
Published on October 24th, 2022


China Cybersecurity and Data Protection: Monthly Update – September 2022 Issue

Key highlights

The CAC finally released its guidelines for data export security assessment just a day before the six-month grace period for compliance started on 1 September. The guidelines set out the materials to be submitted to the CAC and provide for templates of the key materials, notably the application form and the self-assessment report.

Whilst it had been anticipated that the guidelines would provide important guidance to the numerous companies preparing for the assessment, they fall short of providing enough detail on some of the key issues in the application process. More importantly, some recent developments in the CAC's position on extraterritorial effect have also given rise to concerns over a drastic and unfounded extension of the scope of the security assessment, and to confusion over what should be a clear-cut boundary. We will discuss this further in our upcoming articles. Please stay tuned.

Regulatory Developments

1. CAC released Guidelines for Data Export Security Assessment Application (First Edition)

On 31 August, the Cyberspace Administration of China (CAC) released the Guidelines for Data Export Security Assessment Application (First Edition) (the "Guidelines"). The Guidelines set out the scope, method, procedure, required materials, and contact information for queries regarding the assessment application. In the annexes, the Guidelines also provide the detailed requirements for the application materials and the corresponding templates, including the power of attorney for the case handler, the application letter, and the self-assessment report.

2. China and US signed audit oversight cooperation agreement involving cross-border access to audit work papers

On 26 August, the China Securities Regulatory Commission (CSRC), the Ministry of Finance (MOF), and the US Public Company Accounting Oversight Board (PCAOB) signed an audit oversight cooperation agreement. The agreement sets out clear arrangements for cooperation between the two sides on regulatory inspections and investigations of relevant accounting firms and lays a solid foundation for further cooperation in accordance with the legal and regulatory requirements of both sides.

3. NHC issued Cybersecurity Management Measures for Medical and Healthcare Institutions

On 8 August, the National Health Commission (NHC) released the Cybersecurity Management Measures for Medical and Healthcare Institutions (the "Measures"). The Measures contain 34 articles, which set out the requirements for the management of cybersecurity, data security, and supervision, as well as the supporting measures for medical and healthcare institutions.

4. MOT released Measures for Management of Security Protection of Critical Information Infrastructure of Highways and Waterways (Draft for Comments)

On 23 August, the Ministry of Transport (MOT) released the Measures for the Management of the Security Protection of Critical Information Infrastructure of Highways and Waterways (Draft for Comments) (the "Measures"). The Measures contain 48 articles, which provide for the identification of critical information infrastructure of highways and waterways, the responsibilities and obligations of the operator, supporting and supervisory measures, and legal liabilities.

5. MIIT solicited comments on 55 sets of industry standards for approval, including Assessment Specifications for Protection of Rights of Mobile Internet Application (APP) Users

On 22 August, the Ministry of Industry and Information Technology (MIIT) released 55 sets of communication industry standards for public comments before approval. Among them, the standards related to cybersecurity and data protection mainly include the Assessment Specifications for the Protection of the Rights of Mobile Internet Application (APP) Users; the Assessment Specifications for the Implementation of the “Minimum Necessary” Principle in the Collection and Use of Personal Information by Mobile Internet Applications (APPs) Part 5: Device Information, Part 8: Video Information, and Part 10: Phone Call Records; and the Mobile Application Software Security Assessment Methods.

6. MIIT to actively promote development of cybersecurity insurance standards jointly with CBIRC and other departments

On 25 August, the Ministry of Industry and Information Technology (MIIT) mentioned in the Letter of Reply to the Proposal No. 00095 of the Fifth Session of the 13th National Committee of the Chinese People's Political Consultative Conference (the "Reply Letter") that the MIIT would take active measures to facilitate the development of cybersecurity insurance standards jointly with the China Banking and Insurance Regulatory Commission (CBIRC) and other departments. It was also stated in the Reply Letter that the MIIT would organize the formulation of the key standards related to the quantitative assessment of cybersecurity risks, risk monitoring management, and implementation of claims services to tackle the issues in the underwriting, monitoring, and claiming of cybersecurity insurance and would specify the cybersecurity insurance service processes and baseline requirements with an aim to promote the continued sound development of cybersecurity insurance.

7. MOT released Guidelines for Operation of Customized Shuttle Services, focusing on protection of passengers' personal information

On 10 August, the Ministry of Transport (MOT) released the Guidelines for the Operation of Customized Shuttle Services (the "Guidelines"). According to the Guidelines, e-commerce platforms that provide Internet information services related to customized passenger transportation are required to properly retain the passengers' personal information collected and the operation data generated for no less than three years. The platforms should also encrypt and de-identify passengers' personal information before it is made public, in order to protect the security of passengers' personal information.

8. TC260 released recommended national standard plans for data classification and grading and management of APP’s personal information processing activities

On 8 August, the National Information Security Standardization Technical Committee (TC260) released the list of the second batch of national standard project plans for cybersecurity in 2022, including nine recommended national standards such as the Information Security Technology - Network Data Classification and Grading Requirements and the Information Security Technology – Guidelines for the Management of Personal Information Processing Activities of Mobile Internet Applications (Apps) on Mobile Intelligent Terminals.

9. CCRC released Application Form for Data Security Management Certification

On 15 August, the China Cybersecurity Review Technology and Certification Center (CCRC) officially released the Application Form for Data Security Management Certification (the "Application Form"), the supporting document for data security management certification in China. It should be noted that enterprises should comply with the GB/T 41479 Information Security Technology - Network Data Processing Security Requirements and related standard specifications when applying for certification.

10. Shanghai held meeting on pilot work of data classification and grading and formulation of important data directory

On 24 August, the Shanghai Cyberspace Administration and the General Office of the city’s government held a meeting on the pilot work on data classification and grading and the formulation of an important data directory. It was pointed out in the meeting that this would involve a long-term, dynamic process that should take into account the business foundation and data characteristics and that the data classification and grading rules should be adjusted in accordance with the changes in business attributes, data volume, integrated application, usage scenarios, and policies. The meeting also stressed that the key to the development of data classification and grading and the important data directory lies in the application and that therefore special emphasis should be placed on the "usage" of data to achieve further progress underpinned by data security.

11. Shanghai carried out work on management of industrial Internet enterprise cybersecurity classification and grading for 2022

On 16 August, the Shanghai Municipal Economic and Information Technology Commission and the Shanghai Communications Administration issued a notice to launch the work on the management of cybersecurity classification and grading for industrial Internet enterprises for the year 2022. The work, based on the national cybersecurity classification and grading management service platform for industrial Internet enterprises, includes five steps in its workflow, namely self-grading by enterprises, grading verification by regulators, implementation of security measures, sampling assessment by regulators, and work review.

12. Guangdong released Guidelines for Establishment of Chief Data Officer System for Enterprises

On 24 August, the Department of Industry and Information Technology of Guangdong Province issued the Guidelines for the Establishment of the Chief Data Officer System for Enterprises in Guangdong (the "Guidelines") to encourage eligible enterprises to set up the post of Chief Data Officer (CDO) in their organizations. The system should, in principle, be led by enterprises with the support of the government and the collaboration of relevant parties. The Guidelines also provide specific guidance on the position details, candidate competency, job responsibilities, and supporting measures.

Enforcement Developments

1. Central CAC: over 20 companies planning to be listed abroad applied for cybersecurity review

On 19 August, the Publicity Department of the CPC Central Committee held a series of press conferences themed "China in the Past Decade". During the conference, the Central Cyberspace Affairs Commission (Central CAC) said that since the revised Cybersecurity Review Measures came into effect this February, more than 20 companies planning to go public abroad had applied for cybersecurity review with the National Cybersecurity Review Office. In addition, as for the follow-up of Didi’s cybersecurity review, the Central CAC said it would guide and urge the ride-hailing company to effectively implement the rectification measures and would also step up the enforcement actions in cybersecurity, data security, and personal information protection.

2. MIIT: 570,000 APPs were inspected in second quarter and 358 of them were ordered to rectify

On 3 August, the Ministry of Industry and Information Technology (MIIT) issued the Notice on the Quality of Telecommunications Services in the Second Quarter of 2022 (the "Notice"). According to the Notice, during the second quarter, the MIIT inspected a total of 570,000 APPs, of which 358 were ordered to rectify and 121 were publicly named. In addition, the MIIT also organized quarterly sampling inspections of APPs listed in APP stores and held the “Children Protection Plan - APP Personal Information Protection Review Conference" to strengthen the protection of APP users' rights.

3. MIIT reported 47 illegal APPs and SDKs

On 26 August, the Ministry of Industry and Information Technology (MIIT) reported 47 APPs and SDKs found to have infringed on users' rights. The list included several WeChat mini programs of catering enterprises, which were involved in the illegal collection of personal information, mandatory, frequent, and excessive access requests, deceiving and misleading users, and forcing users to turn on push notifications. According to the ministry, all the APP (SDK) operators were required to fully rectify these issues before 9 September or they would face corresponding administrative penalties.

4. CBIRC issued Notice on Special Rectification Action on Regulating Infringements of Personal Information Rights by Banking and Insurance Institutions

On 3 August, the China Banking and Insurance Regulatory Commission (CBIRC) issued the Notice on the Special Rectification Action on Regulating Infringements of Personal Information Rights by Banking and Insurance Institutions (the “Notice”) to all the banking and insurance regulatory bureaus in China. The Notice calls for comprehensive screening of the issues and loopholes regarding consumers' personal information protection in the banking and insurance sector and urges banking and insurance institutions to establish and improve the mechanism for consumers' personal information protection.

5. SPC, SPP, and MPS jointly issued Opinions on Several Issues Regarding Application of Criminal Procedures in Handling Information Network Crimes

On 30 August, the Supreme People's Court (SPC), the Supreme People's Procuratorate (SPP), and the Ministry of Public Security (MPS) jointly released the Opinions on Several Issues Regarding the Application of Criminal Procedure in Handling Information Network Crimes, effective from 1 September. The Opinions were issued to further regulate jurisdiction, evidence collection and examination, seized asset management, and other issues related to information network crime cases.

6. SPP released typical cases on enterprise network security and data compliance

On 10 August, the Supreme People's Procuratorate (SPP) released the third batch of typical cases on enterprise cybersecurity and data compliance. The cases, selected from those concluded by China's procuratorates, included both special compliance actions for large and medium-sized enterprises and simplified compliance procedures for small and micro enterprises.

7. Shanghai launched supervision and inspection campaign for network and data security for year 2022

On 1 August, the Public Security Bureau of Shanghai decided to launch a supervision and inspection campaign across the city, which will last until October 2022. The campaign focuses on the fulfilment of responsibilities and the safeguard measures in the protection of critical information infrastructure, the filing of the cybersecurity protection grading assessment, the implementation of rectification measures, etc.

8. SHCA reported 31 illegal APPs

On 22 August, the Shanghai Communications Administration (SHCA) released a list of illegal APPs after engaging a third-party testing agency to inspect the APPs in Shanghai for infringement of users' rights. It was found that 127 APPs were involved in issues such as "illegal collection of personal information" and "deceiving and misleading users into downloading APPs". The SHCA has notified the relevant APP operators and urged them to rectify the problems.

9. Jiangsu launched special inspection campaign for network and data security in the information and communication industry

On 11 August, a special inspection campaign for network and data security in the information and communication industry was launched in Jiangsu Province. The campaign would last for about 10 days, focusing on the loopholes and risks in the network assets of 4 basic telecommunications companies, 100 Internet companies in the province, and 200 industrial Internet companies.

10. ZJCA reported two batches of illegal APPs

On 3 August, the Zhejiang Provincial Communications Administration (ZJCA) issued a notice on the recent inspection of mobile APPs conducted by a third-party testing agency. The inspection found that a number of APPs were involved in issues such as "illegal collection of personal information", "excessive collection of personal information", and "forcing users to turn on push notifications". According to the ZJCA, all the APP operators were required in writing to fully rectify these issues within the set time frame.

11. Hangzhou Internet Court released ten typical cases on personal information protection

On 19 August, the Hangzhou Internet Court issued "Ten Typical Cases on Personal Information Protection", which covered difficult judicial issues such as the traditional personal information processing field, new personal information processing scenarios, personal information protection of civil subjects, the determination of compensation standards for personal information, and the preconditions for the exercise of the information subject's right to sue.

12. Hangzhou Internet Court released ten typical cases on data and algorithms

On 24 August, the Hangzhou Internet Court released the "Ten Typical Cases on Data and Algorithms", which involved a series of trending legal issues such as data ownership, data crawling, automated decision-making of platform algorithms, and the boundaries of commercial use of public data. The cases will serve as a reference for enterprises on how to use data and apply algorithms in compliance from the perspective of judicial adjudication.

13. Jiangxi Bank was fined 3.245 million CNY for data violations

On 3 August, the Nanchang Central Sub-branch of the People's Bank of China imposed an administrative penalty on Jiangxi Bank. According to the penalty decision, the bank's violations included the failure to submit the materials relating to account opening, change, and cancellation to the People's Bank of China as required; the failure to fulfil its customer identification obligations as required; conducting transactions with unidentified customers; and breaches of the management regulations on credit information collection, provision, queries, etc.

14. Haizhu District Police cracked down on illegal collection of personal information by mobile APPs

On 3 August, the Guangzhou Haizhu District Police launched a "100-Day Campaign" to crack down on the illegal collection of personal information by mobile APPs. To date, a total of 21 companies that were found with violations have been punished in accordance with the law.

Industry Developments

1. Guangdong issued first batch of Public Data Assets Registration Certificates

On 9 August, the Guangdong Provincial Government Service Data Administration (the "Administration") issued the first batch of "Public Data Assets Registration Certificates" in the province, while the first public data operation service provider approved by the Administration concluded contracts with various banks and insurance institutions in Shunde, Foshan City. The two events are a major breakthrough for the province, as they mark the first movement of data elements of public data products in south Guangdong after the key issues in the 10 stages (aggregation, authorization, governance, development, evaluation, registration, operation, matching, circulation, and monitoring) were resolved.

2. First batch of data brokers "licensed" in Guangdong

On 10 August, the licence awarding ceremony for the first batch of "Data Brokers" was held in Haizhu District, Guangzhou City, Guangdong Province, marking a major breakthrough for the pilot national data broker program. The broker list includes three companies: Guangdong Power Grid Energy Investment Co., Ltd., a subsidiary of Guangdong Power Grid Corporation; Guangzhou Finance Holdings Credit Service Co., Ltd., a subsidiary of Guangzhou Finance Holdings Group Co., Ltd.; and Guangzhou Vipshop Information Technology Co., Ltd., a subsidiary of Vipshop (China) Co., Ltd.

3. Guangdong Data Exchange to open soon

On 9 August, according to an announcement by Guangzhou Exchange Group, Guangdong Big Data Exchange Center Co., Ltd. (Guangdong Data Exchange) will open soon in the China (Guangdong) Free Trade Pilot Zone. To date, in addition to Guangdong Big Data Exchange Center Co., Ltd., three other data trading-related companies have been set up in Guangdong: Shenzhen Southern Big Data Trading Co., Ltd., Shenzhen Data Trading Co., Ltd., and South China (Guangdong) International Data Trading Co., Ltd.

4. Zhengzhou Data Exchange launched in Zhengzhou

On 21 August, Zhengzhou Data Exchange (ZDE) was inaugurated. ZDE is a provincial-level trading platform approved by the People's Government of Henan Province and supervised by the Provincial Department of Industry and Information Technology. The products listed for trading mainly include data services, data reports, APIs, data applications, etc., covering communications, power, transportation, meteorology, finance, and other businesses in and outside the province.