This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
In 2023, we witnessed a profound evolution in the realms of cybersecurity and data compliance. Throughout the year, a plethora of new regulations and enforcement dynamics emerged, aligned with China’s commitment to protecting national security and data subjects’ rights as well as developing the data as resources to the economy. Simultaneously, emphasis was placed on the data flow —both in cross-border transfer and domestic circulation. Let’s take a closer look at these developments and what we can expect from them in the year 2024 in the articles at the links below.
On 13 December 2023, the Cyberspace Administration of China (“CAC”) and the Hong Kong SAR Government jointly released implementation guidelines for the standard contracts for cross-border flows of personal information (“PI”) within the Guangdong-Hong Kong-Macao Great Bay Area (“GBA”) in China. PI processors in the GBA that meet stipulated conditions may voluntarily adopt the GBA standard contract mechanism for their cross-border PI flows in the GBA, with a reduced burden of obligations. For our detailed analysis of the key provisions and observations on the guidelines, please read our articles at the link below.
On 1 January 2024, the Regulations on the Protection of Minors in Cyberspace takes effect. It has taken seven years to draft and finalise the regulations, which has established the legal framework for protection of minors in cyberspace in China together with other laws and regulations. The regulations apply to a broad range of market players and aim to promote minor’s cyber literacy, manage online information content, protect PI of minors and prevent minors’ addiction to the internet. We highlighted key provisions and shared our observations in the article at the link below.
China Data Protection and Cybersecurity: Annual Review of 2023 and Outlook for 2024 (I)
China Data Protection and Cybersecurity: Annual Review of 2023 and Outlook for 2024 (II)
China Strengthens the Protection of Minors in Cyberspace
>Follow the links below to view the official policy documents or public announcements.
The release of the guidelines marks the first facilitation measure to promote the safe and orderly cross-border flow of PI in the GBA. The GBA standard contract mechanism can be voluntarily established and complied with by individuals and organizations. Before carrying out cross-border PI, PI processors who adopt the GBA standard contract mechanism need to fully inform the PI subject and obtain a legal basis for the cross-border transferring of PI, carry out personal information protection impact assessments, sign the GBA standard contract with the recipient(s), and file record to the local regulatory authority.
The "Policy Statement" proposes a comprehensive data governance concept and strategy, promotes data integration, application, openness and sharing, and strengthens data security protection and facility planning, to better coordinate development and security. It proposes 18 measures in the following 5 areas:
(1) leading the digital government and optimizing data governance;
(2) formulating or updating policy guidelines and regulations;
(3) strengthening cybersecurity protection;
(4) strengthening digital infrastructure support;
(5) promoting cross-border data flow.
This Measure requires network operators to initiate emergency response plans for incident disposal when cybersecurity incidents occur. Incidents categorized as significant, major, or critical, according to its attachment "Cybersecurity Incident Classification Guidelines", shall be reported within one hour. If the network operator delays, omits, lies, or conceals the cybersecurity incident, causing major adverse consequences, the network operator and relevant responsible persons shall be punished severely according to law.
This plan aims to establish a sound emergency management and response mechanism for data security incidents in the industrial and information technology sector. Data processors should initiate emergency response mechanisms according to the level of the incident. Data security incidents are divided into four levels: particularly major, major, large, and general, according to the scope of influence and harm caused by data security incidents to national security, enterprise network facilities and information systems, production and operation, economic operation, etc.
This plan addresses high-standard digital trade rules such as (1) promoting cross-border data flow, (2) application of digital technology, and (3) data openness, sharing, and governance. It supports the Shanghai Free Trade Zone to take the lead in formulating catalogues of important data according to classified and level-based data protection system, establishes sound data sharing mechanisms to support data sharing by enterprises, expands the scope of government data openness, and clarifies the methods of obtaining and using open data.
The draft guidelines aim to guide large internet platforms to assess and prevent network security risks that may affect social stability and public interests. Large internet platforms need to establish a network security assessment working group, clarify the scope of security assessment, organize assessment work, research and formulate assessment plans of important items, and carry out rectification. The assessment areas include resilience of critical service, capability of disaster recovery and backup, supply chains security of critical software and hardware product, controllability of data provided to external parties, etc.
This applies to SDK development, operation, and security monitoring and evaluation. In terms of PI processing security requirements for SDKs, it covers multiple aspects such as collection, storage, use and processing, transmission, provision, public disclosure, and deletion. It also clarifies rules and protection responsibilities for PI processing.
This applies to the design, development, production, and testing of mobile smart terminals. The document proposes security requirements in terms of function and management for mobile smart terminals, e.g., choice of uninstallation, and uninstallation security requirements.
This applies to various organizations for network security emergency response capability construction and assessment. Based on the network security emergency response practice of various industries, regions, and IT systems, it proposes the requirements for network security emergency response capabilities and provides corresponding assessment processes.
This plan aims to leverage the multiplier effect of data factors to empower economic and social development. By combining data factors with major industries, the plan aims to activate the potential of data factors and empower high-quality development of industries. For example, it encourages the development of new models for data-driven product research and development, through the integration of design, simulation, and experimental verification data. The plan also provides guidance for nine specific industrial sectors, including transportation, finance, technology innovation, culture and tourism, medical health, emergency management, meteorological services, smart cities, and green low carbon.
The guidance proposes specific task measures from enriching digital application scenarios for life services, filling short boards in the digital development of life services, etc. For example, it proposes to strengthen the construction of digital infrastructure for life services, create digital life service communities and blocks, establish a digital standard system for life services, improve digital applications and services for the elderly and disabled.
This opinion establishes a mechanism of property rights separated from operation rights, that is, to separate the rights of data ownership, data processing, use, and data product operation, and to clarify data property rights through civil and commercial contracts. It also explores the establishment of a classified and level-based system for the confirmation and authorization of public data, enterprise data, and PI.
This regulation clarifies responsibilities of data security protection, lifecycle management of public data, and sharing and openness of non-public data. It promotes the establishment of data exchanges, encourages data trading, and clarifies the need to cultivate talents in the data field, conduct local standard formulation, and strengthen regional cooperation.
This regulation clarifies that surveying and mapping activities include the collection, storage, transmission, and processing of spatial coordinates, images, point clouds of natural geographic elements or surface artificial facilities by intelligent networked vehicles and other intelligent devices equipped with space location sensors. To address the inadequate supervision of construction, operation, and service of base stations for satellite navigation positioning, the regulation requires the provincial department of natural resources to establish and maintain a unified Beidou satellite navigation positioning base service system and provide free public services of navigation positioning base information to society.
This Guidelines cover the entire process of the creation, application, management, and protection of enterprise intellectual property. It encourages to formulate data assets from enterprise intellectual property, register data through the Beijing Data Exchange, actively carry out data asset entry activities. It proposes to incorporate data intellectual property compliance management into the performance evaluation system of data compliance management and intellectual property compliance management.
This document clarifies the subjects involved in data trading, including data sellers, data buyers, data merchants, data trading third-party service agencies, data trading venue operators, and data regulatory agencies. The document proposes that the data trading process can be divided into seven steps: transaction application, transaction evaluation, transaction matching, transaction implementation, transaction settlement, transaction completion, and transaction settlement. It also explains the requirements that each relevant party needs to meet in each step.
This document clarifies the work process of public data special zone authorization operation, including information release, application submission, qualification review, and agreement signing. Public data follows the overall requirement of "original data does not leave the domain, data can be used but not visible," and conducts authorized operations while maintaining national data security and protecting PI.
These four data trading documents respectively apply to data product compliance circulation transactions, the identification of data product rights and interests in the data trading process, data product quality evaluation in the data trading scenario, and the organization of data asset value evaluation activities.
This document aims to promote public data sharing, development, and application, and to advance the construction of a digital Yunnan. The document proposes to build a unified public data platform, implement unified catalog management of public data throughout the province, follow the principles of legality, accuracy, and timeliness, and collect public data in accordance with legal authority, scope, procedures, and standard specifications.
This document stipulates that data product confirmation registration should follow the principles of legal compliance, voluntary payment, safety and efficiency, promotion of circulation, openness and transparency, honesty and credit, and follow the process of application, acceptance, review, publicity, and issuance. The data product supermarket operator is responsible for acceptance and review, and the data products that have passed the review will be publicly displayed on the website of the Provincial Big Data Management Bureau and the platform provided by the data product supermarket operator.
21. CAC in various provinces have launched the 2023 annual automobile data security management report submission materials. (Please see links here: Guangdong, Shanghai, Fujian, Hunan, Sichuan, Xinjiang)
The materials highlight the important data exit situation, the landing of important data risk assessment report submission work and increase the explanation of the situation and compliance plan requirements for not adopting relevant automobile data security protection and management measures.
It is reported that some foreign organizations, institutions, and personnel attempt to use geographic information system software to carry out intelligence theft activities. In response to the above situation, the National Security Agency, together with relevant departments, has launched a special investigation and governance of geographical information data security risks, guiding and assisting relevant units to conduct inventory and rectification, and timely eliminating major security risks such as data theft and leakage.
Recently, the Beijing police cracked a case of illegal acquisition of account information by hackers using website vulnerabilities. After investigation, the suspect used the relatively simple signature algorithm of the recruitment website to write instructions, make hacker software, and attack the website by colliding with the database. They also sold their own malicious programs and hacker tools to others to profit from it. The cyber police reminded enterprise employees to be cautious when using third-party apps or unknown applications that require important account passwords and try to minimize the disclosure of personal detailed information.
24. On 15 December, the MIIT issued a notice on APP (SDK) behaviours that infringe on user rights
The issues involved in the notice include deception, misleading, and coercion of users, excessive and frequent requests for permissions, collection of PI beyond the scope, and violations of PI. This is the ninth batch of notices (a total of 35 batches) issued by the MIIT in 2023. In the future, the MIIT will continue to carry out special rectification actions for APPs that infringe on user rights.
The defendant’s enterprise information query platform incorrectly identified the plaintiff as the legal representative of other unrelated companies and made corresponding investment and employment reports based on the wrong information. The court held that the defendant had damaged the plaintiff’s PI rights and should correct the above errors. The defendant’s erroneous association behavior reduced the public’s evaluation of the plaintiff, thus also constituting an infringement of the plaintiff’s reputation. As an enterprise engaged in credit business, the defendant should make the greatest efforts to improve its technical level or take reasonable measures to ensure the accuracy of the information it provides. After receiving the lawsuit materials in this case, the defendant has deleted the relevant information. The court ruled that the defendant should publish a statement on the platform involved in the case to apologize to the plaintiff, eliminate the impact, restore the reputation, and compensate the plaintiff for mental damages of 20,000 yuan and legal fees.
These cases include both network crimes and traditional crimes committed using information networks. These cases involve using number-grabbing software to grab hospital registration numbers, using software to control computer screens in examination rooms to help others cheat on exams, helping to commit telecommunications network fraud by “investment drainage,” illegally buying and selling citizens’ PI through “dark web transactions,” and implementing new pyramid schemes under the guise of network trading platforms.
These cases mainly involve four types of cases: (1) cases involving the processing or use of PI to infringe on other personality rights on the network; (2) cases involving the protection of data property rights and interests and market competition order in data form; (3) cases involving the legal obligations of platform operators/data algorithm users and the protection of relevant subject rights and interests; (4) cases involving the infringement of data form rights and interests, the use of data technology to commit network crimes, and the prevention and control of black and gray industries.
The defendants used artificial intelligence to generate videos from facial photos, cracked facial recognition systems, and entered other people’s accounts to obtain PI such as payment records and movement trajectories, which they then sold to others. The court found that the defendants illegally processed more than 2,000 pieces of PI and made illegal gains of more than 100,000 yuan, constituting the crime of infringing on citizens’ PI. They were sentenced to imprisonment for one year and two months to one year and fined.
The security risks of original data are high, and the ownership is unclear, which can easily cause controversy and increase transaction costs. The rights and obligations of data trading parties are difficult to define. This case clarifies one of the rules for identifying commercial secrets infringed by data trading buyers and reasonably defines the obligations of data trading buyers. It is of great significance to accelerate the construction of a data rights protection system.
From the cases investigated by the public security organs, crimes of infringing on citizens’ PI mainly involve three links: information leakage, information resale, and information use. Criminals illegally obtain citizens’ PI through methods such as hacking technology, illegal collection through APP, deception, or purchase.
As a network data processor, the company did not take corresponding network data security management measures and technical measures to ensure network data security. The Yuzhong District Network Information Office filed a case to investigate the company’s illegal and irregular behavior related to data leakage, ordered it to correct it within five days, gave an administrative warning, and imposed a fine of 100,000 yuan.
The notice aims to promote enterprises’ ability to improve their response, establish and improve network security insurance process mechanisms, establish network security insurance standard specifications, and accelerate the development of new network security service formats. The pilot insurance types mainly include network security property insurance and network security liability insurance, which are aimed at enterprise insurance and network security products, information technology products, and network security service insurance for key industries such as telecommunications and the Internet, industrial Internet, and car networking.
On December 18, the MIIT and others issued a notice on carrying out pilot demonstration work on network security technology applications. The pilot demonstration application is aimed at enterprises and institutions in the public communication and information services, human resources and social security, water conservancy, health, emergency management, radio and television, finance, transportation, postal services, and other industries, as well as enterprises and institutions that provide them with network and data security technology, products, solutions, and services. The pilot demonstration projects will be selected for key directions such as basic network security, artificial intelligence security, big data security, car networking security, and network security “high precision” innovation platforms.
The Central Economic Work Conference was held in Beijing. The conference proposed to accelerate the development of artificial intelligence, seriously solve the problem of cross-border data flow, continue to build a first-class market-oriented, rule-of-law, and international business environment, and create an “Invest in China” brand.
The second Guangdong-Hong Kong-Macao data cooperation conference was held in Nansha, Guangzhou. The “GBA Data Protection and Cross-border Data Service” platform was officially launched and signed the first batch of cooperative units. The platform will provide a series of legal rules, practical cases, application tools, capability training, and solutions services for enterprises and institutions in the GBA, helping enterprises to build an effective path for cross-border data security compliance, and striving to create a one-stop platform for cross-border professional services and solutions for enterprises and institutions.
The development goal proposed in the draft is that by 2027, the added value of the digital economy will account for more than 50% of GDP, and several key digital economy enterprises will be cultivated. Around the high-quality development of digital product manufacturing, digital product service industry, digital technology application industry, and digital element-driven industry in line with the development trend of new industrialization, accelerate the construction of a core digital economy industrial cluster.
The plan proposes that by the end of 2026, the data factor basic system in Hainan Province will be established and improved to reach the domestic leading level, and the basic infrastructure for cultivating the data factor market will be basically completed. For specific tasks, it is proposed to establish and improve the property rights operation system of data resources holding rights, data processing and usage rights, and data product operation rights. Promote the classification, authorization, and use of data factors, improve the protection system of data factor rights and interests of market entities, and implement the right to know and decide of data-related objects.
Starting with the concept and connotation of public data, the report analyzes the development foundation, practical status, and common difficulties of public data authorization and operation. It also provides specific suggestions for promoting the development of public data authorization and operation from the aspects of system construction, implementation, platform, coordination, and effectiveness evaluation.
The China Cybersecurity Review Technology and Certification Center issued the first batch of the certificates for PI protection certification to five companies including Zhuhai MUST Science and Technology Research Institute, Alipay (China) Network Technology Co., Ltd., Beijing Huapin Borui Network Technology Co., Ltd., and JD Technology Information Co., Ltd. This marks an important step in the implementation of PI protection certification in China.
The verification work is assisted by the International Cooperation Center of the National Development and Reform Commission to invite relevant experts to conduct special training, develop question banks, organize assessments, and issue certificates of qualification for chief data officers. After passing the ability verification and assessment, the verification certificate for chief data officer is issued by the Research and Development Center of the State Administration for Market Regulation.
41. On 26 November, the Shanghai Data Exchange and others released reports and guidelines on China’s data trading at the 2023 Global Digital Commerce Conference.
The report estimates that the size of China's data trading market was 87.68 billion yuan in 2022. It is estimated to reach 204.6 billion yuan by 2025 and 515.59 billion yuan by 2030. The Chinese data trading market will continue to move towards the exchange transactions, and with the migration of OTC transactions to exchange transactions in the future, regulatory rules, product standards, and business models will become more standardized.
This document introduces the PDCA model for data trading, which includes trustworthy participants, data, contracts, and algorithms. It proposes a strategy to regulate the circulation and transaction of data factors by combining institutional norms with theoretical technology. The strategy aims to address regulatory difficulties in the circulation and transaction of data factors.
It creatively proposes a 2+2 security harbour rule to explore dispute resolution mechanisms, which combines "compliant technology" with "legal rules" and "active involvement" with "expected exemption". Through the regulatory environment of data trading venues, it reduces the legal risks of market entities in innovative, exploratory, and large-scale data trading scenarios.
This guide provides operational guidance for enterprise data asset entry, revenue calculation, and innovative applications. It re-designs the path from enterprise data resources to data assets formation with the idea of "strategic planning + operation management". It also identifies the top ten challenges of data asset entry and proposes corresponding solutions.
This document selects 28 typical application scenarios for data factor circulation, covering eight major fields including industry, finance, medical care, agriculture, transportation, electric power, smart cities, and marketing. It provides important references for more enterprise data circulation and application.
The platform is aimed at data subjects who act as authorizers and data users who are authorized, providing data authorisation and data authorisation query services, and supporting data users to query authorised data, in order to solve the pain points of data subject authorization in data circulation transactions.
New Automobile Co., Ltd. was awarded the first "Data Asset Registration Certificate" for the domestic postal express industry by Beijing International Big Data Exchange, which will accelerate the promotion of national express industry data factor technology product innovation, and improve the governance of express industry data intellectual property rights and assetisation.
This document focuses on the market-oriented circulation and application of data factors in transportation industry. It comprehensively investigates the current situation and development trends of data factor circulation and market-oriented application in industries of highways, waterways, aviation, urban transportation, railways, etc.