China issues draft Data Security Law to solicit public opinions
Recently, the National People’s Congress released the Data Security Law of the People’s Republic of China (Draft) for public opinions (“Draft”).
Highlights of the draft include:
In order to establish data security system, the State implements:
- data classification and grading protection system:The Draft provides that data should be protected by different levels and categories based the importance of data in economic and social development, and the degree of damage to national security, public interest, or the legitimate rights and interests of citizens and organizations once it has been tampered with, destroyed, leaked, or illegally acquired or illegally used. Relevant departments should formulate catalogues of important data to protect the data.
- export control of data:The State exercises export control over data pertaining to controlled items related to fulfilling international obligations and maintaining national security.
- retaliatory restriction:Where any country or region takes discriminatory prohibitions, restrictions or other similar measures against China in terms of investment and trade related to data and technologies related to data development and utilization, etc., China may take corresponding measures against the country or region according to the actual situation.
In carrying out data related activities, relevant entities should perform the following obligations to protect data security:
- Establish and improve data protection systems:Data activities should be carried out in accordance with the provisions of laws, administrative regulations and mandatory requirements of national standards, to establish and complete data security management systems in all stages, organize data security education and training, and take corresponding technical measures and other necessary measures to ensure data security.
- Carry out security assessments of important data:Processors of important data should conduct regular risk assessments of their data activities in accordance with regulations and submit risk assessment reports to the relevant competent authorities.
- Implement restrictions on cross-border judicial assistance:If overseas law enforcement agencies require access to data stored in China, relevant organizations and individuals shall report to the relevant competent authority and provide it only after obtaining approval.
The Draft also exerts extraterritorial effect on the data processing activities. According to the Draft, organizations and individuals outside China who carry out data activities that damage the national security, public interests or the legitimate rights and interests of citizens and organizations of China shall be investigated for legal responsibility according to law.
For more information, please refer to http://www.npc.gov.cn/npc/c30834/202006/97f149839ff04c428224f6344ead7e38.shtml
MIIT urges tighter management over call centers
The Ministry of Industry and Information Technology (“MIIT“) has recently distributed the Circular on Tightening Call Center Business Management (“Circular“) on June 8, 2020.
The Circular touches upon six aspects, namely stepping up entry management, tightening management of codes and numbers, ramping up access management, beefing up management of business behaviors, miscellaneous, and work requirements.
The Circular calls on enterprises running call centers to improve their own internal management and control mechanism and use technical means to strictly control outbound calls, prohibits them from making or facilitating crank calls, requires them to safekeep at least 30 days phone call records and other information, bans them from leasing out or reselling, without approval, voice trunk lines and other telecommunications resources and from illegally altering or concealing the telecommunications access numbers, and urges them to ensure safety of clients’ personal information.
The Circular clarifies that those who only provide call center systems and seat rental services also belong to operating call center business, and requires relevant operators to verify the legitimacy of user voice trunk and numbers and prevent harassment of calls. The Circular also clarifies that the types of self-use, manpower outsourcing, and technical services do not belong to the business of operating call centers.
After the issuance of the Circular, the enterprise shall carry out a self-examination. Relevant departments will also carry out inspections on operations of the call center business.
For more information, please refer to http://www.miit.gov.cn/n1146290/n1146402/c7979549/content.html
MIIT to carry out the 2020 Network and Data Security Management in Telecommunications and Internet Industry
Recently, the Ministry of Industry and Information Technology (“MIIT”) issued the Notice on Doing a Good Job of Network Data Security Management in the Telecommunications and Internet Industry in 2020 (“Notice”). The Main content of the Notice includes:
- Deepening special governance of network and data security in the industry;
- conducting in-depth evaluation of network and data security compliance;
- Speeding up the construction of network and data security system standards; and
- Improving technology guarantee capabilities of network and data security.
For more information, please refer to http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057724/n3057728/c7981569/content.html
Guidelines on Financial Data Security Classification to be released
It was reported that the China Financial Standardization Technical Committee recently issued a notice that the Financial Data Security – Guidelines on Financial Data Security Classification (“Guidelines”) have been submitted for formal approval.
According to the draft version of the Guidelines, the influence (such as the possible damage, loss and potential risk) caused by the damages on the data’s security (i.e. confidentiality, integrity and availability) is a critical criterion to determine the security level of the data. The main factors to be considered are:
- Object that may be influenced, including national security, public rights and interests, personal privacy and enterprise’s legitimate rights and interests; and
- Possible degree of influence, including very serious, serious, medium and light.
Taking into the two factors above above, the Guidelines classify the security level of financial data from the highest level, level 5, to the lowest level, level 1. The level 4 data corresponds to the C3 information of personal financial information; the level 3 data to C2 information and level 2 data to C1 information.
In February 2020, the People’s Bank of China released the Personal Financial Information Protection Technical Specification, which classifies the personal financial information into C3, C2 and C1 based on the sensitivity of the data.
For more information, please refer to https://mp.weixin.qq.com/s/lkOlhz1OsS2zlzph6BVwzw
MOT: Transport-related scientific data should be shared with the society conditionally
Recently, the Ministry of Transportation (“MOT”) released the Measures for the Management of Transport-Related Scientific Data (Draft for Comment) (“Draft Measures”) for public consultation.
The Draft Measures provide that the transport-related scientific data (“Scientific Data”) should be open to the society and relevant departments on the principle of opening as the norm and not being the exception. The relevant departments will formulate an open catalog of the Scientific Data, to classify Scientific Data into three categories, i.e. unconditional sharing, conditional sharing and not sharing, and to clarify the confidentiality level and confidentiality period, open conditions, open objects and audit procedures, etc. of Scientific Data.
The Draft Measures further clarify the attribution of intellectual property rights of Scientific Data. The Measures stipulate that users of Scientific Data should abide by the relevant provisions on intellectual property rights, and indicate the Scientific Data used and referenced in the publication of papers, patent applications, and monograph publications. Providers of Scientific Data have the right to preferential use of data. If others apply for the use of data, the scientific data center in the industry may provide it to the applicant subject to the written consent of the Scientific Data provider.
The Measures also stipulate the principle of paying for using Scientific Data. For the use of Scientific Data for business activities, the parties should sign a paid service contract, clarifying the rights and obligations between them.
For more information, please refer to http://xxgk.mot.gov.cn/jigou/kjs/202006/t20200623_3398111.html
Zhejiang Province: Public data should be shared with the society conditionally.
Zhejiang provincial government released the Interim Measures of Zhejiang Province for Public Data Opening and Security Management (“Measures”) on June 4, 2020.
The Measures define the “public data” as various types of data resources obtained by administrative agencies at all levels and public institutions with public management and service functions (hereinafter collectively referred to as “public management and service agencies”) in the course of performing their duties according to law. Relevant departments in Zhejiang province will compile open catalog and supplementary catalog for public data in the province. According to the degree of risk of data opening, public data is divided into three categories: unconditional opening, restricted opening, and prohibited opening.
For restricted opening public data, the open subject shall not set discriminatory conditions and shall disclose to the society a list of the restricted public data that has been obtained. Citizens, legal persons and other organizations may propose to the open subject the service requirements for access to restricted open data.
Citizens, legal persons and other organizations may also raise the demand for data open services outside the open catalogue of the public data. Public management and service agencies should conduct assessments and reviews in accordance with the provisions of these Measures and inform the demanders of the relevant processing results.
For more information, please refer to http://www.zj.gov.cn/art/2020/6/17/art_1229017137_557682.html
Shanghai Communications Administration to carry out the 2020 Shanghai Network Security Inspection in Telecommunications and Internet Industry
On June 22, 2020, Shanghai Communications Administration released the Notice on Carrying out the Network Security Inspection of the Telecommunications and Internet Industry in 2020 (“Notice”). according to the Notice, key entities to be inspected are basic telecommunications companies, value-added telecommunications companies, industrial Internet platform companies, operators of critical information infrastructure, operators of mobile Internet App, etc.in Shanghai. The inspection will focus on:
- implementation of the grading and recording, compliance evaluation and security risk assessment by communication network entities;
- check and identification of critical information infrastructure in the industry;
- security protection of industrial Internet platforms and network connected industrial control equipment;
- data security and personal information protection. Emphasis will be put on the inspection of unlawful collection and use of personal information by Apps;
- network security management and technical protection; and
- increased awareness of network security among industry practitioners.
The Notice requires enterprises should complete the self-inspection before July 31, 2020 and Shanghai Communications Administration will conduct random inspection before August 31, 2020.
For more information, please refer to
If you would like to receive our legal update via email, please contact firstname.lastname@example.org.
For more information, please contact:
Samuel Yang | Partner
AnJie Law Firm
P: +86 10 8567 2968
M: +86 1391 0677 369