This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected]
On 14 September 2022, the Cyberspace Administration of China (“CAC”) released the draft amendment to the Cybersecurity Law (“CSL”) for the first time since its enactment in 2016.
The amendment has substantially increased the penalties for breaches of most obligations under the CSL to a level in line with those under Data Security Law and the Personal Information Protection Law. Apparently, such a move is intended to incentivise network operators to comply with the CSL and could herald renewed efforts of the CAC to enforce the CSL. Companies should ensure that they have identified and remediated gaps in compliance with the CSL, in particular the obligations relevant to the multi-level protection scheme, contingency plans, content security and appointment of security personnel.
On 12 September, the Cyberspace Administration of China and other relevant departments drafted the Decision on Amending the Cybersecurity Law of the PRC (Draft for Comments) (the “Decision”). The revisions in the Decision seek to improve the legal liability systems respectively for violations of the general provisions on network operation security, the security protection of critical information infrastructure, the network information security, and the protection of personal information.
On 14 September, the National Information Security Standardization Technical Committee (TC260) released the Information Security Technology - Requirements for the Classification and Grading of Network Data (Draft for Comments) (the “Requirements”). The Requirements aim to support the establishment of the classified and graded data protection system proposed by Article 21 of the Data Security Law and to provide the principles and methods for data classification and grading, including the basic principles for data classification and grading, the framework and methods for data classification, and the framework and methods for data grading.
On 8 September, the CAC issued the Provisions on the Administrative Law Enforcement Procedures of Cyberspace Administrations (Draft for Comments) (the “Provisions”). The Provisions set forth the jurisdiction and application of administrative law enforcement and the general procedures, implementation, and case conclusion of administrative penalties. Among them, the general procedures include the provisions on the procedures for case filing, investigation, evidence collection, hearing, interview, and administrative penalty decision and service.
On 27 September, the Guiyang Data Exchange released the interpretations on its first set of Data Trading Rules in China (the “Rules”). The Rules will play an important role in establishing an efficient service system for data trading and are intended to regulate the registration of trading entities, listing of traded objects, operation of trading venues, implementation of trading procedures, and related supervision and administration measures.
On 1 September, the National Health Commission (NHC) and other departments jointly issued the Cybersecurity Management Measures for Medical and Healthcare Institutions (the “Measures”). According to the Measures, medical and health institutions are required to identify their cybersecurity protection level under the relevant standards and conduct security tests before any new network is put into operation. In addition, the cybersecurity budget for new informationised projects shall not be less than 5% of the total budget and efforts shall be made to strengthen the institution’s capability to report and alert about cybersecurity incidents.
On 19 September, the China Meteorological Administration (CMA) issued the Implementing Rules for Meteorological Data Access and Sharing (for Trial Implementation) (the “Rules”). According to the Rules, only data that has been strictly evaluated for quality control and operation eligibility should be used as raw data and data products in order to ensure data quality; and only operational data that has been evaluated for operation eligibility and updated in real time should be used for forecast products and service products so as to secure the timeliness of services.
On 13 September, the Shanghai Municipal Commission of Economy and Informatization (SHEITC) issued the Implementation Rules of the Shanghai Municipality for the Opening of Public Data (Draft for Comments) (the “Rules”). The Rules call for a set scope of the public data that should be made accessible and a new mechanism for sample data development. The purposes of the Rules are to improve the quality of public data, reinforce the relevant standards, and introduce mechanisms for data examination and correction, objection verification, and quality control.
On 29 September, the Standing Committee of the Shaanxi Provincial People's Congress adopted the Shaanxi Provincial Regulations on Big Data (the “Regulations”). The Regulations allow for the lawful trading of data products and services generated from data processing activities conducted by market entities under the law unless exceptions apply. The Regulations also set forth the range of fines for violations.
On 21 September, the Standing Committee of the Beijing Municipality People's Congress launched the second round of deliberation on the Regulations of the Beijing Municipality on Digital Economy Promotion (Draft) (the “Regulations”). Key revisions are made in the second deliberation draft of the Regulations to strengthen the protection of personal information, establish a list for open public data, and provide alternative digital public services for the elderly and other specific groups.
On 8 September, the Data Security Committee of the China Cybersecurity Industry Alliance (CCIA) released the alliance’s technical document, the Guidelines on the Social Responsibilities in Data Security and Personal Information Protection (Draft for Comments) (the “Guidelines”) prepared by its member institutions. The Guidelines are applicable to data-processing organizations and may also serve as guidance for third parties to evaluate the organizations’ performance of social responsibilities in data security and personal information protection.
On 30 September, the National Information Security Standardization Technical Committee (TC260) released the Information Technology - Security Technology - Methodology for IT Security Evaluation (Draft for Comments) (the “Methodology”), a set of complementary standards for the GB/T 18336 Information Technology - Security Technology - Evaluation Criteria for IT Security. The Methodology includes a detailed description of the evaluation methods for security criteria such as Protection Profile (APE), PP Configuration (ACE), Security Target (ASE), Development (ADV), Guidance Documents (AGD), Lifecycle Support (ALC), Tests (ATE), Vulnerability Assessment (AVA), and Combination (ACO).
On 28 September, the National Information Security Standardization Technical Committee (TC260) released the Information Security Technology - Guidelines for Cybersecurity Information Submission (Draft for Comments) (the “Guidelines”). According to the Guidelines, cybersecurity information is categorized into various types such as vulnerabilities, cybersecurity threats, cybersecurity events, cybersecurity incidents, cybersecurity situations, and cybersecurity news. The information element requirements for each type are also set in the Guidelines.
On 27 September, the National Information Security Standardization Technical Committee (TC260) released the Information Security Technology - Requirements for Crowdsourcing Security Test Services (Draft for Comments) (the “Requirements”). According to the Requirements, the crowdsourcing test demand-side should authorize the subjects for testing; the crowdsourcing test provider should develop and publicize the code of conduct for the authorized test entity and prepare a security plan; the authorized test entity should strictly comply with the code of conduct during the implementation stage; and the crowdsourcing test auditing entity should conduct an audit on the authorized test entity. In addition, the crowdsourcing security test service platform is required to pass the assessment under the Multi-Level Protection Scheme and be graded at Level 3 or above.
On 23 September, the Shanghai Communications Administration (SHCA) released a list of illegal APPs after engaging a third-party testing agency to inspect the APPs in Shanghai for infringement of users’ rights. The inspection found that 127 APPs were involved in issues such as “the illegal collection of personal information”, “the illegal use of personal information”, and “mandatory, frequent, and excessive requests for permissions”. As of the date of publication, there were still 25 APPs yet to complete the rectification. According to the SHCA, all the APP operators were required to fully rectify these issues by 30 September or they would face corresponding administrative penalties.
On 27 September, the Zhejiang Communications Administration (ZJCA) released a list of illegal APPs after engaging a third-party testing agency to inspect 24 smart home APPs. Among them, 20 were found to have problems such as “the illegal collection of personal information” and “mandatory, frequent, and excessive requests for permissions”. According to the ZJCA, all the APP operators were required to fully rectify the problems by 3 October or they would face corresponding administrative penalties.
On 8 September, the Ministry of Public Security announced in a press conference that a number of cybercrime cases involving infringement of citizens' personal information were solved. The most notable cases among them included the one cracked by the Sichuan police in August 2020, in which the suspects were found to illegally obtain citizens' personal information through technical means for debt collection. The ministry also reported another case concluded by the police in Gansu concerning suspects who crawled data such as phone call records, payment records, and contact lists to generate comprehensive risk reports of the users before selling them to loan fraudsters for profit.
It was reported on 24 August that the Guangdong Provincial Postal Administration, in conjunction with other departments, carried out a special action in Guangzhou to regulate personal information-related activities in the postal and express delivery sector. According to the postal administration, the provincial headquarters of courier enterprises should strengthen the integrated management to improve their internal governance and system operation and promote the use of encrypted courier labels in order to boost personal information protection in the sector.
On 19 September, the First Intermediate People's Court of the Chongqing Municipality heard a public interest case brought by the Chongqing Consumers Association against a person surnamed Fei over his illegal sale of personal information. The plaintiff and the defendant reached a settlement agreement in court and the defendant made a public apology afterwards. The Chongqing Consumers Association believes that although Fei is spared from criminal charges, he should still be held liable for civil infringement as a consequence of his acts to trade students' and parents' personal information, which has seriously damaged the legitimate rights and interests of many consumers and harmed public interests.
On 11 September, the People's Court of the Daxing District in Beijing publicized a cybercrime case concerning IT system hacking. According to the court judgement, a person surnamed Yu, knowing that the WIND hacking software programmed by others could be used to invade the JD.com computer system and steal discount vouchers by using proxy IP addresses to generate virtual addresses as new customers, promoted the software to others on social media for profit. The court found Yu guilty of the crime of providing programs and tools for intrusion and illegal control of computer information systems.
On 16 September, Suzhou Big Data Group Co. Ltd. and the Suzhou Big Data Exchange were officially inaugurated, which would enable the opening, development, and use of data that is available but not accessible and the provision of 24/7 services for data traders from home and abroad. Also, the Suzhou Big Data Exchange has signed a strategic cooperation agreement with the Shanghai Data Exchange. They will work together on research on asset evaluation, registration, and settlement, and business matchmaking to promote the development of the core technology in data trading and to explore solutions for the recognition of data products listed on both markets and the flow and allocation of data elements across different regions.
On 2 September, based on the practices in Jiangsu Province, the Jiangsu Provincial CAC published the Jiangsu Provincial Guidelines on the Application of Data Export Security Assessment (First Edition) (the “Guidelines”). The Guidelines are intended to clarify the application process and the definitions of important data and sensitive personal information.
On 29 September, Shanghai Data Group Ltd. was officially inaugurated. Based on the supply of franchised and authorized public data, state-owned enterprise data, and other social data, Shanghai Data Group provides compliant and secure data products and data services such as standardization, evaluation and pricing, as well as payment and settlement. The group, which spearheads the city’s effort in the investment and structuring of the data industry in key industry sectors, will play an important role in the investment and development of major data infrastructure in Shanghai.
On 17 September, China's first digital asset insurance innovation centre was established in Xi'an. As the protection and security of intangible assets has become an area of great importance for enterprises, the Digital Asset Insurance Innovation Center is committed to helping enterprises understand and manage their intangible assets such as trade secrets and privacy data with the confirmation of rights in data assets as the starting point for intellectual property protection. At the same time, the centre will tap into innovative insurance technology to enhance the protection of the data assets of enterprises.
On 9 September, the Beijing Consumers Association released a survey report on big data-enabled price discrimination. According to the survey, most consumers interviewed believe that the phenomenon known as “big data backstabbing” still exists, particularly in online travel and food delivery sectors, where user information is leveraged to market various prices and discounts to different customers. The Beijing Consumers Association suggests building a sound legal system and utilizing innovative methods in market regulation to strengthen the protection of personal information. The association also calls for the establishment of an online supervision platform for big data and urges enterprises to implement standard personal information protection measures.