State Council to formulate the CII security protection regulations
On July 8, 2020, the General Office of the State Council issued the 2020 Legislative Plan, including several laws in the cyber security sector, such as the Regulations on Network Protection of Minors and the Regulations on the Security Protection of Critical Information Infrastructure.
Supreme People’s Court and the National Development and Reform Commission: to strengthen the protection of data rights and personal information security
On July 20, 2020, the Supreme People’s Court and the National Development and Reform Commission issued the Opinions on Providing Judicial Services and Supports to Accelerate Improvement of the Socialist Market Economy System in the New Era (“Opinions”).
The Opinions emphasize that the state should strengthen the protection of data rights and personal information security. The state should also respect the law of the socialist market economy and the development practice of data-related industries, protect data collection, use, trading and the intellectual achievements according to the law, improve the legal system for data protection, properly handle various data-related dispute cases, promote the deep integration of big data and other new technologies, new fields, and new business forms, and serve the innovative development of the data element market. The state should also implement the provisions of the Personality Rights Part of the Civil Code on the protection of personality interests, improve the judicial protection mechanism for personal information rights and interests such as biological and social data of natural persons, grasp the boundary between the development of information technology and personal information protection and balance the relationship between personal information and public interests.
Shenzhen proposes local data protection regulations to protect “Data Right”
On July 15, 2020, the Justice Bureau of Shenzhen Municipality issued the Data Regulations of Shenzhen Special Economic Zone (“Draft Regulations”) to solicit public opinions by August 14, 2020.
The Draft Regulations propose the concept of “data right” for the first time, defining it as “data is the description and induction of objects (such as facts, events, things, processes, or thoughts), and is the material that can be processed or reinterpreted through automation and other means. Natural persons, legal persons, and unincorporated organizations enjoy data right in accordance with laws, regulations and these Regulations and no organization or individual may infringe upon such right. Data right is the right of the right holder to make independent decisions, control, process, gain, and claim compensation for specific data in accordance with the law.”
The Draft Regulations stipulate the ownership of personal data and public data. According to the Draft Regulations, natural persons have data rights to their personal data in accordance with the law, and no organization or individual may infringe upon such rights. Public data is a new type of state-owned asset, and its data rights belong to the state. The Shenzhen Municipal Government shall exercise the data rights of public data on behalf of the state and authorize the municipal data coordination department to formulate public data asset management measures and organize their implementation.
The Draft Regulations provide that personal data includes personal information data and private data. Personal information data refers to data recorded through automation and other means that can identify the personal identity of a natural person alone or in combination with other data; private data refers to data and its derived data that are closely related to the private life of a natural person and the private space, private activities, and private information that are unwilling to be known to others.
MIIT to crack down on unlawful behaviors in the information and communications industry exposed in the “3·15” program by CCTV
On July 16, 2020, CCTV’s 3·15 program exposed the chaos of third-party mobile phone SDK plug-ins in collecting and using users’ personal information. It was reported that technicians had found that the SDK plug-ins from two companies, i.e. Credit X and Zhaocai Dog, embedded in more than 50 Apps, collect users’ information without prior notice to the user.
In response to the unlawful collection and use of personal information made by the SDK plug-ins, the Ministry of Industry and Information Technology (“MIIT”) immediately organized relevant entities to conduct thorough inspections, and strictly investigated and dealt with the enterprises involved in accordance with laws and regulations. The MIIT requires,
- the Beijing Communications Bureau and Shanghai Communications Bureau to inspect the two companies involved;
- third-party testing institutions to conduct technical testing on 50+ Apps that use the above SDKs;
- major domestic application stores such as Alibaba, Tencent, Baidu, Huawei, Xiaomi, OPPO, vivo, 360, etc., to conduct thorough investigations of similar problems as soon as possible; Apps found to have problems should be removed as soon as possible; application stores are also required to promptly notify App developers and operators to conduct self-examination and self-correction, so as to promptly discover and deal with SDKs that unlawfully collect and use users’ personal information.
As a next step, the MIIT will adopt normalized regulatory measures to strengthen the comprehensive management of Apps. The MIIT is about to increase the handling and exposure of various unlawful activities, such as collection and use of users’ personal information without consent, to effectively protect the legitimate rights and interests of users.
MIIT exposes the second and third batches of Apps infringing upon user’s rights and interests
Recently, the Ministry of Industry and Information Technology (“MIIT”) organized third-party testing agencies to conduct inspections of mobile applications (“Apps”) and issued the Second and Third Batches of Apps that Infringe Upon User’s Rights and Interests, requiring operators of these Apps to make rectification. As of now, a number of Apps still have not completed rectification, and the MIIT requires them to complete rectification before designated deadlines, failing which the MIIT may impose punishment on these Apps.
The above Apps were found to have the following problems:
- asking for permission frequently or excessively;
- refusing to provide services if no permission is given;
- collecting personal information without consent or beyond the agreed scope;
- sharing personal information with third parties without consent;
- forcing users to use target pushing functions; and
- making it difficult to de-register the account.
2020 Governance Work campaign on illegal collection and use of personal information by Apps officially launched
On July 22, 2020, the Central Cyberspace Administration, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation held a meeting in Beijing and launched the 2020 governance work on illegal collection and use of personal information by Apps.
The governance work in 2020 will continue to focus on the following aspects:
(1) Formulate and release the key points of personal information security assessment for SDKs and mobile phone operating systems, and conduct in-depth assessments of Apps, SDKs, and mini programs that have a large scale of users and attract large volume of complaints;
(2) Carry out special research and in-depth inspections in response to the typical problems reported by the public, such as illegal collection and use of biometric information (e.g. facial features), self-activation and associated activation of Apps, upload of personal information by Apps without asking for the user’s permission, and the abuse of sensitive permissions such as recording and photographing;
(3) Intensify the detection, exposure, and punishment of illegal collection and use of personal information. According to the severity of the circumstances and the consequences, punishments such as interviews, warnings, removals, and fines will be imposed in accordance with laws and regulations;
(4) Formulate and release guidelines for App stores to review and manage the collection and use of personal information by Apps, and guide and urge App stores to carry out security reviews properly before Apps go online;
(5) Release free technical tools to guide small and medium-sized enterprises to conduct self-assessment on collection and use of personal information to improve the legal compliance of personal information collection and use activities by small and medium-sized enterprises;
(6) Promote security certification for the protection of personal information by Apps; and
(7) Strengthen personal information security assessment trainings and promote the standardization of personal information security assessment.
MIIT launches a special campaign to promote governance on Apps that infringe upon user’s rights and interests
In order to effectively strengthen the protection of users’ personal information, the Ministry of Industry and Information Technology (“MIIT”) issued the Notice on Carrying out the Special Campaign to Promote Governance on Apps that Infringe upon User’s Rights and Interests (“Notice”) on July 24, 2020, requiring that a national App technology testing platform management system should be launched before the end of August 2020, which is expected to complete testing for 400,000 mainstream Apps before December 10, 2020.
This campaign focuses on the following illegal behaviors by service providers of Apps and SDKs, as well as by application distribution platforms:
- illegal behaviors of Apps and SDKs, including illegal collection of personal information, collection of personal information beyond the agreed scope, illegal use of personal information and forcing users to use target pushing functions;
- setting up barriers and frequently harassing users, such as forcing users to give permission, frequently asking for permission or excessively asking for permission made by Apps, and frequent self-activation and associated activation of Apps;
- deceiving and misleading users, including deceiving or misleading users to download Apps or providing personal information; and
- failure to perform obligations by application distribution platforms, including not clearly stating the information about Apps distributed by them, and not implementing the management responsibility.
According to the Notice, the MIIT will organize third-party testing agencies to conduct technical testing of Apps and SDKs and will supervise and inspect the implementation of the main responsibilities of application distribution platforms. Companies found to have problems during the first inspection will be ordered to complete rectification within 5 working days. If there are still problems after rectification, they may face punishments including public exposure, removals, administrative penalties and listing as bad business operators or untrustworthy telecommunications businesses. Companies that have repeated problems in different versions of their Apps will be exposed to the public and face follow-up disposal measures.
NISSIT seeks public opinions on Security Requirements for Supply Chain of Information Technology Products
On July 27, 2020, the National Information Security Standardization Technical Committee (“NISSIT”) released the Information Security Technology — Security Requirements for Supply Chain of Information Technology Products (Draft for Comment) (“Draft Requirements”) to seek public opinions by September 26, 2020.
The Draft Requirements, as a recommended national standard, will apply to the security management activities of the information technology product supply chain of government information systems and critical information infrastructure and can also provide a reference for the supply chain security management activities of other information systems.
According to the Draft Requirements, the supplier of information technology products should meet the following requirements:
- carrying out supply chain security risk assessment;
- developing the traceability strategy of purchased information technology products and components, recording and retaining information such as the origin and original supplier of information technology products and components;
- establishing and implementing a secure development process for information technology products, clarifying development management requirements, security control measures and personnel codes of conduct, etc.
The customer of information technology products should meet the requirements such as:
- establishing and maintaining a catalog of qualified suppliers;
- regularly assessing the risks of interruption of information technology product supply, suspension of authorization, and refusal to provide product upgrades or technical support services.
NISSIT issues Self-Assessment Guidelines for Apps to Collect and Use Personal Information
On July 25, 2020, the Secretariat of National Information Security Standardization Technical Committee (“NISSIT”) released the Practical Guide to Cyber Security Standards – Self-Assessment Guidelines for Apps to Collect and Use Personal Information (“Guidelines”) to guide App operators to carry out self-assessment.
The Guidelines provide 28 self-assessment items in total, covering the following six aspects:
- whether the rules on collection and use of personal information are made public;
- whether the purpose, method and scope of collection and use of personal information are clearly stated;
- whether the collection and use of personal information is subject to the user’s consent;
- whether the principle of necessity is complied with, under which only personal information in relation to the services being provided is collected;
- whether the provision of personal information to others is subject to the user’s consent; and
- whether functions of deleting or correcting personal information are provided, or methods for complaint are made public.
The Guidelines are formed on the basis of the Method for Identifying the Illegal Collection and Use of Personal Information by Apps jointly issued by the Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security and State Administration for Market Regulation and the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps issued by the App Governance Panel.
NISSIT issues the draft Guidelines for Application and Use of System Permissions by Apps
On July 29, 2020, the Secretariat of National Information Security Standardization Technical Committee (“NISSIT”) released the Practical Guide to Cyber Security Standards— Guidelines for Application and Use of System Permissions by Mobile Internet Applications (App) (Draft for Comment) (“draft Guidelines”) to seek public opinions by August 12, 2020.
The draft Guidelines provide the basic principles and general requirements for Apps to apply for and use system permissions, as well as the application and use requirements for ten types of Android system permissions, such as call log, SMS and location.
The draft Guidelines also list the common sensitive system permissions, typical issues in applying for and using system permissions, and the system permissions that common business functions are not recommended to apply for.
Tianjin: personal privacy data cannot be traded
On July 30, 2020, Tianjin Cyberspace Administration released the Interim Measures for Data Transaction Management in Tianjin (Draft for Comment) (“Draft Measures”).
The Draft Measures classify data into tradable data and data that is prohibited from being traded. Tradable data refers to all kinds of data obtained according to law that cannot identify specific data providers and cannot be recovered.
Data prohibited from being traded includes:
- data related to national security, public security and personal privacy;
- data involving trade secrets without authorization and consent of the legal obligee;
- data involving personal information without the explicit consent of the subject of personal information; data involving personal information of minors above the age of 14 without express consent of the minors or their guardians; data involving personal information of minors under the age of 14 without express consent of guardians;
- data obtained by means of fraud, deception and misleading, or from illegal and undue channels;
- data that is clearly prohibited by other laws and regulations or legal agreements.
The Draft Measures require that data providers conduct a security risk assessment on the data to be traded and issue security risk assessment reports. The data trading service agency shall review the security risk assessment report to ensure that the data to be traded does not contain data prohibited from being traded.
Anhui Province proposes regulations to boost development and application of big data
On July 6, 2020, the Government of Anhui Province issued the Regulations on the Development and Application of Big Data in Anhui Province (“Draft Regulations”) to seek public opinions.
The Draft Regulations encourage enterprises, universities, scientific research institutions and other organizations and individuals to engage in research and development of big data technology and to develop software and hardware products; to use big data to develop new industries, new formats and new models; to develop the online economy; and to give full play to the economic value and social benefits of data resources.
The Draft Regulations further encourage and guide data trading parties to conduct data transactions in big data trading service institutions established according to law. It also clarifies that data resource transaction shall follow the principles of voluntariness, fairness, honesty and credibility, that data resource transaction shall abide by laws and regulations, and respect social morality; and that data resource transaction shall not disclose, sell or illegally provide personal information, privacy and business secrets to others, and shall not damage the interests of the state, the public and the legitimate rights and interests of others.
MoT solicits opinions on Guidelines for Constructing National Connected Car Industry Standard System (Intelligent Transport Related)
The Ministry of Transport (“MoT”) released the Guidelines for Constructing National Connected Car Industry Standard System (Intelligent Transport Related) (“Draft Guidelines”) on July 31, 2020 to seek opinions from relevant competent authorities and associations by August 14, 2020.
The Draft Guidelines set out the key fields where standards should be developed:
- standards of basic generality, including the terms and descriptions, classification codes and symbols, and data management;
- road facilities, including general requirements, traffic perception, traffic control and guidance, intelligent roadside, roadside communication, and map and positioning;
- vehicle-road interaction, including information interaction, vehicle and portable terminal, and vehicle assistance and safe driving;
- management and service, including travel service, transportation organization, and management platform; and
- information security, including certificate keys, and network security protection.
According to the Draft Guidelines, a standard system supporting the application and industrial development of connected cars should be initially established by the end of 2022, by which time more than 20 standards related to intelligent transport in areas such as intelligent transport infrastructure and assisted driving will have been developed and revised. By 2025, it is expected that more than 40 standards will have been developed and revised.
If you would like to receive our legal update via email, please contact firstname.lastname@example.org.
For more information, please contact:
Samuel Yang | Partner
AnJie Law Firm
P: +86 10 8567 2968
M: +86 1391 0677 369