This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
The CAC published a regulation to implement the central government’s policy of boosting economic growth and foreign investment and to address concerns over the burdensome and complex compliance obligations under the previous data export regime.
The regulation exempts a wide range of data export activities from the entire data export regime and, by amending the numerical thresholds, significantly reduces the number of data exporters that are required to make SCC filings or apply for the security assessment.
A number of data exporters will be released from all or part of their obligations under the data export regime. However, as pointed out in our comments, the CAC should clarify the key issues that could hinder its implementation.
Companies should reassess their obligations in accordance with the Regulation. For companies that are exempted from the data export regime, the general obligations in relation to data export under the Personal Information Protection Law (“PIPL”) will also apply. For companies that have submitted their SCCs filing or security assessment application or have completed the processes, we would recommend that they liaise with their case handlers for instructions on next steps.
Please read our article at the link below for more comments on the Regulation.
What You Need to Know about CAC’s New Data Export Rules
Follow the links below to view the official policy documents or public announcements.
To foster the development of the digital economy and alleviate the compliance burden on businesses, the CAC has officially issued the Regulation for Promoting and Regulating Cross-border Flow of Data (the “Regulation”), effective from March 22. The Regulation specifies several scenarios where a data outbound security assessment declaration, the establishment of standard contracts for personal information export, or personal information protection certification is not required. Examples include common cross-border human resource management scenarios in multinational companies, as well as cross-border shopping, postal services, and visa processing scenarios where individuals act as contract parties. Compared to the draft for comments released by the CAC in September of the previous year, the official version includes significant adjustments. For instance, the term “promote” is emphasized in the title, reflecting the national emphasis on facilitating cross-border data flow; the threshold for data outbound security assessments has been relaxed, such as moving the cumulative starting point from “since January 1 of the previous year” to “since January 1 of the current year,” and extending the validity period of data outbound security assessment results from 2 years to 3 years. It is important to note that, despite the exemption or mitigation of prior regulatory requirements for certain cross-border data situations, data outbound activities are still required to comply with the Personal Information Protection Law and other regulations. This includes informing and obtaining individual consent, conducting personal information protection impact assessments, and fulfilling data security obligations to ensure the security of data crossing borders.
As supplementary documents to the Regulation for Promoting and Regulating Cross-border Flow of Data, the CAC has published the related guidelines. Alongside the lowered compliance thresholds for data outbound security assessments and personal information outbound standard contract filings, these guides provide practical operating instructions. Compared with the first edition, the guides simplify the outline for self-assessment reports on data outbound activities: for instance, they eliminate the assessment of the personal information handler's own security capabilities, focus only on assessing the security capabilities of the overseas recipient, and no longer treat the data protection policies and regulations of the overseas recipient's country or region as part of the evaluation.
The State Council published the Regulations on the Implementation of the Law of the People’s Republic of China on the Protection of Consumer Rights and Interests (the “Regulations”). The Regulations require that operators shall not over-collect consumers’ personal information when providing goods or services, and shall not use one-time general authorization, default authorization, etc., to compel or de facto compel consumers to agree to the collection and use of personal information that is not directly related to their business activities.
This is the first set of departmental regulations focused on data protection in the natural resources field. It applies not only to non-secret data processing activities related to natural resources within China but also to such activities conducted abroad in the fulfilment of the ministry's duties (such as engaging in international cooperation on natural resources). The measures cover geographic information data (such as basic geographic information and remote sensing imagery), survey and monitoring data on natural resources such as land and forests, national spatial planning data, and natural resources management data including farmland protection. The measures clarify the classification and grading of data in the natural resources field and the mechanisms for identifying and determining important and core data, and propose specific data security protection measures for each data level. These include detailed requirements on log retention periods for the processing of important and core data, the network security level protection requirements for storing important and core data, and the establishment of emergency handling and reporting mechanisms for data security incidents.
These measures regulate various aspects of consumer finance companies, including establishment, governance, and business operations. In terms of protecting consumers' personal information, they reaffirm the basic principles of the Personal Information Protection Law, requiring that the processing of consumer personal information be based on notification and consent, except as otherwise provided by laws and regulations. The measures also set requirements on data and cybersecurity, for example ensuring the authenticity and validity of borrower identity data. Companies are required to establish an information technology risk management system that matches the operation and management mode of their information systems, establish a debt collection management system, manage and record the collection process, and ensure that records are true, objective, complete, and traceable. Relevant data and materials must be retained for at least five years.
These documents are set against the backdrop of constructing a smart civil aviation system and specify the coordinated governance of non-secret civil aviation data and data sharing among others, providing support for the circulation and integrated application of civil aviation data elements. The data management work in civil aviation will be coordinated by the Civil Aviation Administration, with division of responsibilities among various business departments and regional administrations. The scope of civil aviation data extends beyond personal information data to include public and enterprise data and will be managed through a unified catalogue. The Civil Aviation Data Sharing Management Measures identify three types of data sharing: unconditional sharing, conditional sharing, and non-sharing.
Comprising nine chapters and eighty-one articles, these measures are formulated for the data processing activities of banking and insurance institutions. They regulate various aspects including data security governance, data classification and grading, data security management, personal information protection, and data risk monitoring. For example, they specifically require banking and insurance institutions to designate a department responsible for data security as the main department in charge of data security work within the institution. This department is tasked with developing data security management standards, establishing and maintaining a data catalogue, promoting classified and graded protection of data, and organizing risk monitoring, early warning, and incident handling. The measures also require banking and insurance institutions to conduct a security assessment before undertaking related data processing activities. For internal data sharing within a financial group, data held by the head office (company) and its subsidiaries must be securely isolated, and effective protection measures for the shared data must be implemented.
The National Technical Committee 260 On Cybersecurity of Standardization Administration of China (the “TC260”) issued the national standard Data Security Technology – Rules for Data Classification and Grading. This standard specifies in detail the principles, framework, methods, and processes for data classification and grading. It also provides specific operational guidelines and methods for identifying important data according to the conditions of different industries, regions, and data processors.
TC260 published the Basic Security Requirements for Generative Artificial Intelligence Service (1 March)
TC260 published the Basic Security Requirements for Generative Artificial Intelligence Service (the “Basic Requirements”). The Basic Requirements are a supporting document for the Interim Measures for the Administration of Generative Artificial Intelligence Services: they refine the content of the Interim Measures, set out the basic safety requirements for generative AI service providers, including corpus safety, model safety and safety measures, and specify the requirements for the assessment.
The interoperability of cybersecurity products encompasses the functionality of interoperability and the information exchanged between products, which includes asset information, vulnerability information, and more. Focused on asset information interoperability, TC260 has issued this guide to standardize the description format of asset information. This is intended for the design, development, application, and testing of cybersecurity products. Prior to this, TC260 had already published a series of national standards on the interoperability of cybersecurity products, aiming to enhance the efficiency and effectiveness of cybersecurity measures across different products and platforms.
The Standardization Administration of the People’s Republic of China (the “SAC”), in collaboration with multiple departments, has issued the Action Plan for the Implementation of the “National Standardization Development Outline” (2024—2025), aiming to enhance the interaction between standardization and technological innovation, improve the level of modern industrial standardization, and focus on establishing and improving standards related to cross-border data transmission and security. The plan includes several key tasks, such as accelerating standard research in key technological areas, improving mechanisms for the conversion of scientific and technological achievements into standards, and promoting the in-depth development of standardization across all areas, with the goal of achieving the standardization development targets by 2025. These measures are intended to improve the level of standardization development, steadily expand the standardized system of opening up, continuously solidify the foundation for standardization development, and ensure that standardization plays a greater role in promoting high-quality economic and social development.
The General Office of the State Council has issued the Action Plan for Solidly Promoting a High Level of Opening-Up, Attracting, and Utilizing Foreign Investment More Effectively. The plan explicitly supports the data flow between foreign-invested enterprises and their headquarters, standardizes cross-border data security management, and organizes data outbound security assessments and related work to promote the safe and orderly flow of cross-border data. Notably, the plan proposes the development of cross-border data transfer standards for the Guangdong-Hong Kong-Macao Greater Bay Area, explores the establishment of a “whitelist” system for cross-border data flows, and steadily promotes the convenient flow of data within the Greater Bay Area.
The Intellectual Property Administration of Jiangsu Province, the Jiangsu Higher People's Court, the Jiangsu Development and Reform Commission, and the Jiangsu Department of Justice jointly issued the Jiangsu Province Data Intellectual Property Registration Management Measures (Trial), aimed at standardizing data intellectual property registration management across the province, protecting the legal rights of data handlers, and promoting the open flow and the development and utilization of data resources. The measures apply to data that is lawfully acquired, processed through rules or algorithms, and possesses practical value and intellectual achievement attributes, and provide data intellectual property registration services including establishment, change, and cancellation of registration. The measures specify the principles to follow for data intellectual property registration, the registration procedures, and the rules on supervision and management.
The Zhejiang Provincial Administration for Market Supervision released the Opinions on Deepening Data Intellectual Property Reform to Promote the Empowerment and Development of Data Elements (Draft for Comments), highlighting data intellectual property as the “greatest common divisor” linking data resources, data assets, and data elements. This document aims to implement the requirements of the Central Committee of the Communist Party of China and the State Council on establishing a data foundation system and better leveraging the role of data elements. It seeks to facilitate data intellectual property rights registration, value assessment, circulation and use, and rights protection, systematically building a data intellectual property registration, application, and protection system that is clear in ownership, traceable at the source, compliant in operation, and efficient in governance. The opinions set forth overall requirements, basic principles, and main objectives, and specify measures in four areas: promoting the comprehensive expansion of the data intellectual property system, promoting full-chain closure of data intellectual property protection, promoting the comprehensive formation of the data intellectual property ecosystem, and guarantee measures.
The Gansu Provincial Government has officially issued the Gansu Province “Data Element ×” Three-Year Action Implementation Plan (2024—2026), making Gansu the first province in China to launch a provincial-level “Data Element ×” three-year action plan. This plan aims to fully leverage the multiplier effect of data as a basic resource, promote the high-level application of data elements, and drive high-quality economic and social development. Covering key areas such as industrial manufacturing, modern agriculture, commercial circulation, transportation, financial services, technological innovation, cultural tourism, and healthcare, the plan is designed to encourage all types of entities to actively participate in the development and utilization of data elements. It aims to nurture new industries, new models, and new drivers of growth, providing strong support for promoting high-quality development.
Nanjing is officially soliciting public opinions on the Interim Measures for the Management of Public Data Authorization and Operation and the Interim Measures for Data Asset Registration in Nanjing. These interim measures are intended to regulate the authorization, operation, and registration of public data and data assets, protect the legal rights of participants in the data market, and promote the efficient flow and utilization of data. By clarifying the process, responsibilities, application and exit procedures, as well as safety and supervision measures for data authorization and operation, Nanjing aims to foster a healthy and orderly data element market, providing a solid institutional guarantee for the development of the digital economy. The implementation of these measures is expected to positively impact Nanjing's data governance capabilities, unleash the application value of data resources, and promote the market-oriented operation of data assets.
This batch includes five cases focusing on the theme of protecting minors online. It covers crimes such as using the internet to commit child molestation, rape, extortion, producing, selling, and distributing obscene materials for profit, online fraud, infringing citizens’ personal information online, aiding cybercrime activities, and renting or selling online game accounts. The prosecutorial authorities, while strictly cracking down on crimes against minors, also place significant emphasis on the protection, education, and correction of minors. This reflects the importance of safeguarding minors’ rights and the comprehensiveness of the law in protecting minors.
The recently published Notice on the Special Rectification of Chaos in the Infringement of Personal Information Rights by Banking and Insurance Institutions revealed significant issues in personal information protection within these institutions. These concern the collection, storage, transmission, inquiry, use, provision, and deletion of personal information, as well as third-party cooperation. The National Financial Regulatory Administration (the “NAFR”) requires banking and insurance institutions to strengthen their primary responsibility for personal information protection. They should comprehensively enhance the protection of personal information by setting up data governance and security management systems and improving monitoring, early warning, and internal management mechanisms.
The Beijing CAC, in collaboration with 13 departments, launched a special operation to combat and rectify the chaos of mandatory QR code scanning. The operation focuses on key consumer areas such as dining and parking, which are integral to the daily lives of the public. It aims to address issues such as the mandatory following of public accounts and excessive collection of personal information when services are provided via QR code scans. Through methods such as clue collection, on-site guidance, collective interviews, compliance training, and case filing for penalties, the operation guides merchants to optimize their QR code function settings. This enhances the consumer experience and protects consumers’ personal information rights and interests.
The Shanghai Municipal Administration for Market Supervision published a series of typical cases involving infringement of consumer rights. These cases covered product quality, personal information protection, consumer fraud, infringement of personal dignity, false advertising, illegal mystery boxes, and cheating scales, highlighting typical illegal acts that infringe on consumer rights. In the case of personal information protection, a nursing home was suspected of failing to adopt technical and other necessary measures to prevent information leakage, resulting in an order for correction and a fine of 50,000 yuan.
The Shanghai Administration for Market Supervision disclosed a series of typical cases related to the protection of consumer personal information. These cases of non-compliance in personal information protection involved unauthorized use of facial recognition technology to collect personal information without consumer consent, illegal collection and use of consumer personal information, and failure to provide a legal source of personal information. These cases not only educate market participants, raising their awareness and compliance with laws and regulations on consumer rights protection but also demonstrate to the public the regulatory authorities’ determination and capability to protect consumer rights and maintain a fair competitive market environment.
Xi’an Weiyang cyber police successfully dismantled a gang involved in the illegal sale of citizens’ personal information, arresting 124 suspects. Nineteen individuals were criminally detained in accordance with the law, and 13 bank accounts related to the case were frozen. The suspects had registered a so-called legal consultancy company, which ostensibly offered legal advice and lawsuit drafting services, but its business did not perform as expected. To “expand their business,” the suspects, along with others, illegally obtained citizens’ personal information through their upstream contact, Liu, and engaged in querying and selling this information, making illegal profits exceeding 2.7 million yuan. The case is currently under further investigation.
CCA released the Top Ten Typical Judicial Cases of National Consumer Rights Protection in 2023 (15 March)
The China Consumer Association (the “CCA”) released the Top Ten Typical Judicial Cases of National Consumer Rights Protection in 2023, highlighting legal progress in the protection of consumer rights, especially in critical areas such as personal information protection. Among these, a case involved a dining company forcing consumers to provide personal information without authorization to use its ordering service, which the court ruled as a violation of the consumer’s personal information rights.
Chongqing CAC published a number of cases related to the cybersecurity law (18 March)
The Chongqing CAC announced a series of enforcement and interview actions against enterprises and agencies that violated the Cybersecurity Law, along with publishing a batch of related cases. These cases include a variety of illegal activities such as failing to fulfil cybersecurity management responsibilities, unauthorized reproduction of news information, discrepancies between registered and actual website names, repeated notifications of weak password vulnerabilities, and failing to fulfil audit management duties, as well as incidents of weak passwords and cyber-attacks affecting information systems. In accordance with relevant laws and regulations, district cyberspace offices have imposed warnings, penalties, and demanded timely rectifications. They require enterprises and agencies to strictly fulfil their primary responsibilities on web platforms, strengthen the review and publication system of website information content, and improve cybersecurity capabilities to protect the cyber ecosystem and maintain cybersecurity.
The Shanghai CAC released the Data Export Security Assessment Declaration and Personal Information Export Standard Contract Filing Work Practice Q&A (Part III) in response to the Regulation for Promoting and Regulating Cross-border Flow of Data and the related guidelines recently issued by the CAC. The Q&A aims to guide data handlers on how to correctly submit assessment or filing materials, clarify changes in the requirements for submitted materials, help identify applicable declaration scenarios, and explain which data outbound activities are exempt from declaration, assessment, or filing. It also sets out detailed requirements on the examination time for data outbound security assessment declaration materials and the deadline for supplementing and improving materials for the filing of personal information outbound standard contracts, and addresses execution issues that are inconsistent with existing regulations. Furthermore, the Shanghai CAC offers telephone consultation services to further support and guide related work.
The first national project for unsecured financing and credit granting based on rural revitalization data assets has successfully been established at Xinhuang Rural Commercial Bank. This marks a significant innovation and breakthrough in the business model of county-specific industrial data elements. Leveraging the industrial advantage of Xinhuang County, known as “the Home of Chinese Xiangxi Cattle,” in collaboration with the South China Digital Industry Group, a data product named “Huangniu Bao” was developed. It was listed on the Shenzhen Data Exchange and completed its first transaction signing. This initiative not only explores the financial attributes of data assets and their potential to be converted into actual economic benefits but also provides new momentum for rural revitalization and the high-quality development of county economies.
Southern Finance’s latest report unveils the rise in data assets recognition and financing across China, showcasing at least 31 successful cases of data asset financing spread across various provinces and cities, with Shandong leading with 7 instances. The report highlights the financial value of data after governance and the positive role of financial institutions like China Everbright Bank in promoting data asset financing. These cases include a variety of financing methods, such as digital asset pledges and data intellectual property pledges, underlining the crucial role of data assets in fostering the digital transformation of the economic and social landscape. Looking ahead, as financial innovation with data assets deepens, a broader application prospect and value-added space are anticipated for the financial services sector.
Digital Guangxi Group successfully completed Guangxi Province’s first data asset on-balance-sheet financing case, securing a 10-million-yuan unsecured loan from China Everbright Bank’s Nanning branch. This achievement marks a substantial breakthrough in the valuation and financing of data assets for the group. As a platform enterprise under the Guangxi Investment Group, Digital Guangxi Group has been tasked with the important mission of advancing data security, operation, and value realization. Through cooperation with various institutions, the group successfully addressed key issues such as data governance, compliance security assessment, and rights registration, completing the full cycle of data asset financialization. This provides a powerful case study for local state-owned enterprises exploring new avenues for the resource utilization, productization, and capitalization of data.
The Shanghai Municipal Communications Administration has initiated a special operation named Forge Shield Vehicle Connect for network and data security in the vehicle networking sector. This action aims to strengthen the management of network security in the vehicle networking field, ensuring the security and compliant use of vehicle networking data. Through this special operation, the Shanghai Municipal Communications Administration will conduct a comprehensive investigation of network security risks for vehicle networking enterprises, enhance data protection measures, ensure the security of consumer personal information, and promote the healthy and orderly development of the vehicle networking industry. This operation reflects the government’s attention to the new challenges posed by the rapid development of vehicle networking technology and demonstrates a commitment to strengthening network and data security to protect public interests.
The first National Data Broker Innovation Centre has been established in Qianhai, Shenzhen, marking a significant step by the Qianhai government and Huawei Cloud towards promoting high-quality development in the data element industry. This initiative aims to foster innovative enterprises and talents in data elements, promote cross-border data transactions between Shenzhen and Hong Kong, and strengthen the market-oriented allocation reform of data elements, further advancing the construction of a data special zone in the Guangdong-Hong Kong-Macao Greater Bay Area. Huawei will leverage its technological and ecosystem advantages, along with Qianhai’s industrial support policies, to jointly promote the formation of a world-class data element industry ecosystem, providing comprehensive intelligent transformation services for Shenzhen and the Greater Bay Area.
Guizhou Province’s first case of environmental protection data assets being recognized on the balance sheet has successfully landed, symbolically recognizing the “Water Plant Simulation AI Model Operation Dataset” as a corporate asset and reflecting its value and business contribution in the financial statements. This breakthrough was achieved by Guizhou Kanset Ecological Environmental Science and Technology Co., Ltd., a company specializing in the scenario-based, productized, and grounded services of environmental protection data. Through cooperation with Beijing Wisdom Wealth Group and Guiyang Big Data Exchange, after a series of data resource governance and expert evaluations, the data asset was successfully listed. This not only enhanced the data management and utilization efficiency of Guizhou Kanset Technology but also provided a new path and model for the capitalization of enterprise data assets and their financing.
The Northern Big Data Exchange Centre’s first service base has officially settled in the Tianjin Tiankai Higher Education Science and Innovation Park, marking an important step for Tianjin in the field of data trading and digital transformation services. The establishment of the service base aims to provide a data trading service platform that is based in the park and radiates across the city, meeting the digital transformation and data value creation needs of the enterprises located there.
The Shanghai delegation at the National People’s Congress announced that the Shanghai Free Trade Zone and the Lingang New Area will soon release the first batch of catalogues for cross-border data flow management. This includes 20 scenarios such as intelligent networked vehicle remote diagnostics and multinational corporation group management, as part of the classified and graded management of cross-border data flows in the Shanghai Free Trade Zone. By constructing an international data economy industrial park, establishing a cross-border data service centre, promoting the implementation of three major systems, and accelerating the compilation of data lists and important data catalogues, the Shanghai Free Trade Zone and Lingang New Area are actively exploring and practicing to meet the needs of enterprises for cross-border data business development, promoting the development of new forms of data industry, and ensuring cross-border data security.
Authors: James Gong (Partner), Tanya Luo (Associate), Michael Dong (Associate), Mira Zhang (Associate)