As an associate in our Commercial team based in Shanghai, I advise Chinese and international clients on a range of data protection and cybersecurity issues, with a special focus on the TMT sector.
APR Monthly Update - Cybersecurity and Data Protection
This newsletter summarises the latest developments in cybersecurity and data protection in China, with a focus on regulatory, enforcement and industry developments in this area. If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
Key highlights
The Ministry of Science and Technology (MOST) published the draft implementing rules for the regulation on human genetic resources (HGR) and further updated its response to frequently asked questions on HGR administration. This indicates that MOST is close to completing its regulatory regime for HGR administration, following the enactment of the Biosecurity Law and the regulation on HGR in 2021 and 2019 respectively. We have seen continuous regulatory efforts to strengthen the cybersecurity of intelligent and connected vehicles (ICV). The Ministry of Industry and Information Technology released its guidance on building a comprehensive regime of standards for the cybersecurity and data security of the internet of vehicles by 2025. Guidance on assessing the data security of ICVs was also released. Henan and Sichuan also joined the trend of provinces publishing drafts of local regulations on big data. Notably, the financial regulators have issued penalties to several banks that violated regulations on the protection of personal financial information and vowed to launch an enforcement campaign against violations of the Personal Information Protection Law in the banking and insurance industry.
On 2 March, the Cyberspace Administration of China (CAC) issued the draft Regulations on the Administration of Internet Pop-up Information Push Services (the “Draft Regulations”). The Draft Regulations set out a series of obligations for pop-up push notification service providers, including (i) ensuring that pop-up push notifications are manually reviewed, (ii) clearly informing users of the specific method, content frequency, cancellation channel, etc. of the pop-up services in the form of a service agreement, (iii) refraining from abusing personalised pop-up services or algorithms to block information or make excessive recommendations, and (iv) refraining from abusing algorithms to create user profiles or push detrimental information to minors.
On 14 March, the CAC published the revised version of the Regulation on the Online Protection of Minors (the “revised Regulation”) to solicit public opinions. The revised Regulation sets out a series of specific requirements on the cultivation of online literacy, the regulation of online information content, the protection of personal information, and the prevention and control of online addiction. In terms of personal information protection, the revised Regulation requires network service providers to perform identity verification, based on the information submitted by minors or their guardians, before providing information publishing, instant messaging and other services to minors.
On 4 March, the Human Genetic Resources Management Office of the Ministry of Science and Technology (MST) issued the Frequently Asked Questions on Human Genetic Resources Management (the “FAQs”) in response to common questions asked by applicants when handling administrative approval and filing matters in relation to human genetic resources. The FAQs point out that foreign organisations, individuals and institutions that are established or actually controlled by such foreign organisations or individuals (collectively referred to as “foreign entities”) are prohibited from collecting or preserving human genetic resources in China. Foreign entities are not eligible to back up human genetic resources information or make the filing; the backup and filing procedure must be completed by PRC entities.
On 21 March, the MST published the draft Implementation Rules on the Regulations on Human Genetic Resources Management (the “Implementation Rules”) for public consultation. According to the Implementation Rules, the provision of, or open access to, human genetic resources information to foreign entities requires filing with the MST. Additionally, any outbound provision or open access that might endanger China’s public health, national security or public interests must be subject to a security review conducted by the MST.
On 6 March, the National Information Security Standardization Technical Committee (TC260) released the 2022 Cybersecurity National Standards List, which includes a number of national standards to be drafted, such as the Security Requirements for Processing Sensitive Personal Information, Data Security Risk Assessment Methodology, Certification Requirements for Cross-border Transfer of Personal Information, Security Assessment Requirements for Critical Information Infrastructure, Security Requirements for Data Transaction Services, and Security Framework for Artificial Intelligence Computing Platforms.
On 6 March, the Ministry of Industry and Information Technology (MIIT) released the Guidelines for the Construction of a Standard System Regarding the Cybersecurity and Data Security of Connected Vehicles (the “Guidelines”). The Guidelines state that the basic standard framework for the cybersecurity and data security of connected vehicles will be set up by the end of 2023, with a specific focus on general security requirements, terminal and facility network security, network communication security, data security, application service security, and security assurance and support. A more comprehensive cybersecurity and data security standard system for connected vehicles will be formed by 2025.
On 9 March, the draft association standard Data Security Assessment Guidelines for Intelligent Connected Vehicles (the “Guidelines”) was released to solicit public opinions. The Guidelines clarify that there are three main types of data security assessment for intelligent connected vehicles, i.e. data security risk assessment, data security compliance assessment and data export security assessment. The Guidelines aim to provide an implementation process and assessment methodology for the data security risk assessment and the data security compliance assessment. The data export security assessment should be carried out in accordance with relevant legislation yet to be published.
On 28 March, the TC260 released the draft version of the national standard on Information security technology - Security technology specifications of mobile e-government system (the “e-government specifications”). The e-government specifications have enhanced the security requirements for mobile terminal, mobile communication and mobile access.
On 7 March, the draft Data Regulations of Henan Province (the “Regulations”) were released for public consultation. The Regulations apply to data processing and utilisation, supervision and security management in Henan Province, and address public data, non-public data, data development and use, and data security in separate chapters.
On 23 March, the Department of Justice of Sichuan Province issued the draft Regulations on the Development of Big Data in Sichuan Province (the “Regulations”) to solicit public opinions. The Regulations safeguard the security of data and personal information by introducing specific provisions on the cultivation of security awareness, security management system, data classification, data security risk assessment, security protection measures, and incident response.
On March 30, the Data Regulations of Chongqing Province (the “Regulations”) were passed. The Regulations will come into force on July 1, 2022. The Regulations require online trading platform operators to perform their obligations in terms of product and service quality assurance, consumer rights protection, data security and personal information protection, employee rights protection, and fair competition in accordance with the law.
On 17 March, the State Council Information Office held a press conference on the 2022 “Qinglang” series of special actions, where the CAC explained that the 2022 “Qinglang” series of special actions will focus on 10 key tasks, including Cracking Down on Online Rumours, Rectifying MCN Institutions Information Content Chaos, Cracking Down on Chaos in the Field of Online Live Broadcasting and Short Videos, Rectifying the Chaos of Application Information Services, Comprehensive Management of Algorithms, and Minors Online Environment Improvement.
On 3 March, the Communication Administration department of the MIIT held a conference to urge internet enterprises to rectify illegal recommended App downloads. The conference underlined that it is forbidden to automatically or compulsorily download an App without obtaining the user’s consent when the user browses page content, and that an obvious cancel button must be provided at the same time when recommending that the user download the App.
On 14 March, the MIIT circulated a notice to publish 14 Apps that infringed on users’ rights and interests. The main problems of these Apps include: misleading users to download the App, failure to disclose relevant information about the App on application distribution platforms, using pop-up messages that harass users, and requesting permissions in a coercive and excessive manner, etc.
It was reported on 16 March that the MIIT planned to conduct inspections on the violations in the information and communication field exposed at the 3.15 gala, such as tricking users into downloading malicious apps in the name of free Wi-Fi, application software platforms forcing users to download bundled Apps, spam calls, and the safety protection of smart watches for kids.
As reported by Xinhua News Agency on March 4, the National Computer Virus Emergency Response Center (CVERC) recently found that 17 Apps violated the relevant provisions of the Cyber Security Law and the Personal Information Protection Law, and allegedly collected personal information beyond the minimum scope necessary for achieving the processing purposes.
As reported by Xinhua News Agency on March 17, the CVERC recently found that 15 Apps and 1 SDK violated the relevant provisions of the Cyber Security Law and the Personal Information Protection Law, and allegedly collected personal information beyond the minimum scope necessary for achieving the processing purposes.
On March 7, the Supreme People's Procuratorate released its 35th batch of guiding cases. One of the cases involves the illegal collection of children’s personal information by an App. The App in question allows children to register accounts, collects and stores sensitive personal information (such as children’s online accounts, location, contact details, and children’s face and voice biometrics), and uses background algorithms to push short videos containing children’s personal information directly to users who have a preference for viewing such videos. The App does not notify the children’s guardians of the above processing activities, nor does it obtain the explicit consent of children’s guardians.
It was reported on 15 March that the director of the Bureau of Consumer Protection of the China Banking and Insurance Regulatory Commission (CBIRC) said at a special press conference on “the banking and insurance industry's in-depth promotion of financial consumer protection” that the CBIRC will carry out special enforcement actions to protect personal information in the banking and insurance industry in 2022 in order to promote the effective implementation of the Personal Information Protection Law in the banking and insurance industry.
On March 25, the CBIRC issued an announcement stating that it had conducted investigations and inspections into a number of cases concerning violations of the EAST data standard. Administrative penalties were imposed on 21 banking institutions in accordance with the law, with a total penalty amount of RMB 87.6 million.
It was reported on March 3 that the Changsha branch of the People’s Bank of China (PBOC) imposed a fine of RMB 1,877,000 on the Hunan branch of the Postal Savings Bank of China and fined the individuals responsible for the violations. The main violations include accessing personal credit information without written consent and processing consumers’ personal financial information without authorization or consent.
On March 4, the Shanghai Branch of the PBOC warned and imposed a fine of RMB 2,036,000 on DBS Bank (China) Limited for several violations, including failing to implement client identity verification and illegally processing credit information.
It was reported on March 25 that the Jiangmen Branch of the PBOC imposed a fine of RMB 30,000 on the Jiangmen Branch of Guangdong Huaxing Bank for accessing personal information without consent.
On March 21, the Beijing Communication Administration issued a notice on the removal of 16 Apps that infringed on users’ rights and interests. The main problems of these Apps include: illegal collection of personal information, requesting permissions in a coercive and excessive manner, forcing users to use the targeted push functions, etc.
On March 25, the Guangdong Communication Administration issued a notice on the network and data security inspection of the telecommunications and internet industry in 2022. The notice identifies five main areas of the inspection, i.e. network security management and protection system, communication network security protection, data security protection, personal information protection, and network security of industrial internet enterprises.
It was reported on March 13 that the Shanghai Municipal Administration for Market Regulation (Shanghai AMR) published a number of typical cases of infringement of consumers’ rights and interests. One of the cases involved the use of a scan-to-order mini-program to collect personal information such as mobile phone numbers without notifying consumers of the purposes, means and scope of the processing. Shanghai AMR held the view that such processing violated the necessity principle and the notification requirements. In another case, a real estate company installed a face recognition camera at its sales office and posted a notice reading “You have entered the monitoring area” on the wall. Shanghai AMR held that such a notice did not satisfy the notification requirements and that the company had failed to obtain individuals’ consent for the collection of facial images.
On March 5, the Premier delivered a government work report at the meeting of the fifth session of the 13th National People's Congress. The government work report indicates that China will strengthen cybersecurity, data security and personal information protection, as one of the key tasks in 2022.
On March 23, the MST held a press conference to introduce the recently issued Opinions on Strengthening the Ethical Governance of Science and Technology (the “Opinions”). The MST said that it has commissioned the National Science and Technology Ethics Committee to draft a list of high-risk activities in science and technology in key areas such as medicine, life sciences and artificial intelligence. The high-risk list will be released later this year.
On March 14, the CBIRC issued a risk reminder on marketing that induces excessive borrowing. The CBIRC indicated that some financial institutions and Internet platforms excessively collected or used consumers’ personal information when conducting consumer credit related business, thus infringing on consumers’ personal information rights. Typical violations include: obtaining authorisation by opt-out consent or bundled consent, using personal information without consumers’ consent or against their wishes for purposes other than consumer credit related business, and improperly collecting consumer information from third parties.
On March 21, the National Development and Reform Commission issued the Notice on Collecting Opinions on the Data Foundation System (the “Notice”), which covers four aspects, i.e. the data property rights system, the data elements circulation and trading system, the data elements revenue distribution system and the data elements security governance system. The Notice suggests promoting the orderly separation and circulation of the rights of data owners and data users, supports data processors in adopting both over-the-counter and on-exchange methods for opening, sharing, exchanging and trading data in accordance with the law, and guides large state-owned enterprises and Internet enterprises to open up data elements with public attributes to the data trading market.