In this bulletin we summarise recent developments in cybersecurity and data protection in China. We focus on four areas: regulatory developments, enforcement developments, industry developments and international developments.
- Our highlights
- Regulatory developments
- Enforcement developments
- Industry developments
- International developments
The Cyberspace Administration of China (CAC) and three other ministries issued new measures for determining whether a mobile application unlawfully collects personal information, against the backdrop of an intensive enforcement campaign throughout the year. The measures give companies a yardstick for assessing whether their apps fall foul of data protection rules and show how the authorities reach their own assessments.
The CAC has also issued the first dedicated regulations aimed at clamping down on harmful content on the internet. The regulations prohibit content producers, content service platforms and users of internet content services from producing, disseminating, copying or publishing harmful content.
The State Cryptography Administration (SCA) issued two public notices to clarify the following issues arising from the enactment of the Encryption Law (covered in our earlier e-bulletin): (i) the existing permit-based import and export controls on commercial encryption remain in force until the new commercial encryption import and export control lists are issued; and (ii) from 1 January 2020 the SCA replaces the mandatory type approval certificates for commercial encryption products with a largely voluntary certification system operated by third-party testing and certification institutions.
On 28 November 2019, the Cyberspace Administration of China, together with three other departments, jointly issued new guidance on identifying unlawful collection and use of personal information by mobile internet apps. This follows cases of excessive collection of personal information and other breaches. The guidance turns the general legal requirements into practical criteria, addressing in particular: (i) failing to publish rules on collection and use; (ii) failing to state expressly the purpose, method and scope of the collection and use of personal information; (iii) collecting and using personal information without users’ consent; (iv) collecting personal information unrelated to the services provided; (v) providing personal information to others without consent; and (vi) failing to provide a way for users to delete or correct their personal information, or failing to publish complaint and reporting channels. The guidance fills a gap in the operating rules, gives app operators a basis for self-inspection and any necessary corrections, and gives the supervisory authority a reference point.
On 15 December 2019, the Cyberspace Administration of China issued new regulations governing online information content, which take effect on 1 March 2020. The regulations focus on improving the online information content ecosystem at its source, refining some of the general requirements for online content set out in the Cybersecurity Law. They specify the types of content that producers are encouraged to create and the types that are prohibited.
The new regulations also set out the obligations and responsibilities of online information producers, service platforms and users. For example, the regulations prohibit illegal activities such as cyber violence and account manipulation. The new regulations also emphasise cooperation among agencies and require the cyberspace administration and other authorities to establish and improve working arrangements between them such as for information sharing and joint law enforcement.
On 30 December 2019, the State Cryptography Administration (SCA), the Ministry of Commerce and the General Administration of Customs jointly announced transitional arrangements to apply from the commencement of the Encryption Law on 1 January 2020 until publication of the commercial encryption import and export lists. Until the lists are published, the import and export of commercial encryption remains subject to the current licensing conditions and procedures. Once the lists are published, the import and export of commercial encryption will be governed by separate regulations made by the Ministry of Commerce, the SCA and the General Administration of Customs.
On 30 December 2019, the State Administration for Market Regulation (SAMR) and the SCA jointly issued an announcement amending the management regime for commercial encryption. The new rules abolish the type and model approval procedures for all commercial encryption, promote a uniform certification system and adopt measures to encourage certification of commercial encryption. From 1 January 2020, the SCA no longer accepts applications for type and model approval of commercial encryption and no longer issues Commercial Encryption Model Certificates. Certificates already issued expire automatically on 1 July 2020.
On 27 December 2019, the People’s Bank of China commenced a public consultation on draft measures to protect financial services consumers. The draft measures contain a dedicated chapter on protecting consumers’ financial information. They require financial institutions to collect and use consumer financial information only where it is lawful, justified and necessary, and only with the explicit consent of the consumer. Financial institutions must not use standard-form clauses, notices or statements to exclude or restrict consumers’ rights to access, delete or correct their financial information. They must establish a management system for the use of consumer financial information built around tiered authorisation. Where consumer financial information is collected for marketing, to improve user experience or for market research, financial institutions must give consumers an appropriate mechanism to choose whether to participate.
On 28 December 2019, the draft Civil Code was published for public comment. The earlier draft defined privacy as the private space, private activities and private information that a natural person does not wish to disclose to others.
On 17 December 2019, the Ministry of Industry and Information Technology commenced a public consultation on draft guidelines for the cybersecurity classification of industrial internet enterprises. The guidelines apply to the classification of industrial enterprises that use the industrial internet. They propose three principles for classification: (i) tie the enterprise’s class to the degree of its impact on industry cybersecurity; (ii) combine industry-level guidance with local regulation; and (iii) combine the enterprise’s self-assessment with verification by the local authority. The guidelines also set out the main factors to be considered in classification, such as the degree of impact on industry cybersecurity and the size of the enterprise. Where an enterprise satisfies the criteria for more than one class, it should be classified according to its business activities.
On 4 December 2019, the People’s Bank of China issued new regulations on the management of mobile financial application software. The regulations specify four requirements to protect personal financial information:
- collecting and using personal financial information must be lawful, justified and necessary; the purpose, method and scope of collection must be clearly stated and the user’s consent obtained;
- protective measures such as data encryption, access control, secure transmission and signature verification must be taken;
- sensitive information must be deleted immediately after use, and personal financial information must not be retained after the software is uninstalled; and
- the app must not breach laws and regulations or the user agreement, and must not leak personal financial information or unlawfully sell or provide it to others.
In addition, the regulations require financial institutions to establish and improve risk monitoring and management mechanisms for mobile software, to improve their complaint handling mechanisms and to strengthen industry self-regulation.
On 10 December 2019, the Cyberspace Administration of China required two image providers, IC Photo and Visual China Group, to suspend their services and carry out a thorough rectification exercise. The administration announced that the two companies had provided internet news information services without a permit and had cooperated with overseas companies on news information services without undergoing a security assessment.
On 19 December 2019, the Ministry of Industry and Information Technology released its first list of 41 mobile apps found to have infringed users’ rights, including apps from Tencent and SINA Sports. The violations identified include unlawful collection and use of personal information, unreasonable requests for user permissions and obstacles to cancelling user accounts. The apps were required to complete rectification by 31 December 2019, failing which the Ministry may take further action.
On 29 November 2019, the Communications Administration of the Ministry of Industry and Information Technology summoned 18 mobile resale companies (mobile virtual network operators) over spam messages that had seriously disturbed users over an extended period. The Communications Administration noted that some of these companies had neglected their responsibilities and the interests of users, and that their systems for managing spam messages were ineffective.
On 20 December 2019, the App Special Governance Working Group published details of 61 apps that still had problems with the collection and use of personal information. The issues identified include: (i) providing user information, such as the device IMEI and geographic location, to third parties through SDKs embedded in the apps without users’ consent or anonymisation; (ii) failing to tell users the purpose when requesting permissions such as call records, storage and location; and (iii) repeatedly requesting permissions after users have expressly refused, interfering with normal use of the app.
On 9 December 2019, the Ministry of Transport issued a new scheme to develop big data in comprehensive transportation by 2025, which aims to promote deep integration of big data and comprehensive transportation. The scheme proposes five main goals: (i) consolidate the foundations for big data development; (ii) promote big data sharing and openness; (iii) promote big data innovation and applications; (iv) strengthen big data security; and (v) improve big data management systems. It also proposes: (i) improving data security measures, by promoting the classification and tiered management of data in the transportation sector, strengthening the protection of important data and personal information, and formulating rules for tiered data security management and data masking; and (ii) securing national critical data, by comprehensively identifying and cataloguing key national data resources in the transportation sector and integrating the protection of important data into the security planning for critical information infrastructure in transportation.
On 13 December 2019, the Ministry of Public Security and Baidu jointly released a report on cybercrime prevention and governance in 2019. The report is divided into four parts covering: (i) the scale and distribution of the cyber “black industry”; (ii) the types and characteristics of traditional cybercrime, including telecom fraud, malicious programs and data hijacking; (iii) the types and characteristics of new cybercrime; and (iv) suggestions on the governance of the cyber “black industry”.
On 20 December 2019, a spokesman for the Legislative Affairs Commission of the Standing Committee of the National People’s Congress stated at a press conference that the committee will formulate a Personal Information Protection Law and a Data Security Law in 2020.
On 26 December 2019, the China Academy of Information and Communications Technology published a research report on the state of the China-ASEAN cybersecurity industry. It is the first white paper focusing on international cooperation in the cybersecurity field and is divided into five parts: (i) the current state of development of the China-ASEAN cybersecurity industry; (ii) the status of China’s cybersecurity industry; (iii) the status of the ASEAN cybersecurity industry; (iv) the problems and opportunities facing China-ASEAN cooperation; and (v) observations and suggestions. The report also summarises current trends in cybersecurity cooperation between China and ASEAN countries in terms of market cooperation, technical exchanges and talent development.
On 22 December 2019, the Macau Cybersecurity Law came into effect in the Macau Special Administrative Region. The law sets out who is responsible for cybersecurity management, the organisational framework of the cybersecurity system, cybersecurity obligations and penalties for breaches, and provides the legal basis for a preventive cybersecurity management system in Macau. On the same day, the Cybersecurity Incident Alert and Response Center commenced operation to handle cybersecurity emergencies.
On 4 December 2019, India’s Personal Data Protection Bill was approved by the Union Cabinet and introduced in the current session of Parliament, bringing India a step closer to enacting a personal data protection law. The bill sets out broad rules on the collection, storage and processing of personal data, emphasises the consent of individuals, and provides for penalties and compensation. It classifies data into three categories:
- Critical personal data: the government will designate certain personal data as critical personal data, which may not be transferred outside India.
- Sensitive personal data: this includes data relating to health, religion, sex life, political beliefs, and biometric and genetic data (passwords have been removed from this draft). It may be transferred outside India but a copy must be stored in India, and processing it outside India requires the explicit consent of the data principal (the individual to whom the data relates).
- Personal data: personal data not falling into the above two categories, which may be stored and transferred entirely outside India.
The bill also grants data principals the right to be forgotten and rights to erasure, rectification and data portability. Companies that fail to comply face penalties of up to Rs 5 crore or 2% of global turnover, whichever is higher, for less serious breaches, and up to Rs 15 crore or 4% of global turnover, whichever is higher, for more serious breaches. Responsible individuals may also face imprisonment of up to three years.
On 4 December 2019, the European Data Protection Board commenced a public consultation on draft Guidelines 5/2019 on the criteria of the right to be forgotten in search engine cases under the GDPR (part 1). The deadline for comments is 5 February 2020. The Guidelines address two questions: (i) the grounds for the right to be forgotten under the GDPR; and (ii) the exceptions to the right to be forgotten under Article 17(3) of the GDPR.
On 6 December 2019, the Federal Trade Commission (FTC) issued an opinion finding that Cambridge Analytica had engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. Cambridge Analytica must delete all data it collected from Facebook users and must not misrepresent the extent to which it protects the privacy and confidentiality of personal information.