China Cybersecurity and Data Protection Monthly Update - July 2024 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong.

Key Highlights

June 2024 saw China continuously enhancing its personal information protection, data flow, and cybersecurity management through strengthened regulation and international cooperation to safeguard personal data, promote orderly data flow, and improve overall standards:

  • Personal Information Protection: The Cyberspace Administration of China (“CAC”) and other departments have issued a series of policies and guidelines covering governance of online violence information, establishment of compliance management systems for personal information protection, and identification of sensitive personal information. These measures aim to comprehensively protect personal information and ensure a safe and healthy online environment. Notably, the Civil Aviation Administration of China (“CAAC”) solicited opinions on data management regulations in the aviation sector to build a big data governance framework for the industry (for more details on the aviation data regulations, see the two articles listed under “Our Views” below). Enforcement actions have been taken against illegal collection of personal information, including publishing lists of apps violating user rights and imposing severe penalties, further strengthening personal information protection and safeguarding user rights.
  • Data Flow: The CAC signed a Memorandum of Understanding (“MOU”) with Germany’s Ministry of Digital and Transport in Beijing, aimed at enhancing bilateral cooperation in cross-border data flow and artificial intelligence. Additionally, the Ministry of Commerce, along with authorities in Beijing and Hainan, issued related opinions and regulations to support businesses in expanding international markets, enhancing cross-border e-commerce service capabilities and international competitiveness, and ensuring the secure and orderly flow of cross-border data. These policies also aim to optimise the foreign investment environment to facilitate cross-border data flow. These efforts collectively demonstrate China’s ongoing commitment to promoting cross-border data flow and international cooperation.
  • Cybersecurity Management: The CAC renewed a cybersecurity cooperation MOU with Indonesia, deepening bilateral collaboration in this field. The Ministry of Energy and the National Information Security Standardization Technical Committee (“TC260”) issued emergency plans and evaluation guidelines related to network security incidents in the power and internet platform sectors, aiming to enhance response mechanisms and ensure the stable operation of power systems. Concurrently, the Shanghai Communications Administration conducted network and data security inspections in the telecom and internet industries to ensure security during major events. These measures collectively improve China’s network and data security management across various industries.

Our Views

China’s Data and Privacy Regime for the Civil Aviation Sector is Under Design: An Initial Exploration of Regulatory Blueprint (Part I)

China’s Data and Privacy Regime for the Civil Aviation Sector is Under Design: An Initial Exploration of Regulatory Blueprint (Part II)

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. CAC and three other departments issued new regulations to strengthen governance of cyberbullying information (14 June)

The CAC, the Ministry of Public Security, the Ministry of Culture and Tourism, and the National Radio and Television Administration jointly issued the Regulations on Governance of Cyberbullying Information. These regulations aim to govern cyberbullying information, create a positive online environment, protect citizens’ legal rights, and safeguard the public interest. The regulations define the responsibilities of online information service providers, requiring them to establish robust systems for user registration, information release review, monitoring, and early warning. They also mandate the prevention, monitoring, and handling of cyberbullying information. Local cyberspace departments and relevant authorities will collaborate to promote the governance of cyberbullying information.

2. National Energy Administration issued emergency plan for power network security incidents, requires timely reporting (16 May)

The National Energy Administration released the Emergency Plan for Power Network Security Incidents to improve the response mechanisms for power network security events, ensuring the safe and stable operation of the power system and the reliable supply of electricity. The plan specifies the classification of warnings, rules concerning monitoring and early warning systems, incident reporting, emergency response, post-event handling, and preventive measures, aiming to safeguard measures for power network security incidents. The plan also defines the roles and responsibilities of the National Energy Administration, power dispatch organisations, and power companies in responding to incidents, ensuring close coordination, rapid response, and scientific handling by all parties during power network security incidents.

3. TC260 issued guidelines for large internet platforms to conduct cybersecurity assessments (27 June)

The TC260 issued the Cybersecurity Standards Practice Guidelines - Cybersecurity Assessment Guidelines for Large Internet Platforms. These guidelines aim to help large internet platforms evaluate and prevent cybersecurity risks that could impact social stability and public interest, in addition to ensuring compliance with cybersecurity regulations. The guidelines detail the security risk assessment content and methods that platforms should focus on, providing standardised practice guidance for relevant entities. The release of these guidelines will help to enhance the security level of large internet platforms, ensuring effective management and control of cybersecurity risks.

4. China Internet Association issued guidelines to guide enterprises in building personal information protection compliance management systems (12 June)

The China Internet Association issued the Guidelines for Personal Information Protection Compliance Management Systems for Enterprises to guide enterprises in establishing, implementing, evaluating, maintaining, and improving their personal information protection compliance management systems. The guidelines aim to ensure that enterprises comply with relevant laws and regulations when processing personal information and to safeguard personal information security. The guidelines emphasise the principles of effectiveness, comprehensiveness, independence, dynamism, and traceability in compliance management. They cover topics such as identifying compliance obligations, risk assessment, institutional responsibilities, operational mechanisms, safeguarding mechanisms, evaluation mechanisms, and continuous improvement. These guidelines will help enterprises to enhance their personal information protection levels and promote high-quality development.

5. TC260 proposed new guidelines to provide guidance on the scope and priorities of social responsibility for data security and personal information protection (20 June)

The TC260 issued the Guidelines for Social Responsibility in Data Security and Personal Information Protection (Draft for Comment). These guidelines aim to provide enterprises with implementation guidance for social responsibility in data security and personal information protection. The document details specific requirements for enterprises in areas such as organisational governance, compliance and innovation, user rights protection, and fulfillment of social responsibilities. It emphasises that enterprises should engage in transparent and ethical behaviour to maximise sustainable development, protect user rights, and enhance the overall level of data security and personal information protection in society.

6. TC260 proposed national standard to establish a capability indicator system for the security protection of critical information infrastructure (20 June)

The TC260 sought public comments on the Cybersecurity Technology Capability Indicator System for Security Protection of Critical Information Infrastructure (Draft for Comment). This document aims to establish and standardise a capability indicator system for the security protection of critical information infrastructure. It covers security indicators at “basic protection”, “enhanced protection”, and “strategic protection” levels and is intended to guide critical information infrastructure operators in improving their security protection capabilities. The document details capability requirements in four areas: management norms, security architecture, technical defence, and security operations, to ensure cybersecurity in critical industries and sectors. The document is open for public comment, and relevant institutions and individuals are encouraged to provide feedback.

7. TC260 proposed new guidelines to guide personal information processors in further identifying sensitive personal information (11 June)

The TC260 issued the Cybersecurity Standards Practice Guidelines - Guidelines for Identifying Sensitive Personal Information (Draft for Comment). These guidelines aim to help personal information processors identify sensitive personal information and regulate its handling, cross-border transfer, and protection activities. The guidelines propose methods for identifying sensitive personal information, list common categories and examples of sensitive personal information, and provide clear references for organisations to ensure the dignity and security rights of individuals.

8. China and Germany jointly signed a memorandum of understanding on cooperation in cross-border data flows to enhance bilateral exchanges on the issue (26 June)

The CAC and the German Federal Ministry for Digital and Transport jointly signed the Memorandum of Understanding on Cooperation in Cross-Border Data Flows in Beijing. The Chinese side expressed its willingness to work with Germany to implement the cooperation consensus of the two countries’ leaders and use the signing of the memorandum as an opportunity to promote Sino-German exchanges and cooperation in cyberspace, achieving more outcomes. The German side expressed its intent to further strengthen exchanges and cooperation with China in the fields of cross-border data flows and artificial intelligence, actively promoting the implementation of the memorandum. Under the framework of the memorandum, both sides will establish a “Sino-German Data Policy and Regulations Exchange” dialogue mechanism to facilitate cooperation between enterprises of both countries in a fair, just, and non-discriminatory business environment.

9. CAC and Indonesia’s National Cyber and Crypto Agency renewed cybersecurity cooperation memorandum to deepen bilateral cooperation (26 May)

On 26 May, the CAC and Indonesia’s National Cyber and Crypto Agency renewed the Memorandum of Understanding on Developing Cybersecurity Capacity Building and Technical Cooperation in Denpasar, Indonesia. This renewal aims to further deepen and expand cooperation between China and Indonesia in the field of cybersecurity.

10. Hainan Provincial CAC proposed new regulations to promote international digital industry development and secure cross-border data flows in Hainan Free Trade Port (26 June)

The Hainan Provincial CAC issued the Regulations on the Development of International Data Centers in Hainan Free Trade Port (Draft for Public Comment). These regulations aim to promote the development of the international digital industry in Hainan Free Trade Port and ensure the secure and orderly flow of cross-border data. The regulations cover the definition of international data center businesses, operating conditions, data export management, international cooperation, and government support, aiming to foster the local digital economy’s growth.

11. Guangdong Province proposed local standards to guide data intellectual property registration (21 June)

The Guangdong Provincial Intellectual Property Office issued the Guidelines for Data Intellectual Property Registration (Draft for Review). These guidelines aim to standardise the data intellectual property registration process, protect the legal rights of data owners, promote the lawful use and sharing of data resources, and drive the development of the data economy. The guidelines specify the application conditions, registration procedures, review standards, and management measures for data intellectual property. They provide clearer operational guidance for data owners to ensure that the local data intellectual property registration process is efficient and fair.

12. Hunan Province issued regulations to promote digital industrialisation and industrial digitisation, advancing the deep integration of the digital and real economies (14 June)

Hunan Province issued the Hunan Province Digital Economy Promotion Regulations, which will come into effect on 1 July 2024. These regulations aim to advance digital industrialisation and industrial digitisation, promote the deep integration of the digital economy with the real economy, improve the digital economy governance system, build a strong digital economy province, and drive high-quality economic development. The regulations cover aspects such as the construction of digital infrastructure, the development and utilisation of data resources, innovation in digital technology and digital ecosystems, and clearly define the responsibilities and support measures of various levels of government departments.

13. CAAC proposed new regulations to strengthen the management and sharing of civil aviation data, ensuring data security (4 June)

The Civil Aviation Administration of China (“CAAC”) issued the Civil Aviation Data Management Measures and the Civil Aviation Data Sharing Management Measures. The Civil Aviation Data Management Measures establishes a framework for managing civil aviation data, covering activities such as data collection, storage, usage, processing, and transmission. It clarifies data classification and processing responsibilities, promotes data resource sharing and utilisation, strengthens data security management, and supports the digital transformation and high-quality development of the civil aviation sector. The Civil Aviation Data Sharing Management Measures further defines the entities, responsibilities, and types of data sharing in civil aviation, standardises data catalog management, data aggregation, and usage, and ensures the security and compliance of data sharing processes. These measures aim to enhance data governance capabilities and efficient application in the civil aviation industry, promoting its high-quality development.

14. TC260 proposed guidelines for data outside intelligent connected vehicles, guiding automotive data security units to explore convenient methods to stop collecting external data (24 June)

The TC260 sought public comments on the Cybersecurity Standards Practice Guidelines - One-Click Stop for Collecting External Vehicles Data (Draft for Comment). This document introduces the technical requirements and operational guidelines for implementing a one-click stop function for collecting external data in intelligent connected vehicles. The guidelines aim to ensure that vehicles can quickly stop data collection when entering sensitive areas by setting a convenient button, thus avoiding the collection of unnecessary personal information and important data and enhancing data security management. The document covers the basic functions, procedural requirements, trigger methods, and status indicators, and provides corresponding testing methods for stopping data collection.

15. Ministry of Commerce and 8 other departments issued opinions to expand cross-border e-commerce exports and accelerate the cultivation of new drivers of foreign trade (14 June)

The Ministry of Commerce and 8 other departments jointly issued the Opinions on Expanding Cross-Border E-Commerce Exports and Promoting the Construction of Overseas Warehouses. This document aims to promote the coordinated development of cross-border e-commerce and overseas warehouses, proposing 15 measures to support more enterprises in operating overseas, enhance cross-border e-commerce service capabilities, optimise financing channels and regulatory services, and promote the optimisation and stability of foreign trade structure and scale. The document emphasises strengthening international cooperation and standards formulation, promoting economic and trade cooperation with countries related to the Belt and Road Initiative, and enhancing the international competitiveness of China’s cross-border e-commerce and new drivers of foreign trade.

16. Ministry of Natural Resources issued the marine data open sharing catalog to further unlock the potential of marine data elements (17 June)

The Ministry of Natural Resources (“MNR”) issued the Marine Data Open Sharing Catalog (First Batch, June 2024), which covers various standard observation datasets from marine stations, integrated global ocean temperature and salinity datasets, marine biochemical datasets, and more. It includes a total of 37 datasets and data products, encompassing a wide range of spatial and temporal attributes. The datasets are updated at different frequencies and shared in the forms of datasets, data product collections, and data inventories, supporting marine-related scientific research and industrial development.

17. Ministry of Natural Resources publicised eight draft approval standards for data management in the natural resources industry, covering database construction and quality inspection (5 June)

The MNR publicised eight draft approval standards for the industry, including the Measurement Mark Management Data Specifications. These standards cover areas such as database construction, quality inspection, periodic mineral resource surveys and planning, and real estate registration information sharing. The aim is to standardise natural resources data management and enhance the technical level and service capabilities of the industry.

18. Guangdong Province issued implementation opinions to build a new paradigm for the coordinated development of the data element market in the Guangdong-Hong Kong-Macao Greater Bay Area (24 June)

Guangdong Province issued the Implementation Opinions on Establishing a Data Infrastructure System to Promote the High-Quality Development of the Data Element Market. These opinions aim to establish a sound data infrastructure system, promote the high-quality development of the data element market, and stimulate new drivers for the digital economy. By establishing systems for data property rights, circulation and transactions, revenue distribution, and security governance, Guangdong Province seeks to enhance the value and circulation efficiency of data elements, promote the deep integration of data with the real economy, and support the high-quality economic development and digital industrialisation process in the region.

19. Ningxia issued implementation opinions to promote the development of the data element market, accelerating the construction of a new digital economy hub (19 June)

Ningxia Autonomous Region issued the Implementation Opinions on Promoting the Development of the Data Element Market, aiming to accelerate the market-oriented development of data elements and promote the synergy between data and computing power to create a new digital economy hub. The document focuses on improving property rights systems, regulating circulation and transactions, fostering a diverse data industry ecosystem, and promoting the efficient circulation and use of data to empower the real economy. It sets goals to achieve by 2030, including graded data management, standardised public data, and a robust data industry ecosystem. The document also emphasises data security protection, mandates a negative list for transactions and strengthens personal information protection and security supervision.

20. Beijing clarified plans to deepen service sector opening-up and promote foreign investment, including facilitating cross-border data flows (7 June)

Beijing recently released the Implementation Plan for Deepening Service Sector Opening-Up and Promoting Foreign Investment (Draft for Comment), aiming to drive high-quality development in the service sector and further optimise the foreign investment environment. The plan outlines 15 key tasks and measures, including improving foreign investment access management, enhancing the facilitation of cross-border data flows, increasing openness in the medical field, encouraging green and low-carbon development, strengthening legal protection for foreign enterprises, fostering a high-level headquarters economy, deepening cross-border investment and financing forex management pilots, as well as optimising residency policies for foreign employees. The goal of this document is to be the first in the nation to achieve opening-up in key areas such as telecommunications, data, healthcare, and green initiatives.

Enforcement Developments

21. CAC released typical cases from the special enforcement action of Qinglang - Optimising the Online Business Environment by Rectifying Corporate Infringement Information Chaos (8 June)

The CAC recently launched a special enforcement action, Qinglang - Optimising the Online Business Environment by Rectifying Corporate Infringement Information Chaos, exposing several typical cases. Accounts like the WeChat video channel “Mozi Business Talk” were closed for spreading false information and maliciously defaming companies. The Douyin account “Xiaoniu Talks Cars” and similar accounts were shut down for exaggerating and distorting facts to smear enterprises. This operation further strengthens online information management to protect corporate rights and clean up the online environment.

22. MIIT reported the fourth and fifth batches of apps (SDKs) infringing on user rights, listing 46 apps (SDKs) (19 and 28 June)

The Ministry of Industry and Information Technology (“MIIT”) released the lists for the fourth and fifth batches of 2024, naming 46 apps and SDKs that infringe on user rights. The violations include unauthorised collection of personal information, frequent forced permissions requests, and disruptive pop-up ads.

23. Shanghai CAC released an analysis of illegal personal information collection in coffee consumption scenarios, further strengthening awareness of personal information protection among coffee enterprises (25 June)

The Shanghai CAC and the Municipal Administration for Market Regulation conducted legal training and compliance guidance for 24 chain coffee enterprises. The action addressed six common illegal practices, including forced or default consent to privacy policies, lack of or inaccurate privacy policies, and coercive or frequent collection of precise location information. Enterprises were urged to strictly comply with the Personal Information Protection Law of the People's Republic of China to ensure the safety of consumer personal information.

24. Shanghai Communications Administration to conduct network and data security inspection of the telecommunications and internet industry in 2024 (26 June)

The Shanghai Communications Administration announced it will conduct a network and data security inspection of the city’s telecommunications and internet industry in 2024. The inspection aims to enhance security levels and ensure network and data safety during major events. It will cover basic telecommunications companies, internet companies, domain registration service providers, and focus on network and data security management systems, communication network protection, industrial internet security, vehicle network security, data security protection, and personal information protection. Companies are required to self-inspect and report, with the administration conducting spot checks and reviews on remediated accountability measures.

25. Shanghai CAC processed its first law enforcement case in the field of facial recognition technology, with the involved institution having completed rectification and receiving an administrative penalty (6 June)

The Shanghai CAC processed its first case of facial recognition abuse, imposing an administrative penalty on a sports company. The subject company’s swimming pool was reported for forcibly collecting consumer facial information, leading to an order for rectification, and the “facial recognition” option has been removed. This enforcement action, conducted in coordination with the Municipal Market Supervision Bureau and other departments, aims to protect personal information security and plans to launch targeted rectification across various fields and scenarios to raise societal risk awareness.

Industry Developments

26. Guangzhou issued the 2024 digital economy work priorities, systematically deploying digital economy tasks across the city (4 June)

The Guangzhou Municipal Government Services and Data Management Bureau, in collaboration with the Municipal MIIT, officially released the 2024 Guangzhou Digital Economy Work Priorities. This document systematically deployed tasks to enhance digital infrastructure, promote data resource development and utilisation, drive the integration of digital and real economies, deepen digital industry innovation, as well as improve the digitisation of public services. The work priorities cover 33 tasks in six areas, aiming to build Guangzhou into a globally influential leading city in the digital economy and promote high-quality digital economic development of the city.

27. Shanghai Internet Association established the Network and Data Security Committee, focusing on technological innovation and industry collaboration (3 June)

The Shanghai Internet Association officially established the Network and Data Security Committee under the guidance of the Municipal Cyberspace Administration. The committee aims to promote technological innovation, talent cultivation, and public education in network and data security, and to foster the integration of technology and industry. The Municipal Cyberspace Administration emphasised the need to elevate positions, strengthen responsibilities, and build a comprehensive cybersecurity framework. The committee will focus on monitoring network and data security trends, formulating work plans, and advancing high-quality development in Shanghai’s network and data security sector.

28. World Internet Conference held Member Activity Day - Digital Era Enterprise Rights Protection Exchange Meeting in Beijing (19 June)

The World Internet Conference’s Member Activity Day - Digital Era Enterprise Rights Protection Exchange Meeting was held in Beijing. The conference focused on optimising the online business environment and protecting enterprise rights, including addressing corporate infringement information, facilitating complaint channels, and establishing long-term mechanisms. The meeting emphasised the need for cooperation between enterprises and government departments to create a favourable business environment. Representatives from various well-known companies attended the meeting, gaining a better understanding of policies and increasing their confidence in development. The event was hosted by the World Internet Conference International Organisation, attracting numerous enterprises.
