MIIT launches 2020 program of checking cyber security in telecommunications and internet industries
On October 9, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Circular on Working Effectively on the 2020 Program of Checking the Cyber Security in the Telecommunications and Internet Industries (the “Circular”).
The Circular provides that the checking object includes networks and systems constructed and operated by basic telecommunication enterprises, Internet enterprises, domain name registration management and service institutions that have obtained the permission of competent telecommunication authorities according to the law. In addition, the checking will focus on the critical information infrastructure as well as important network units and their carrying information systems of the telecommunications and Internet industries, including but not limited to 5G network infrastructure, Mobile App Store, Internet of Things platforms, Industrial Internet platform, Internet of Vehicles application service platform and online car-hailing information service platforms.
Three main contents of the checking are the implementation of cyber security management, technical measures for cyber security protection, and hidden dangers of major cyber security risks.
CAC seeks opinions on revising Administrative Provisions on Information Services Provided through Official Accounts to Internet Users
On October 15,2020, the Cyberspace Administration of China (“CAC”) issued the Administrative Provisions on the Information Services Provided through Official Accounts to Internet Users (Draft for Comments) (the “Draft”) for public comments by October 30, 2020.
The Draft stipulates that a platform for the information services provided through official accounts should: prohibit those official accounts that have been closed in accordance with the law and agreement from re-registering with the same account names; review the application for the registration of official accounts engaged in producing the information on the economic, education, health, justice and other fields, and require users to provide the evidentiary materials related to their professional background and professional qualifications when registering; official account information service platform can suspend or terminate the provision of services according to the service agreement for those official accounts that are not logged in or used for more than six months after Internet users have registered; prohibit the compulsory subscription to or following of official accounts of other users without the informed consent of Internet users; and ten kinds of behaviors are prohibited, among which it is required not to “manipulate and utilize multiple platform accounts, release homogeneous information in batch, generate false traffic data, and create false public opinion hot spots”.
Standing Committee of the National People’s Congress adopts the Export Control Law
The Export Control Law of the People’s Republic of China (the “Export Control Law”), adopted at the 22nd Session of the Standing Committee of the 13th National People’s Congress on October 17, 2020, is promulgated, effective on December 1, 2020.
According to the Export Control Law, the term “export control” refers to prohibitive or restrictive measures taken by the State against the transfer of controlled items from the territory of the People’s Republic of China to overseas, and the provision of controlled items by citizens, legal persons and other non-incorporated organizations of the People’s Republic of China to foreign organizations and individuals.
The Export Control Law provides reciprocal measures: where any country or region harms the national security and interests of the People’s Republic of China by abusing the export control measures, the People’s Republic of China may take reciprocal measures against such country or region in light of the actual situations.
The Export Control Law also stipulates that where an exporter has established an internal compliance system for export control and is in good operation, the State’s export control authorities may grant it a general license or take other facilitation measures for relevant controlled items exported by it. Specific measures shall be formulated by the State’s export control authorities.
China will establish a biosafety information sharing system and biosafety information release system
The Biosecurity Law of the People’s Republic of China (the “Biosecurity Law”) is adopted at the 22nd Session of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on October 17, 2020, effective April 15, 2021.
The Biosecurity Law provides that the State will establishes a biosafety information sharing system. The national biosafety work coordination mechanism shall organize to establish a unified national biosafety information platform, and the relevant authorities shall collect and deliver the biosafety data and materials and other information to the national biosafety information platform to achieve information sharing.
In addition, the Biosecurity Law provides that the State will establishes a biosafety information release system. Major biosafety information such as the overall situation of the national biosecurity, major biosecurity risk warnings, major biosecurity incidents and their investigation and handling information shall be released by the members of the national biosafety work coordination mechanism according to the division of their responsibilities; other biosafety information shall be released by the relevant departments under the State Council, the local people’s governments at or above the county level and the relevant departments thereof according to their responsibilities and authority. No organization or individual may fabricate or spread false biosafety information.
The Biosecurity Law also requires that where the information on human genetic resources of China is to be provided or made available for use to any overseas organization or individual or the institution established or actually controlled thereby, a report shall be submitted in advance to the department in charge of science and technology under the State Council and information backup shall be submitted.
The Chapter Network Protection has been added to the Law on the Protection of Minors
The 22nd Session of the Standing Committee of the 13th National People’s Congress adopted the Law of the People’s Republic of China on the Protection of Minors (Revised in 2020) (the “Law “) on October 17, 2020, which shall take effect from June 1, 2021.
The Chapter Network Protection has been added to the revised Law and the provisions on the protection of minors’ personal information are as follows:
- Information processors who process personal information of minors through the Internet shall follow the principles of legality, legitimacy and necessity. On processing the personal information of minors under the age of 14, the consent of their parents or other guardians shall be obtained, except as otherwise provided by laws and administrative regulations.
- If minors, theirparents or other guardians require the information processor to correct or delete the personal information of minors, the information processor shall take timely measures to correct or delete the personal information, unless otherwise provided by laws and administrative regulations.
- If the Internet service provider discovers that minors release private information through the Internet, they shall prompt them in time and take necessary protection measures.
- If the Internet service provider discovers that the user publishes or disseminates information that may affect the physical and mental health of minors without making a noticeable reminder, it shall make a reminder or notify the user to be reminded; if no reminder is given, the relevant information shall not be transmitted.
- If the Internet service provider finds that the user publishes and disseminates the information that endangers the physical and mental health of minors, it shall immediately stop transmitting the relevant information, take measures such as deleting, shielding and disconnecting links, keep relevant records, and report to the cyberspace administration, public security and other departments.
- If the Internet service provider discovers that a user has committed an illegal or criminal act against a minor by using its Internet service, it shall immediately stop providing Internet service to the user, keep relevant records and report to the public security organ.
Network transaction operators shall keep the personal information collected strictly confidential
On October 20, 2020, the State Administration for Market Regulation issued the Measures for the Supervision and Administration of Online Transactions (the “Draft”) for public comments by November 2, 2020.
On the protection of personal information, the Draft stipulate that network transaction operators shall obtain the authorization and consent of the collector when collecting and using the personal information of users, and clearly state the purpose, necessity, scope and method of collection and use based on the principle of legality, legitimacy and necessity. It is not allowed to adopt a one-off general authorization method, or to force or disguisedly force the collector to agree to the collection and use of information that is not directly related to business activities by default authorization, binding with other authorizations, or stopping installation and use. When collecting and using sensitive information such as biometric information, health information, property information, social information, etc., authorization and consent of the collector shall be obtained one by one. Network transaction operators and their staff shall keep the personal information collected strictly confidential and shall not provide it to any third party, including related parties, without the authorization and consent of the collector.
MIIT strengthens in-process and ex-post regulation of foreign-funded telecommunications enterprises
On October 20,2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Circular on Strengthening the In-process and Ex-post Regulation of Foreign-invested Telecommunications Enterprises (the “Circular”).
The Circular provides that the MIIT will cease to approve and issue the Examination Decision on Foreign Investment in Telecommunications (the “Decision”) from the date of issuance of the Decision of the State Council on Cancelling and Decentralizing a Number of Administrative Licensing Items, and the examination of foreign investments will be included in the process of approval of business licensing for telecommunications accordingly. The Circular further clarifies that foreign-invested enterprises that have been approved with the Decision issued previously may continue to apply for the business licensing for telecommunications in accordance with legal procedures. When directly applying for the business licensing for telecommunications or for changes in the telecommunications business, subsequent foreign-invested enterprises are required to concurrently submit relevant application materials on foreign investments, and the MIIT will handle the applications in accordance with laws and regulations.
The Circular also stipulates that restrictions on shareholding ratio held by foreign investors and other access policies and requirements shall be still subject to the Administrative Provisions on Foreign-funded Telecommunications Enterprises, the Telecommunications Regulations of the People’s Republic of China, the Special Administrative Measures (Negative List) for Foreign Investment Access, and other legal documents.
The Law of the People’s Republic of China on Personal Information Protection (Draft) is released
On October 21, 2020, the 22nd Session of the Standing Committee of the 13th National People’s Congress released the Law of the People’s Republic of China on Personal Information Protection (Draft) (the “Draft”) for public comments by November 19, 2020.
The Draft provides it shall apply to activities conducted by organizations and individuals to process the personal information of natural persons within the territory of the People’s Republic of China. And it shall also apply to activities outside territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:
- personal information processing is to serve the purpose of providing products or services for natural persons within the territory of the People’s Republic of China;
- personal information processing is to serve the purpose of analyzing and evaluating the behaviors of natural persons within the territory of the People’s Republic of China; or
- having other circumstances as stipulated by laws and administrative regulations.
On the cross-border transfer, the Draft requires that critical information infrastructure operators and personal information processors who process personal information up to the amount as specified by the State cyberspace authorities shall store within the territory of the People’s Republic of China the personal information which they collect and generate within the territory of the People’s Republic of China. If it is really necessary to provide such information overseas, critical information infrastructure operators and personal information handlers shall pass security assessment organized by the State cyberspace authorities; if any law, administrative regulation or the State cyberspace authorities stipulate that security assessment may not be conducted, such provision shall prevail.
The Draft also provides that where personal information is processed in violation of this Law or personal information is processed without any necessary security protection measure in compliance with regulations, authorities performing personal information protection duties shall order a correction, confiscate any unlawful income, and issue a warning; and, if correction is not made, a fine of up to CNY1 million shall be imposed on the personal information processor if it is an organization; and any directly liable person-in-charge or any other directly liable individual shall be fined between CNY10,000 and CNY100,000. If the unlawful act mentioned in the preceding paragraph is grave, authorities performing personal information protection duties shall order a correction, confiscate any unlawful income, and impose a fine of up to CNY50 million, or 5% of last year’s annual revenue, and may also order the suspension of related business operations or suspension of business for rectification, and/or report to relevant competent authorities for the cancellation of the related business permit or cancellation of the business license; and any directly liable person-in-charge or any other directly liable individual shall be fined between CNY100,000 and CNY1 million.
The Ministry of Industry and Information Technology announced the fifth batch of Apps on infringement of users’ rights and interests
The Ministry of Industry and Information Technology recently organized a third-party testing agency to inspect the mobile phone application software and urge enterprises which do not meet relevant requirements to rectify. As of October 26, there are 131 Apps that have not been rectified, and these Apps should be rectified before November 2. In this test, many problems were found in input method Apps, travelling Apps, e-commerce Apps, audio and video Apps. Some App stores and mobile application distribution platform management entities have not fulfilled their responsibilities, and SDK enterprises illegally collected user personal information.
If you would like to receive our legal update via email, please contact firstname.lastname@example.org.
For more information, please contact:
Samuel Yang | Partner
AnJie Law Firm
P: +86 10 8567 2968
M: +86 1391 0677 369
Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.
Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.
Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.
Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.