The Chinese side proposes a Global Initiative on Data Security
On September 8, 2020, Foreign Minister Wang Yi delivered a keynote speech at a high-level meeting of an international seminar on the theme “Seizing Digital Opportunities for Cooperation and Development” and proposed a Global Initiative on Data Security (“Initiative”). The Initiative mainly includes the following:
First, approach data security with an objective and rational attitude, and maintain an open, secure and stable global supply chain.
Second, oppose using information and communications technology (ICT) activities to impair other States’ critical infrastructure or steal important data.
Third, take actions to prevent and put an end to activities that infringe upon personal information, oppose abusing ICT to conduct mass surveillance against other States or engage in unauthorized collection of personal information of other States.
Fourth, ask companies to respect the laws of host countries, and refrain from coercing domestic companies into storing data generated and obtained overseas in one’s own territory.
Fifth, respect the sovereignty, jurisdiction and governance of data of other States, avoid asking companies or individuals to provide data located in other States without the latter’s permission.
Sixth, meet law enforcement needs for overseas data through judicial assistance or other appropriate channels.
Seventh, ICT products and services providers should not install backdoors in their products and services to illegally obtain user data.
Eighth, ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products.
The Ministry of Public Security issued the Guiding Opinions on the Implementation of Multi-Level Protection System of Cybersecurity and Critical Information Infrastructure Security Protection System
Recently, the Ministry of Public Security issued the Guiding Opinions on the Implementation of Multi-Level Protection System of Cybersecurity and Critical Information Infrastructure Security Protection System (“Opinions”). The Opinions mainly include the following:
- Implementing the multi-level protection system of national cybersecurity
- Deepening the work of network classification filing
Network operators whose networks are classified as Level 2 or above shall file with the public security organ and the competent department of the industry.
- Carrying out cybersecurity classification assessment regularly
Network operators whose networks are classified as Level 3 or above shall entrust a classification assessment institution that complies with the relevant provisions of the State to carry out a cybersecurity classification assessment once a year, and shall submit the assessment report to the public security organ and the competent department of the industry in a timely manner. A new network classified at Level 3 or above shall be put into operation only after passing the classification assessment.
- Implementing cryptography security protection requirements
Network operators whose networks are classified as Level 3 or above shall correctly and effectively adopt cryptographic technology for protection and use cryptographic products and services that meet the relevant requirements.
- Establishing and implementing the critical information infrastructure security protection system
- Organizing to identify critical information infrastructure
The competent departments (hereinafter referred to as the “Protection Departments”) of important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and the national defense science and technology industry, shall formulate rules for the identification of critical information infrastructure in their respective industries and fields and report them to the Ministry of Public Security for the record.
- Strengthening the protection of important data and personal information.
Establishing and implementing the important data and personal information protection system. Critical information infrastructure operators shall store within the territory of the People’s Republic of China the personal information and important data collected and generated during their operations within the territory of the People’s Republic of China. Where such information and data have to be provided abroad for business purposes, a security assessment shall be conducted pursuant to the relevant provisions.
Beijing: allow foreign companies to invest in virtual private networks
The State Council recently approved the Work Plan for Deepening a New Round of Comprehensive Pilot Projects for the Opening up of Beijing’s Service Industry and the Construction of a Comprehensive Demonstration Area for the Expansion of National Service Industry (“Plan”). The Plan will:
- Allow foreign companies to invest in domestic internet virtual private network (VPN) services, with foreign shareholding not exceeding 50 percent. Overseas telecommunications carriers may set up joint ventures to provide such services to foreign enterprises in Beijing.
- Support the application of the Internet of Vehicles (intelligent connected cars) and autonomous-driving maps, and build the Beijing–Shanghai Internet of Vehicles highway.
- Standardize the safe and orderly cross-border flow of data, explore the establishment of data security management mechanisms such as data protection capability certification and promote the pilot project of security management and assessment on data cross-border transfer.
The China Banking and Insurance Regulatory Commission: standardizing the health management services of insurance companies to ensure the security of the related data and information
The China Banking and Insurance Regulatory Commission (“CBIRC”) issued the Circular on Standardizing Health Management Services of Insurance Companies (the “Circular”) on September 6, 2020.
The Circular emphasizes the following personal information protection work:
- informing customers in advance of the content, process, standards, term, precautions and possible risks of the health management services and obtaining their informed consent; where any third-party service partner participates, customers shall be informed at the same time;
- obtaining the customer’s consent when collecting the customer’s health data; and
- not providing the customer’s personal information or any health data to others without the customer’s authorization, so as to ensure data security and protect personal privacy in accordance with the law.
The People’s Bank of China issued the Implementing Measures for Protection of Financial Consumers’ Rights and Interests
On September 15, 2020, the People’s Bank of China (“PBOC”) issued the Implementing Measures of the People’s Bank of China for Protection of Financial Consumers’ Rights and Interests (“Measures”), which will take effect on November 1, 2020.
On protection of financial information of consumers, the Measures provide that banks and payment institutions shall:
- adhere to the principles of legality, good faith and necessity, and obtain the explicit consent of financial consumers or their guardians, unless otherwise stipulated by laws and administrative regulations;
- not collect consumers’ financial information unrelated to their business, not adopt improper means to collect consumers’ financial information, and not collect consumers’ financial information in a disguised, compulsory manner;
- not refuse to provide financial products or services on the ground that financial consumers do not agree to have their financial information processed, except that processing their financial information is necessary for providing financial products or services;
- use appropriate means to enable financial consumers to independently choose whether or not to consent to the use of their financial information by banks and payment institutions for the purposes of marketing, user experience improvement or market research. Where financial consumers do not agree, banks and payment institutions shall not refuse to provide financial products or services. If banks and payment institutions send financial marketing information to financial consumers, they shall provide them with a way to refuse to continue receiving such information;
- where banks and payment institutions obtain consumers’ consent to the collection and use of financial information under standard terms, specify in those terms the purpose, method and content of collection and the scope of use, and remind financial consumers of the possible consequences of such consent in a prominent and easy-to-understand way; and
- use consumers’ financial information pursuant to the provisions of laws and regulations and for the purpose agreed between both parties and shall not use such information beyond the agreed scope.
The Ministry of Commerce promulgated the Provisions on the Unreliable Entity List
On September 19, 2020, the Ministry of Commerce promulgated the Provisions on the Unreliable Entity List (“Provisions”), which took effect on the date of promulgation.
The State shall establish the Unreliable Entity List System (“System”) and a working mechanism in which the relevant central departments participate (hereinafter referred to as the “Working Mechanism”) to take charge of the organization and implementation of the System. The Office of the Working Mechanism is located at the competent department of commerce of the State Council.
The Working Mechanism shall, based on the results of the investigation and by taking into overall consideration the following factors, make a decision on whether to include the relevant foreign entity in the Unreliable Entity List (“List”), and make an announcement of the decision:
- the degree of danger to national sovereignty, security or development interests of China;
- the degree of damage to the legitimate rights and interests of enterprises, other organizations, or individuals of China;
- whether being in compliance with internationally accepted economic and trade rules; and
- other factors that shall be considered.
The Working Mechanism may, based on actual circumstances, decide to take one or several of the following measures (hereinafter referred to as the “Measures”) against the foreign entity which is included in the List, and make an announcement of the decision:
- restricting or prohibiting the foreign entity from engaging in China-related import or export activities;
- restricting or prohibiting the foreign entity from investing in China;
- restricting or prohibiting the foreign entity’s relevant personnel or means of transportation from entering China;
- restricting or revoking the relevant personnel’s work permit, status of stay or residence in China;
- imposing a fine of the corresponding amount according to the severity of the circumstances; and
- other necessary measures.
The State Council announced the Overall Plan of China (Beijing) Pilot Free Trade Zone
On September 21, 2020, the State Council announced the Overall Plan of China (Beijing) Pilot Free Trade Zone (the “Plan”).
The Plan states that Beijing will explore the establishment of an international information industry and digital trade port. The specific measures are as follows:
- on the premise that risks are controllable, exploring as a priority software real-name certification, data origin labelling, the import and export of data products, etc.;
- building the digital copyright trading platform to promote the development of intellectual property protection and intellectual property financing business;
- conducting efficient and convenient digital import and export inspection on software and Internet service trade;
- actively exploring a third-party certification mechanism for the data protection capabilities of enterprises; and
- exploring the establishment of a website filing system to meet the needs of overseas customers.
Task Force on Personal Information Protection by Apps: 81 Apps have personal information collection and use problems
On September 17, 2020, the Task Force on the Personal Information Protection by Apps (“Task Force”) announced that its assessment had found problems in the collection and use of personal information in 81 Apps, and required the relevant App operators to rectify the problems in a timely manner and report the rectification status to the Task Force within 30 days of the announcement. After the 30 days, the Task Force will verify the rectification status and submit the review results to the relevant departments; App operators who fail to effectively rectify the relevant problems will be punished in accordance with the law.
FAQ and Handling Guide for Personal Information Protection by Mobile Internet Application (App) and two other standards released
During the recent 2020 National Cyber Security Promotion Week, the Task Force on the Illegal Collection and Use of Personal Information by Apps (“Task Force”) held an “App Personal Information Protection” themed release event in Beijing (“Event”). At the Event, three standards related to personal information protection by Apps were released: the FAQ and Handling Guide for Personal Information Protection by Mobile Internet Application (App) (“FAQ and Handling Guide”), the Mobile Internet Application (App) System Permission Application Guidelines (“System Permission Guidelines”) and the Security Guidelines for Third-Party Software Development Kit (SDK) in Mobile Internet Applications (App) (Draft for Comment) (“Draft SDK Security Guidelines”).
The FAQ and Handling Guide addresses the problems of excessive collection, mandatory permission requests, frequent permission requests, and failure to notify the purpose of collection at the time of collection by Apps. Based on statistics on the frequency of these problems, it sets out the ten most frequently asked questions in current App personal information protection together with handling guidelines, to help App operators prevent and deal with such problems.
The System Permission Guidelines address typical issues such as mandatory, frequent, and excessive claims for system permissions by Apps, bundling authorization, privately calling permissions to upload personal information, and sensitive permissions abuse. It also provides the basic principles and security requirements for system permissions by Apps, which can help App providers standardize App system permission applications and use behaviors and prevent personal information security risks caused by improper use of system permissions.
The Draft SDK Security Guidelines address the problems of third-party SDK’s own security vulnerabilities, malicious third-party SDKs, and unlawful collection and use of personal information by third-party SDKs in the current third-party SDK use practice. Combined with current mobile Internet technology and application status, the Draft SDK Security Guidelines provide practical guidelines for App providers and third-party SDK providers on third-party SDK security issues, aiming to reduce App security and personal information security issues caused by third-party SDKs.
In addition to the above guidelines, the Event also released a promotional video and, for readers’ convenience, the English version of the national standard Information Security Technology – Personal Information Security Specification (GB/T 35273-2020), as well as other outputs relating to App security certification, free evaluation tools, research reports and public education.
The People’s Bank of China issued the Financial Data Security Guidelines for Data Security Classification
On September 23, 2020, the People’s Bank of China (“PBOC”) issued the Financial Data Security Guidelines for Data Security Classification (“Guidelines”). The Guidelines apply to financial institutions carrying out data security classification work and to third-party assessment institutions carrying out data security inspection and evaluation.
According to the Guidelines, the financial data involved in the security classification include but are not limited to:
- data collected directly (or indirectly) in the process of providing financial products or services, including data signed for or collected at the counter via paper agreements and then transferred to or saved in computer systems after information processing, and electronic information signed for or collected through information systems;
- data generated and stored in the information system of financial institutions, including business data, operation and management data, etc.;
- electronic data generated, exchanged and filed in the internal office network and office equipment (terminal) of financial institutions. For example, daily business processing information, policies and regulations, business or business management data temporarily stored in business terminals, e-mail information, etc;
- electronic data formed by scanning or other electronic means of the original paper documents of financial institutions;
- other data that should be classified.
At the same time, the Guidelines provide that, according to the objects affected and the degree of impact caused by damage to the data security of financial institutions, data are divided into five security levels, from Level 5 (highest) to Level 1 (lowest).
Implementation Plan for the Establishment of Beijing International Big Data Exchange: establish and perfect the new data element management system of “separation of ownership and right of use”
On September 29, 2020, the Beijing Local Financial Supervision and Administration and the Beijing Municipal Bureau of Economy and Information Technology issued the Implementation Plan for the Establishment of Beijing International Big Data Exchange (“Plan”).
The Plan will establish and improve a new data element management system based on the “separation of ownership and right of use”, explore a new mechanism for the orderly circulation and efficient utilization of data elements, thoroughly implement the Beijing big data action plan, and strengthen the integration and application of cross-regional, cross-domain, cross-department and cross-level data resources.
The Plan states that Beijing municipal state-owned enterprises with high-quality data resources will restructure the existing exchange and rename it Beijing International Big Data Exchange. Strategic investors such as central enterprises and Internet enterprises will be introduced in due course to increase the registered capital, change the business scope and change the traded products. The services of Beijing International Big Data Exchange will include data information registration services, data product trading services, data operation management services, data asset financial services and data asset financial technology services.
If you would like to receive our legal update via email, please contact email@example.com.
For more information, please contact:
Samuel Yang | Partner
AnJie Law Firm
P: +86 10 8567 2968
M: +86 1391 0677 369
Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.
Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.
Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.
Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.