This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
We have seen some important developments in identification of important data and core data, and data classification under the Data Security Law. A draft guidance on identifying important data was made public, which sets out the identification principles as well as a list of important data in different sectors.
Despite being a non-mandatory standard, the guidance requires organisations to submit the identification results to local and sectoral regulators. The National Information Security Standardisation Technical Committee (TC260) also released a draft guidance on data classification and grading, which divides data into three classes, namely public data, personal information, and legal person data, and five levels according to their importance, namely public, internal, sensitive, important and core.
Notably, the Ministry of Industry and Information Technology (MIIT) is the first sectoral ministry to have published draft regulations for identifying important data and core data. Under the draft regulation, entities in the industrial and telecom sectors are required to first divide their data into different classes (i.e. research data, production operation data, management data, operation maintenance data, business service data and personal information), and then into three levels, i.e. ordinary, important and core. The draft regulation also confirms that organisations should file the catalogue of important data and core data with the local MIIT. It is not clear how the different level systems proposed by the MIIT and TC260 will be reconciled.
The automotive industry has seen further scrutiny from MIIT, whereby automobile manufacturers are required to step up their cybersecurity and data security measures and conduct self-inspection on such measures. This is the latest move after a series of regulations released by MIIT to tighten cybersecurity and data security this year and could be an indication of further enforcement actions.
The Cyberspace Administration of China (CAC), jointly with eight other ministries, issued their opinion on regulating algorithms used by internet information services. It proposes to establish a comprehensive regulatory regime of algorithms in three years’ time and confirms that algorithms will be subject to a security assessment and a mandatory filing requirement.
On 30 September, the People's Bank of China (PBoC) issued the Measures for the Administration of the Credit Reporting Business (the "Measures"), which will come into force on 1 January 2022. As a supporting regulation to the Regulation on the Administration of the Credit Investigation Industry, the Measures focus on the protection of personal information and clarify the guidance on the collection, collation, storage, processing, provision and use of credit information. A noteworthy requirement is that big data analysis and risk control services provided to financial institutions will also be recognised as credit business. For institutions that were not qualified but engaged in credit business before the implementation of the Measures, the PBoC has granted a transitional period until the end of June 2023, during which substantial inspections will be conducted.
2. Identification Guide of Key Data (Draft for Comment) was released
On 23 September, the draft of "Information Security Technology - Identification Guide of Key Data" (the "Guide") was released. The Guide proposes the characteristics of key data and clarifies the basic principles and procedures for identifying key data. The Guide will serve as a direct reference for all regions and industries in developing catalogues of key data for their own and related fields, and will also provide guidance for implementing the multi-level classified and important data protection regime under Article 21 of the Data Security Law ("DSL").
On September 30, the Secretariat of the ISC released the "Cybersecurity Standard Practice Guide - Data Classification Guidelines" for public consultation. The Guidelines propose rules for identifying three types of data, namely personal information, legal person data and public data, as well as grading rules for five levels of data, namely core, important, sensitive, internal and public, in descending order of confidentiality.
On September 30, MIIT issued the Measures for the Administration of Data Security in Industry and Information Areas (Provisional) (the "Measures") for public consultation. The Measures propose a specific regulatory framework for industrial data security, covering the scope of industrial data, telecommunication data and their respective processors, three sectoral regulators, regulatory means including data security review, proactive enforcement and a complaint handling mechanism, and the relevant administrative and criminal liability and credit punishment mechanisms. Notably, the criteria for identifying core data under the DSL are also specified in the Measures.
5. MIIT issued Notice on the Self-Inspection of Automotive Data Security and Cybersecurity
On September 13, the Equipment Industry Development Center of MIIT issued a Notice on the Self-Examination of Automotive Data Security and Cybersecurity (the "Notice") and released the Automotive Data Security and Cybersecurity Self-Inspection Form (the "Form"). The Notice requires each vehicle manufacturer qualified as a road motor vehicle manufacturing enterprise to conduct a self-inspection of its automotive data security, cybersecurity, online software upgrades and driver assistance functions in accordance with the law, to complete the Form, and to submit the Form to the Equipment Industry Development Center by October 12.
6. MIIT issued Notice on Strengthening the Cybersecurity and Data Security of V2X
On September 16, MIIT issued the Notice on Strengthening the Cybersecurity and Data Security of V2X (the "Notice"). The Notice proposes that intelligent connected vehicle ("ICV") manufacturers should take effective technical protection measures to prevent risks such as data breach, destruction, loss, tampering, misuse and abuse, cooperate with supervision and inspection, and provide the necessary technical support. It further strengthens the security responsibilities of ICV enterprises.
On September 13, MIIT released the Administrative Measures for Record-filing of the Platforms for Collection of Security Vulnerabilities in Network Products (the "Measures"). As a supporting regulation to the Provisions on the Administration of Network Product Security Vulnerabilities, the draft Measures propose systematic requirements for the registration, filing, information change and cancellation procedures of vulnerability collection platforms that are online or about to go online.
8. MIIT Network Security Threat Information Sharing Platform goes live
On September 1, the Network Security Threat Information Sharing Platform (the "Platform") (https://www.nvdb.org.cn), built by the Cybersecurity Bureau of MIIT, was officially launched. According to the Provisions on the Administration of Network Product Security Vulnerabilities, network product providers should report vulnerability-related information to the Platform in a timely manner, and other organisations or individuals are also encouraged to do so.
On September 29, nine ministries including CAC, MIIT and MPS jointly issued the "Guiding Opinions on Strengthening the Comprehensive Governance of Internet Information Service Algorithms" (the "Guidance"), which aims to establish a regulatory system covering risk monitoring, security assessment, ethics review, algorithm filing and the handling of violations. The Guidance also proposes a governance mechanism involving multiple parties, including the government, enterprises and users, and urges enterprises to use algorithms in a correct, fair and open manner and to explain algorithmic results in a timely and effective way so as to protect the legitimate rights and interests of users.
10. Shanghai Data Regulation was drafted for public comments
On September 30, the General Office of the Standing Committee of the Shanghai Municipal People's Congress released the draft Shanghai Data Regulation (the "Regulation") for public comment until October 20. The draft contains 10 chapters and 91 articles and focuses on three parts: data property and trading rights; the sharing, opening and authorised operation of public data; and digital economy development and urban digitalisation.
On September 15, CAC issued the Opinions on Further Intensifying Website Platforms' Entity Responsibility for Information Content (the "Opinion"), which sets out specific requirements for online platforms in nine areas, including community rules, accounts, content moderation, content quality management, key functions, platform operation, minors' online protection and personnel management, and specifies the obligations of responsible platforms.
12. CBIRC incorporates "data governance" into the regulatory rating criteria of commercial banks
On September 10, the China Banking and Insurance Regulatory Commission ("CBIRC") issued the Regulatory Rating Measures for Commercial Banks (the "Measures"), which add "data governance" as a rating element, making the authenticity, accuracy and completeness of data a fundamental factor in evaluating commercial banks' risk management status. Data governance carries a 5% weighting, equal to that of the "profitability" and "institutional differentiation" criteria.
On September 27, the State Council issued the Outline for the Development of Chinese Children (2021-2030) (the "Outline"), which proposes to strengthen the protection of minors' personal information and privacy and to crack down on online crimes that violate the legitimate rights and interests of children. The Outline requires providers of online services such as games, live streaming, audio and video, and social networking to strengthen identity verification of underage users, to manage minors' usage time, accessible permissions and consumption quotas in accordance with the law, and to prohibit children under 16 from registering live-streaming accounts.
In early September 2019, the Hedong Branch of the Tianjin Public Security Bureau investigated an internet company that allegedly used loan-purpose mobile Apps to collect over 2.46 million pieces of personal information, such as address books, call records and SMS messages. On September 4, the court handed down its judgment in the case. The defendants, Ge and Zhu, were each sentenced to three years' imprisonment and a fine of 100,000 yuan for the crime of infringing upon citizens' personal information (Article 253(1) of the Criminal Law of the PRC).
On September 2, a civil public interest litigation case for consumer rights protection between the Chongqing Consumer Rights Protection Committee and Chongqing Yangqi Company was heard at the Chongqing First Intermediate People's Court. The defendant, Yangqi Company, had publicly disclosed the personal information of up to 10,979 consumers in a WeChat article on 16 July 2020, including their addresses, telephone numbers, names and ID numbers, and the article was widely republished. The plaintiff and the Prosecutor's Office requested that the company remedy the harm to the public interest by making public apologies through the media and organising public awareness campaigns in the consumer field, which the Court supported. This was the first civil public interest litigation case concerning the protection of personal information to be heard nationwide after the promulgation of the PIPL on 20 August 2021, and the first civil public interest litigation case in which damages are compensated by conduct.
3. MIIT issued Notice on 334 Apps Infringing on Users' Rights and Interests
On September 23, MIIT issued a notice on 344 Apps infringing on the rights and interests of users. Among them, 282 were reported by local communications authorities, and the reported problems mainly include "illegal collection of personal information", "deceiving, misleading and forcing users", "inadequate information disclosure of Apps on App Stores", "frequent self-starting and associated start-ups of Apps" and "difficulty in account cancellation". In addition, the Apps involved came not only from distribution platforms such as the App Store and Yingyongbao, but also from the official sites of some internet companies, such as Kwai. The reported Apps are required to complete rectification before 29 September.
4. CVERC monitored and found 15 illegal Apps
According to the monitoring results of the National Computer Virus Emergency Response Center (CVERC), fourteen Apps were found to be non-compliant with the privacy requirements under the Cyber Security Law ("CSL") and were suspected of collecting personal information beyond the permitted scope. Among them, 1 App lacked a privacy policy; 2 Apps did not prompt users to read the privacy policy through a pop-up; 14 Apps did not disclose all the privacy permissions they obtained; 6 started collecting personal information before obtaining users' consent; 9 did not provide effective functions for correcting, deleting and cancelling PII; and 1 did not establish information security complaint and reporting channels.
5. CAC, MIIT, MPS, SAMR and MT had regulatory talk with 11 ride-hailing platforms
On September 1, the Ministry of Transport ("MT"), together with the Cyberspace Administration of China ("CAC"), the Ministry of Industry and Information Technology ("MIIT"), the Ministry of Public Security ("MPS"), the State Administration for Market Regulation ("SAMR") and others, held regulatory talks with 11 ride-hailing platforms, including T3 Travel and Didi, emphasising the importance of not providing personal information to third parties without consent and of building data security management systems.
6. China's first professional collegiate bench for data-related disputes established in Guangzhou
On September 26, China's first professional collegiate bench for data-related disputes was established in the Guangzhou Internet Court, and ten typical cases involving data and virtual property disputes were released at the same time. The collegiate bench will hear first-instance cases, under the court's centralised jurisdiction, involving the collection, storage, use, processing, transmission, provision, disclosure, deletion and other processing activities, as well as the data security, of personal data, enterprise data and public data.
1. Policies and Measures for Promoting Digital Transformation of Shanghai City enter into force
On September 1, the "Policies and Measures for Promoting Digital Transformation of Shanghai City" (the "Measures") came into effect. The Measures cover healthcare, education, elderly care, travel and other areas of people's livelihood, and propose 27 initiatives, including the establishment of the Shanghai Data Exchange, the appointment of chief digital officers (CDOs) in state-owned enterprises, and licensed uses of public data.
2. New Generation Artificial Intelligence Code of Ethics was released
On September 25, the New Generation Artificial Intelligence Code of Ethics (the "Code") was publicly released, aiming to integrate ethics into the entire lifecycle of AI management, research and development, supply and application. The Code sets out six basic ethical requirements: promoting human welfare, promoting fairness and justice, protecting privacy and security, ensuring controllability and trustworthiness, strengthening responsibility and enhancing ethical literacy.