REGULATIONS

CAC seeks comments on scope of necessary personal information required for 38 types of Apps

On December 1, 2020, the Cyberspace Administration of China (“CAC”) issued the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications (Draft for Comment) (the “Draft for Comment”) for public comments by December 16, 2020.

The Draft for Comment stipulates the scope of necessary personal information required for 38 common types of Apps such as map navigation App, online car-hailing App, and instant messaging App. In particular, the Draft for Comment provides that as long as a user gives consent to the collection of its necessary personal information required for an App, such App shall not refuse the user’s installation and use. Meanwhile, a total of 12 types of Apps, including online live streaming App, online audio and video App, short video App, and browser App, shall provide basic functional services without asking personal information of users.

http://www.cac.gov.cn/2020-12/01/c_1608389002456595.htm

Three departments released the Announcement on Issuing the Import Licensing List and Export Control List of Commercial Cryptography and Relevant Administrative Measures

On December 2, 2020, the Ministry of Commerce (the “MOC”), the State Cryptography Administration (the “SAC”) and the General Administration of Customs (the “GAC”) jointly released the Announcement on Issuing the Import Licensing List and Export Control List of Commercial Cryptography and Relevant Administrative Measures (the “Announcement”).

Main contents of the Announcement are as below:

1. In order to safeguard national security and public interests, it is hereby decided to carry out import licensing and export control for relevant commercial cryptography.
2. Regarding the import of items and techniques set out in the Import Licensing List of Commercial Cryptography, i.e., encrypted telephone sets, encrypted fax machines, cryptographic machines (cards) and encrypted VPN equipment, the import license of dual-use items and techniques shall be applied for with the MOC.
3. Regarding the export of items and techniques specified in the Export Control List of Commercial Cryptography, including security chips, key management products, special cryptographic equipment and cipher development and production equipment, the export license of dual-use items and techniques shall be applied for with the MOC.

This Announcement shall enter into force on January 1, 2021, and the Announcement No. 18 of the State Cryptography Administration and the General Administration of Customs, the Announcement [2012] No. 64 of the General Administration of Customs and the State Cryptography Administration, the Announcement No. 27 of the State Cryptography Administration and the General Administration of Customs, and the Announcement No. 38 of the State Cryptography Administration, the Ministry of Commerce and the General Administration of Customs are to be repealed simultaneously.

http://www.mofcom.gov.cn/article/zwgk/zcfb/202012/20201203019733.shtml

MIIT announced the seventh batch of Apps for infringement on users’ rights and interests

On December 21, 2020, the Ministry of Industry and Information Technology (“MIIT”) announced the seventh batch of apps for infringement on users’ rights and interests. The main problems involved are as follows:

1. collecting and using personal information in violation of laws and regulations;
2. asking for permission mandatorily and in an excessively frequent way;
3. deceiving and misleading users to download Apps; and
4. App information on the App distribution platform is not clear.

https://www.miit.gov.cn/jgsj/xgj/gzdt/art/2020/art_13136b980ab444519feac1c3b3c48086.html

MHRSS: A human resource service agency shall ensure personal information security

On December 23, 2020, the Ministry of Human Resource and Social Security (“MHRSS”) issued the Administrative Provisions on Online Recruitment Services (the “Provisions”), which will take effect from March 1, 2021.

On personal information protection, the Provisions provide:

• A human resource service agency engaged in online recruitment services shall strengthen cybersecurity management, fulfill cybersecurity protection obligations, and take technical or other necessary measures in accordance with the requirements of national cybersecurity laws, administrative regulations and multi-level protection system of cyber security, to ensure the security of the recruitment service network, information system and user information.
• A human resource service agencyshall establish and improve the information protection system for online recruitment service users, and shall not disclose, tamper with, damage or illegally sell, or illegally provide other people with the ID card number, age, gender, address, contact information and business status of the employer.
• Ahuman resource service agency shall conduct self-examination on the information protection of online recruitment service users at least once a year, record the self-examination situation, and timely eliminate the security risks found in the self-examination.
• Where a human resource service agency engaged in online recruitment services does need to provide an overseas institution with the personal information and important data collected and generated in its operations within the territory of China due to business needs, it shall comply with relevant laws and administrative regulations of the State.

http://www.mohrss.gov.cn//xxgk2020/fdzdgknr/zcfg/bmgz/202012/t20201223_406512.html

MIIT issued the Construction Guidelines of Data Security Standard System in Telecom and Internet Industry

On December 25, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Construction Guidelines of Data Security Standard System in Telecom and Internet Industry (the “Guidelines”)

The Guidelines include standards of basic generality, critical technology, safety management and critical areas. The standards of basic generality include the definition of terms, data security framework, data classification and grading, etc., which provide basic support for various standards. The critical technology standards regulate the critical technology of data security from a whole life cycle dimensions of data collection, transmission, storage, processing, exchange, destruction, etc. Security management standards include data security specification, data security assessment, monitoring, early warning and disposal, emergency response and disaster backup, security capability certification, etc. Critical areas standards include 5G, mobile Internet, Internet of vehicles, Internet of things, industrial Internet, cloud computing, big data, artificial intelligence, blockchain and other critical areas.

Data security standards in the field of the Internet of vehicles mainly include the data security of the cloud platform of the Internet of vehicles, the data security of V2X communication, the data security of the intelligent connected vehicle, and the data security of the mobile App of the Internet of vehicles, etc.

Data security standards in the field of mobile Internet mainly include personal information protection of mobile applications, SDK security of mobile applications, etc.

Data security standards in the field of artificial intelligence mainly include data security of artificial intelligence platform, personal information protection of artificial intelligence terminal, etc.

https://www.miit.gov.cn/zwgk/zcwj/wjfb/txy/art/2020/art_4a6aca0048b742ea97cfb280e981125e.html

CONTACT US

REGULATIONS

NISSTC issued the Guidelines for Data Security of Online Car-booking Services (Draft for Comment)

On November 10, 2020, the Secretariat of the National Information Security Standardization Technical Committee (“NISSTC”) issued the Information Security Technology – Guidelines for Data Security of Online Car-booking Services (Draft for Comment) (the “Draft”) for public comments by January 8, 2021.

The Draft specifies the types, scope, methods and conditions of collection, storage, use, sharing, public disclosure and deletion of data, as well as data security management requirements.

The requirements of data collection are as follows:

• before collecting the personal information of users, online car-booking service operators shall inform users and obtain the consent of users;
• When users refuse to provide personal information other than the minimum necessary personal information, online car-booking service operators shall not refuse to provide the online car-booking service; and
• When users refuse to provide the minimum necessary personal information corresponding to the optional business function of online car-booking service, online car-booking service operators can refuse to provide the corresponding optional business function service but should not refuse to provide online car-booking service.

The requirements of data transmission and storage are as follows:

• When online car-booking service operators transmit personal information through the Internet, they should adopt security measures such as encryption;
• Online car-booking service operators shall store the personal identification information, facial recognition features and audio and video trip recordings data of passengers and drivers separately;
• It is not suitable for online car-booking service operators to store the travel track and audio and video trip recordings data in the office terminal, but in the server with security measures.

The Draft also stipulates that online car-booking service operators should not abuse big data analysis and other technical means to set unfair trading conditions based on user consumption records and consumption preferences, thus infringing on users’ legitimate rights and interests.

https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20201110160208&norm_id=20201030200001&recode_id=40116

NISSTC issued the Guidelines on the Code of Ethics for Artificial Intelligence (Draft for Comment)

On November 9, 2020, the Secretariat of the National Information Security Standardization Technical Committee (the “NISSTC”) issued the Practice Guide to Cybersecurity Standards – Guidelines on the Code of Ethics for Artificial Intelligence (Draft for Comment) (the “Draft”) for public comments by November 23, 2020.

The Draft gives safety risk warnings regarding potential ethical issues associated with artificial intelligence (“AI”), and provides guidelines for AI research and development, design and manufacturing, deployment and application, consumer use and other related activities.

On deployment and application, the Draft stipulates that the deployer should explain the functions, limitations, risks and impacts of systems, products or services related to AI to users in a timely, accurate, complete, clear and unambiguous manner, and explain the relevant application process and application results. The deployer should also provide users with a clear and easy way to operate mechanism to refuse or stop using systems, products or services related to AI. After users refuse or stop using systems, products or services related to AI, the deployer should provide users with alternative non-AI options as far as possible.

https://www.tc260.org.cn/front/postDetail.html?id=20201109163419

RCEP: To protect the personal information of electronic commerce users

On November 15, 2020, the Regional Comprehensive Economic Partnership Agreement (“RCEP”) was concluded. The RCEP consists of 20 chapters, covering comprehensive market access commitments on goods, services, investment and other areas.

The Chapter “Electronic Commerce” of RCEP stipulates that the party to the RCEP is:

• encouraged to improve trade management and procedures through electronic means;
• required to create a favorable environment for electronic commerce, to protect the personal information of electronic commerce users, provide protection for online consumers, and strengthen supervision and cooperation on unsolicited commercial electronic information.

On cross-border transfer of information by electronic means, RCEP also provides the party shall not prevent cross-border transfer of information by electronic means where such activity is for the conduct of the business of a covered person.

http://fta.mofcom.gov.cn/rcep/rceppdf/d12z_en.pdf

Announcement on 35 App for non-compliance with collecting and using personal information

On November 13, 2020, Task Force on Apps for Illegal Collection and Use of Personal Information (“Force”) finds that there are problems in the collection and use of personal information of 35 Apps. It is suggested that the relevant App operators should rectify the existing problems in time and feedback the rectification situation to the Force within 30 days from now on. After the 30 days, the Force will verify the rectification situation, submit the review results to the relevant departments, and handle those that cannot be effectively rectified according to laws.

https://mp.weixin.qq.com/s/KGFSSM9yuIxs9Wrv2tR24w

Live streaming platforms shall establish a mechanism for personal information protection 

On November 13, 2020, the Cyberspace Administration of China (“CAC”) issued the Administrative Provisions on Live Streaming Marketing Information Content Services (Draft for Comment) (the “Draft”) to solicit public comments by November 28, 2020.

The Draft stipulates that live streaming platforms shall establish a sound mechanism for registration and cancellation of accounts and live streaming marketing business, information security management, codes of conduct for marketing, minors’ protection, users’ rights protection, personal information protection, credit evaluation and data security. At the same time, the Draft provides live streaming platforms shall strengthen the service management of live streaming information on the Internet. If illegal and bad information is found, it shall immediately take measures to deal with it, keep relevant records and report to the relevant competent authorities. Live streaming platform shall prevent and stop illegal advertising, price fraud and other violations of users’ rights and interests and warn users of the risks of private transactions outside the platform in a prominent way.

http://www.cac.gov.cn/2020-11/13/c_1606832591123790.htm

PBOC issued the Testing and Evaluation Guidelines for Classified Protection of Cybersecurity of Financial Industry and the Implementation Guidelines for Classified Protection of Cybersecurity of Financial Industry

On November 11, 2020, the People’s Bank of China(“PBOC”) formally issued two standards in financial industry, namely the Testing and Evaluation Guidelines for Classified Protection of Cybersecurity of Financial Industry (“Testing and Evaluation Guidelines”) and the Implementation Guidelines for Classified Protection of Cybersecurity of Financial Industry (“Implementation Guidelines”).

The Testing and Evaluation Guidelines stipulate the general requirements and extended requirements of security evaluation for Level-2, Level-3 and Level-4 protected objects in the financial industry. The Testing and Evaluation Guidelines are applicable to guide financial institutions, evaluation institutions and the competent departments of cybersecurity classified protection in the financial industry to conduct security evaluation on the security status of the classified protection objects.

The Implementation Guidelines include six parts, which regulate:

• the cybersecurity framework of the financial industry and the security requirements corresponding to different security levels,
• the basic framework and terminology definition of the cybersecurity level protection work in the financial industry,
• the cybersecurity post setting requirements of financial institutions,
• the cybersecurity post ability requirements,
• the cybersecurity personnel ability evaluation requirements,
• the cybersecurity training related requirements, and
• the financial institutions cybersecurity level protection audit implementation requirements, etc.

The Implementation Guidelines are applicable to guide financial institutions, evaluation institutions and competent departments of financial industry to implement classified cybersecurity protection.

https://www.cfstc.org/bzgk/gk/view/bzxq.jsp?i_id=1891

https://www.cfstc.org/bzgk/gk/view/bzxq.jsp?i_id=1885

NISSTC issued the Practice Guide to Cybersecurity Standards – Security Guidelines for Using Software Development Kit (SDK) for Mobile Internet Applications

On November 27, 2020, the Secretariat of the National Information Security Standardization Technical Committee (“NISSTC”) issued the Practice Guide to Cybersecurity Standards – Security Guidelines for Using Software Development Kit (SDK) for Mobile Internet Applications (“Guidelines”).

The Guidelines provide the responsibilities of the parties involved in the use of the SDK and the common security issues, as well as the security principles and measures of App providers and SDK providers for common problems. The Guidelines are applicable to preventing SDK security and compliance risks when App providers use the SDK, and also provide reference for SDK providers in protecting SDK security and user personal information.

According to the Guidelines, App providers should take adequate security measures to ensure that there is no security risk when using SDKs, such as conducting security assessment on the SDK before integrating SDKs, conducting continuous dynamic monitoring or regular security assessment on the integrated SDK, signing a cooperation agreement with SDK providers or further improving the cooperation agreement with the SDK providers.

Besides, SDK providers should collect personal information at the lowest frequency necessary to realize its own business functions, and enhance its own security by means of code audit and code obfuscation.

https://www.tc260.org.cn/upload/2020-11-27/1606438309423027911.pdf

CONTACT US

REGULATIONS

MIIT launches 2020 program of checking cyber security in telecommunications and internet industries

On October 9, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Circular on Working Effectively on the 2020 Program of Checking the Cyber Security in the Telecommunications and Internet Industries (the “Circular”).

The Circular provides that the checking object includes networks and systems constructed and operated by basic telecommunication enterprises, Internet enterprises, domain name registration management and service institutions that have obtained the permission of competent telecommunication authorities according to the law. In addition, the checking will focus on the critical information infrastructure as well as important network units and their carrying information systems of the telecommunications and Internet industries, including but not limited to 5G network infrastructure, Mobile App Store, Internet of Things platforms, Industrial Internet platform, Internet of Vehicles application service platform and online car-hailing information service platforms.

Three main contents of the checking are the implementation of cyber security management, technical measures for cyber security protection, and hidden dangers of major cyber security risks.

http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057724/n3057729/c8112434/content.html

CAC seeks opinions on revising Administrative Provisions on Information Services Provided through Official Accounts to Internet Users

On October 15,2020, the Cyberspace Administration of China (“CAC”) issued the Administrative Provisions on the Information Services Provided through Official Accounts to Internet Users (Draft for Comments) (the “Draft”) for public comments by October 30, 2020.

The Draft stipulates that a platform for the information services provided through official accounts should: prohibit those official accounts that have been closed in accordance with the law and agreement from re-registering with the same account names; review the application for the registration of official accounts engaged in producing the information on the economic, education, health, justice and other fields, and require users to provide the evidentiary materials related to their professional background and professional qualifications when registering; official account information service platform can suspend or terminate the provision of services according to the service agreement for those official accounts that are not logged in or used for more than six months after Internet users have registered; prohibit the compulsory subscription to or following of official accounts of other users without the informed consent of Internet users; and ten kinds of behaviors are prohibited, among which it is required not to “manipulate and utilize multiple platform accounts, release homogeneous information in batch, generate false traffic data, and create false public opinion hot spots”.

http://www.cac.gov.cn/2020-10/15/c_1604325530663495.htm

Standing Committee of the National People’s Congress adopts the Export Control Law

 The Export Control Law of the People’s Republic of China (the “Export Control Law”), adopted at the 22nd Session of the Standing Committee of the 13th National People’s Congress on October 17, 2020, is promulgated, effective on December 1, 2020.

According to the Export Control Law, the term “export control” refers to prohibitive or restrictive measures taken by the State against the transfer of controlled items from the territory of the People’s Republic of China to overseas, and the provision of controlled items by citizens, legal persons and other non-incorporated organizations of the People’s Republic of China to foreign organizations and individuals.

The Export Control Law provides reciprocal measures: where any country or region harms the national security and interests of the People’s Republic of China by abusing the export control measures, the People’s Republic of China may take reciprocal measures against such country or region in light of the actual situations.

The Export Control Law also stipulates that where an exporter has established an internal compliance system for export control and is in good operation, the State’s export control authorities may grant it a general license or take other facilitation measures for relevant controlled items exported by it. Specific measures shall be formulated by the State’s export control authorities.

http://www.npc.gov.cn/npc/c30834/202010/cf4e0455f6424a38b5aecf8001712c43.shtml

China will establish a biosafety information sharing system and biosafety information release system

The Biosecurity Law of the People’s Republic of China (the “Biosecurity Law”) is adopted at the 22nd Session of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on October 17, 2020, effective April 15, 2021.

The Biosecurity Law provides that the State will establishes a biosafety information sharing system. The national biosafety work coordination mechanism shall organize to establish a unified national biosafety information platform, and the relevant authorities shall collect and deliver the biosafety data and materials and other information to the national biosafety information platform to achieve information sharing.

In addition, the Biosecurity Law provides that the State will establishes a biosafety information release system. Major biosafety information such as the overall situation of the national biosecurity, major biosecurity risk warnings, major biosecurity incidents and their investigation and handling information shall be released by the members of the national biosafety work coordination mechanism according to the division of their responsibilities; other biosafety information shall be released by the relevant departments under the State Council, the local people’s governments at or above the county level and the relevant departments thereof according to their responsibilities and authority. No organization or individual may fabricate or spread false biosafety information.

The Biosecurity Law also requires that where the information on human genetic resources of China is to be provided or made available for use to any overseas organization or individual or the institution established or actually controlled thereby, a report shall be submitted in advance to the department in charge of science and technology under the State Council and information backup shall be submitted.

http://www.npc.gov.cn/npc/c30834/202010/85c189382f6641f8aac2fa1994809df7.shtml

The Chapter Network Protection has been added to the Law on the Protection of Minors

The 22nd Session of the Standing Committee of the 13th National People’s Congress adopted the Law of the People’s Republic of China on the Protection of Minors (Revised in 2020) (the “Law “) on October 17, 2020, which shall take effect from June 1, 2021.

The Chapter Network Protection has been added to the revised Law and the provisions on the protection of minors’ personal information are as follows:

• Information processors who process personal information of minors through the Internet shall follow the principles of legality, legitimacy and necessity. On processing the personal information of minors under the age of 14, the consent of their parents or other guardians shall be obtained, except as otherwise provided by laws and administrative regulations.
• If minors, theirparents or other guardians require the information processor to correct or delete the personal information of minors, the information processor shall take timely measures to correct or delete the personal information, unless otherwise provided by laws and administrative regulations.
• If the Internet service provider discovers that minors release private information through the Internet, they shall prompt them in time and take necessary protection measures.
• If the Internet service provider discovers that the user publishes or disseminates information that may affect the physical and mental health of minors without making a noticeable reminder, it shall make a reminder or notify the user to be reminded; if no reminder is given, the relevant information shall not be transmitted.
• If the Internet service provider finds that the user publishes and disseminates the information that endangers the physical and mental health of minors, it shall immediately stop transmitting the relevant information, take measures such as deleting, shielding and disconnecting links, keep relevant records, and report to the cyberspace administration, public security and other departments.
• If the Internet service provider discovers that a user has committed an illegal or criminal act against a minor by using its Internet service, it shall immediately stop providing Internet service to the user, keep relevant records and report to the public security organ.

http://www.npc.gov.cn/npc/c30834/202010/82a8f1b84350432cac03b1e382ee1744.shtml

Network transaction operators shall keep the personal information collected strictly confidential 

On October 20, 2020, the State Administration for Market Regulation issued the Measures for the Supervision and Administration of Online Transactions (the “Draft”) for public comments by November 2, 2020.

On the protection of personal information, the Draft stipulate that network transaction operators shall obtain the authorization and consent of the collector when collecting and using the personal information of users, and clearly state the purpose, necessity, scope and method of collection and use based on the principle of legality, legitimacy and necessity. It is not allowed to adopt a one-off general authorization method, or to force or disguisedly force the collector to agree to the collection and use of information that is not directly related to business activities by default authorization, binding with other authorizations, or stopping installation and use. When collecting and using sensitive information such as biometric information, health information, property information, social information, etc., authorization and consent of the collector shall be obtained one by one. Network transaction operators and their staff shall keep the personal information collected strictly confidential and shall not provide it to any third party, including related parties, without the authorization and consent of the collector.

http://www.samr.gov.cn/hd/zjdc/202010/t20201020_322434.html

MIIT strengthens in-process and ex-post regulation of foreign-funded telecommunications enterprises

On October 20,2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Circular on Strengthening the In-process and Ex-post Regulation of Foreign-invested Telecommunications Enterprises (the “Circular”).

The Circular provides that the MIIT will cease to approve and issue the Examination Decision on Foreign Investment in Telecommunications (the “Decision”) from the date of issuance of the Decision of the State Council on Cancelling and Decentralizing a Number of Administrative Licensing Items, and the examination of foreign investments will be included in the process of approval of business licensing for telecommunications accordingly. The Circular further clarifies that foreign-invested enterprises that have been approved with the Decision issued previously may continue to apply for the business licensing for telecommunications in accordance with legal procedures. When directly applying for the business licensing for telecommunications or for changes in the telecommunications business, subsequent foreign-invested enterprises are required to concurrently submit relevant application materials on foreign investments, and the MIIT will handle the applications in accordance with laws and regulations.

The Circular also stipulates that restrictions on shareholding ratio held by foreign investors and other access policies and requirements shall be still subject to the Administrative Provisions on Foreign-funded Telecommunications Enterprises, the Telecommunications Regulations of the People’s Republic of China, the Special Administrative Measures (Negative List) for Foreign Investment Access, and other legal documents.

http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757020/c8126050/content.html

The Law of the People’s Republic of China on Personal Information Protection (Draft) is released

On October 21, 2020, the 22nd Session of the Standing Committee of the 13th National People’s Congress released the Law of the People’s Republic of China on Personal Information Protection (Draft) (the “Draft”) for public comments by November 19, 2020.

The Draft provides it shall apply to activities conducted by organizations and individuals to process the personal information of natural persons within the territory of the People’s Republic of China. And it shall also apply to activities outside territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:

• personal information processing is to serve the purpose of providing products or services for natural persons within the territory of the People’s Republic of China;
• personal information processing is to serve the purpose of analyzing and evaluating the behaviors of natural persons within the territory of the People’s Republic of China; or
• having other circumstances as stipulated by laws and administrative regulations.

On the cross-border transfer, the Draft requires that critical information infrastructure operators and personal information processors who process personal information up to the amount as specified by the State cyberspace authorities shall store within the territory of the People’s Republic of China the personal information which they collect and generate within the territory of the People’s Republic of China. If it is really necessary to provide such information overseas, critical information infrastructure operators and personal information handlers shall pass security assessment organized by the State cyberspace authorities; if any law, administrative regulation or the State cyberspace authorities stipulate that security assessment may not be conducted, such provision shall prevail.

The Draft also provides that where personal information is processed in violation of this Law or personal information is processed without any necessary security protection measure in compliance with regulations, authorities performing personal information protection duties shall order a correction, confiscate any unlawful income, and issue a warning; and, if correction is not made, a fine of up to CNY1 million shall be imposed on the personal information processor if it is an organization; and any directly liable person-in-charge or any other directly liable individual shall be fined between CNY10,000 and CNY100,000. If the unlawful act mentioned in the preceding paragraph is grave, authorities performing personal information protection duties shall order a correction, confiscate any unlawful income, and impose a fine of up to CNY50 million, or 5% of last year’s annual revenue, and may also order the suspension of related business operations or suspension of business for rectification, and/or report to relevant competent authorities for the cancellation of the related business permit or cancellation of the business license; and any directly liable person-in-charge or any other directly liable individual shall be fined between CNY100,000 and CNY1 million.

http://www.npc.gov.cn/flcaw/userIndex.html?lid=ff80808175265dd401754405c03f154c

The Ministry of Industry and Information Technology announced the fifth batch of Apps on infringement of users’ rights and interests

The Ministry of Industry and Information Technology recently organized a third-party testing agency to inspect the mobile phone application software and urge enterprises which do not meet relevant requirements to rectify. As of October 26, there are 131 Apps that have not been rectified, and these Apps should be rectified before November 2. In this test, many problems were found in input method Apps, travelling Apps, e-commerce Apps, audio and video Apps. Some App stores and mobile application distribution platform management entities have not fulfilled their responsibilities, and SDK enterprises illegally collected user personal information.

http://www.miit.gov.cn/n1146290/n1146402/c8136537/content.html

REGULATIONS

The Chinese side proposes a Global Initiative on Data Security

On September 8, 2020, Foreign Minister Wang Yi delivered a keynote speech at a high-level meeting of an international seminar themed with “Seizing Digital Opportunities for Cooperation and Development” and proposed a Global Initiative on Data Security (“Initiative”). The Initiative mainly includes the following.：

First, approach data security with an objective and rational attitude, and maintain an open, secure and stable global supply chain.

Second, oppose using information and communications technology (ICT) activities to impair other States’ critical infrastructure or steal important data.

Third, take actions to prevent and put an end to activities that infringe upon personal information, oppose abusing ICT to conduct mass surveillance against other States or engage in unauthorized collection of personal information of other States.

Fourth, ask companies to respect the laws of host countries, desist from coercing domestic companies into storing data generated and obtained overseas in one’s own territory.

Fifth, respect the sovereignty, jurisdiction and governance of data of other States, avoid asking companies or individuals to provide data located in other States without the latter’s permission.

Sixth, meet law enforcement needs for overseas data through judicial assistance or other appropriate channels.

Seventh, ICT products and services providers should not install backdoors in their products and services to illegally obtain user data.

Eighth, ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products.

https://www.fmprc.gov.cn/web/ziliao_674904/1179_674909/t1812949.shtml

The Ministry of Public Security issued the Guiding Opinions on the Implementation of Multi-Level Protection System of Cybersecurity and Critical Information Infrastructure Security Protection System

Recently, the Ministry of Public Security issued the Guiding Opinions on the Implementation of Multi-Level Protection System of Cybersecurity and Critical Information Infrastructure Security Protection System (“Opinions”), the Opinions mainly include the following:

1. Implementing the multi-level protection system of national cybersecurity

• Deepening the work of network classification filing

Network operators which are classified as Level 2 or above shall file with the public security organ and the competent department of the industry.

• Carrying out cybersecurity classification assessment regularly

Network operators which are classified as Level 3 or above shall entrust a classification assessment institution in line with the relevant provisions of the state to carry out cybersecurity classification assessment once a year, and timely submit the assessment report to the public security organ and the competent department of the industry. The new network above Level 3 should be put into operation after passing the classification assessment.

• Implementing cryptography security protection requirements

Network operators which are classified as Level 3 or above shall correctly and effectively adopt cryptography technology for protection and use cryptography products and services meeting relevant requirements.

2. Establishing and implementing the critical information infrastructure security protection system

• Organizing to identify critical information infrastructure

The competent departments (hereinafter referred to as the “ Protection Departments”) of important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense science and technology industry, shall formulate rules for the recognition of critical information infrastructure in their respective industries and fields and report them to the Ministry of Public Security for the record.

• Strengthening the protection of important data and personal information.

Establishing and implementing the important data and personal information protection system. Operators shall store within the territory of the People’s Republic of China the personal information and important data collected and generated during its operation within the territory of the People’s Republic of China. Where such information and data have to be provided abroad for business purposes, security assessment shall be conducted pursuant to relevant provisions.

http://www.nanning.gov.cn/zt/rdzt/2020wsxcz/zcfg_0910/t4461545.html

Beijing: allow foreign companies to invest in virtual private networks 

The State Council recently approved the Work plan for Deepening a New Round of Comprehensive Pilot Projects for the Opening up of Beijing’s Service Industry and the Construction of a Comprehensive Demonstration Area for the Expansion of National Service Industry (“Plan”), the Plan will:

1. Allow foreign companies to invest in domestic internet virtual private networks (VPN), with a proportion of foreign shares not exceeding 50 percent. Overseas telecommunications carriers can set up joint ventures to provide such services for foreign enterprises in Beijing.
2. Support the application of Internet of vehicles (intelligent connected-cars) and automatic driving map and build the Beijing–Shanghai Internet of vehicles highway.
3. Standardize the safe and orderly cross-border flow of data, explore the establishment of data security management mechanisms such as data protection capability certification and promote the pilot project of security management and assessment on data cross-border transfer.

http://www.gov.cn/zhengce/content/2020-09/07/content_5541291.htm

The China Banking and Insurance Regulatory Commission：To standardize health management services of insurance companies to ensure the safety of relevant data and information

The China Banking and Insurance Regulatory Commission (“CBIRC”) has issued the Circular on Standardizing Health Management Services of Insurance Companies (the “Circular”) on September 6, 2020.

The Circular emphasizes the following personal information protection work:

1. informing customers of the content, process, standard, term, precautions and possible risks of health management services in advance and obtain the informed consent of customers.Participation by any third-party service cooperation organization shall be informed at the same time;
2. obtaining the consent of customer when obtaining the customer’s health data; and
3. not providing the customer’s personal information or any health data without the authorization of the customer to ensure data security and protect personal privacy according to law.

http://www.cbirc.gov.cn/cn/view/pages/ItemDetail.html?docId=927766

The People’s Bank of China: To obtain the consent of financial consumers when collecting their financial information

 On September 15, 2020, the People’s Bank of China (“PBOC”) issued the Implementing Measures of the People’s Bank of China for Protection of Financial Consumers’ Rights and Interests (“Measures”), which will take effect on November 1, 2020.

On protection of financial information of consumers, the Measures provide that banks and payment institutions shall:

• adhere to the principles of legitimacy, bona fide and necessity, and obtain the explicit consent of financial consumers or their guardians, unless otherwise stipulated by laws and administrative regulations;
• not collect consumers’ financial information unrelated to their business, nor adopt improper means to collect consumers’ financial information, and nor force consumers to collect their financial information in disguise;
• not refuse to provide financial products or services on the ground that financial consumers do not agree to have their financial information processed, except that processing their financial information is necessary for providing financial products or services;
• use appropriate means to enable financial consumers to independently choose whether or not to consent to the use of their financial information by banks and payment institutions for the purposes of marketing, user experience improvement or market investigation. Where the financial consumers do not agree, banks and payment institutions shall not refuse to provide financial products or services.If banks and payment institutions send financial marketing information to financial consumers, they shall provide them with ways to refuse to continue receiving the financial marketing information;
• specify in the terms the purpose, method and content of collection and scope of use, and remind financial consumers of the possible consequences of such consent in an obvious and easy-to-understand way where banks and payment institutions have obtained the consent to the collection and use of financial information from consumers under standard terms; and
• use consumers’ financial information pursuant to the provisions of laws and regulations and for the purpose agreed between both parties and shall not use such information beyond the agreed scope.

http://www.pbc.gov.cn/tiaofasi/144941/144957/4099060/index.html

The Ministry of Commerce promulgated the Provisions on the Unreliable Entity List

 On September 19, 2020，the Ministry of Commerce promulgated the Provisions on the Unreliable Entity List (“Provisions”) which shall take effect from the same date of the promulgation.

The State shall establish the Unreliable Entity List System (“System”) and a working mechanism participated by relevant central departments (hereinafter referred to as “the Working Mechanism”) to take charge of organization and implementation of the System. The Office of the Working Mechanism is located at the competent department of commerce of the State Council.

The Working Mechanism shall, based on the results of the investigation and by taking into overall consideration the following factors, make a decision on whether to include the relevant foreign entity in the Unreliable Entity List (“List”), and make an announcement of the decision:

• the degree of danger to national sovereignty, security or development interests of China;
• the degree of damage to the legitimate rights and interests of enterprises, other organizations, or individuals of China;
• whether being in compliance with internationally accepted economic and trade rules; and
• other factors that shall be considered.

The Working Mechanism may, based on actual circumstances, decide to take one or several of the following measures (hereinafter referred to as the “Measures”) against the foreign entity which is included in the List, and make an announcement of the decision:

• restricting or prohibiting the foreign entity from engaging in China-related import or export activities;
• restricting or prohibiting the foreign entity from investing in China;
• restricting or prohibiting the foreign entity’s relevant personnel or means of transportation from entering into China;
• restricting or revoking the relevant personnel’s work permit, status of stay or residence in China;
• imposing a fine of the corresponding amount according to the severity of the circumstances; and
• other necessary measures.

http://www.mofcom.gov.cn/article/b/fwzl/202009/20200903002593.shtml

Beijing：To explore the establishment of international information industry and digital trade port

On September 21, 2020, the State Council announced the Overall Plan of China (Beijing) Pilot Free Trade Zone (the “Plan“).

The Plan points out that Beijing will explore the establishment of international information industry and digital trade port. The specific measures are as follows:

• having priority to explore software real name certification, data origin label identification, import and export of data product, etc. on the premise of controllable risks;
• building the digital copyright trading platform to promote the development of intellectual property protection and intellectual property financing business;
• conducting efficient and convenient digital import and export inspection on software and Internet service trade;
• actively exploring the third-party authentication mechanism for the data protection capability of enterprises; and
• exploring the establishment of a website filing system to meet the needs of overseas customers.

http://www.gov.cn/zhengce/content/2020-09/21/content_5544926.htm?_zbs_baidu_bk

Task Force on Personal Information Protection by Apps: 81 Apps have personal information collection and use problems

On September 17, 2020, the Task Force on the Personal Information Protection by Apps (“Task Force”) found that there were problems in the collection and use of personal information in 81 Apps after the assessment and suggested that the relevant App operators should rectify the existing problems in a timely manner, and feedback the rectification situation to the Task Force within 30 days from the date of the announcement. After the 30 days, the Task Force will verify the rectification situation and submit the review results to the relevant departments; App operators who fail to effectively rectify relevant problems will be punished according to the law.

https://mp.weixin.qq.com/s/hLK2EziD8NSF3G1_0VR_Hg

FAQ and Handling Guide for Personal Information Protection by Mobile Internet Application (App) and other two standards released

In the recent 2020 National Cyber Security Promotion Week, the Task Force on the Illegal Collection and Use of Personal Information by Apps (“Task Force”) held a “App Personal Information Protection” theme release event in Beijing (“Event”). At the Event, three standards related to personal information protection by Apps, the FAQ and Handling Guide for Personal Information Protection by Mobile Internet Application (App) (“FAQ and Handling Guide”), Mobile Internet Application (App) System Permission Application Guidelines (“System Permission Guidelines”) and Security Guidelines for Third-Party Software Development Kit (SDK) in Mobile Internet Applications (App) (Draft for Comment) (“Draft SDK Security Guidelines”), were released.

The FAQ and Handling Guide addresses the problems of excessive collection, mandatory claims for permission, frequent claims for permission, and unsynchronized notification of the purpose of collection by Apps. Based on statistics on the frequency of related problems, it gives the top ten frequently asked questions and handling guidelines in current App personal information protection, in order to help App operators prevent and deal with related problems.

The System Permission Guidelines address typical issues such as mandatory, frequent, and excessive claims for system permissions by Apps, bundling authorization, privately calling permissions to upload personal information, and sensitive permissions abuse. It also provides the basic principles and security requirements for system permissions by Apps, which can help App providers standardize App system permission applications and use behaviors and prevent personal information security risks caused by improper use of system permissions.

The Draft SDK Security Guidelines address the problems of third-party SDK’s own security vulnerabilities, malicious third-party SDKs, and unlawful collection and use of personal information by third-party SDKs in the current third-party SDK use practice. Combined with current mobile Internet technology and application status, the Draft SDK Security Guidelines provide practical guidelines for App providers and third-party SDK providers on third-party SDK security issues, aiming to reduce App security and personal information security issues caused by third-party SDKs.

In addition to the above guidelines, the Event also released the promotion video and the English version of the national standard Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) for reader’s convenience; as well as other work results relating to such as App security certification, free evaluation tools, research reports and popular science areas.

https://www.tc260.org.cn/front/postDetail.html?id=20200920124356

The People’s Bank of China issued the Financial Data Security Guidelines for Data Security Classification 

On September 23，2020，the People’s Bank of China (“PBOC”) issued the Financial Data Security Guidelines for Data Security Classification (“Guidelines”). The Guidelines applies to financial institutions to carry out data security classification work, as well as third-party assessment institutions to carry out data security inspection and evaluation.

According to the Guidelines, the financial data involved in the security classification include but are not limited to:

• data collected directly (or indirectly) in the process of providing financial products or services, including data signed or collected through the counter with paper agreement and transferred or saved in computer system after information processing, and electronic information signed or collected through information system;
• data generated and stored in the information system of financial institutions, including business data, operation and management data, etc.;
• electronic data generated, exchanged and filed in the internal office network and office equipment (terminal) of financial institutions. For example, daily business processing information, policies and regulations, business or business management data temporarily stored in business terminals, e-mail information, etc;
• electronic data formed by scanning or other electronic means of the original paper documents of financial institutions;
• other data that should be classified.

At the same time, the Guidelines provides that according to the influence objects and the degree of impact caused by the data security damage of financial institutions, the data security level is divided into Level 5 to Level 1 from high to low.

https://www.cfstc.org/bzgk/gk/view/bzxq.jsp?i_id=1873

Implementation Plan for the Establishment of Beijing International Big Data Exchange: establish and perfect the new data element management system of “separation of ownership and right of use”

On September 29,2020, Beijing Local Financial Supervision and Administration and Beijing Municipal Bureau of Economy and Information Technology issued the Implementation Plan for the Establishment of Beijing International Big Data Exchange (“Plan”).

The Plan will establish and improve the new data element management system of “separation of ownership and right of use”, explore a new mechanism for orderly circulation and efficient utilization of data elements, deeply implement the Beijing big data action plan, and strengthen the integration and application of cross regional, cross domain, cross department and cross level data resources.

The Plan points out that Beijing municipal state-owned enterprises with high-quality data resources will restructure the existing exchange and change its name to Beijing International Big Data Exchange. Strategic investors such as central enterprises and Internet enterprises will be introduced in time to increase registered capital, change business scope and change trading varieties. The service content of Beijing International Big Data Exchange will include data information registration service, data product trading service, data operation management service, data asset financial service and data asset financial technology service

http://jrj.beijing.gov.cn/tztg/202009/t20200929_2103035.html

CONTACT US