White paper on China’s cybersecurity industry unveiled

On 18 September 2019, the China Academy of Information and Communications Technology issued its fourth white paper on China’s cybersecurity industry. This white paper continues to track and analyse domestic and international industry progress from the perspective of scale, structuring, government policy, enterprise development, technological progress, and personnel training. It also focuses on industry trends and analyses and predicts the development of industrial internet security, cloud security, zero-trust security, “artificial intelligence + security” and 5G security.

3. White paper on IPv6 network security released

On 18 September 2019, the China Academy of Information and Communications Technology issued a white paper on IPv6 network security. This white paper (i) examines the current status of IPv6 development from the perspective of cybersecurity; (ii) analyses and discusses the security risks and countermeasures in upgrading to the next generation internet; (iii) prioritises existing urgent cybersecurity work; and (iv) explores the key development directions of IPv6 security products and services.

4. The Beijing Internet Court issues white paper on its trial cases

On 3 September 2019, the Beijing Internet Court issued a white paper which covers its development since it was established on 9 September 2018 and lists ten of the typical internet cases it has tried.

5. The 2018 − 2019 China internet of things development annual report released

On 7 September 2019, the China Economic Information Service released its 2018 − 2019 annual report on China’s internet of things development. The report shows that the scale of China’s internet of things industry exceeded 1.2 trillion yuan in 2018 and its income increased by 72.9% compared with the previous year.