This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
On 8 December 2022, the Ministry of Industry and Information Technology (MIIT) released the final version of the Interim Administrative Measures for Data Security in Industry and Information Technology (the “Measures”) after two rounds of public consultation, which became the first sectoral regulation on the data security regime that the Data Security Law proposed to establish.
Please see our detailed comments here: China to Strengthen Data Security in Industry and IT Sectors
Follow the links in each heading below to view the official policy document on the People’s Republic of China Government website.
On 16 December, the secretariat of the National Information Security Standardization Technical Committee (TC260) issued the Network Security Standard Practice Guide - Security Certification Specification for Cross-border Personal Information Processing Activities V2.0 (the "Practice Guide"). The Practice Guide stipulates the basic principles to be followed in cross-border processing of personal information and the relevant obligations and responsibilities of data processors and foreign recipients in the protection of the rights and interests of data subjects.
On 19 December, the CPC Central Committee and the State Council jointly issued the Opinions on Establishing a Basic Data System for the Better Utilization of Data Resources (the “Opinions”). The Opinions are intended to enable China to fully exploit its vast data resources, expand the digital economy, empower the real economy, and give the country a competitive edge in the international marketplace.
On 30 December, the China Banking and Insurance Regulatory Commission (CBIRC) issued the Administrative Measures for the Protection of Consumer Rights and Interests by Banking and Insurance Institutions (the “Administrative Measures”), which will come into force on 1 March 2023. The Administrative Measures primarily consist of five parts: (1) provisions on the overall objectives, the definition of banking and insurance institutions, their responsibilities and obligations, the supervisory organisation, and the basic principles; (2) the system and mechanism for protecting consumer rights and interests; (3) rules governing the operation of banking and insurance institutions to protect the basic rights of consumers; (4) the supervision and management of the industry; and (5) the scope of application, the power of interpretation, and the timeframe for implementation.
4. China’s Anti-Telecom and Network Fraud Law came into effect on 1 December
China’s Anti-Telecom and Network Fraud Law (the “Law”), adopted by the country’s top legislative body in September, came into effect on 1 December 2022. The Law sets out the fundamental principles to combat telecom and online fraud, in particular the basic administration system for phone cards, Internet of Things cards, bank accounts, payment accounts, and Internet accounts. The Law will help to promote the development of a unified monitoring system across various sectors and enterprises, as well as provide institutional support for anti-fraud efforts using big data. Additionally, the Law strengthens the regulatory oversight of illegal services, equipment, and industries involved in fraud and clarifies legal liability for violations, which is of great importance to the fight against fraud in the telecommunications sector.
On 13 December, MIIT issued the Measures for the Administration of Data Security in the Field of Industry and Information Technology (for Trial Implementation) (the "Measures"), with effect from 1 January 2023. The Measures focus on the following four aspects: (1) the management of data classification and grading, as well as the identification and filing of important and core data; (2) requirements for security management and protection of the lifecycle processing of data of various grades; (3) monitoring and early warning of data security threats, reporting and sharing of risk information, emergency response, the acceptance of complaints and reports, as well as other working mechanisms; and (4) monitoring, certification, and evaluation of data security.
On 27 December, MIIT publicly solicited opinions on the Notice of MIIT on Further Improving the Service Capabilities of Mobile Internet Apps (Draft for Comments) (the “Draft”). The Draft contains provisions on standardizing App installation and uninstallation, optimizing users’ service experience, strengthening the protection of personal information, and responding to user requests.
On 1 December, the Ministry of Finance (MOF) issued the Interim Provisions on Accounting Treatment of Enterprise Data Resources (Draft for Comments) (the "Interim Provisions") to strengthen the management of enterprise data resources, standardize accounting treatment related to enterprise data resources, and regulate the disclosure of relevant accounting information. The Interim Provisions stipulate the applicable criteria for accounting treatment of data resources and the requirements for information disclosure and categorize enterprise data resources at the present stage into those for internal use and those for external transactions. According to the Interim Provisions, enterprises should disclose in a detailed table the information about the original data such as the type, scale, source, ownership, application, and transfer.
On 30 November, the secretariat of the National Information Security Standardization Technical Committee (TC260) officially issued a notice to solicit public opinions on the Industrial Internet Enterprise Cybersecurity - Part 4: Data Protection Requirements (the "Draft"). As defined in the Draft, industrial Internet data refers to data, whether recorded electronically or otherwise, that is generated and collected in the industrial Internet across a wide range of industries and fields, including in the processes of R&D, production, operation and management, maintenance, and platform operation. The Draft outlines the process and the specific requirements for the security management and processing activities of industrial Internet data. Specifically, the Draft proposes a three-tier system for categorizing data as general, important, or core, with different requirements for each tier.
On 25 November, the Telecommunication Terminal Industry Forum Association (TAF) publicly released a total of 9 sets of group standards for the telecommunications sector, all with immediate effect. The standards are (1) Implementation Specifications of Smart Mobile Terminal Application Software Classification and Uninstallation; (2) Application Software User Personal Information Collection and Usage Minimization and Necessity Evaluation Specification - Part 1: General Principle; (3) Application Software User Rights Protection Evaluation Specification - Part 7: Deception, Misleading, and Coercion Behavior; (4) Processing Specification for Personal Information of Software Development Kit (SDK); (5) Technical Requirements for Differential Privacy-based User Personal Information Protection; (6) App User Rights Protection Requirements and Evaluation Specification in Recommendation Algorithm; (7) Telecommunications and Internet Personal Information Protection Compliance Audit Specification; (8) User Rights Protection Evaluation Specification for Smart Watch; and (9) User Rights Protection Evaluation Specification for Smart TV.
On 2 December, the 38th meeting of the Standing Committee of the 13th Sichuan Provincial People's Congress voted to adopt the Data Regulation of Sichuan Province (the "Regulation"). The Regulation, effective from 1 January 2023, specifies the scope of application, general principles, and specific work duties of each department, as well as provisions concerning data resources, data circulation, data application, data security, regional cooperation, legal responsibilities, and supplementary rules.
On 28 November, the Legislative Affairs Commission of the Standing Committee of Jiangxi Provincial People's Congress released a notice to solicit opinions on the Regulation on Data Application of Jiangxi Province (Draft) (the “Regulation”). The Regulation focuses on the development of data application and aims to regulate the entire data lifecycle, including data collection, integration, sharing, opening, governance, and circulation. Additionally, the Regulation clarifies the responsibilities of relevant departments and the functions of various platforms and explores the means of establishing an operational mechanism for public data authorization and conducting trials for data asset registration.
On 27 December, the Standing Committee of Xiamen Municipal People's Congress issued the Data Regulation of the Xiamen Special Economic Zone (the “Regulation”), which will come into force on 1 March 2023. According to the Regulation, government departments and public service organizations are required to explore means to establish a chief data officer system. In addition, the Regulation urges the municipal big data department to set up a public data resource platform.
On 1 December, the 36th meeting of the Standing Committee of the 13th Guizhou Provincial People's Congress amended and adopted the Information Infrastructure Regulation of Guizhou Province (the "Regulation"), which will come into force on 1 March 2023. As defined in the Regulation, information infrastructure refers to telecommunications networks, broadcast television networks, the Internet, public data centres and their supporting environments. Information infrastructure operators are required (1) to strengthen network and data security protection and to implement the requirements of the network security grading system; (2) to establish and improve mechanisms for monitoring and early warning, risk assessment, and responsibility identification; (3) to formulate and improve emergency plans and conduct emergency drills on a regular basis; and (4) to actively address cyber security incidents, inform users, and report to the authorities responsible for network information, public security, communication, and big data in a timely manner.
14. CAC launched “Operation Qinglang” to create a better Internet ecosystem for mobile Apps
On 12 December, the Cyberspace Administration of China (CAC) launched a special campaign named "Operation Qinglang” to crack down on problematic applications in accordance with the Regulation on the Administration of Mobile Internet Application Information Services. Specifically, the operation targets: (1) issues that users may encounter when searching for Apps online, such as copycat Apps, fake rankings, misleading information, and unregistered Apps; (2) issues that users may encounter when downloading and installing Apps, including compulsory or bundled download and installation, Apps disguised to avoid regulatory oversight, and Apps that entice users to download by promising money rewards; and (3) issues that users may encounter when using Apps, such as pop-ups, malicious functions, and Apps that attempt to trick users into making a payment.
On 2 December, the Supreme People's Procuratorate issued the Notice on the Printing and Distribution of Typical Cases concerning the Punishment of Crimes against Citizens' Personal Information by Prosecutorial Authorities (the “Notice”). The Notice discloses five typical cases concerning the punishment of crimes that infringe upon different types of citizen personal information, including credit information, biometric identification information, whereabouts information, and health and physiological information.
16. Supreme People’s Court released 35th batch of guiding cases
On 28 December, the Supreme People's Court released its 35th batch of guiding cases (Case No. 192 to No. 195), all of which are criminal cases concerning the protection of citizens' personal information, involving, respectively, facial recognition information, resident ID card information, WeChat and other social media account information, mobile phone verification code information, and other citizens' personal information protected by the criminal law.
On 7 December, the Anhui Communications Administration punished 29 Apps that collected and used personal information in violation of laws and regulations, including the Cybersecurity Law, the Telecommunications Regulation, and the Provisions on the Protection of Personal Information of Telecommunications and Internet Users. So far, 15 Apps have still not completed the rectification, and they will be subject to administrative penalties if they fail to resolve their problems within the specified timeframe.
On 16 December, the Zhejiang Communications Administration punished 255 illegal Apps according to the Personal Information Protection Law and the Measures for Determining the Illegal Collection and Use of Personal Information by Apps. The Apps were involved in the illegal collection of personal information, the excessive collection of personal information, the illegal use of personal information, and forcing users to turn on push notifications. So far, 47 Apps have still not completed the rectification, and they will be subject to administrative penalties if they fail to resolve their problems within the specified timeframe.
On 28 December, the Sichuan Communications Administration and the Chongqing Communications Administration jointly issued the Notice on the List of Apps Infringing Users' Rights in Sichuan and Chongqing (6th Issue), which listed 15 Apps that failed to complete the rectification as required.
On 13 December, the Shanghai First Intermediate People's Court held a press conference to release the White Paper on the Trial of Cases Concerning the Protection of Personality Rights and issued ten typical cases that cover the most common types of personality right disputes, including the illegal handling of personal information. The court's judgments illustrate a key point: if the illegal processing of personal information violates the rights and interests of a large number of individuals, those individuals may seek relief through the civil public interest litigation system.
On 20 December, the Shandong-based Yinan Rural Commercial Bank was fined RMB 1.193 million yuan for multiple violations, according to the website of the Jinan Branch of the People’s Bank of China. Specifically, Yinan Rural Commercial Bank was involved in the following six illegal acts: (1) financial statistical index data errors; (2) violations of account management regulations; (3) violations of regulations governing the circulation of RMB; (4) violations of regulations governing the administration of RMB; (5) violations of regulations governing the administration of the national treasury; and (6) failure to fulfil customer identification obligations as required.
Recently, Taikang Online Property Insurance Co., Ltd. was fined RMB 890,000 yuan for failing to fulfil customer identification obligations as required. The penalty was disclosed in the administrative penalty information publicity form issued by the Wuhan Branch of the People's Bank of China.
On 28 December, the Beijing Internet Court announced its ruling against an App operator in a dispute involving its compulsory collection of user profile information. The court held that the scope necessary for the performance of the contract should be limited to the basic service functions provided by the software operator or the additional functions that may be selected by users. Personalized recommendations that cater to different user needs might be a move to improve user experience, but they should not be viewed as a basic function or a function users must choose for the contract to be fulfilled. During the initial log-in process, the App asked for consent to collect profile information from users but did not provide them with the option to skip or reject the request, which was compulsory collection and constituted infringement, the ruling noted.
24. Jing'an District became the first to establish CDO system in Shanghai
In September 2022, Jing'an District issued the Implementation Plan for Establishing the Chief Data Officer (CDO) System in Jing'an District, which marked the official establishment of the system in Jing’an and made it the first district in Shanghai to promote and implement the system comprehensively. As of 19 December, Jing'an District has fully implemented the CDO system in 64 departments and towns of the district. A team of CDOs and data executive specialists has been set up for all the departments and towns, and a long-term working mechanism has been put in place, including a joint meeting of CDOs and work training sessions. According to the official explanation provided by the Shanghai Cyberspace Administration, the CDO is the chief responsible person for the overall management of data resources in an organization, and it is the responsibility of CDOs at all levels to coordinate and promote data operation, governance, security management, sharing and opening, and utilization, and to expand data application scenarios.
25. Guizhou Cyberspace Administration launched automobile data security reporting for 2022
On 7 December, the Guizhou Cyberspace Administration launched the program for automobile data security reporting for 2022 according to the Regulation on the Management of Automobile Data Safety (for Trial Implementation). The program aims to regulate automobile data processing activities, protect the legitimate rights and interests of individuals and organizations, safeguard national security and social and public interests, and promote the healthy and orderly development of the automobile industry.
26. Hubei Cyberspace Administration launched automobile data security reporting for 2022
On 6 December, the Hubei Cyberspace Administration launched the program for automobile data security reporting for 2022 according to the Regulation on the Management of Automobile Data Safety (for Trial Implementation). The program aims to regulate automobile data processing activities, protect the legitimate rights and interests of individuals and organizations, safeguard national security and social and public interests, and promote the proper development and utilization of automobile data.
27. Yunnan Cyberspace Administration launched automobile data security reporting for 2022
On 7 December, the Yunnan Cyberspace Administration issued a notification to automobile data processors involved in important data processing activities in the province about the reporting of automobile data security for 2022 in accordance with Article 13 of the Regulation on the Management of Automobile Data Safety (for Trial Implementation). The move aims to regulate automobile data processing activities, protect the legitimate rights and interests of individuals and organizations, safeguard national security and social and public interests, and promote the healthy and orderly development of the automobile industry.
On 20 December, the Shanghai Communications Administration and the Shanghai Municipal Commission of Economy and Informatization jointly released the result of the regular review of the Internet of Vehicles security protection grading filing, in accordance with the Notice of the Ministry of Industry and Information Technology on Strengthening the Network Security and Data Security of the Internet of Vehicles and the Notice on the Filing of the Internet of Vehicles Network Security Protection Grading.