China Data Protection and Cybersecurity: Annual Review of 2023 and Outlook for 2024 (II)

In 2023, we witnessed a profound evolution in the realms of cybersecurity and data compliance governance. With the enactment of three pivotal laws — the Personal Information Protection Law (“PIPL”), the Data Security Law (“DSL”), and the Cyber Security Law (“CSL”) — China embarked on a journey to refine and actualise data protection imperatives. Throughout the year, a plethora of new regulations and enforcement dynamics emerged, meticulously aligning with China’s commitment to safeguard data subjects’ rights. Simultaneously, emphasis was placed on the fluidity of data — both in cross-border circulation and internal ecosystems — allowing the very essence of data to come alive. As we are heading into 2024, what are the new challenges for businesses? Let’s take a closer look at these developments and what we can expect from them in the year of 2024.[1]

In this second article, we will set out highlights of the year and 2024 predictions in terms of data security, cyber security, and data exchange and transactions. Click here if you would like to read our first article where we gave an overview of the highlights in China, and developments in personal information protection.

If you’d like to speak with us about how to align your business, or subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Part Three: Data Security

Regulatory developments

1. Data security risk assessment by MIIT

On 9th October, the MIIT issued the Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information (for Trial Implementation) (Draft for Comment), which stipulates that important data and core data processors should complete a data security risk assessment at least once a year (with the results of the assessment being valid for one year), and report or update the assessment report to the industry supervisory authorities within ten working days of the completion of the assessment.

The implementation of this document will usher in significant changes for all companies involved in data processing activities in the relevant industries, particularly for important data and core data processors who will need to apply for risk assessments in the MIIT sector. (Click hereto read our comments on the risk assessment by MIIT.

2. Automotive industry sectoral developments

In 2023, China strengthened its regulatory landscape for intelligent and connected vehicles (“ICV with a focus on data security and standardisation. The MIIT released the National Vehicle Networking Industry Standard System Construction Guide (Intelligent Connected Vehicles) (2023 Edition) on 26 July, highlighting the need for stringent data security standards in ICVs. This complemented by the finalisation (not ratified yet) of two key mandatory national standards in September 2023 - Technical Requirements for Whole-Vehicle Information Security and Data Recording Systems for Intelligent Connected Vehicles with Autonomous Driving. These measures aim to create a secure, standardised framework for ICV data management, covering issues from information security management in vehicles to protocols for data recording in autonomous driving.

Moreover, the importance of data throughout the automotive lifecycle was emphasised. Major regions such as Beijing, Shanghai, Jiangsu, and Fujian are aligning with these standards, implementing 2023 data security management measures as outlined in the Interim Provisions on Automotive Data Security Management, displaying a concerted effort to uphold data security at a regional level.

Looking ahead to 2024, China’s ICV sector looks poised for continued growth and innovation, with an unwavering commitment to safety, security, and the pioneering use of data and technology.

3. Financial industry sectoral developments

As a highly regulated industry, China’s finance industry witnessed significant advancements in data security, marked by key regulatory initiatives in 2023.

On 24 July, the People’s Bank of China (“PBOC”) released the Measures for Management of Data Security in the Business Areas of the PBOC (Draft for Comments) (see our views ). Despite being a draft for comments, this document holds significant reference value. It detailed stringent regulations for data classification, security, and processing, providing a clear framework for the entire data lifecycle from collection to deletion.

Four new financial national standards focusing on internet finance were released on 23 August 2023, covering online consumer credit, software evaluation, and risk prevention. These aimed to standardise practices across the sector. Later, on 10 November 2023, the Internet Finance Association introduced nine group standards , targeting financial data management, digital transformation, and fintech, highlighting a commitment to enhancing data management and security.

In terms of enforcement, we have seen several banks penalised by the National Financial Regulatory Administration (“NFRA”) and PBOC for various violations relevant to personal information and expect to see more similar enforcement actions in 2024 with the further improvement of the relevant industrial regulations.

4. Healthcare sectoral developments

As China intensifies its focus on the “Data Elements x Healthcare” initiatives, data protection and security are gaining heightened importance in the healthcare sector. Coinciding with this shift, the Detailed Rules for the Management of Human Genetic Resources were implemented on 1 July 2023. These rules define important terms, improve administrative processes, and introduce a robust system for registration and reporting in managing human genetic resources.

On 24 August 2023, the National Health Commission issued four healthcare data elements standards. These standards aim to improve how health data is processed, with clear rules for data modeling, metadata, and classification.

In terms of enforcement, a recent incident involving the leak of personal medical information (electronic medical record) has garnered significant attention. Relevant officials have stated that appropriate measures were taken against those involved in this breach. Looking to 2024, we expect increased efforts to bolster data security and prevent such breaches in the healthcare sector.

Enforcement developments

Enforcement activities on data security and personal information protection

Enforcement regulators

The Ministry of Public Security Departments, China Consumers Association

Enforcement overview and key focus

In 2023, enforcement activities based on the DSL in China have become much more active comparing to the past two years pursuant to Article 26, 27, 31, 33, and 45 of the DSL.

These activities have expanded from the internet and technology industries to other sectors, including small and medium-sized enterprises. For instance, -

  • Since May 2023, the Jiangsu Public Security Law Enforcement Publicity Platform (the “Platform”) has disclosed hundreds of law enforcement cases concerning “failure to fulfill data security obligations”. The entities imposed with punishments are mainly small street shops such as cake shops, convenience stores, pet shops, and Internet cafes, i.e., a cake shop that has been collecting its customers’ personal information, such as name, cell number, etc., for membership purposes, was warned by the enforcers for not organising data compliance training, not having established organizational data protection mechanism, and not having technical measures adopted to ensure data security. As a result, personal information handler, the cake shop was found in violation of Article 27 of the DSL. It is noteworthy that the number of such enforcement cases has increased significantly since May 2023.
  • According to the administrative penalty cases published by relevant authorities, this year’s typical cases have three key issues:
  • data handlers have not followed regulations on data transaction security and provided important data to overseas without authorization;
  • the involved enterprises did not implement data security management systems and operating procedures, did not conduct formal data security talent training for unit employees, and lack of data security risk assessment and monitoring and emergency response systems; and
  • internet platforms excessively collect personal sensitive data, causing data monopolies.

Penalties

Damages, deletion of illegally collected personal information, public apology, be ordered to make rectifications and begiven a warning by the competent department and may be concurrently fined; the directly liable persons in charge and other directly liable persons may also be fined.

Outlook for 2024

To effectively assess and mitigate data security risks, it is vital for the data handlers to conduct thorough data mapping to gain a comprehensive understanding of the important data and core data that they process, as well as the specific data processing activities, sources, and flows. In 2023, we witnessed a further emphasis on data classification and grading. We could expect to see further clarification of the industrial list for important and core data in 2024.

Additionally, the draft document proposing data security risk assessment by MIIT provides a comprehensive and systematic evaluation process. We anticipate that in 2024, the MIIT sector will become one of the fastest and most advanced sectors in many industries in the context of data security risk assessment requirements, nevertheless, leading by the pilot draft in the MIIT sector, other sectors may also have similar requirements for data security risk assessment and there would be a need for enterprise-evaluation work to be carried out based on whether this draft document will be implemented in the MIIT sector.

Part Four: Cyber Security

1. Legislative plan to revise the CSL

On 7 September, the Standing Committee of the 14th National People’s Congress (“NPC”) announced its legislative plan, including the finalisation of the commented-for-revision version of the CSL. In effect since 2017, the current CSL was proposed with a draft-to-comments version in September 2022. During 2023’s NPC, the legislative plan to finalise the revised CSL may be scheduled for consideration when conditions are ripe after sufficient study and justification.

2. Swift cybersecurity reporting mandate

On 8 December 2023, the CAC introduced the Management Measures for Reporting Cybersecurity Incidents. Swift reporting—within one hour—is mandatory for significant, major, or exceptionally major incidents. If uncertainty lingers, 24 hours allow for supplementary details, in which case, reporting as required for basic facts must be completed within one hour.

Within five working days, a summary report must ascend. Notably, incidents involving significant data leaks or personal information exposure of over one million individuals deemed ‘major’. These stringent timelines prompt companies to prepare cybersecurity emergency plans to meet regulatory demands. (We will have an article on this specific topic available within two weeks, subscribe us to keep posted.)

3. Regulations issued to implement cybersecurity requests

  • During 2023, a series of draft or formally implemented rules and guidelines applicable to cybersecurity have been continuing issued. For instance:
  1. The Information Security Technology – Guidelines for Category and Classification of Cybersecurity Incidents was issued on 23 May. The guidelines describe the methods of classifying and grading cyber security incidents, define the categories and levels of cyber security incidents, and the classifies the codes of cyber security incidents.
  2. The Cybersecurity Standards Practice Guide – Implementation Guidelines for Cyber Data Security Risk Assessment was released on 29 May 2023 and provides ideas, processes, and methods for cyber data security risk assessment. The document clarifies the steps and content of the assessment, which applies to data processors who conduct security self-assessments as well as relevant competent authorities who organize inspections and assessments.
  3. The Network Critical Equipment Security Technical Requirements for Programmable Logic Controllers (PLC) (Draft for Comments) issued on 21 September 2023 specifies the information security technical requirements for PLC. It also provides a standard basis for third-party testing and certification organisations to conduct PLC equipment security testing and certification. Finally, it serves as a basis for enterprises to purchase network-critical equipment, further implementing the requirements under Article 23 of the CSL.
  4. The National Information Security Standardisation Issued the Application Guidelines of Information Security Technology in Network Security Insurance (Draft for Comments), issued on 13 September, aiming to solve problems such as the lack of unified understanding of network security insurance by enterprises, promote the standardisation of its application, and improve the supply and demand capacity of the market.
  • On 28 March 2023, the State Administration of Market Regulation (“SAMR”), the Office of the Central Cyberspace Affairs Commission, the MIIT, and the Ministry of Public Security jointly released the Implementation Opinions on Conducting the Certification Work for the Network Security Services (the “Implementation Opinions”), which contains nine articles to clarify that the catalogue of the cybersecurity services certification will be determined and adjusted and to include services such as testing and assessment, security operations and maintenance, security consulting, and a multi-level protection scheme assessment. The Implementation Opinions provides that certification bodies for cybersecurity services are required, upon the request of consignors, to conduct security certification in compliance with the relevant rules, establish a traceable working mechanism to record the entire certification process, and publish the fee standards and certificate status (e.g., valid, suspended, cancelled, or revoked).
  • On 17 March 2023, the SAMR and the National Standardisation Administration Committee announced the issuance of the National Standards of the People’s Republic of China (No. 1 of 2023), which contains 12 sets of national standards on cybersecurity under the TC260, including the Information Security Technology - Basic Requirements for Competence of Cybersecurity Workforce (GB/T 42446-2023).

4. Guidance on the data classification system in the MIIT sector

On 24 October, the MIIT released the Measures for the Classified and Graded Management of Industrial Internet Security (Draft for Comment). Among other things, this document clarifies that industrial Internet enterprises can carry out independent grading, and they need to consider elements such as enterprise scale, business scope, the impact of the consequences of a cybersecurity incident, and the degree of application of the industrial Internet, operation of important systems, mastery of important data, as well as the importance to the development of the industry and industrial chain supply chain security.

Enforcement developments

During 2023, we noticed that the Public Security Bureau, as the law enforcement body, becoming more active in the enforcement of cybersecurity and personal protection in various fields. In particular, the Public Security Bureau relies primarily on Article 44, and 64 of the CSL and the law enforcement content is more targeted at the mandatory requirements on network products and services. In addition, the law enforcement objects have expanded from enterprises to individuals, and enforcement activities under the CSL have been carried out in an all-round and multi-dimensional manner, compared with the previous two years.

Further enforcement of the cybersecurity review

On 1 September 1 2023, the CAC made administrative penalties against a well-known knowledge service platform after conducting a cybersecurity review in accordance with the CSL, the PIPL, the Administrative Penalty Law and other laws and regulations. Considering the nature, consequences and duration of this subject platform’s unlawful handling of personal information, in particular the cybersecurity review, and other factors, CAC decided to impose administrative penalties on this platform in accordance with the law in relation to the cybersecurity.

In addition, the CAC carried out a cybersecurity review on a global semiconductor supplier who sold products in China. The review found that the supplier’s products have serious hidden cybersecurity risks, which pose significant security risks to China’s critical information infrastructure supply chain and could affect China’s national security. The products of the semiconductor supplier are therefore unlikely to pass the cybersecurity review in accordance with the CSL and other laws and regulations.

Outlook for 2024

During 2023, we saw that cybersecurity reviews are no longer limited to the protection of data and cyber security, but are also focusing on preventing security risks from harming China’s critical information infrastructure security. As a result, the cybersecurity review became a necessary measure to safeguard national security. On 1 July 1 2023, China passed the revised Counter-Espionage Law (“CEL”) and further stressed a robust legal framework encompassing a series of regulations and laws, including CSL, designed to safeguard its national security interests. (See our views on the CEL here.) In 2024, China’s regulation of cybersecurity will be multi-dimensional and will focus on balancing data flow with national security.

Moreover, as the Legal Advisory Committee on Cybersecurity held its inaugural meeting and a seminar on the legal system of cybersecurity in Beijing from 10-11 October, we expect to see the Ministry of Public Security strengthening legal research on cybersecurity, cracking down on new types of cybercrime, guarding against security risks of modern technologies and applications, and strengthening comprehensive cyber governance against both individuals and enterprises, who provide Internet products or services.

In the meanwhile, we look forward to the implementation of the newly revised CSL, as one of the three higher-level laws to provide a framework and legal basis for China’s cyber security and data compliance.

Part Five: Data Exchange and Transactions

Regulatory developments

1. The inauguration of the National Data Authority

The data element market originated from the idea of treating data as a novel type of production. China has promoted a series of regulations and policies to foster the development and governance of the data element market since 2015, aiming to enhance the core competitiveness of data elements and promote data openness and innovation.

On 19 December 19 2022, one of the most critical documents in the recent years - the Opinions on Building Data Infrastructure System to Better Play the Role of Data Elements (the Opinions on Building Data Elements”) was issued by the State Council, focusing on the top-level design established for data elements governance in China and aiming to facilitate the fundamental policy design in relation to data exchange and transactions. The Opinions on Building Data Elements creatively proposed the concept of “three rights separation”, which partitions rights for data resources, data processing, and data product operations based on the roles and involvement levels in data processing activities. Tailored to distinct data types, this framework applies varied rights and authorisation mechanisms to public data, corporate data, and personal information.

In the wake of the Opinions on Building Data Elements, a National Data Bureau was proposed in March and the bureau officially debuted on 25 October 25 2023, administered by the National Development and Reform Commission. The National Data Bureau orchestrates the construction of a robust data foundation system, harmonising resource integration, utilisation, and digital planning. Its establishment propels accelerated innovation, weaving digital technologies—Internet, big data, cloud computing, AI, and blockchain—into the fabric of our real economy.

2. Data resource to be recorded as asset in financial statements

On 1 August 2023, the Ministry of Finance issued the Interim Provisions on Accounting Treatment of Enterprise Data Resources. The provisions outline the scope of application of the document, the principles of accounting for data resources, and the presentation and disclosure requirements on enterprises regarding their data resource. The unveiling of this document turns the concept of data from resource to asset by recognising data as an asset category in a company’s balance sheet, reflecting its value and business contribution in financial reports.

3. Current business model

The Opinions on Building Data Elements advocates for a robust framework that harmonises data element circulation and transactions via various business model such as data exchange centres or data service providers / brokers. One year after the publish of the Opinions on Building Data Elements, the current business models concerning data exchange and transactions in China mostly are using two models - the data exchange centres running by the government using a dealing matching model, and the unilateral data brokering model adopted by private parties. That said, we observed local regulations specifically governing data brokers released by provincial governments, aiming to enhance efficiency, compliance, and the dynamic exchange and transactions of data elements, and in October, the first compliant circulation transaction of personal information was completed at the Guiyang Big Data Trading Exchange in China, in which case, it was supervised and managed throughout all stages, representing an innovative practice by the Guiyang Big Data Trading Exchange.

4. Local developments

During 2023, local regulations surged, shaping data exchange and transactions Notably, on 19 October, the Shanghai Data Exchange unveiled the Guidelines for Data Transaction Security Compliance, providing a list of compliance considerations and documents and aiding enterprises in risk identification and third-party compliance assessments.

In addition to publishing local rules mandating that data resources are recorded as assets in financial statements, local governments also steered discussions on data rights and commercial value. For instance, the Beijing Municipal Intellectual Property Office introduced the Management Measures for Data Intellectual Property Registration—a five-chapter opus exploring registration, supervision, and more.

From the perspective of local regulations, more specific normative documents provide local guidance on how to define data brokers, how to convert data resources into data assets, and how to register intellectual property rights of data asset at the local level. These guidelines can further promote the implementation of data transactions and their expansion at the local level.

Enforcement developments

Data Intellectual Property Registration Certificate

Regulators

Beijing Internet Court

Enforcement overview and key focus

  • On 14 December 2023, the Beijing Internet Court convened to publicly hear the first case in China involving the recognition of the effectiveness of an “Data Intellectual Property Registration Certificate”.
  • In this case, the plaintiff accused the defendant of illegally obtaining and disseminating their voice dataset.
  • The dispute highlights the importance of data property rights and compliance in the AI and data exchange and transactions sector. While the plaintiff asserts its rights, the defendant claims the dataset was publicly available.

Penalties

This is a rather recent case. The panel focused on clarifying the disputed points between the plaintiff and the defendant, thoroughly examining the relevant facts. The verdict in this case will be announced later and the court’s decision will have an impact on data exchange and transactions practices and innovation.

Outlook for 2024

In practice, there are various claims for rights and interests in the process of data transactions. Enterprises should consider the nature of the data, regulatory requirements, the interests of the contracting parties and other factors to determine the distribution of data rights.

With the recent establishment of the National Data Bureau, exciting prospects emerge. By crafting guidance documents, we can propel the development of a dynamic data trading system. The National Development and Reform Commission and the National Data Bureau may hasten research on public data pricing mechanisms and regulatory provisions. This paves the way for compliant and efficient data circulation, explores the “three rights separation” concept, and encourages secure data sharing. Meanwhile, local policies will continue to bloom, fostering diverse data trading models.

Finally, with the promulgation of the Interim Provisions on Accounting Treatment of Enterprise Data Resources, we look forward to more discussions on how to classify data recourses and how to estimate the value of data resources in different fields and industries based on the characteristics of each industry.


[1] For an overview of 2021 development and the three-pillar regulatory framework for cybersecurity and data protection in China, see our previous articles here and here.

Latest insights

More Insights
featured image

Bird & Bird marks World Children’s Day by announcing its forthcoming Global Comparative Guide to Children in the Digital World

7 minutes Nov 20 2024

Read More
The European Commission Modern office buildings in Brussels, Belgium.

VAT in the Digital Age (“ViDA”): prepare your business with Bird & Bird – 10 key insights for success

Nov 15 2024

Read More

Hungary: Easing the tax burden of innovative startups – from January 2025, the IP contributions will become tax-free

Nov 14 2024

Read More