NISSTC issued the Guidelines for Data Security of Online Car-booking Services (Draft for Comment)
On November 10, 2020, the Secretariat of the National Information Security Standardization Technical Committee (“NISSTC”) issued the Information Security Technology – Guidelines for Data Security of Online Car-booking Services (Draft for Comment) (the “Draft”) for public comments by January 8, 2021.
The Draft specifies the types, scope, methods and conditions of collection, storage, use, sharing, public disclosure and deletion of data, as well as data security management requirements.
The requirements of data collection are as follows:
- Before collecting the personal information of users, online car-booking service operators shall inform users and obtain the consent of users;
- When users refuse to provide personal information other than the minimum necessary personal information, online car-booking service operators shall not refuse to provide the online car-booking service; and
- When users refuse to provide the minimum necessary personal information corresponding to the optional business function of online car-booking service, online car-booking service operators can refuse to provide the corresponding optional business function service but should not refuse to provide online car-booking service.
The requirements of data transmission and storage are as follows:
- When online car-booking service operators transmit personal information through the Internet, they should adopt security measures such as encryption;
- Online car-booking service operators shall store the personal identification information, facial recognition features and audio and video trip recording data of passengers and drivers separately; and
- Online car-booking service operators should not store travel track data and audio and video trip recording data on office terminals; such data should instead be stored on servers protected by security measures.
The Draft also stipulates that online car-booking service operators should not abuse big data analysis and other technical means to set unfair trading conditions based on user consumption records and consumption preferences, thus infringing on users’ legitimate rights and interests.
NISSTC issued the Guidelines on the Code of Ethics for Artificial Intelligence (Draft for Comment)
On November 9, 2020, the Secretariat of the National Information Security Standardization Technical Committee (the “NISSTC”) issued the Practice Guide to Cybersecurity Standards – Guidelines on the Code of Ethics for Artificial Intelligence (Draft for Comment) (the “Draft”) for public comments by November 23, 2020.
The Draft gives safety risk warnings regarding potential ethical issues associated with artificial intelligence (“AI”), and provides guidelines for AI research and development, design and manufacturing, deployment and application, consumer use and other related activities.
On deployment and application, the Draft stipulates that the deployer should explain the functions, limitations, risks and impacts of systems, products or services related to AI to users in a timely, accurate, complete, clear and unambiguous manner, and explain the relevant application process and application results. The deployer should also provide users with a clear and easy-to-operate mechanism to refuse or stop using systems, products or services related to AI. After users refuse or stop using systems, products or services related to AI, the deployer should provide users with alternative non-AI options as far as possible.
RCEP: To protect the personal information of electronic commerce users
On November 15, 2020, the Regional Comprehensive Economic Partnership Agreement (“RCEP”) was concluded. The RCEP consists of 20 chapters, covering comprehensive market access commitments on goods, services, investment and other areas.
The “Electronic Commerce” chapter of the RCEP stipulates that each party to the RCEP is:
- encouraged to improve trade management and procedures through electronic means;
- required to create a favorable environment for electronic commerce, to protect the personal information of electronic commerce users, provide protection for online consumers, and strengthen supervision and cooperation on unsolicited commercial electronic information.
On cross-border transfer of information by electronic means, the RCEP also provides that a party shall not prevent cross-border transfer of information by electronic means where such activity is for the conduct of the business of a covered person.
Announcement on 35 Apps for non-compliant collection and use of personal information
On November 13, 2020, the Task Force on Apps for Illegal Collection and Use of Personal Information (the “Task Force”) found that there were problems in the collection and use of personal information by 35 Apps. It suggested that the relevant App operators rectify the existing problems in time and report the rectification status to the Task Force within 30 days. After the 30 days, the Task Force will verify the rectification status, submit the review results to the relevant departments, and handle those that cannot be effectively rectified according to law.
Live streaming platforms shall establish a mechanism for personal information protection
On November 13, 2020, the Cyberspace Administration of China (“CAC”) issued the Administrative Provisions on Live Streaming Marketing Information Content Services (Draft for Comment) (the “Draft”) to solicit public comments by November 28, 2020.
The Draft stipulates that live streaming platforms shall establish sound mechanisms for the registration and cancellation of accounts and live streaming marketing businesses, information security management, codes of conduct for marketing, minors’ protection, users’ rights protection, personal information protection, credit evaluation and data security. At the same time, the Draft provides that live streaming platforms shall strengthen the service management of live streaming information on the Internet. If illegal or harmful information is found, the platform shall immediately take measures to deal with it, keep relevant records and report to the relevant competent authorities. Live streaming platforms shall prevent and stop illegal advertising, price fraud and other violations of users’ rights and interests, and shall warn users in a prominent way of the risks of private transactions outside the platform.
PBOC issued the Testing and Evaluation Guidelines for Classified Protection of Cybersecurity of Financial Industry and the Implementation Guidelines for Classified Protection of Cybersecurity of Financial Industry
On November 11, 2020, the People’s Bank of China (“PBOC”) formally issued two financial-industry standards, namely the Testing and Evaluation Guidelines for Classified Protection of Cybersecurity of Financial Industry (the “Testing and Evaluation Guidelines”) and the Implementation Guidelines for Classified Protection of Cybersecurity of Financial Industry (the “Implementation Guidelines”).
The Testing and Evaluation Guidelines stipulate the general requirements and extended requirements of security evaluation for Level-2, Level-3 and Level-4 protected objects in the financial industry. The Testing and Evaluation Guidelines are intended to guide financial institutions, evaluation institutions and the competent departments for cybersecurity classified protection in the financial industry in conducting security evaluations of the security status of classified protection objects.
The Implementation Guidelines include six parts, which regulate:
- the cybersecurity framework of the financial industry and the security requirements corresponding to different security levels,
- the basic framework and terminology definition of the cybersecurity level protection work in the financial industry,
- the requirements for setting up cybersecurity positions in financial institutions,
- the competency requirements for cybersecurity positions,
- the cybersecurity personnel ability evaluation requirements,
- the cybersecurity training related requirements, and
- the requirements for implementing cybersecurity classified protection audits in financial institutions, etc.
The Implementation Guidelines are intended to guide financial institutions, evaluation institutions and the competent departments of the financial industry in implementing classified cybersecurity protection.
NISSTC issued the Practice Guide to Cybersecurity Standards – Security Guidelines for Using Software Development Kit (SDK) for Mobile Internet Applications
On November 27, 2020, the Secretariat of the National Information Security Standardization Technical Committee (“NISSTC”) issued the Practice Guide to Cybersecurity Standards – Security Guidelines for Using Software Development Kit (SDK) for Mobile Internet Applications (“Guidelines”).
The Guidelines set out the responsibilities of the parties involved in the use of SDKs and the common security issues, as well as the security principles and measures for App providers and SDK providers to address those common problems. The Guidelines are intended to help App providers prevent SDK security and compliance risks when using SDKs, and also serve as a reference for SDK providers in protecting SDK security and users’ personal information.
According to the Guidelines, App providers should take adequate security measures to ensure that there is no security risk when using SDKs, such as conducting security assessment on the SDK before integrating SDKs, conducting continuous dynamic monitoring or regular security assessment on the integrated SDK, signing a cooperation agreement with SDK providers or further improving the cooperation agreement with the SDK providers.
In addition, SDK providers should collect personal information at the lowest frequency necessary to realize their own business functions, and enhance their own security by means of code audit and code obfuscation.
For more information, please contact:
Samuel Yang | Partner
AnJie Law Firm
P: +86 10 8567 2968
M: +86 1391 0677 369
Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.
Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.
Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.
Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.