This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Key highlights

The China Banking and Insurance Regulatory Commission (“CBIRC”) issued the draft Administrative Measures for Protection of Consumer Rights and Interests by Banking and Insurance Institutions for public consultation in the context of intensified regulatory efforts of the financial regulators to protect consumer rights and a fast-developing data protection regime in China. The Draft Measures incorporated many data protection obligations of the PIPL and at the same time set out a series of special requirements specific to the banking and insurance industry. Banking and financial institutions should be prepared to implement such requirements under the Draft Measures which are expected to be finalised in the near future.

China reports the first case where the procuratorate has decided not to prosecute a company for a data protection and cybersecurity offence on the basis of a compliance evaluation. Companies suspected of committing data-related criminal offences can seek a non-prosecution decision from the procuratorate if they meet the requirements of the corporate non-prosecution scheme. More importantly, companies should establish and continuously improve their data compliance systems to avoid data and cybersecurity breaches, and to demonstrate to the authorities that adequate compliance measures have been taken in the event of such a breach.

Please read our articles at the links below for more details.

Our Views

China Reports First Case of Corporate Non-Prosecution for Data Protection and Cybersecurity Offenses

CBIRC will Strengthen Protection of Consumers’ Personal Information

Regulatory Developments

1. CBIRC released the Administrative Measures for the Protection of Consumer Rights and Interests by Banking and Insurance Institutions and the Administrative Measures for Regulatory Statistics of Banking and Insurance Sectors for public comments

On 19 May, the China Banking and Insurance Regulatory Commission (CBIRC) released the Administrative Measures for the Protection of Consumer Rights and Interests by Banking and Insurance Institutions (Draft for Comment) (the “Administrative Measures for the Protection of Consumer Rights and Interests”) and the Administrative Measures for Regulatory Statistics of Banking and Insurance Sectors (Draft for Comment) (the “Administrative Measures for Regulatory Statistics”) to solicit public opinions.

The Administrative Measures for the Protection of Consumer Rights and Interests set out requirements for protecting consumers’ right to information security in the following areas: principles of personal information protection, personal information protection mechanisms, personal information processing, automated marketing, partnership management and internal audit. The Administrative Measures for Regulatory Statistics set out requirements for the management of supervisory and statistical documents in the following areas: establishing a whole-process management mechanism to ensure data quality, establishing a robust information system that meets business needs, strengthening management of the storage of regulatory statistics, and developing data analysis capabilities.

2. The Information security technology - Requirements of privacy policy of Internet platforms, products and services (Draft for Comments) was released for public comments

On 26 May, the National Information Security Standardization Technical Committee (TC260) released a recommended national standard, i.e. the Information security technology - Requirements of privacy policy of Internet platforms, products and services (Draft for Comments) (the “Requirements”) to solicit public opinions. The Requirements mainly specify five aspects regarding the privacy policy of Internet platforms and their products or services: the preparation procedures, detailed content, release form, revision process and dispute handling.

3. Four industry standards of the “Application personal information collection and usage minimization and necessity evaluation specification” were released for public comments

On 7 May, the Ministry of Industry and Information Technology (MIIT) released four industry standards concerning the Application personal information collection and usage minimization and necessity evaluation specification (collectively referred to as “Specification Series”) to solicit public opinions. The Specification Series apply to APP providers and other terminal providers for their processing activities of users’ personal information.

4. The Classification guide for pre-installed applications on smartphones was released

On 11 May, the TC260 issued TC260-002, the Classification guide for pre-installed applications on smartphones (the “Guide”). The Guide applies to the production activities of smartphone manufacturers and can also serve as a practical guide for the supervision, management, testing and evaluation of pre-installed applications. The Guide classifies pre-installed smartphone applications as either non-uninstallable or uninstallable, and limits non-uninstallable pre-installed applications to the following functions: system settings, file management, multimedia video, making phone calls, sending and receiving text messages, address book, browser and application store. At most one non-uninstallable pre-installed application may be provided for any given function.

5. CBIRC promotes the development of industry standards related to insurance industry data

On 27 May, the CBIRC issued the Plan for the Standardization in Insurance Sector during the 14th Five-year Plan Period (the “Plan”). The Plan specifies that during the 14th Five-Year Plan period, the insurance industry will: (1) promote the industrial standards in the following areas: business data, risk data and information disclosure, (2) develop standards for data sharing and exchange between commercial insurance and medical / social security, (3) develop basic data standards for risk supervision in the insurance industry and develop a data system for insurance supervision, (4) develop standards for business data and information interaction in the insurance intermediary industry, and (5) develop standards for categorization and classification of insurance data and technical standards for data and information exchange in the insurance industry.

6. NDRC promotes the sharing of health big data

On 10 May, the National Development and Reform Commission (NDRC) issued the Plan for the Development of Bioeconomy during 14th Five-Year Plan Period (the “Plan”). The Plan proposes to develop the bioinformatics industry, integrate multi-source heterogeneous data and promote data sharing. The Plan also aims to further explore the application of health data in the following fields: medical research, education and training, clinical treatment, product development, industry governance, and medical insurance payment.

7. NDRC is developing data elements related policies

On 17 May, the National Committee of the Chinese People’s Political Consultative Conference (CPPCC) held a conference in Beijing on the topic of “Promoting the sustainable and healthy development of the digital economy”. At the conference, CPPCC members suggested exerting the value of digital elements to develop the digital economy. The deputy director of the NDRC said that the NDRC is currently taking the lead in designing the regulatory framework in this regard and will accelerate the draft process of the data elements related policies.

8. The National Medical Products Administration proposes to improve cybersecurity capacity

On 11 May, the National Medical Products Administration issued the Plan for Cybersecurity and Application of Information Technology in Medical Products Regulation during the 14th Five-year Plan Period (the “Plan”). The Plan underlines the improvement of cybersecurity capacity as one of the four key tasks and sets out 16 detailed tasks, including building national and provincial data centers, improving cybersecurity trust system and security management operation centers.

9. The Opinions on Promoting the Implementation of the National Cultural Digitization Strategy proposes strengthening data security in cultural industries

On 22 May, the General Offices of the CPC Central Committee and the State Council issued the Opinions on Promoting the Implementation of the National Cultural Digitization Strategy (the “Opinions”). The Opinions outline 8 key tasks, including digitization of the cultural industry, and further requires the development of cultural data security standards, the construction of a cultural data security supervision system, and the protection of property rights of cultural data and cultural digital content in the stages of data collection, processing, trading, transfer, storage and data governance.

10. Shanghai protects the personal information collected due to epidemic prevention from leakage

On 24 May, Shanghai released the Decision on Further Promoting and Protecting the Construction of “A Network for Unified Management” (the “Decision”). The Decision specifies that people entering public places, residential areas and other places should accept verification of their personal epidemic prevention and control information. The collection and processing of personal epidemic prevention and control information must comply with the laws and regulations on personal information protection. The personal information collected may be used only for the purposes of epidemic prevention and control and must not be disclosed by anyone.

Enforcement Developments

1. MIIT carries out security activities for industrial Internet

On 13 May, the MIIT issued the Notice on Industrial Internet Security Activities (the “Notice”) to carry out security assessment for industrial Internet. According to the Notice, the action aims to (1) promote industrial Internet security-related policies and standards, (2) improve the mechanism of independent grading, grading verification, security protection and risk assessment, (3) implement nationwide cybersecurity categorization and classification of industrial Internet enterprises, (4) urge enterprises to implement their responsibilities to maintain cybersecurity, and (5) enhance the security and safety capabilities of the industrial Internet.

2. The China Securities Regulatory Commission issued the Notification on Agency Supervision regarding security incidents of information systems

It was reported on 25 May that the China Securities Regulatory Commission recently issued the Notification on Agency Supervision (the “Notification”), focusing on recent information system security incidents. The Notification points out that the frequent information security incidents reflect the following problems: (1) inadequate internal compliance controls; (2) a lack of awareness of responsibilities, failure to meet obligations, and incomplete understanding of the system architecture of software supplied by external vendors; (3) insufficiently standardized operations by operational personnel, and a failure by the enterprises concerned to establish an effective access control mechanism; (4) deficient management of APP development; and (5) loopholes in security management.

3. Public hearing was held on the first case of corporate non-prosecution for data protection and cybersecurity offences

On 10 May, the Putuo District People’s Procuratorate in Shanghai held a public hearing on its proposed decision not to prosecute a company for the alleged illegal acquisition of data from computer information systems. The hearing concluded that the non-prosecution decision was appropriate on the ground that the company had implemented adequate compliance measures. This is the first reported case where the procuratorate has decided not to prosecute a company for a data protection and cybersecurity offence on the basis of a compliance evaluation.

4. Judgment pronounced in the first web “crawler” case in the short-video platform sector

On 10 May, the People’s Court of Liangxi District, Wuxi sentenced the defendant Ding to one year and six months in prison, suspended for two years, and a fine of 30,000 CNY for the crime of providing programs used for intruding into computer information systems. This is the first case involving the use of a web crawler in the short-video platform sector. According to reports, in 2021 the defendant repackaged an illegal crawler software and sold it to the public, making an illegal profit of more than 24,000 CNY.

5. MIIT: “Double List” makes data protection measures stronger

It was reported on 5 May that the MIIT recently indicated that the transparency of information services should be improved, and that the MIIT will urge major Internet enterprises to establish a “double list” for personal information protection (i.e. a list of personal information collected and a list of personal information shared with third parties).

6. The first Data Resource Court in China was established

On 18 May, the Data Resources Court of the People’s Court of Ouhai District, Wenzhou was officially established. It is the first court in China to handle data resource cases as its core business. The court adopts a three-in-one model combining criminal, civil and administrative adjudication, which helps to further clarify the boundaries of legality in the production, storage, use and trading of data.

7. The Beijing Communications Administration starts the 2022 cybersecurity and data security inspection of the telecom and Internet industry

On 19 May, the Beijing Communications Administration issued a notice announcing the launch of the 2022 cybersecurity and data security inspection of the telecom and Internet industry. The inspection focuses on the implementation of cybersecurity, data security and personal information protection requirements for critical information infrastructure and important information systems.

8. The Beijing Municipal Education Commission and 2 other departments issued the Notice on Further Improving the Filing and Management of Educational Mobile Internet Applications

On 10 May, the Beijing Municipal Education Commission and 2 other departments jointly issued the Notice on Further Improving the Filing and Management of Educational Mobile Internet Applications (the “Notice”). The Notice requires that educational APPs whose main users are teachers and students be filed on the filing management platform (https://app.eduyun.cn/) and forbids them from disseminating negative information, bad information, game links and advertisements. The Notice also specifies that Beijing will no longer accept filing applications for APPs developed for online training and education at the pre-elementary-school level, and will revoke the filings of such APPs that have already been filed.

9. The National Computer Virus Emergency Response Center reported 30 APPs with privacy non-compliance in May

In May, the National Computer Virus Emergency Response Center found a total of 30 mobile APPs with privacy non-compliance through Internet monitoring. These APPs mainly involve the following problems: (1) the APP does not inform users of all the privacy permissions it applies for; (2) the APP starts collecting personal information before obtaining users’ consent; (3) the APP does not provide effective functions for correcting and deleting personal information and cancelling user accounts, or sets unreasonable conditions for cancelling accounts; (4) the APP does not establish and announce channels for personal information security complaints and reports, or exceeds its promised response time limit.

10. The Cyberspace Administration of Hainan Province reported 4 dating APPs with privacy non-compliance

On 24 May, the Cyberspace Administration of Hainan Province reported 4 dating APPs for the following problems: (1) collecting personal information, or enabling permissions that can collect personal information, after users have explicitly refused, or repeatedly seeking users’ consent; (2) collecting personal information, or enabling permissions that can collect personal information, beyond the scope of the APP’s existing business functions; (3) collecting sensitive personal information such as users’ ID numbers without informing users of the purpose at the same time, or stating a purpose that is unclear or difficult to understand; (4) refusing to provide business functions because the user declines to provide non-essential personal information or to enable non-essential permissions.

11. Shaoxing Bank was fined 5.5 million CNY for failure to keep customer identification information as required

On 20 May, the Hangzhou Central Sub-branch of the People’s Bank of China released an administrative penalty notice. According to the notice, Shaoxing Bank was fined 5.5 million CNY for the following 4 violations: (1) failure to fulfil customer identification obligations as required, (2) failure to keep customer identification information and transaction records as required, (3) failure to fulfil large and suspicious transaction reporting obligations as required, and (4) trading with unidentified customers. In addition, 7 responsible persons at the bank were fined between 10,000 and 70,000 CNY each.

12. The Consumer Rights Protection Commission of Jiangsu Province pointed out that 14 new energy vehicle companies use personal information inappropriately

On 19 May, the Consumer Rights Protection Commission of Jiangsu Province released the Investigation Report on Unfair Standard Terms in the New Energy Vehicle Industry (the “Report”), pointing out that 14 new energy vehicle companies use personal information inappropriately. The Report finds that the processing of personal information described in these companies’ agreements does not comply with the law: the companies concerned violate the principle of non-collection by default, collect personal information that is obviously unnecessary, violate the principles of voluntary authorization and necessity, fail to address information security issues, and fail to handle individual rights requests in a timely manner.

13. The Consumer Commission of Guangdong Province: consumer records belong to consumers’ personal information and network operators should protect consumers’ right of access and copy

On 19 May, the Consumer Commission of Guangdong Province published a case on its official website in which a live-streaming platform refused to provide users with their personal account consumption information. Under the relevant provisions of the law, users’ consumption records on the live-streaming platform are their personal information. The live-streaming platform, as a platform operator processing consumers’ personal information, should respect consumers’ rights of access and copy.

Industry Developments

1. Guiyang Big Data Exchange released the first data-trading-rule system in China

On 27 May, the Guiyang Big Data Exchange held its data trading rules conference, at which the first data-trading-rule system in China was released. The system covers a series of documents, including rules for the circulation and trading of data elements, guidelines for data product cost assessment, data product trading price assessment, data asset value assessment, data trading compliance review, and data trading security assessment.

2. The first Personal Data Center White Paper in China was released

On 26 May, 2022, China International Big Data Industry Expo held the first “Personal Data Centre” forum. During the forum, China’s first Personal Data Centre White Paper (the “White Paper”) was released. The White Paper covers the basic concepts, technical components and application scenarios of personal data centres.