China Cybersecurity and Data Protection: Monthly Update – July 2022 Issue

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Tanya Luo

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, and telecommunications.

Jacqueline Che

Associate
China

As an associate in our Commercial team based in Shanghai, I advise Chinese and international clients on a range of data protection and cybersecurity issues, with a special focus on the TMT sector.

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected]

Key highlights

Within a month, we saw major developments in China’s data export regime. Regulations and standards, including drafts, have been released on all three data export tools under the Personal Information Protection Law.

On 7 July 2022, the Cyberspace Administration of China (“CAC”) released the Measures of Security Assessment for Data Export, which will take effect on 1 September 2022. Data processors are allowed six months to complete any rectification required for compliance with the Measures. Despite the ambiguities and issues that could prove to be problematic in implementation, the security assessment has now become an enforceable requirement for certain data processors in China. With the tight timeframe for compliance with the Measures, data processors should start to take actions immediately. We have given our recommendations in our article. 

On 30 June 2022, the CAC released a draft of the long-awaited standard contract for personal information export and an accompanying regulation for public consultation. The release of the draft Standard Contract and the relevant regulation marks a step closer toward establishing China’s mechanism for exporting PI via the Standard Contract. Whilst China’s draft standard contract bears many similarities to the SCCs under the GDPR, data importers and exporters should pay attention to the noteworthy differences and consider its compatibility with the cross-border transfer tools they currently use.

On 24 June 2022, the National Information Security Standardization Technical Committee circulated the finalised Technical Certification Specification for Certification of Personal Information Cross-border Processing. The Certification Specification makes some noteworthy amendments to its draft version released in April 2022. The specification retains most of the requirements in the previous draft whilst trying to make some clarifications and supplements. However, most of the issues we raised in our comments on the previous draft remain unresolved. The specification is a useful attempt towards establishing the certification regime for data export in China, but the regime will not be complete in the absence of higher-level mandatory regulations.

Please see our detailed comments by clicking the links in the section below. 

Our Views

China Released Measures of Security Assessment for Data Export: dust settled?

What you need to know about China’s Draft SCCs for Data Export

China Released Certification Specification for Personal Information Export

Legislative Developments

  1. CAC released the Draft Standard Contract Provisions on the Export of Personal Information for public comment

    On 30 June, the Cyberspace Administration of China (CAC) released the Standard Contract Provisions on the Export of Personal Information (Draft for Comments) (the “Standard Contract Provisions”) for public comment.

    The Standard Contract Provisions specifies its scope of application, the key issues in the Personal Information Protection Impact Assessment (PIPIA) prior to exporting any personal information and the main provisions in the Standard Contract.

  2. TC260 issued the Practice Guideline for Network Security Standards - Technical Specification for Certification of Personal Information Cross-border Processing Activities

    On 24 June, the National Information Security Standardisation Technical Committee (TC260) issued the Practice Guideline for Network Security Standards - Technical Specification for Certification of Personal Information Cross-border Processing Activities (the “Certification Specification”).

    Compared to the Certification Specification (Draft for Comments) released 2 months ago, the Certification Specification changes the expression of “relevant parties involved in cross-border processing of personal information” to “personal information processor and foreign recipient”; extends the scope of application and includes the circumstance of “cross-border processing of personal information among affiliated companies”; grants personal information subjects the right to withdraw their consent; and imposes the obligations to “take remedial measures” and “notify the relevant authorities” in the event of a personal information security incident.

  3. The National Health Commission and another administration jointly issued the Administrative Rules for the Regulation of Internet Diagnosis and Treatment (for Trial Implementation) to strengthen the protection of patients’ privacy

    On 9 June, the National Health Commission and the National Administration of Traditional Chinese Medicine jointly issued the Administrative Rules for the Regulation of Internet Diagnosis and Treatment (for Trial Implementation) (the “Rules”).

    The Rules clarifies the pharmaceutical, medical and technical regulatory requirements for Internet diagnosis and treatment, and stipulates the following data protection obligations: (1) artificial intelligence software is not allowed to impersonate or replace physicians to provide medical services; (2) medical institutions shall establish systems for cybersecurity, data security, personal information protection and privacy protection; (3) medical institutions shall promptly report and handle cybersecurity incidents; (4) medical institutions shall strengthen the content management of information published on the Internet; (5) provincial regulatory platforms and online diagnosis and treatment platforms used by medical institutions shall implement advanced information security protections classified as Level 3 or above.

  4. SAMR and CAC jointly issued the Announcement on Carrying Out Data Security Management Certification

    On 9 June, the State Administration for Market Regulation (SAMR) and CAC issued the Announcement on Carrying Out Data Security Management Certification (the “Announcement”) and the annexed Implementation Rules of Data Security Management Certification, having decided to carry out data security management (DSM) certification. The Announcement encourages network operators to standardise their network data processing activities and strengthen network data security by obtaining the DSM certification.

  5. MIIT: the Provisions on Protecting the Personal Information of Telecom and Internet Users is being revised

    On 14 June, the Publicity Department of the CPC Central Committee held a conference at which the Chief Engineer of the Ministry of Industry and Information Technology (MIIT) said that MIIT was currently revising the Provisions on Protecting the Personal Information of Telecom and Internet Users, which was published in 2013, to strengthen the management of the key responsibility chain in application services and improve the personal information protection system.

  6. NEA released the Administrative Measures for cybersecurity in the Electric Power Industry (Revised Draft for Comments) and the Administrative Measures for Multi-Level Cybersecurity Protection in the Electric Power Industry (Revised Draft for Comments)

    On 12 June, the National Energy Administration (NEA) released the Administrative Measures for Cybersecurity in the Electric Power Industry (Revised Draft for Comments) (the “Administrative Measures for Cybersecurity”) and the Administrative Measures for Multi-Level Cybersecurity Protection in the Electric Power Industry (Revised Draft for Comments) (the “Administrative Measures for Multi-Level Cybersecurity Protection”).

    The Administrative Measures for Cybersecurity stipulates that electric power enterprises shall submit a special summary of their cybersecurity work for the year to NEA, NEA’s agencies and local energy regulators by 1 November each year. The Administrative Measures for Multi-Level Cybersecurity Protection sets out 5 levels of cybersecurity protection for networks in the electric power industry. The grading and review of networks proposed to be Level 2 or above may be carried out by the network operators themselves; the grading and review of all networks proposed to be Level 4 or above shall be conducted by NEA; and enterprises with Level 3 or above network systems are subject to random inspection by energy regulators.

  7. TC260 issued two recommended national standards relating to the processing of personal information in Apps (Draft for Comments)

    In June, TC260 issued the Information Security Technology—Personal Information Processing Management Guide for Apps of Smart Mobile Terminals (Draft for Comments) (the “Guide for Smart Mobile Terminals”) and the Information Security Technology—Normative Guide Personal Information Processing Audit and Management for Apps in App Stores (Draft for Comments) (the “Guide for App Stores”).

    The Guide for Smart Mobile Terminals recommends that smart mobile terminals adopt mechanisms such as access permission prompts and recording and displaying the personal information collection activities of Apps in an effort to provide more detailed guidance for enterprise compliance in their development and design of products and services. The Guide for App Stores clarifies the review process of an App’s personal information processing activities before the App becomes available in the App Store and the requirements for personal information security management afterwards.

  8. The China Appraisal Society issued Guidance on Data Asset Appraisal (Draft for Comments)

    On 8 June, the China Appraisal Society issued the Guidance on Data Asset Appraisal (Draft for Comments) (the “Guidance”). The Guidance clarifies the basic attributes of data assets, the classification dimensions of data assets, the factors affecting the value of data assets and the appraisal approach of data assets. The Guidance can serve as a reference for asset appraisal institutions to value data assets in relevant trading, funding and financing.

  9. Beijing prepares to regulate personal information protection in waste electrical and electronic equipment recycling

    According to the news on 28 June, the Beijing Municipal Administration for Market Regulation recently issued the Specifications for Waste Electrical and Electronic Equipment Recycling (Draft for Comments), which states that recycling operators of waste mobile phones, computers and other electronic equipment involving personal privacy shall remove any personal information in the device, maintain the customer’s privacy, and shall not disclose any relevant information to any third party.

  10. Xiamen Municipal Bureau of Justice released Xiamen Special Economic Zone Data Regulations (Draft for Comments)

    On 1 June, the Xiamen Municipal Bureau of Justice released the Xiamen Special Economic Zone Data Regulations (Draft for Comments) (the “Regulations”). The Regulations provides for data resources, the data element market, data security, application and development, legal liabilities and other aspects.

Enforcement Developments

  1. “People Data Protection”, the first personal information protection and right confirmation service platform in China, was officially launched

    On 20 June, “People Data Protection”, the first personal information protection and right confirmation service platform in China, was officially launched. “People Data Protection” is built by People Data Management Co., Ltd. and VNET Group, Inc. as a platform aimed to provide personal data centre (PDC) service for everyone. The platform can help users to ensure that their data is secure, reliable and immutable and features functionality such as data right confirmation, authorization, circulation and secondary development.

  2. MIIT: It has completed the inspection of 3.22 million Apps and taken down nearly 3,000 illegal Apps in total so far

    On 14 June, the Publicity Department of the CPC Central Committee held a conference at which the Chief Engineer of MIIT said that the Ministry has completed the inspection of 3.22 million Apps and taken down nearly 3,000 illegal Apps in total so far. In the next step, MIIT will build a public service platform for the inspection and certification of mobile web Apps to enhance the capability of automated inspection, big data analysis, monitoring and warning, certification signature and public services.

  3. The Supreme Procuratorate to crack down on personal information leaks by industry insiders

    According to the news on 21 June, the Supreme People’s Procuratorate recently issued the Notice on Strengthening the Collaboration between Criminal Prosecution and Public Interest Litigation Prosecution to Crack Down on Telecommunication Network Crimes and Strengthen the Judicial Protection of Personal Information (the “Notice”). The Notice requires local procuratorates to crack down on personal information leaks by industry insiders with a focus on the cases in major risk areas in key industries involving certain groups of people.

  4. MIIT reported 84 Apps infringing on users’ rights and interests

    On 1 June, MIIT released the Notification on Apps Infringing on Users’ Rights and Interests (the 4th batch in 2022) (the “Notice”), which notes that there are 84 Apps in the fields of shopping and office among others that have not completed the required rectification. The problems with the Apps include collecting personal information beyond the necessary scope and/or in an illegal way, forcing users to turn on push notifications and misleading users with vague information about the App on the App distribution platform.

  5. CVERC detected 15 illegal mobile Apps

    On 17 June, the National Computer Virus Emergency Response Centre (CVERC) reported 15 mobile Apps that are not compliant with privacy regulations. The problematic Apps were found to have processed sensitive personal information without obtaining separate consent from the individuals, processed personal information of minors under the age of 14 in the absence of specific relevant rules, and committed 6 other breaches.

  6. Hainan Provincial CAC found 9 Apps illegally collecting and using personal information

    On 23 June, the Hainan Provincial CAC released a notification which noted that 9 dating and game Apps had illegally collected and used personal information. The relevant violations include asking for permission to collect personal information or sensitive personal information without informing the user about the purpose at the same time or without accurately/clearly stating the purpose.

  7. CRO launched a cybersecurity review on CNKI

    On 23 June, the Cybersecurity Review Office (CRO) announced a cybersecurity review of Tongfang Knowledge Network Technology Co., Ltd. (Beijing) (CNKI). It is reported that CNKI holds a large amount of personal information and important data related to key areas such as national defence, industry, telecom, transportation, natural resources, health and finance, as well as sensitive information covering major projects, important scientific achievements and key technological developments. Previously, CNKI was investigated by the State Administration for Market Regulation for alleged monopolistic conduct.

  8. BOSS Zhipin, Huochebang and Yunmanman resumed new user registration after nearly a year of cybersecurity review

    On 29 June, after nearly a year of cybersecurity review, “Yunmanman”, “Huochebang” and “BOSS Zhipin” announced that, with CRO’s approval, new user registration would be resumed immediately. On 5 July 2021, CRO had announced the launch of a cybersecurity review of these Apps, and new user registration was suspended during the review process.

  9. In Tianjin face recognition case, the property management company was ruled illegal for using facial recognition as the only means of verifying residents’ identities

    According to the news on 5 June, a property management company in Tianjin was sued by a resident over its adoption of a facial recognition system as the exclusive method for identity verification. Recently, the judgement was made in the second instance. The court required the property management company to delete the appellant’s facial recognition information and provide him with alternative ways of identity verification, in accordance with the Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Cases involving the Processing of Personal Information Using the Facial Recognition Technology.

  10. Judgement was made in the first case of China’s first Data Resources Tribunal

    On 28 June, the Data Resources Tribunal of the People’s Court of Ouhai District in Wenzhou found Wu guilty of illegally obtaining data from a computer information system and sentenced him to 3 years and 3 months in prison, with a fine of 30,000 CNY. This is the first judgement since the establishment of this tribunal. After the conclusion of the case, Ouhai District People’s Court made several judicial suggestions to the relevant authorities and platforms in Zhejiang Province involved in the management of big data, advising them to raise data security awareness, strengthen the security protection in data-related areas and avoid being used in illegal activities.

  11. Two enterprises in Hangzhou were fined 1.4 million CNY for developing "store-cloning" software and making illegal profits

    According to the news on 10 June, the Hangzhou Municipal Bureau of Market Regulation recently punished 2 enterprises for developing and selling “store-cloning” software to make illegal profits. The software crawled and scraped shop and product data such as store design and product details and pictures on e-commerce platforms and was used to clone a huge number of stores automatically. Over the past year, the software had illegally crawled nearly 20 million pieces of relevant data. Under the relevant provisions of the Anti-Unfair Competition Law, the 2 enterprises were fined 1.4 million CNY in total by the Hangzhou Municipal Bureau of Market Regulation.

  12. ICBC Hunan Branch was fined 918,000 CNY for illegally collecting consumers’ financial information and other violations

    On 15 June, the Changsha Branch of the People’s Bank of China announced a list of administrative penalties against the Hunan branch of the Industrial and Commercial Bank of China (ICBC). The ICBC branch was warned and fined 918,000 CNY for 9 violations, including “collecting consumers’ financial information unrelated to its business”.

Industry Development

  1. The Data Security Cooperation Initiative of China+Central Asia (C+C5) was released

    On 8 June, the third China + Central Asia (C+C5) foreign ministers’ meeting was held in Nur-Sultan, Kazakhstan. The meeting adopted the Data Security Cooperation Initiative of China+Central Asia (C+C5) (the “Initiative”). The Initiative puts forward that countries should respect the sovereignty, jurisdiction and security management of other countries’ data, and should not directly access data of enterprises or individuals located in other countries without the permission of the other countries’ laws; if countries need to access data across borders for law enforcement purposes such as combating crimes, they should solve the problem through judicial assistance channels or in accordance with inter-state agreements; the agreement of cross-border data access between countries should not infringe on the judicial sovereignty and data security of third countries.

  2. SASAC to improve the informationisation of state-owned assets supervision

    On 23 June, the State-owned Assets Supervision and Administration Commission of the State Council (SASAC) organized the conference for 2022 on the informationisation of state-owned assets supervision. The conference noted that state-owned central enterprises should improve digital and smart development, accelerate the support for the informationisation drive and strengthen their cybersecurity and data security.

  3. Shanghai Municipal Government approved the establishment of Shanghai Data Group Co., Ltd.

    On 3 June, the Shanghai Municipal Government issued the Approval of the Shanghai Municipal People’s Government on Agreeing to the Establishment of Shanghai Data Group Co., Ltd., and approved the incorporation of Shanghai Data Group Co., Ltd. by the Shanghai Municipal State-owned Assets Supervision and Administration Commission.

  4. IDC released the China Data Governance Market Share 2021

    On 17 June, International Data Corporation (IDC) released the report China Data Governance Market Share 2021. According to the report, in 2021, the scale of the data governance platform market in China reached 2.39 billion CNY in value and the scale of the data governance solution market reached 2.66 billion CNY. IDC analysts said, “This market is poised for a period of rapid growth as industries begin to bring in data governance partners to fuel digital transformation and intelligent applications.”
