In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on three areas: regulatory developments, enforcement developments, and industry developments.
On 10 April 2019, a new Guide to Internet Personal Information Protection was launched in China as a reference for internet service managing personal information protection. The Guide introduces management mechanisms, technical safeguards and business procedures on personal information protection and can be used as a reference for by personal information possessors to protect personal information during its processing lifecycle. One of the four management mechanisms requires designing and preparing relevant bylaws and documents specifying the general principles and security strategies on personal information protection. These should include descriptions of the service provider’s objectives, scope of protection, principles and the security framework. The Guide was a joint initiative by the Cybersecurity Protection Bureau of the Ministry of Public Security, the Beijing Network Industry Association and the Third Institute of the Ministry of Public Security.
On 1 April 2019, new measures came into force for assessing the business performance of heads of central enterprises. The new measures, introduced by the State-owned Assets Supervision and Administration Commission of the State Council, add a new performance appraisal indicator, namely to establish a major event reporting system, including for cyber security incidents. This means that profits are no longer the only assessment standard for central enterprises with network security management now required in addition to value management.
On 1 April 2019, the Ministry of Industry and Information Technology (MIIT) issued a circular on the launch of a pilot program on electronic verification of identity information about those filing internet content provider record. The MIIT will carry out the electronic verification pilot on ICP filing entities from 1 April 2019 to 31 December 2019. Network access service providers participating in the pilot program can use technical means such as facial recognition, lip reading and action recognition to collect and confirm the real identity of the ICP filing entity.
On 10 April 2019, a special enforcement action called “Guardian Consumption” was launched to fight against violations of consumer personal information across the country. The special enforcement actions were launched by the General Office of the State Administration of Market Regulation and will run from 1 April to 30 September 2019. They focus on combating violations of consumer personal information and creating a safe and secure consumer environment.
On 20 April 2019, the second draft of a new chapter of Civil Code on the right of personality was submitted to the Tenth Session of the Standing Committee of the 13th National People’s Congress for a second review. This draft clearly states that privacy and personal information protection are specifically written as a chapter. The draft includes provisions on the collection of personal information of persons having no or limited capacity for civil acts, such as minors. In such cases, guardian consent is required, except as otherwise provided by laws and administrative regulations.
In response to instant messaging applications being involved in illegal information dissemination, anonymous registrations, fraudulent deceptions and platform services for offline illegal behaviours, the Office of the Central Cyberspace Affairs Commission recently launched a special rectification action on instant messaging tools. It conducted an in-depth inspection and testing of instant messaging applications covering aspects including application display, service orientation, business mode, registration mechanism, information content and group management. The first clean-up action resulted in the closure of “As Neighbour”, “Chat Chat”, “Secret Talk” and other six instant messaging applications, which disseminated pornographic information, or provided promotion and platform services for prostitution and the sale of pornographic materials.
Since December 2018, the Office of the Central Cyberspaces Affairs Commission, jointly with relevant departments, has been implementing a special scheme to tackle applications related to pornography, gambling, malicious programs, illegal games and problematic content. According to a briefing on 12 April 2019, so far, 33,638 illegal applications have been shut down, more than 2.34 million malicious websites links have been blocked, 2,474 obscene pieces of information on social platforms have been removed and 3.64 million illegal accounts have been blocked. The relevant departments will conduct further investigations into the governance of applications’ entry, distribution and dissemination processes and clarify the responsibilities of corporate entities who operate as network access service providers, application distribution platforms and social platforms.
On 18 April 2019, the Xinhua News Agency reported on the interim progress of the inter-department working group handling the special crackdown on the Illegal collection and misuse of personal information by applications. The working group was jointly established by the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation. , As of 16 April 2019, more than 3,480 violation incidents had been reported, involving more than 1,300 apps. For 30 apps with a large amount of users and serious problems, the working group has sent rectification notices to the operators.
On 18 April 2019, Tianjin Cyberspace Administration announced that administrative penalties had been imposed on the Visual China Group website for transmitting illegal or harmful information contrary to the Cyber Security Law of the People’s Republic of China. The Visual China Group website (domain name: vgg.com) published sensitive and harmful information in a number of pictures it released, in violation of Article 47 of the Cyber Security Law. Under Article 68 of the Cyber Security Law, Tianjin Cyberspace Administration imposed a heavier penalty on the main operator of the website, Han Hua Yi Mei (Tianjin) Image Technology Co., Ltd.
On 19 April 2019, the Wuhan Branch of the People’s Bank of China announced that administrative penalties has been imposed on Bank of Communications International Trust for consulting personal information and company credit information without permission. The fine was 290,000 RMB.
Recently, a former 58.com employee was accused of infringing citizens’ personal information and tried in the Xuhui District People’s Court in Shanghai. The employee, using job seeker resumes that he obtained at work, sold the information privately for his own benefit. He illegally obtained more than 640,000 resumes and earned more than 20,000RMB through sales and gifts. Xuhui District People’s Court found that the former employee had infringed the citizens’ personal information and sentenced him to four years and six months in prison and imposed a fine of 10,000RMB.
The People’s Bank of China Credit Reference Centre recently conducted a pilot test on a new version of a personal credit report which will soon be officially launched. It treats dishonest personal behaviour more seriously. The content of credit information will be improved and the use of personal information will be strictly controlled. Personal credit authorisation agencies should strengthen their legal, compliance and privacy protection awareness. In using personal credit information, they should pay attention to the requirements for personal information privacy protection and prohibit the sale of personal information.
On 15 April 2019, the Ministry of Industry and Information Technology, together with other departments, issued draft guiding opinions on strengthening work on industrial internet safety for public consultation until 30 April 2019. The draft guiding opinions expressly state that enterprises must fulfil their responsibilities in accordance with law, while the government must fulfil supervisory and administrative duties. Two special programs will be launched to improve (i) enterprises’ safety protection capacity and (ii) enterprises’ technical capacity for safeguarding industrial internet safety. The draft guiding opinions also note that, with the focus on supervisory checks and risk assessment of industrial internet safety, efforts will be made to establish and optimise safety management systems and working mechanisms and strengthen safety regulations applicable to enterprises.
On 21 April 2019, the Blue Book of Law-Based Government – Annual Assessment Report on China’s Law-Based Government (2018) was released at the China University of Political Science and Law. The Report recommends extending administrative remedies such as compensation to personal data protection given the concerns in this area. This would result in administrative agencies strengthening security and confidentiality of personal data storage. The report also recommends that the Personal Information Protection Law is introduced as soon as possible to establish a unified law with a mechanism for supervision, penalties and damages compensation.