The Ministry of Commerce launches pilot program on security management for cross border data transfer

On August 14, 2020, the Ministry of Commerce (“MOC”) issued the Master Plan for Comprehensively Deepening the Pilot Program on Innovative Development of Trade in Services (“Plan”), covering 28 provinces and municipalities directly under the Central Government (regions), including Beijing, Tianjin and Shanghai, and the period for the pilot program will be three years.

The Plan proposes to：

• establish dedicated Internet data channel in pilot areas where feasible, and the Ministry of Industry and Information Technology(“MIIT”) shall formulate relevant policies;
• explore the classification and supervision model of cross-border data flow and carry out the pilot program for cross-border data transfer security management. Office of the Central Cyberspace Affairs Commission shall formulate relevant policies, pilot program work for cross-border data transfer security management shall be implemented in pilot areas such as Beijing, Shanghai, Hainan, and Xiong’an New Area;
• develop cross-border services such as big data collection, storage, processing, analysis, mining and trading based on industrial Internet in pilot areas;
• explore the rules and standards of data service collection, masking, application, trading, supervision, etc.;
• promote the commercialization and securitization of data assets, and explore the formation of new models for trading of big data;
• carry out security assessment on cross-border data flow in pilot areas; and
• establish data security management mechanisms on data protection capability certification, data circulation backup review, cross-border data flow and transaction risk assessment, etc.; encourage cooperation in international cooperation on digital rules in pilot areas and strengthen the protection of data.

For more information ，please refer to http://images.mofcom.gov.cn/fms/202008/20200814092010665.pdf

China proposes to tighten controls on import and export of commercial cryptography products.

On August 20, 2020, the State Cryptography Administration released the Regulations for the Administration of Commercial Cryptography (Draft for Comment) (“Draft Regulations”) to solicit public opinions by September 19, 2020.

The Draft Regulations provide that, import of the commercial cryptography in the “Commercial Encryption Import License List” and export of the commercial cryptography in the “Commercial Encryption Export Control List” should be subject to the import and export license for dual-use items issued by the competent commercial department of the State Council.

According to the Draft Regulations, operators of networks and information systems such as unclassified critical information infrastructure, network of Grade III or above (under the network graded protection regime), and national government information system shall:

• use commercial cryptography for protection;

• formulate commercial cryptography application scheme;

• have necessary funds and professionals;

• plan, construct and operate the commercial cryptography safeguard system synchronously;

• carry out the security assessment on commercial cryptography application by itself or commercial cryptography testing institutions.

The above-mentioned network and information systems can be put into operation only after the security assessment on commercial cryptography application. After operation, the assessment shall be conducted at least once a year, and the assessment results shall be filed with the local municipal cryptography administrative department.

The Draft Regulations provide that operators of networks and information systems such as unclassified critical information infrastructure, network of Grade III or above, and national government information system should use commercial cryptography products and services that have been tested or certified, and use commercial cryptography technology listed in the Guidance Catalog of Commercial Cryptography Technology.

The Draft Regulations stipulate that if operators of critical information infrastructure purchase network products and services involving commercial cryptography, which may affect national security, they shall pass the national security examination organized by the state cyberspace department, the state cryptography department and other relevant departments according to the law.

For more information ，please refer to http://www.oscca.gov.cn/sca/hdjl/2020-08/20/content_1060779.shtml

China released the revised Catalogue of Technologies Prohibited and Restricted from Export

On August 28, 2020, the Ministry of Commerce and the Ministry of Science and Technology jointly released the revised Catalogue of Technologies Prohibited and Restricted from Export (“Catalogue”). The revisions of the Catalogue removed 4 items of technologies prohibited from export, removed 5 items of technologies restricted from export, added 23 items of technologies restricted from export, and revised technical parameters of 21 items of technologies.

It is worth noting that, in the export restriction section, the Catalogue adds “personalized information push service technology based on data analysis” and “technology of unmanned aerial vehicles”.

For more information ，please refer to http://www.most.gov.cn/kjbgz/202008/t20200828_158546.htm

NISSTC seeks public opinions on the Information Security Technology – Cyber-data Process Security Specification

On August 31, 2020, the National Information Security Standardization Technical Committee (“NISSTC“) issued the Information Security Technology – Cyber-data Process Security Specification (Draft for Comment) (“Draft Specification”) for public comments by October 27, 2020.

Highlights of the Draft Specification include:

Provision of data to others: Before providing data to others, network operators should conduct security impact analysis and risk assessment. If national security, public security, economic security, and social stability will be endangered, they must not provide the data to others.

Responsible person for data security: When network operators carry out business and service activities and collect important data and personal sensitive information, they should clarify the person responsible for data security and provide them with necessary resources to ensure that they perform their duties independently. The person in charge of data security should have professional knowledge of data security and relevant management work experience, participate in important decisions related to data processing activities, and perform the following duties:

a) organizing and determining the data protection catalog, formulating a data security protection plan and supervising the implementation;

b) organizing and carrying out data security impact analysis and risk assessment, and supervising the rectification of security risks;

c) reporting data security protection and incident handling to the cyberspace administration and relevant departments as required; and

d) organizing to accept and handle data security complaints and reports.

Transmission and storage: Network operators should take security measures for data transmission and storage activities, including:

a) When transmitting important data and personal sensitive information, security measures such as encryption should be adopted;

b) When storing important data and personal sensitive information, security measures such as encryption, secure storage, access control, and security audits should be adopted; and

c) The storage of personal information should not exceed the storage period agreed with the personal information subject, unless otherwise provided by laws and regulations.

The Draft Specification also provides special rules for the protection of personal information in public health emergencies. For example, in the process of providing information services, when face recognition is used as the authentication method, other authentication methods should be provided for users to choose in principle. The original image that can extract the face recognition information shall not be retained in principle when using face recognition information for identity verification.

For more information ，please refer to https://www.tc260.org.cn/front/postDetail.html?id=20200830094619

MIIT: No user’s consent, No commercial SMS or calls

On August 31, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Administrative Regulations on Short Messages and Voice Call Service (Draft for Comments) (“Draft Regulations”) to seek public comments by September 30, 2020.

According to the Draft Regulations, any organization or individual shall not send commercial short messages or make commercial telephone calls to the user without his/her consent or request, or if he/she has explicitly refused to receive such SMS/calls. If the user does not explicitly agree, it shall be deemed as refusal. If the user agrees previously and explicitly refuses to accept it later, sending commercial short messages or making commercial telephone calls shall be terminated. If a short message service provider sends port type commercial short messages, it shall ensure that the relevant user has agreed or requested to receive these messages and keep the user’s consent proof for at least five months. A voice call service provider shall not make platform commercial calls, or provide communication resources, platform facilities and other conditions for organizations and individuals who make commercial calls in violation of the Draft Regulations.

For more information ，please refer to http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057709/n3057717/c8067025/content.html

Ministry of Culture and Tourism: Big data analysis and other technical means must not be abused to violate tourists’ rights

On August 31, 2020, the Ministry of Culture and Tourism issued the Interim Provisions on Administration of Online Tourism Business and Services (“Provisions”), which will take effect on October 1, 2020.

According to the Provisions, online tourism operators should implement graded protection system of cyber security, take management and technical measures for cyber security, formulate contingency plans for cyber security and organize regular trainings according to the PRC Cybersecurity Law and other relevant laws to ensure the normal development of online tourism business and services.

Online tourism operators shall protect the tourists’ right of comment and shall not arbitrarily shield or delete tourists’ comments on their products and services, nor shall they mislead, induce, substitute or force tourists to make comments. Comments made by tourists shall be saved and made public.

Online tourism operators should protect the security of tourists’ personal information and other data, and clearly indicate the purpose, method and scope of the collection of tourists’ personal information in advance and obtain the consent of the tourists.

Online tourism operators must not abuse technical means such as big data analysis to set unfair trading conditions based on tourists’ consumption records, travel preferences, etc., and infringe on the legitimate rights and interests of tourists.

According to the Provisions, online tourism operators refer to natural persons, legal persons and unincorporated organizations engaged in online tourism business and services, including online travel platform operators, operators on the platform, and operators who provide travel services through self-built websites and other network services.

For more information ，please refer to http://zwgk.mct.gov.cn/auto255/202008/t20200831_874550.html?keywords=

Six government agencies call for recommendation of national green data centers in 2020

On August 6, 2020, the Ministry of Industry and Information Technology (“MIIT”) and five other government agencies issued the Circular on Organizing and Implementing the Recommendation of National Green Data Centers (2020) (the “Circular”).

According to the Circular, all regions shall recommend a batch of well-managed and representative data centers featuring high energy efficiency and advanced technology in major application fields of data centers, such as manufacturing, telecommunications, Internet, public institutions, energy, finance, and e-commerce, in accordance with the Evaluation Indicator System for Green Data Centers.

The Circular provides four basic conditions that a recommended data center shall meet：

1. The owner of the data center shall have independent legal person status. The data center shall have clear property rights and shall abide by relevant laws, regulations, policies and standards in the process of construction and operation. In the past 3 years (including less than 3 years of establishment), it has had no major safety incidents, environmental protection incidents or other incidents, and no other serious illegal or untrustworthy conducts decided by judicial or administrative agencies;
2. The data center shall have a clear and complete physical boundary, independent power supply and distribution, and a cooling system that meet the requirements of theAction Plan for Green and Efficient Refrigeration and has been officially operating for one or more consecutive years as of the application date;
3. The construction and layout shall meet the requirements of the Guiding Opinions on the Construction Layout of Data Centers, and meet the requirements of the local construction planning and other local laws and regulations; and
4. It is not included in the list of Special Supervision and Rectification for the Energy Efficiency of the Industrial Energy Conservation Supervision Data Center in 2019.

For more information ，please refer to http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757016/c8045053/content.html

China issues the Guide to the Building of National Standard Framework for New Generation Artificial Intelligence

On August 7, 2020, the Standardization Administration and other four government departments issued the Guide to the Building of National Standard Framework for New Generation Artificial Intelligence (“Guide”).

According to the Guide, the framework of standards for artificial intelligence includes eight aspects, namely basic generality, supporting technology and products, basic software and hardware platforms, key general technologies, technologies in key fields, products and service, industry application and safety/ethnics.

The Guide requires that, the top-level design of artificial intelligence standardization should be clarified by 2021, when more than 20 key standards in key general technologies, technologies in key fields, ethics, etc. have been preliminarily researched. By 2023, an artificial intelligence standard system should have been initially established, focusing on the development of key and urgently needed standards such as data, algorithms, system services, and taking the lead in manufacturing, transportation, finance, security, home furnishing, elderly care, environmental protection, education, healthcare, justice and other key industries and fields.

For more information ，please refer to http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057497/n3057502/c8048365/content.html

NISSTC seeks public opinions on its proposed national standards to identify the boundaries for Critical Information Infrastructure

On August 10, 2020, the National Information Security Standardization Technical Committee (“NISSTC”) released the Information Security Technology – Method of Boundary Identification for Critical Information Infrastructure (Draft for Comment) (“Draft Method”) to seek public opinions.

The Draft Method provides that, boundary identification for critical information infrastructure (“CII”) deals with further analysis and sorting after the competent authority’s identification of the critical business, which the CII operator will identify the network facilities and information systems that are indispensable for the continuous and stable operation of the critical business for the purpose of providing a basis for the protection, review, and emergency response.

The Draft Method provides six factors that should be considered in identifying the boundaries of CII: critical business, network facilities, information system, critical business information, critical business information flow, and basic operation environment.

• Critical business is the core element and the basis for boundary identification of CII;
• Critical business information is an indispensable information resource for the normal operation of critical business, and also a bridge and link for network facilities and information system to support the informatization for critical business;
• Network facilities and information system design, collect, integrate, process, present, apply, store and destroy critical business information according to business operation logic and functions to support the automated, intelligent and efficient operation of critical business;
• Critical business information flow is the flow process in the whole life cycle of critical business information. By sorting out the critical business information flow, network facilities and information systems supporting informatization for critical business can be obtained;
• Basic operation environment refers to the safety equipment, safety measures, rules and regulations, machinery, plant, water, electricity, etc. supporting basic operation for critical business.

For more information ，please refer to https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20200810142946595318&norm_id=20200112070029&recode_id=39652

NISSTC seeks public opinions on the Method for Evaluating Security Protection Capabilities of Critical Information Infrastructure

On August 10, 2020, the National Information Security Standardization Technical Committee (“NISSTC”) issued the Information Security Technology – Method for Evaluating the Security Protection Capabilities of Critical Information Infrastructure (Draft for Comment) (“Draft Method”) for public comments by October 9, 2020.

The Draft Method provides that the evaluation of security protection capabilities of critical information infrastructure (“CII”) includes three parts: capability domain level evaluation, graded protection evaluation, and cryptography evaluation. Before the evaluation of the security protection capability of CII, the CII should first pass the corresponding graded protection evaluation and related cryptography evaluation. Then, the organization should carry out the evaluation according to the evaluation content and evaluation operation method, give the judgment result and grade of each evaluation index, get each capability domain level, and finally obtain the security protection capability level of critical information infrastructure based on the evaluation results of capability domain level and graded protection.

For more information ，please refer to https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20200810142946548146&norm_id=20200112070019&recode_id=39650

MIIT seeks public opinions on Guidelines on the Construction of Data Security Standard System in Telecom and Internet Industries

On August 11, 2020，the Ministry of Industry and Information Technology (“MIIT”) issued the Guidelines on the Construction of Data Security Standard System in Telecom and Internet Industries (“Draft Guidelines”) to seek public opinions.

According to the Draft Guidelines, the data security standard system of telecom and Internet industries includes four categories of standards, namely the standards for basic generality, critical technologies, security management and critical fields:

• the standards for basic generality include definitions of terms, data security framework, and data category and classification;
• the standards for critical technologies deal with data security technology from the dimensions of the entire life cycle, including data collection, transmission, storage, processing, exchange, and destruction;
• the standards for security management include data security specifications, data security assessment, monitoring and early warning and handling, emergency response and disaster backup, and security capability certification; and
• the standards for critical fields mainly include 5G, mobile Internet, connected-car, Internet of Things, Internet of Industry, cloud computing, big data, artificial intelligence, blockchain and other critical fields.

For more information, please refer to http://www.miit.gov.cn/n1278117/n1648113/c8050746/content.html

The Ministry of Justice: To strengthen protection of trade secrets and confidential business information in administrative licensing

On August 14, 2020, the Ministry of Justice (“MOJ”) issued the Guiding Opinions on Strengthening the Protection of Trade Secrets and Confidential Business Information in Administrative Licensing (Draft for Comment) (the “Draft Opinions”) for public comments by September 30, 2020.

The Draft Opinions provide that applicants for administrative licenses shall expressly indicate their trade secrets pursuant to the Anti-Fair Competition Law or other laws or regulations, as well as their business information that are needed to be kept confidential when making an administrative license application to an administrative authority, and correctly identify the scope of confidentiality.

When applicants submit the application materials to the administrative authorities, they must clearly indicate the key points of confidentiality, and not generally regard all materials as trade secrets and confidential business information. Such information should be clearly marked on the first page of the paper-based or electronic materials submitted and the key points of confidentiality.

For more information, please refer to http://www.moj.gov.cn/government_public/content/2020-08/14/657_3254208.html

Shandong Province releases classification management rules on health care big data

On August 25, 2020, the People’s Government of Shandong Province issued the Measures for the Management of Health Care Big Data in Shandong Province (the “Measures”), which will take effect on October 1, 2020.

According to the Measures, health care big data falls into three categories:

• health care data involving trade secrets, personal privacy or other types of data which are not allowed to be accessed according to laws and regulations shall be categorized as inaccessible data;
• health care data with higher requirements for data security, processing capacity, and timeliness or that needs to be acquired continuously shall be categorized as conditional accessible data; and
• health care data other than the above two categories shall be categorized as unconditional accessible data.

The Measures also stipulate that:

• for unconditional accessible data, citizens, legal persons and other organizations can access it through the health care big data platform.
• for conditional accessible data, health care big data management institutions and data using organizations should sign data using agreements to access the data. The agreement shall specify the scope, conditions, data products, confidentiality responsibilities and security measures, etc. of the data.
• for inaccessible data, it can be accessed after the consent of the relevant obligees or after the desensitization and declassification, unless otherwise provided by laws and regulations.

For more information, please refer to http://www.shandong.gov.cn/art/2020/8/25/art_107851_108458.html

If you would like to receive our legal update via email, please contact jianghongyu@anjielaw.com.

For more information, please contact:

Samuel Yang | Partner

AnJie Law Firm

P: +86 10 8567 2968

M: +86 1391 0677 369

E: yanghongquan@anjielaw.com

Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.

Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.

Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.

Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.

State Council to formulate the CII security protection regulations

On July 8, 2020, the General Office of the State Council issued the 2020 Legislative Plan, including several laws in the cyber security sector, such as the Regulations on Network Protection of Minors and the Regulations on the Security Protection of Critical Information Infrastructure.

http://www.gov.cn/zhengce/content/2020-07/08/content_5525117.htm

Supreme People’s Court and the National Development and Reform Commission: To strengthen the protection of data rights and personal information security.

On July 20, 2020, the Supreme People’s Court and the National Development and Reform Commission issued the Opinions on Providing Judicial Services and Supports to Accelerate Improvement of the Socialist Market Economy System in the New Era (“Opinions”).

The Opinions emphasize that the state should strengthen the protection of data rights and personal information security. The state should also respect the law of the socialist market economy and the development practice of data-related industries, protect data collection, use, trading and the intellectual achievements according to the law, improve the legal system for data protection, properly handle various data-related dispute cases, promote the deep integration of big data and other new technologies, new fields, and new business forms, and serve the innovative development of the data element market. The state should also implement the provisions of the Personality Rights Part of the Civil Code on the protection of personality interests, improve the judicial protection mechanism for personal information rights and interests such as biological and social data of natural persons, grasp the boundary between the development of information technology and personal information protection and balance the relationship between personal information and public interests.

http://www.court.gov.cn/fabu-xiangqing-242911.html

Shenzhen proposes local data protection regulations to protect “Data Right”

On July 15, 2020, the Justice Bureau of Shenzhen Municipality issued the Data Regulations of Shenzhen Special Economic Zone (“Draft Regulations”) to solicit public opinions by August 14, 2020.

The Draft Regulations propose the concept of “data right” for the first time, defining it as “data is the description and induction of objects (such as facts, events, things, processes, or thoughts), and is the material that can be processed or reinterpreted through automation and other means. Natural persons, legal persons, and unincorporated organizations enjoy data right in accordance with laws, regulations and these Regulations and no organization or individual may infringe upon such right. Data right is the right of the right holder to make independent decisions, control, process, gain, and claim compensation for specific data in accordance with the law.”

The Draft Regulations stipulate the ownership of personal data and public data. According to the Draft Regulations, natural persons have, and no organization or individual may infringe upon data rights to their personal data in accordance with the law. Public data is a new type of state-owned assets, and its data rights belong to the state. The Shenzhen Municipal Government shall exercise the data rights of public data on behalf of the state and authorize the municipal data coordination department to formulate public data asset management measures and organize their implementation.

The Draft Regulations provide that personal data includes personal information data and private data. Personal information data refers to data recorded through automation and other means that can identify the personal identity of a natural person alone or in combination with other data; private data refers to data and its derived data that are closely related to the private life of a natural person and the private space, private activities, and private information that are unwilling to be known to others.

http://sf.sz.gov.cn/xxgk/xxgkml/gsgg/content/post_7892072.html

MIIT to crack down unlawful behaviors in information and communications industry as exposed in the “3·15” program by CCTV

On July 16, 2020, CCTV’s 3.15 program exposed the chaos of third-party SDK plug-ins of mobile phone in collecting and using users’ personal information. It was reported that, technicians have found that the SDK plug-ins from two companies, i.e. Credit X and Zhaocai Dog, embedded in more than 50 Apps collect user’s information without prior notice to the user.

In response to the unlawful collection and use of personal information made by the SDK plug-ins, the Ministry of Industry and Information Technology (“MIIT”) immediately organized relevant entities to conduct thorough inspections, and strictly investigated and dealt with the enterprises involved in accordance with laws and regulations. The MIIT requires,

1. the Beijing Communications Bureau and Shanghai Communications Bureau to inspect the two companies involved;
2. third-party testing institutions to conduct technical testing on 50+ Apps that use the above SDKs;
3. major domestic application stores such as Alibaba, Tencent, Baidu, Huawei, Xiaomi, OPPO, vivo, 360, etc., to conduct thorough investigations on similar problems as soon as possible; Apps found of problems should be removed as soon as possible; application stores are also required to promptly notify the App operation developer to conduct self-examination and self-correction to promptly discover and process the SDK that unlawfully collects and uses user’s personal information.

In the next step, the MIIT will adopt normalized regulatory measures to strengthen the comprehensive management of Apps. MIIT is about to increase the handling and exposure of various unlawful activities, such as collection and use of user’s personal information without consent, to effectively protect the legitimate rights and interests of users.

http://www.miit.gov.cn/n1146290/n1146402/c8016746/content.html

MIIT exposes the second and third batches of Apps infringing upon user’s rights and interests

Recently, the Ministry of Industry and Information Technology (“MIIT”) organized third-party testing agencies to conduct inspection on mobile applications (“Apps”) and issued the Second and Third Batches of Apps that Infringe Upon User’s Rights and Interests, requiring operators of these Apps to make rectification. As of now a number of Apps still have not completed rectification and the MIIT requires them to complete rectification before designated timelines, failing which the MIIT may impose punishment on these Apps.

The above Apps are found of the following problems:

• asking for permission frequently or excessively;
• rejecting providing services if no permission is given;
• collecting personal information without consent or beyond the agreed scope;
• sharing personal information with third parties without consent;
• forcing users to use target pushing functions; and
• difficult to de-register the account.

http://www.miit.gov.cn/n1146290/n1146402/n1146440/c7993756/content.html

http://www.miit.gov.cn/n1146290/n1146402/n1146440/c8026316/content.html

2020 Governance Work campaign on illegal collection and use of personal information by Apps officially launched

On July 22, 2020, the Central Cyberspace Administration, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation held a meeting in Beijing and started the 2020 governance work on illegal collection and use of personal information by Apps in 2020.

The governance work in 2020 will continue to focus on the following aspects:

(1) Formulate and release the key points of personal information security assessment for SDKs and mobile phone operating systems, and conduct in-depth assessments of Apps, SDKs, and mini programs that have a large scale of users and attract large volume of complaints;

(2) In response to the typical problems reflected by the public, such as illegal collection and use of biometric information (e.g. facial features), self-activation, associated activation of Apps, upload of personal information without asking for user’s permission by Apps, and the abuse of sensitive permissions such as recording and photographing, special research and in-depth inspections are to be carried out;

(3) Intensify the detection, exposure, and punishment of illegal collection and use of personal information. According to the severity of the circumstances and the consequences, punishments such as interviews, warnings, removals, and fines will be imposed in accordance with laws and regulations;

(4) Formulate and release guidelines for App stores to review and manage the collection and use of personal information by Apps, and guide and urge App stores to carry out security reviews properly before Apps go online;

(5) Release free technical tools to guide small and medium-sized enterprises to conduct self-assessment on collection and use of personal information to improve the legal compliance of personal information collection and use activities by small and medium-sized enterprises;

(6) Promote security certification for the protection of personal information by Apps; and

(7) Strengthen personal information security assessment trainings and promote the standardization of personal information security assessment.

http://www.cac.gov.cn/2020-07/25/c_1597240741055830.htm

MIIT launches a special campaign to promote governance on Apps that infringe upon user’s rights and interests.

In order to effectively strengthen the protection of users’ personal information, the Ministry of Industry and Information Technology (“MIIT”) issued the Notice on Carrying out the Special Campaign to Promote Governance on Apps that Infringe upon User’s Rights and Interests (“Notice”) on July 24, 2020, requiring that a national App technology testing platform management system should be launched before the end of August 2020, which is expected to complete testing for 400,000 mainstream Apps before December 10, 2020.

This campaign focuses on the following illegal behaviors by service providers of Apps and SDK, as well as application distribution platforms:

1. illegal behaviors of Apps and SDKs, including illegal collection of personal information, collection of personal information beyond the scope, illegal use of personal information and forcing users to use target pushing functions;
2. setting up barriers and frequently harassing users, such as forcing users to give permission, frequently asking for permission or excessively asking for permission made by Apps, and frequent self-activation and associated activation of Apps;
3. deceiving and misleading users, including deceiving or misleading users to download Apps or providing personal information; and
4. failure to perform obligations by application distribution platforms, including not clearly stating the information about Apps distributed by them, and not implementing the management responsibility.

According to the Notice, MIIT will organize third-party testing agencies to conduct technical testing of Apps and SDKs and supervise and inspect the implementation of the main responsibilities of the application distribution platform. For companies that are found to have problems during the first inspection, they will be ordered to complete rectification within 5 working days. If there are still problems after rectification, they may face punishments including public exposure, removals, administrative penalties and listing as bad business operations or untrustworthy telecommunications businesses. Companies that have repeated problems in different versions of the Apps will be exposed to the public, and face follow-up disposal measures.

http://www.miit.gov.cn/n1146290/n1146402/n1146440/c8027864/content.html

NISSIT seeks public opinions on Security Requirements for Supply Chain of Information Technology Products

On July 27, 2020, the National Information Security Standardization Technical Committee (“NISSIT”) released the Information Security Technology — Security Requirements for Supply Chain of Information Technology Products (Draft for Comment) (“Draft Requirements”) to seek public opinions by September 26, 2020.

The Draft Requirements, as a recommended national standard, will apply to the security management activities of the information technology product supply chain of government information systems and critical information infrastructure and can also provide a reference for the supply chain security management activities of other information systems.

According to the Draft Requirements, the supplier of information technology products should meet the following requirements:

• carrying out supply chain security risk assessment;
• developing the traceability strategy of purchased information technology products and components, recording and retaining information such as the origin and original supplier of information technology products and components;
• establishing and implementing the safety development process of information technology products, clarifying development management requirements, safety control measures and personnel codes of conduct, etc.

The customer of information technology products should meet the requirements such as:

• establishing and maintaining a catalog of qualified suppliers;
• regularly assessing the risks of interruption of information technology product supply, suspension of authorization, refusal to provide product upgrades or technical support services;

https://www.tc260.org.cn/front/postDetail.html?id=20200722172943

NISSIT issues Self-Assessment Guidelines for Apps to Collect and Use Personal Information

On July 25, 2020, the Secretariat of National Information Security Standardization Technical Committee (“NISSIT”) released the Practical Guide to Cyber Security Standards – Self-Assessment Guidelines for Apps to Collect and Use Personal Information (“Guidelines”) to guide App operators to carry out self-assessment.

The Guidelines provide 28 self-assessment items in total, covering the following six aspects:

1. whether the rules on collection and use of personal information are made public;
2. whether the purpose, method and scope of collection and use of personal information are clearly stated;
3. whether the collection and use of personal information is subject to the user’s consent;
4. whether the principle of necessity is complied with, under which only personal information in relation to the services being provided is collected;
5. whether the provision of personal information to others is subject to the user’s consent; and
6. whether functions of deleting or correcting personal information are provided, or methods for complaint are made public.

The Guidelines are formed on the basis of the Method for Identifying the Illegal Collection and Use of Personal Information by Apps jointly issued by the Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security and State Administration for Market Regulation and the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps issued by the App Governance Panel.

https://www.tc260.org.cn/front/paview/20200722134829.html

NISSIT issues the draft Guidelines for Application and Use of System Permissions by Apps

On July 29, 2020, the Secretariat of National Information Security Standardization Technical Committee (“NISSIT”) released the Practical Guide to Cyber Security Standards— Guidelines for Application and Use of System Permissions by Mobile Internet Applications (App) (Draft for Comment) (“draft Guidelines”) to seek public opinions by August 12, 2020.

The Guidelines provide the basic principles and general requirements for Apps to apply for and use system permissions, as well as the application and use requirements for ten types of Android system permissions including such as call log, SMS, location.

The Guidelines also list the common sensitive system permissions, typical issues in applying for and using system permissions, and the system permissions that are not recommended to apply for by common business functions.

https://www.tc260.org.cn/front/postDetail.html?id=20200729195232

Tianjin: personal privacy data cannot be traded

On July 30, 2020, Tianjin Cyberspace Administration released the Interim Measures for Data Transaction Management in Tianjin (Draft for Comment) (“Draft Measures”).

The draft Measures classify data into tradable data and data that are prohibited to be traded. Tradable data refers to all kinds of data obtained according to law, which cannot identify specific data providers and cannot be recovered.

Data prohibited to be traded include:

• data related to national security, public security and personal privacy;
• data involving trade secrets without authorization and consent of the legal obligee;
• data involving personal information without the explicit consent of the subject of personal information; data involving personal information of minors above the age of 14 without express consent of the minors or their guardians; data involving personal information of minors under the age of 14 without express consent of guardians;
• data obtained by means of fraud, deception and misleading, or from illegal and undue channels;
• data that is clearly prohibited by other laws and regulations or legal agreements.

The Measures require that data providers should conduct security risk assessment on the data to be traded and issue security risk assessment reports. The data trading service agency shall review the security risk assessment report to ensure that the data to be traded do not contain data prohibited to be traded.

https://mp.weixin.qq.com/s/8Scofen1MTmmcBJd3IKubQ

Anhui Province proposes regulations to boost development and application of big data 。

On July 6, 2020, the Government of Anhui Province issued the Regulations on the Development and Application of Big Data in Anhui Province (“Draft Regulations”) to seek public opinions.

The Draft Regulations encourage enterprises, universities, scientific research institutions and other organizations and individuals to engage in research and development of big data technology and develop software and hardware products; to use big data to develop new industries, new formats and new models, develop online economy, and give full play to the economic value and social benefits of data resources.

The Draft Regulations further encourage and guide data trading parties to conduct data transactions in big data trading service institutions established according to law. It also clarifies that data resource transaction shall follow the principles of voluntariness, fairness, honesty and credibility, that data resource transaction shall abide by laws and regulations, and respect social morality; and that data resource transaction shall not disclose, sell or illegally provide personal information, privacy and business secrets to others, and shall not damage the interests of the state, the public and the legitimate rights and interests of others.

http://sft.ah.gov.cn/zhzx/tzgg/53877731.html

MoT solicits opinions on Guidelines for Constructing National Connected Car Industry Standard System (Intelligent Transport Related) 

The Ministry of Transport (“MoT”) released the Guidelines for Constructing National Connected Car Industry Standard System (Intelligent Transport Related) (“Draft Guidelines”) on July 31, 2020 to seek opinions from relevant competent authorities and associations by August 14, 2020.

The Draft Guidelines set out the key fields where standards should be developed:

• standards of basic generality, including the terms and descriptions, classification codes and symbols, and data management;
• road facilities, including general requirements, traffic perception, traffic control and guidance, intelligent roadside, roadside communication, and map and positioning;
• vehicle-road interaction, including information interaction, vehicle and portable terminal, and vehicle assistance and safe driving;
• management and service, including travel service, transportation organization, and management platform; and
• information security, including certificate keys, and network security protection.

According to the Draft Guidelines, a standard system supporting the application and industrial development of connected car should be initially established by the end of 2022, when more than 20 standards related to intelligent transport in areas such as intelligent transport infrastructure and assisted driving will have been developed and revised. By 2025 it is expected more than 40 standards will have been developed and revised.

http://xxgk.mot.gov.cn/2020/jigou/kjs/202007/t20200731_3443771.html

If you would like to receive our legal update via email, please contact jianghongyu@anjielaw.com.

For more information, please contact:

Samuel Yang | Partner

AnJie Law Firm

P: +86 10 8567 2968

M: +86 1391 0677 369

E: yanghongquan@anjielaw.com