China Cybersecurity and Data Protection - Monthly Update - July 2023 Issue

This newsletter summarizes the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Legislative Developments

  1. National Information Security Standardization Technical Committee released Practice Guidelines for Cybersecurity Standards - Implementation Guidelines for Cyber Data Security Risk Assessment

    On May 29, to implement the requirements of the Data Security Law on data security risk assessment, the Secretariat of the National Information Security Standardization Technical Committee (the "TC260") compiled the Practice Guidelines for Cybersecurity Standards - Implementation Guidelines for Cyber Data Security Risk Assessment (the "Implementation Guidelines"). The Implementation Guidelines outline the approach, workflow, and key components of the data security risk assessment, including data security management, data processing activities, data security technology, and personal information protection. The Implementation Guidelines are relevant not only for data processors and third-party agencies conducting risk assessments, but also serve as a reference for competent supervisory authorities in their data security inspection and assessment.

  2. Sichuan released Interim Guidelines for Construction of Chief Data Officer System in Enterprises for comments

    On May 30, the Sichuan Provincial Department of Economy and Information Technology issued the Interim Guidelines for the Construction of the Chief Data Officer System in Enterprises in Sichuan Province (Draft for Comments) (the "Sichuan CDO Guidelines"), to further unlock the value of data elements and promote enterprise development. The Sichuan CDO Guidelines aim to: (1) outline the principle of a government-led approach that centres around enterprises, matching power with accountability while prioritizing business performance and efficiency; (2) designate the responsibilities of each party, including competent authorities, industry associations and alliances, and the enterprises, in the construction of the system; and (3) emphasize the basic responsibilities and capacity requirements of enterprise Chief Data Officers.

  3. Cyberspace Administration of China implements Provisions on Administrative Law Enforcement Procedures for Internet Information Departments

    On June 1, the Provisions on Administrative Law Enforcement Procedures for Internet Information Departments (the "Provisions on Law Enforcement"), issued by the Cyberspace Administration of China (the "CAC") in March, were formally implemented. The Provisions on Law Enforcement consist of five chapters, with a total of 56 articles covering the jurisdiction and applicability of administrative law enforcement, regular procedures for administrative penalties, enforcement rules, and case closure rules. The regular procedures for administrative penalties outlined in the Provisions on Law Enforcement specify the procedural requirements for case filing, investigation and evidence collection, hearings and interviews, decision-making on administrative penalties, and service. The Provisions on Law Enforcement primarily target data violations and introduce new rules about the authority and grounds for administrative penalty cases on "cybersecurity, data security, and personal information protection".

  4. Beijing Municipal Regulations on Protection of Minors came into force, with a special chapter on protection of minors online

    On June 1, the Beijing Municipal Regulations on the Protection of Minors came into force. The regulations contain a special chapter on "Protection Online", which includes a series of provisions aimed at safeguarding the rights and interests of minors online. The chapter stresses the obligation on network product and service providers to protect minors and requires them to establish and improve mechanisms for the protection of minors and network compliance systems and to take measures to prevent minors from becoming addicted to the Internet.

  5. Hainan released Q&As on Data Export Security Assessment Declaration (I)

    On June 2, the Cyberspace Administration of Hainan Province issued a set of practical Q&As aimed at facilitating data export security assessment declaration. The Q&As were issued in response to inquiries and common issues found in completeness checking, in accordance with the Measures for Data Export Security Assessment and the Guidelines for Data Export Security Assessment Declaration (First Edition).

  6. State Council’s Legislative Work Plan for 2023 includes new Regulations on Network Data Security Management and on Protection of Minors Online and revision of Law on Guarding State Secrets

    On June 6, the General Office of the State Council released its legislative work plan for 2023, which includes two legislative plans related to network security and data protection. The first plan aims to formulate the Regulations on Network Data Security Management, with the goal of improving the rule of law system for national security and safeguarding national security and social stability. The second plan is to formulate the Regulations on the Protection of Minors Online and to amend the Law on Guarding State Secrets, which are intended to support the strategy of invigorating China through science and education and to bolster cultural self-confidence and self-improvement.

  7. CAC issued Provisions on Management of Close-range Mesh Network Information Services (Draft for Comments)

    On June 6, the CAC issued the Provisions on the Management of Close-range Mesh Network Information Services (Draft for Comments) (the "Mesh Network Provisions"). The Mesh Network Provisions contain a total of 19 articles and are intended to regulate close-range mesh network information services, safeguard national security and social public interests, and protect the legitimate rights and interests of citizens, legal persons, and other organizations. The Mesh Network Provisions outline the definition and scope of application of close-range mesh networks and related information services, as well as the obligations of the information service providers.

  8. Shanghai Municipal Communications Administration issued Interim Guidelines for Construction of Chief Data Officer System for Telecoms and Internet Industry in Shanghai

    On June 6, the Shanghai Municipal Communications Administration issued the Interim Guidelines for the Construction of the Chief Data Officer System for the Telecoms and Internet Industry in Shanghai (the "Shanghai CDO Guidelines"). According to the Shanghai CDO Guidelines, the organizational structure of the CDO system should be designed with a clear division of responsibilities and duties. The guidelines also outline the responsibilities of the enterprise CDO, which include formulating a data governance strategy and promoting its implementation, optimizing data governance and development within the enterprise, and enhancing data compliance and security measures.

  9. General Office of Guizhou Provincial People's Government issued Measures for Management of Government Service Data Resources

    On June 8, the General Office of the Guizhou Provincial People's Government issued the Measures for the Management of Government Service Data Resources (the "Guizhou Measures"). The Guizhou Measures consist of 11 chapters, including 53 articles that cover a range of activities related to the collection, storage, sharing, opening, authorized operation, coordination, and security protection of non-confidential government service data resources, as well as the management of these activities. Specifically, the Guizhou Measures seek to (1) improve the mechanism of government data officers and strengthen the coordination at and among the county, municipal, and provincial levels; (2) implement the Guizhou Provincial Regulations on the Sharing and Opening of Government Data and further clarify the rules for government departments to manage data resource storage, cataloguing, sharing, and opening, as well as metadata annotations; and (3) develop the data element market and encourage the data regulators at various levels to authorize qualified market players to operate the government service data, which will enable the development of data services and products that can be traded at the Guiyang Global Big Data Exchange.

  10. Supreme People's Court, Supreme People's Procuratorate, and Ministry of Public Security issued Guiding Opinions on Punishing Cyber Violence and Crimes in accordance with Law (Draft for Comments)

    On June 9, the Supreme People's Court, the Supreme People's Procuratorate, and the Ministry of Public Security issued the Guiding Opinions on Punishing Cyber Violence and Crimes in accordance with the Law (Draft for Comments) (the "Guiding Opinions") to effectively safeguard citizens’ personality rights and interests and maintain a normal order in cyberspace. The Guiding Opinions stress the need to (1) apply law precisely and punish cyber violence crimes strictly in accordance with the law; (2) facilitate the litigation process and provide effective legal remedies in a timely manner; and (3) implement the necessary work requirements and improve comprehensive management measures.

  11. Zhejiang issued Guidance for Filing Standard Contract for Personal Information Export

    On June 14, the Zhejiang Cyberspace Administration (the "Zhejiang CA") issued the Guidance for Filing the Standard Contract for Personal Information Export under the Measures on the Standard Contract for Personal Information Export and the Filing Guidance for the Standard Contract for Personal Information Export (First Edition). This move is to assist personal information processors in filing the standard contract for personal information export correctly by providing specific instructions on the scope of application, the filing method and process, and required materials for filing and filing consultation. Additionally, the Zhejiang CA has established a hotline for consultation purposes.

  12. Shandong launched channel for filing standard contract for personal information export

    On June 14, the Shandong Cyberspace Administration (the "Shandong CA") launched a channel for filing the standard contract for personal information export to aid personal information processors in filing their contracts correctly. According to the Shandong CA, the scope of application, the filing method and process, and required materials for filing should follow the instructions outlined in the Filing Guidance for the Standard Contract for Personal Information Export (First Edition).

  13. Hunan issued Guidance for Filing Standard Contract for Personal Information Export

    On June 19, the Hunan Cyberspace Administration issued the Guidance for Filing the Standard Contract for Personal Information Export under the Measures on the Standard Contract for Personal Information Export and the Filing Guidance for the Standard Contract for Personal Information Export (First Edition). This move is to assist personal information processors with data export security assessment declaration and provide detailed instructions on the method, process, and required materials for filing the standard contract.

  14. CAC published filing information related to deep synthesis service algorithms

    On June 20, the CAC published the filing information related to deep synthesis service algorithms in China. Detailed information can be found at: https://beian.cac.gov.cn. The CAC advises that service providers and technical supporters of deep synthesis services should follow the procedures for filing, modification, or cancellation and urges both the service providers and technical supporters yet to complete the filing procedures to apply for filing as soon as possible. Additionally, the CAC released the first batch of approved deep synthesis service providers and technical supporters, which includes 41 deep synthesis algorithms of technology giants such as Baidu, Alibaba, Tencent, Douyin, and iFlytek.

  15. Jiangxi issued Guidance for Filing Standard Contract for Personal Information Export

    On June 21, the Jiangxi Cyberspace Administration issued the Guidance for Filing the Standard Contract for Personal Information Export under the Measures on the Standard Contract for Personal Information Export and the Filing Guidance for the Standard Contract for Personal Information Export (First Edition). This move is to assist personal information processors in filing the standard contract for personal information export correctly by providing specific instructions on the method, process, and required materials for filing.

  16. National Administration of Financial Regulatory issued Notice on Enhancing Cyber and Data Security Management in Third-Party Cooperation

    On June 27, the National Administration of Financial Regulatory (the "NAFR") issued the Notice on Enhancing Cyber and Data Security Management in Third-Party Cooperation (the "NAFR Notice") to local banking and insurance regulators, as well as banks, insurance companies, and financial management companies. The NAFR Notice highlights data leakage incidents in the financial industry over the past two years, focusing on two types of risks: corporate WeChat service risks and technology outsourcing risks. To address these risks, the NAFR requires banks and insurance companies to conduct a thorough self-examination to identify the risks associated with their third-party cooperation and implement corresponding rectifications. The NAFR also calls on the relevant institutions to assume responsibility for data security, coordinate the management of technological risks, strengthen the security responsibilities of outsourcing service providers, and improve the overall level of risk control.

  17. Hainan issued Guidance for Filing Standard Contract for Personal Information Export

    On June 30, the Hainan Cyberspace Administration issued the Guidance for Filing the Standard Contract for Personal Information Export under the Measures on the Standard Contract for Personal Information Export and the Filing Guidance for the Standard Contract for Personal Information Export (First Edition). This move is to assist personal information processors in filing the standard contract for personal information export correctly by providing specific instructions on the scope of application, the filing method and process, and required materials for filing and filing consultation.

  18. Implementation Rules for Regulations on Management of Human Genetic Resources

    On July 1, the Implementation Rules for the Regulations on the Management of Human Genetic Resources (the "Human Genetic Resources Implementation Rules") officially came into force. The Human Genetic Resources Implementation Rules aim to (1) provide clarity on the definitions of key concepts such as “foreign organisations” and “human genetic resource information”; (2) specify the scope for the administrative license and improve the filing procedure; (3) enhance the efficiency of the system and standardize the application, modification, extension, and revocation procedures for the administrative license and filing; and (4) implement the registration and reporting mechanisms for the management of human genetic resources.

Enforcement Developments

  19. Beijing Municipal Communications Administration summoned Raisecom for network security issues

    The Beijing Municipal Communications Administration (the "Beijing MCA") reported on June 6 that it had summoned Raisecom, a Beijing-based tech company, for cybersecurity issues. The Beijing MCA ordered the company to fully realize the importance of ensuring network security and to meet the following requirements: (1) to strictly fulfil the main responsibility for network security in line with the Cybersecurity Law and Provisions on the Management of Network Product Security Vulnerabilities; (2) to conduct a thorough self-examination and immediately rectify the problems identified; and (3) to establish a long-term mechanism, strengthen compliance awareness, and study relevant regulations, while launching a channel for receiving vulnerability information and strictly regulating its efforts to identify, report, and repair bugs.

  20. Zhejiang called out 18 Apps infringing on users’ rights and interests

    It was reported on June 19 that the Zhejiang Provincial Municipal Communications Administration (the "Zhejiang MCA") arranged for a third-party testing agency to inspect Apps related to practical tools, online shopping, and photo editing. The inspection revealed that 18 of these Apps were violating users' rights and that the developers and operators failed to complete the necessary rectifications within the specified time frame. Consequently, the Zhejiang MCA issued written notifications to the developers and operators of the 18 problematic Apps, ordering them to complete the required rectifications by June 28. Failure to do so would result in administrative penalties, such as removal or cancellation of the App, or other punitive measures.

  21. Guangdong adopted comprehensive approach to address issues related to automatic renewal of mobile App services

    On June 17, the Guangdong Provincial Consumer Association announced in a meeting the findings of their investigation into default automatic renewal of some mobile App value-added services. The investigation revealed that cancelling these services was challenging for consumers and the association provided recommendations to address the issue. The Guangdong Provincial Market Supervision Administration Bureau instructed the App operators to take this matter seriously and rectify the situation immediately to ensure the protection of users’ legitimate rights and interests. Enterprises in attendance signed a letter of commitment and pledged to offer reasonable automatic renewal settings, clarify the cancellation process for users, and provide relevant guidelines and reminders to protect users' right to fair trade, right to know, and right to choose. These measures will effectively safeguard users' legitimate rights and interests and promote the healthy and sustainable development of the Internet economy.

  22. Anhui released fourth batch of Apps infringing on users' rights and interests in 2023

    It was reported on June 21 that the Anhui Provincial Municipal Communications Administration (the "Anhui MCA") had conducted an inspection of Apps in the province and found 23 Apps that were illegally collecting and using users’ personal information. On May 29, the Anhui MCA issued written notifications to the developers and operators of the problematic Apps, ordering them to rectify the situation within a limited timeframe. However, as of June 21, there were still 11 Apps yet to complete the necessary rectifications. The Anhui MCA stated that companies must implement the rectifications before July 3, or they would face corresponding penalties.

  23. Hengnan County Cyberspace Administration imposed fines of CNY62,000 yuan for hospital data leakage

    On June 25, the Hengnan County Cyberspace Administration (the "Hengnan CA") in Hengyang City, Hunan Province issued its first penalty notice for data security violations. The notice was issued to a hospital in Hengnan County, which failed to fulfil its data security protection obligations, resulting in data leakage that violated Article 29 of the Data Security Law. Pursuant to Article 45 of the Data Security Law, the Hengnan CA issued a warning to the hospital, instructing it to rectify the data security breach, and imposed an administrative penalty of CNY50,000 yuan. Additionally, a fine of CNY12,000 yuan was imposed on a third-party technology company and its responsible persons.

  24. Zhejiang-based tech company was fined CNY1 million for serious data breach

    On June 26, the Public Security Bureau of Wenzhou, Zhejiang Province imposed administrative penalties pursuant to Article 45 of the Data Security Law on a Zhejiang-based tech company, its project manager, and the directly responsible person. The company was fined CNY1 million yuan, while its project manager and the directly responsible person were fined CNY80,000 yuan and CNY60,000 yuan, respectively. This was due to the company's failure to comply with data protection regulations when developing and operating an information management system for a county-level municipal government in the province. Specifically, the company uploaded sensitive business data collected by a construction unit to a rented public cloud server without the unit's consent and failed to implement adequate security protection measures, resulting in a serious data breach.

  25. Beijing MCA released fifth batch of problematic Apps in 2023

    On June 30, the Beijing MCA issued a circular (Issue 5, 2023) on problematic Apps as part of its ongoing campaign to ensure privacy compliance and network data security of Apps. The circular identifies 28 Apps that have not completed the rectifications and were found to have infringed users’ rights and interests and posed safety risks during a recent inspection. Additionally, the circular names 15 Apps that have yet to implement the necessary rectifications and will be taken down from the App stores. These Apps were previously called out in May 2023 for infringing users' rights and interests.

  26. Zhejiang MCA launched "Zhijiang Data Security" data security special campaign

    On June 30, the Zhejiang MCA launched a special campaign called "Zhijiang Data Security" targeting the telecoms and Internet sector in Zhejiang Province. The primary objective of the campaign is to enhance the level of data security protection and ensure data security for the upcoming Hangzhou Asian Games. To accomplish this goal, the campaign advocates the creation of an accountability mechanism for data security, the identification and filing of important data and core data, conducting thorough risk assessments for data security, monitoring and issuing early warnings, implementing data life cycle security management, strengthening data security capabilities, and fostering talent development.

Industry Developments

  27. Office of Central Cyberspace Affairs Commission held symposium on optimizing online environment for businesses

    On May 31, the Office of the Central Cyberspace Affairs Commission held a symposium on optimizing the online environment for businesses. The event involved the participation of various business representatives, who provided their feedback and recommendations on the matter. The meeting emphasized the need to identify precisely the key challenges in the online environment for businesses, comprehensively analyse the root causes behind false information about enterprises and the information infringing on the rights and interests of entrepreneurs, and effectively address the harmful information online that negatively impacts enterprises and entrepreneurs. Furthermore, the meeting called for a multi-pronged approach to address the issue, including:

    (1) Improving the acceptance of network infringement reports by expanding the methods available to accept reports and establishing dedicated online channels to facilitate the reporting process for enterprises;

    (2) Enhancing the effectiveness of report handling by assisting website platforms to process reports in a classified manner, examining the acceptance and handling of referred online infringement reports by website platforms, and promoting website platforms to publish the results of report handling;

    (3) Strengthening the management of problematic accounts by cracking down on malicious accounts and cyber trolls engaged in slandering and smearing; and

    (4) Increasing public awareness and dispelling rumours by providing accurate and timely information to the public.

  28. National integrated computing network scheduling platform was launched

    On June 5, the Computing Power Innovation and Development Summit Forum, hosted by the Ministry of Industry and Information Technology (the "MIIT") and organized by the China Academy of Information and Communications Technology (the "CAICT"), commenced in Beijing. During the meeting, the CAICT and China Telecom jointly launched China's first national platform for scheduling multi-type heterogeneous computing power, known as the National Integrated Computing Power Network Scheduling Platform (Version 1.0). The platform serves as a crucial step towards implementing the national Eastern Data and Western Computing Initiative and addressing the challenges associated with managing, controlling, and scheduling computing power.

  29. Test report on collection of personal information by "online video and audio" Apps was released

    It was reported on June 12 that the Cyber Security Association of China and the National Computer Network Emergency Response Technical Team/Coordination Center conducted a test on the collection of personal information by some commonly used Apps in the "online video and audio" category. A total of 8 Apps were selected from across 19 App stores, each with a cumulative download count of 100 million. The test was conducted under a uniform test environment, which examined the Apps’ behaviour with regard to system permission requests, personal information uploading, and the amount of traffic used for the completion of an online video/audio search and play activity. The results showed that the 8 Apps requested access under 5 different scenarios to 5 types of system permissions related to geographic location, device information, App list, clipboard, and storage. However, no Apps were found to have requested access to camera, microphone, or address book. In addition, the test revealed that 8 Apps uploaded 5 types of personal information, including location, unique device identifier, App list, cell phone number, and interaction information generated during the use of the Apps.

  30. Shanghai Cyberspace Administration selected Yangpu District Big Data Center as exemplar for data classification and grading

    On June 7, the Shanghai Cyberspace Administration (the "Shanghai CA") released an exemplary case highlighting the Yangpu District Big Data Center. This initiative is part of the regulator’s joint efforts with the General Office of the Municipal Government to implement pilot programs for data classification and grading, as well as cataloguing important data. The Yangpu District's approach involves conducting regular audits on staff, systems, and departments involved in data operations. This includes adhering to 14 normative requirements such as the management specifications for the big data resource platform, rules for data classification and grading, interface security management specifications, data desensitization rules, and data security emergency plans.

  31. Shanghai CA released exemplary case of auto data classification and grading

    On June 9, the Shanghai CA released an exemplary case that showcased the Shanghai Electric Vehicle Public Data Collecting, Monitoring, and Research Centre’s approach towards integrating standard specifications and business scenarios and exploring the classified management and use of automotive data. This approach involves studying national standards and industry specifications, taking stock of data assets, designing classification and grading plans tailored to its business needs, management plans for different grades of data based on application scenarios, and establishing an efficient organization and management system.

  32. Hubei Data Group was officially established

    On June 6, Hubei Data Group was formally incorporated in the Wuhan East Lake High-Tech Development Zone, marking a major breakthrough in the province’s efforts to promote market-oriented allocation of data elements. Hubei Data Group aims to pool resources to promote the development of its core business by creating two platforms: Hubei Public Data Authorization and Operation Platform and Hubei Data Factor Circulation and Trading Platform. These platforms will help build a strong data infrastructure for the province's data factor market.
