China Cybersecurity and Data Protection: Monthly Update - May 2024 Issue

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.

Key Highlights

• Local governments of Hangzhou, Shenyang, Shijiazhuang and other cities have issued guidance for the orderly circulation, development and utilization of local data according to local conditions.
• On data transactions, Shenzhen announced the first registration of data as intellectual property and transaction of artificial intelligence (“AI”) multimodal arithmetic set in China.
• On AI development safety, the National Network Safety Standards Committee has issued a draft specification for data annotation security, pre-training and optimized training data security, detailing the safety, providing safety specifications for AI large model training.
• On automobile data security, the China Automobile Association issued the group standard on the establishment, evaluation and improvement of data security management system for automobile data processors, detailed guidelines for data classification and level management and data lifecycle management.

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. The SAMR issued a regulation to standardize the work of electronic data forensics for market supervision administration and administrative law enforcement (7 April)

   The SAMR issued the Interim Provisions on Electronic Data Forensics for Market Supervision and Administration Administrative Law Enforcement (Interim Provisions), which consists of eight chapters and thirty-six articles, regulating issues including electronic data forensics, seizure and detention of original storage media, on-site extraction of electronic data, online extraction of electronic data from the network, and inspection, analysis and storage of electronic data. The Interim Provisions provide strong guidance for market supervision and management authorities and their law enforcement officers in the process of supervision and inspection of electronic data forensics.

2. TC260 issued a draft security requirements on government data processing (15 April)

   TC260 issued the national standard Data Security Technology - Security requirements for government data processing (Draft for Comments), which provides guidelines for enterprises to carry out data classification and grading and to identify important data (15 April), which specifies in detail the framework of security requirements for governmental data processing, security management requirements, security technology requirements and personal information protection requirements. Among them, security operation requirements and security supervision requirements are important assessment methods and evaluation indicators.

3. TC260 issued a draft national standard for cybersecurity operation and maintenance (15 April)

   TC260 issued the national standard Cybersecurity technology - Implementation guide of cybersecurity operation and maintenance (Draft for Comments). The standard introduces the reference framework, model and objectives of cybersecurity operation and maintenance, and provides guidance on the conditions for cybersecurity operation and maintenance as well as the implementation contents in the process of business establishment. It realizes cybersecurity operation and maintenance from the aspects of operation and maintenance management, identification, defense, monitoring, response and collaboration, and introduces the cybersecurity operation and maintenance effect evaluation model and other contents covering the whole process.

4. TC260 issued a draft national standard for personal information transfer (3 April)

   TC260 issued the national standard Data security technology - Requirements for personal information transfer based on request of personal information subject (Draft for Comments). The standard regulates and explains the scope of application, conditions for exercising the transfer of personal information, process requirements, automated processing requirements, and requirements for agents or agencies. Detailed explanations are also provided for special cases of personal information transfer: requests for transfer of personal information of minors under the age of 14, processing involving third parties, and processing involving cross-border transfer requests.

5. TC260 issued a draft national standard for generative AI data annotation security (3 April)

   TC260 issued the national standard Cybersecurity technology - Generative artificial intelligence data annotation security specification (Draft for Comments). The standard constructs the basic security foundation of data annotation from the aspects of data security requirements, annotation tool security requirements, access control security requirements, data transmission security requirements and rule security requirements. In addition, the standard provides specific explanations on labelling personnel, data labelling verification requirements and labelling security test methods.

6. TC260 issued a draft national standard for generative AI pre-training and fine-tuning data security (3 April)

   TC260 issued the national standard Cybersecurity technology - Security specification for generative artificial intelligence pre-training and fine-tuning data (Draft for Comments). The standard describes in detail the safety requirements for pre-training data processing activities and fine-tuning data processing activities from the aspects of data collection, data pre-processing and data utilization, and specifies the evaluation methods for the two data processing activities.

7. The CAAM released the collective standard to specify the requirements for the automotive data security management system (11 April)

   The CAAM released the collective standard T/CAAMTB 189-2024 Data Security Management System Requirements for Automobile Enterprise, which specifies the requirements that a reasonable, effective and complete data security management system for automotive data processing activities should meet, as well as the corresponding evaluation methods. The standard is applicable to competent regulatory bodies and third-party evaluation organizations to evaluate whether the data security management system of automotive data processors can meet the requirements for safeguarding data security.

8. Shenzhen issued the assessment methods to provide guidelines for carrying out common data processing activities (22 April)

   The Assessment Methods of Common Data Security consists of ten chapters, one normative appendix and four informative appendices. The main articles and chapters include scope of public data security, normative references, terms and definitions, acronyms, general provisions, generic management security assessment, generic technical security assessment, security assessment of data processing activities, overall assessment, assessment conclusions, and appendices.

9. Hangzhou solicits opinions on regulations for accelerating the establishment of data circulation and transaction system (22 April)

   Hangzhou Data Resource Management Bureau seeks public comments on Regulations on Promoting Data Flow and Transaction in Hangzhou. The Regulation consists of nine chapters and forty-three articles, with the first chapter, general provisions, defining the legislative purpose, scope of application, development principles and departmental responsibilities. Subsequent chapters introduce its detailed provisions on topics such as data interests and subjects, data flow and transaction services, data authorization and operation, data pricing and revenue distribution, data ecology cultivation, data industry guidance and safeguard measures.

10. Shijiazhuang releases new guidelines to facilitate data development and management (10 April)

    Shijiazhuang municipal government drafted and released the common data development and utilization, common data product compliance review and operation dispute management approach in response to the overall requirements of deepening the market-oriented reform of data elements, accelerating the promotion of the social application of common data, and assisting in the high-quality development of the economy and society.

11. Shenzhen released regulations to promote healthy development of digital economy (23 April)

    The standing committee of the Shenyang people’s congress announces Regulations on the Promotion of the Digital Economy in Shenyang (the Regulation). The Regulations consist of eight chapters and forty-one articles, which are divided into general provisions, digital infrastructure, data elements, digital industrialization, industrial digitization, digital technological innovation, safeguards and by-laws.

Enforcement Developments

12. The CAC deploys the special action to crack down illegal information links (28 April)

    The Cyberspace Administration of China (“CAC”) has deployed a two-month nationwide special action called “clearing up and cracking down on illegal information links”. The special action focuses on eight main links that are prone to illegal information links: account links, comment links, group circle links, live broadcasts, short videos, life services, browsers, search engines, e-commerce links and links involving minors.

13. Supreme Court releases top 10 intellectual property cases and 50 typical intellectual property cases in 2023 related to disputes over unfair competition involving “Data” (22 April)

    The unfair competition dispute case of Guangdong Provincial Higher People’s Court (2022) Guangdong Civil Final No. 4541 Civil Judgment is a typical case in which data is illegally captured and traded for resale. The judgment is based on the balanced relationship between “strong protection” and “orderly flow” of data, and clarifies the boundaries of data interests’ protection, reflecting the clear judicial attitude of guiding market parties to acquire and utilize data in a “proper way and in a proper manner”.

14. Hangzhou court sentenced a public interest litigation case for personal information protection (16 April)

    The Hangzhou Internet Court sentenced the three defendants to make a public apology and pay public interest damages of more than RMB 290,000 in court. The three defendants illegally traded and used the relevant personal information of specific groups of people for profit-making purposes, which not only undermined the rights and interests of the relevant subjects of citizens’ personal information and disturbed the peace and quiet of newborn babies and their parents, but also infringed on the social and public interests.

Industry Developments

15. The NDB deployed the key work of digital society in 2024 (24 April)

    The National data bureau (“NDB”) issued Key Points for the Digital Society 2024, which proposes to implement the initiatives in the following nine areas: (i) to plan the layout of the digital infrastructure appropriately and ahead of schedule; (ii) to accelerate the construction of the data fundamental policies; (iii) to promote the digital transformation of industries; (iv) to accelerate the promotion of digital technology innovation breakthroughs; (v) continue to enhance the level of public services and improve the effectiveness of "Internet + Government Services"; (vi) to promote the digital economy governance system; (vii) to build a comprehensive digital security barrier; (viii) to proactively expand international cooperation in the digital economy; (viiii) to strengthen cross-sectoral coordination and reinforce the coordination mechanism.

16. The NDB and related departments issued program to accelerate the cultivation of digital talents (2 April)

    The NDB and related departments issued the Action Program for Accelerating the Cultivation of Digital Talents to Support the Development of the Digital Economy (2024-2026), which details six key tasks for future development: first, implementation of the digital technical engineer cultivation project; second, promotion of digital skills upgrading actions; third, development of international exchanges of digital talents; fourth, development of innovation and entrepreneurship actions for digital talents; fifth, development of actions for digital talents to empower industrial development; and, sixth, organization of digital vocational and technical skills competitions. Related departments will provide policy support in terms of systems, institutions, channels, inputs and incentives.

17. The MIIT emphasized the enhancement of network security capabilities (27 April)

    The Ministry of Industry and Information Technology (“MIIT”) issued Notice on Improving Work Safety and Network Operation Safety in the Information and Communication Industry in 2024 (“Notice”). It emphasizes the principles of adhering to the combination of safety development, prevention-oriented and technology management, lists the main tasks of strengthening ideological and political guidance, improving the system of institutions and policies, enhancing the ability of safety prevention and strengthening the remediation of key issues, and elaborates on the measures to enhance the level of emergency response and strict enforcement, supervision and assessment. At the same time, the Notice emphasizes safeguards to strengthen organizational leadership, rule of law, investment and incentives to ensure safe production and network security in the information and communications industry.

18. Beijing plans to promote the application of data industrialization (19 April)

    The Beijing Municipal Bureau of Economy and Information Technology releases Beijing Municipal Action Plan to Accelerate the Construction of a Highland for Innovation and Development of the Information and Software Industry. It advocates seizing the opportunities of industrial change, formulating the main objectives and key tasks for the development of Beijing’s information and software industry, and providing safeguard measures from all sides, in an effort to accelerate the construction of a highland for the innovation and development of the information and software industry.

19. Chaoyang District of Beijing plans to support innovative development of the digital healthcare industry (17 April)

    Chaoyang District, Beijing, released a three-year action plan for the innovative development of the digital healthcare industry and special support policies, mainly from the support of artificial intelligence drug research and development, artificial intelligence-assisted diagnosis and assisted treatment product development, the development of intelligent high-end medical equipment and medical devices, digitization in the field of traditional Chinese medicine, and open application of medical and health data.

20. Fujian Province plans to promote the high-quality development of culture and tourism (17 April)

    The General Office of Fujian Province issued the Implementation Plan on Promoting the High-Quality Development of Digital Culture and Tourism. This Plan focuses on key projects, to create a model of digital culture and tourism. From the construction of the cultural and tourism data resource centre, to promote the digitization of special cultural and tourism resources, to build cultural and tourism data circulation links, to strengthen the monitoring and analysis of big data, to promote the “Internet + supervision”, to strengthen the digital construction of public culture, to promote the digital protection of non-heritages, to build a digital protection platform for cultural relics, and to promote industrial chain innovation and application.

21. Fujian Province issued guidelines to accelerate the cultivation of data elements markets (20 April)

    Fujian Development and Reform Commission issues Several Measures to Promote the Circulation and Transaction of Data Elements in Fujian Province. It is intended to implement the decision-making and deployment of data elements in terms of strengthening the high-quality supply of data, promoting the flow of data elements and empowering innovative data applications, so as to give full play to the multiplier effect of data elements and promote the compliant and efficient flow of data.

22. Guangdong Province releases Key Guidelines to build data province and foster digital economy (19 April)

    Guangdong government services and data management bureau releases Key Points of Guangdong’s Digital Economy in 2024 to build a stronger province in digital economy. Key points vigorously promote the digital industrialization and industrial digitization, promote the development and utilization of data resources, accelerate digital technological innovation, optimize and upgrade the digital infrastructure. It points out that the sound and perfect governance and security system is to create a good environment for the development of the digital economy.

23. Hangzhou issued draft opinions to promote the circulation of data elements (10 April)

    Hangzhou Municipal Government issued Implementation Opinions on Building “China’s Digital Valley” to a High Standard and Promoting the Flow of Data Elements (Exposure draft). The Implementation Opinions explore the construction of a data system in terms of accelerating the promotion of data transaction legislation, accelerating the innovation of the rights registration system, optimizing the safety and compliance circulation system and continuously improving the standards and norms system. The Implementation Opinions advocate optimizing the layout of data infrastructure, promoting the supply of data resources, accelerating data industry agglomeration, exploring cross-domain cooperation and synergy of data, and strengthening the leadership of data application scenarios.

24. Anhui Province successfully held “4-26 World Intellectual Property Day” and issued first data intellectual property certificate (29 April)

    The first data intellectual property certificate issuance ceremony and "4-26 World Intellectual Property Day" Series of thematic activities were successfully held, which were divided into two phases, namely the first data intellectual property certificate issuance ceremony and the centralized signing and project roadshow, with a total of seven themes. The main leaders in charge of related affairs attended the event. At the event, certificates of data intellectual property rights registration were issued to the certified enterprises.

25. Beijing Daxing builds the nation’s first “Data Compliance Port” to construct a “North Port and South Bank” layout for data elements (25 April)

    Beijing Daxing Economic Development Zone has realized the leapfrog development of information and software industry exceeding 10 billion in 2023, attracting more than 1,000 high-quality enterprises and investment projects. The development of data service industry is characterized by the compliance flow of data elements, the construction of “Data Compliance Port” and Data Elements Service Centre, the creation of the nation’s first "Data Compliance Platform", and the creation of the “North Port and South Bank” layout of the data elements industry. It will build the “North Port and South Bank” layout of the data element industry, explore the Daxing model of "data industry + compliance platform + cross-border services", and promote the value of data elements.

26. Western digital trading centre officially launched automotive industry data products (25 April)

    Chongqing Changshou District builds the Western Data Trading Centre, a local trading platform aimed at further aggregating and releasing the value of data. The centre online will be used to innovate the development mode of data asset use management, exploitation, value preservation and appreciation, promote the efficient flow of data elements, accelerate the release of data element value, improve the market-oriented allocation of data elements, promote the vigorous development of the local digital economy, and build a new model of data-driven economic growth.

27. Shenzhen released the first closed loop for AI multimodal data intellectual property rights registration + the first national onsite multimodal arithmetic set transaction in China (24 April)

    The multiplier value of data as a core element of the data economy is becoming increasingly prominent. The in-depth integration of “data element x” and “AI +” has brought new industries, new modes and new energies to various fields of the economy and society. Registering and trading the intellectual property rights of AI multimodal data sets is conducive to clarifying their ownership, promoting the effective circulation of data resources, maximizing the value of data, and promoting the rapid development of the artificial intelligence field.

28. Shaanxi Province cultural tourism industry achieved its breakthroughs in data assets, financing applications (23 April)

    With the successful practice of “cultural tourism industry operation data set”, Yunchuang Science and Technology Company was approved by Bank of Communications Shaanxi Branch for a financing credit of 5 million yuan. The company has initially realized the closed-loop flow of data elements in the field of cultural tourism industry operation, including data resourceization, resource productization, product assetization and asset financialization, which provides a practical and effective path for the implementation of “data elements × cultural tourism”, and creates useful experience.

29. Shanghai Lingang: China’s first grassroots data cross-border service centre opens, which will provide data processors with all-round, full-process data cross-border services (7 April)

    The first data cross-border service centre in China, jointly built and operated by the Internet information department and local government, was opened in the Lingang New Area Data Cross-border Service Centre. Lingang New Area has taken a landmark step in taking the lead in exploring the establishment of a legal, safe and convenient mechanism for cross-border data flow. The centre will be committed to providing data processors with all-round, full-process data cross-border services, including material acceptance, business consulting and other links, to create a “green channel” for cross-border data flow.

30. Shanghai Stock Exchange permits general market making service for E-Funds Cloud Computing and Big Data Thematic Traded Investment Fund (18 April)

    To promote the market liquidity and smooth operation of E-Funds Cloud Computing and Big Data Thematic Traded Open-ended Index Securities Investment Fund, in accordance with the relevant provisions of the “Guidelines on the Application of the Self-Regulatory Rules for Funds of the Shanghai Stock Exchange No. 2 - Listed Funds Market-Making Business” and other relevant provisions, the Shanghai Stock Exchange has agreed that Huatai Securities Co. will provide general market-making services for Cloud Computing from April 18, 2024 to provide general market making services for such cloud computing.

31. Tianjin’s first certificate of data asset registration showed demonstration application of intelligent internet of vehicles (10 April)

The first certificate of data asset registration for demonstration application of intelligent internet of vehicles was issued in Hebei District of Tianjin, laying the foundation for the subsequent promotion of vehicle networking data assetization and intelligent transportation construction. Through the demonstration construction of vehicle-road-cloud integration, Tianjin has realized the convergence and processing analysis of a cumulative total of more than 30 items of data related to telematics, including basic data, business data and field information data, which effectively meets the data requirements of application scenarios, such as intelligent networking vehicle application, information control optimization and intelligent networking comprehensive service.