China Cybersecurity and Data Protection - Monthly Update - March 2024 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Key Highlights

In February, we saw regulatory developments in data assets at central and foreign levels. The National Data Bureau initiated a survey requiring regulatory bodies, state-owned companies, companies in data industries, industry associations and the State Information Centre to report on their data resources. The Ministry of Finance issued a regulation that called upon governmental bodies to protect data assets and manage the data assets in an effective and efficient manner.

Locally, Wuxi released operational rules for public data. Suzhou announced the first case where v2x data was included in the financial statements as asset. Hainan published a scenario-based handbook for data asset valuation.

On data export, according to the Ministry of Commerce, the CAC is finalising the draft regulation to relax restrictions on cross-border data transfer, but no timeline has been released. Interestingly, the CAC has been silent on the progress of the regulation.

Fee trade zones in Shanghai and Tianjin both released guidance on data classification and grading , a regime that was introduced by the Data Security Law. We expect to see more implementing rules of the regime to be released by the ministries and local governments this year.

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. CAC is improving and preparing to issue the Provisions on Regulating and Facilitating Cross-border Data Transfer (5 February)

At the regular policy briefing held by the Information Office of the State Council, the Ministry of Commerce introduced that the Cyberspace Administration of China (“CAC”) has formulated the Provisions on Regulating and Facilitating Cross-border Data Transfer, which is being improved and prepared to be promulgated.

2. The National Data Bureau issued the Notice on Conducting a National Data Resource Survey (22 February)

The Survey targets at provincial data management institutions, competent departments of industry and information technology, public security departments, provincial key data collection and storage equipment vendors, e-commerce platform enterprises, big data, and artificial intelligence (“AI”) technology enterprises, etc. The research focuses on the production and storage, circulation, and trading, development, and utilisation, security, and other conditions of data resources of each unit, aiming to provide data support for relevant policy formulation and pilot demonstration.

3. The Ministry of Industry and Information Technology issued the Implementation Plan for Improving Data Security Capabilities in the Industrial Sector (2024-2026) (26 February)

The Plan proposes that by the end of 2026, a data security guarantee system in China's industrial field will be basically established. The Plan proposes several key indicators, including more than 45,000 enterprises will implement data classification and grading protection and more than 100 data security standards will be issued. In addition, the Plan focuses on improving the data protection capabilities of industrial enterprises, clarifying data security responsibilities, and establishing a sound data security management and supervision mechanism.

4. The Ministry of Finance issued the Notice on Strengthening the Management of Data Assets of Administrative Institutions (8 February)

In order to implement the Opinions of the State Council on Building a Basic Data System to Better Play the Role of Data Elements, strengthen the management of data assets of administrative institutions, and give full play to the value of data assets, the Ministry of Finance issued the Notice, which requires clarifying management responsibilities, improving management systems, standardizing management behaviors, reflecting the value of assets, strictly preventing and controlling risks, and ensuring data security.

5. The Ministry of Natural Resources issued the Overall Plan for Improving the Digital Governance Capacity of Natural Resources (5 February)

The Overall Plan consists of 9 chapters, focusing on the target path, overall structure, key tasks, and safeguard measures for improving the digital governance capacity of natural resources, and puts forward detailed implementation measures, and deploying key tasks such as building intensive and efficient digital infrastructure, improving the global and full-cycle data element system, improving the intelligence level of the basic information platform of land and space, building multi-dimensional digital application scenarios and a solid all-round security system, and improving the standard and specification system.

6. The State Post Bureau issued the Administrative Measures for the Security Management of Personal Information of Mail Service Users (Draft for Comments) (1 February)

The Administrative Measures apply to activities involving the security of users' personal information in the operation and use of courier services in China, as well as to the supervision and management of postal administrations, and set out the requirement that, in addition to obtaining the consent of the individual user, the period of time for which the personal information of the user is kept by the courier enterprise shall not exceed three years from the date of collection.

7. The Ministry of Finance is promoting the development and use of data assets and encourage the effective supply of public data assets in accordance with the law (1 February)

Hou Junming, Director of the Asset Management Department of the Ministry of Finance, said that in terms of strengthening the management of data assets and promoting the development of the digital economy, the Ministry of Finance will focus on three areas of work in the next step: Firstly, it will strengthen the management of the whole process of data assets. The second is to promote the development and utilisation of data assets. The third is to ensure the compliant and safe use of data assets.

8. Shanghai Pilot Free Trade Zone issued Measures for Classification and Grading Management of Cross-border Flow of Data in Lingang New Area (Interim) (8 February)

The Measures were issued by the Management Committee of Lingang New Area of China (Shanghai) Pilot Free Trade Zone. The purpose is to promote the safe and free cross-border flow of data through the classification and grading management. It takes the lead in carrying out a greater degree of stress testing in areas such as cross-border flow of data and cross-border offshore finance. It accelerates the promotion of the construction of the International Data Economy Industrial Park.

9. Tianjin Pilot Free Trade Zone issued the Standard Specification for Enterprise Data Classification and Grading in China (Tianjin) Pilot Free Trade Zone (7 February)

Jointly issued by the Tianjin Municipal Bureau of Commerce and the Administrative Committee of the Pilot Free Trade Zone, the Specification specifies a data classification and grading system covering 13 industry categories and classifies data into three levels: core data, important data, and general data. The Specification focuses on the management of data involving large amounts of personal information and critical infrastructure, requiring enterprises to classify and grade internal data in accordance with the norms, and to regularly report to relevant authorities to safeguard data security.

10. TC260 issued a notice on the establishment of 17 national cybersecurity standards projects (19 February)

The National Information Security Standardisation Technical Committee (“TC260”) issued a notice on the establishment of 17 national standard projects on cybersecurity, promoting the development of several national standards related to cybersecurity technologies. The projects include Basic Requirements for Security of Generative Artificial Intelligence Services of Cybersecurity Technologies, and Technical Specification for Data Leakage Protection Products of Cybersecurity Technologies.

11. Electronic Information Industry Federation published group standard: Guide to Data Compliance Auditing (18 February)

Data compliance auditing is an important part of an enterprise's data compliance management system, which can provide management with a basis for supervision and evaluation and provide strong evidence of the effectiveness of management system design and operation. The Guide aims to give full play to the supervisory role of auditing through the development of group standards, promote compliance through auditing, and promote the high-quality development of the digital economy.

12. Beijing Yizhuang is accelerating the construction of an advanced data base system, building a national data training base and promoting the construction of a large-scale computing power centre (1 February)

Beijing Yizhuang (Beijing Economic-Technological Development Area) is accelerating the construction of a 2,000P-scale public intelligent arithmetic centre, constructing a "1+3+N" system, and advancing the construction of a zone of the data foundation system. Specific measures include creating a national data training base, accelerating the construction of three major support, and building several data zones.

13. Beijing Municipal Public Security Bureau issued the Work Specifications for Information Network Security Review Matters in Internet Access Service Business Premises (Draft for Comments) (2 February)

To conduct the network security review for internet access service business premises, the Specifications stipulate the conditions that an internet access service business shall meet to engage in internet access service business activities, the mechanism of notification and commitment, the process for handling the addition/change of internet access service business premises, and the content of on-site inspections.

14. Wuxi issued the first normative document on authorised operation of public data in Jiangsu Province (22 February)

The Wuxi Municipal Big Data Management Bureau and the Finance Bureau jointly released the Wuxi Public Data Authorised Operation Management Measures (Interim), which aims to promote the effective development and utilisation of public data and the release of the value of data elements. The approach is the first public data authorisation and operation normative document in the province, which innovatively proposes a classification and grading approach for authorisation and operation and strengthens the security of the whole life cycle of data, encourages social forces to carry out value-added development of public data, and provides commercial value and development opportunities for enterprises.

15. Guizhou Provincial Big Data Bureau issued the Guizhou Computing Power Voucher Management Measures (Interim) to encourage the purchase of Guizhou computing power services or data transaction products (20 February)

Guizhou computing power voucher is a policy tool and digital voucher implemented by the Guizhou Provincial Big Data Development Administration, which is used to provide comprehensive policy incentives when purchasing eligible Guizhou Computing Power Service or Guizhou Data Transaction Products. The Measures clarify the relevant subjects, regulations, and supervision. It aims to reduce the cost of computing and promote the development of the digital economy in Guizhou Province through the incentive of computing power vouchers.

The Notice clarifies that the scope of "important networks and information systems" includes digital applications of non-classified government affairs and critical information infrastructure. The Notice requires that important networks and information systems shall strictly implement the relevant laws, regulations, standards, and specifications for the management of cryptography. It puts forward clear requirements for the application of cryptography at all stages of planning, construction, and operation of important networks and information systems. It also regulates intensive construction, financial guarantee, supervision, and inspection.

Enforcement Developments

17. SPP released typical cases of “Punishing Cybercrimes in Accordance with Law and Facilitating Comprehensive Governance of Cyberspace” (23 February)

The Supreme People's Procuratorate (“SPP”) released several typical cases involving personal information protection, telecommunication network fraud and aiding information cybercrimes. Among them, 3 cases involve violations against citizens' personal information. For example, a person purchased and resold more than 1,300 WeChat accounts containing citizens' personal information through online channels, with an illegal income of more than RMB 300,000, with personal illegal profit of more than RMB 140,000. The court sentenced the person to three years' imprisonment and imposed a fine of RMB 300,000, in addition to paying compensation of RMB 140,000 in the incidental civil public interest litigation.

18. SPP announced that from January to November 2023, procuratorates prosecuted 280,000 individuals for various types of cybercrimes (23 February)

From January to November 2023, procuratorates prosecuted 280,000 individuals for various types of cybercrimes, a year-on-year increase of 35.5%, accounting for 18.8% of all criminal offences. The following trends and characteristics were presented: (1) telecommunication network fraud and its associated crimes increased significantly; (2) cybercrimes are accompanied by new technologies and new forms of business; (3) traditional crimes migrated to cyberspace, and cybercrime patterns became more and more complex; (4) crimes that threating data and information security were common, endangering the healthy development of the digital economy.

19. The Ministry of State Security warns of leakage risks of smart wearable devices, webcams, and data monitoring devices (23 February)

The national security authorities have found that cyber espionage may use smart wearable devices and webcams to collect information or lure relevant domestic enterprises to use the professional equipment provided by them to steal sensitive data. This poses a potential threat to China's information security. Individuals need to raise their security awareness. Relevant enterprises should strengthen data security monitoring and management to protect national security.

20. The Beijing Internet Police notified five cases of penalties for non-performance of network security protection obligations (26 February)

The cyber security department of the Beijing Municipal Public Security Bureau has strengthened the force of cracking down on illegal acts of not performing network security protection obligations. It imposed administrative penalties in accordance with the Cybersecurity Law, on several illegal enterprises that have not established management systems for network information security and failed to perform obligations of network information security management.

21. A well-known restaurant chain was interviewed by the Cyberspace Administration of Shanghai for misleading consumers to register as members and asking for mobile phone numbers (2 February)

The Cyberspace Administration of Shanghai interviewed a well-known restaurant. The restaurant violated the Personal Information Protection Law by collecting excessive personal information from consumers in the process of "scanning QR codes to order". Last year, it required more than 55,000 restaurants in Shanghai to rectify the violations, but some of them have yet to complete the rectification. Restaurants in Shanghai should strengthen self-examination and self-correction, comply with the Shanghai Compliance Guidelines for the Protection of Personal Information of Consumers of Online Ordering Services, and improve their compliance and data protection awareness.

22. Hubei Provincial Communications Administration issued a notice on APPs infringing on users' rights and interests (Batch 1 of 2024) (21 February)

Hubei Provincial Communications Administration found 35 APPs related to illegal collection of personal information, and forcing users to use the targeted advertising function. It required the relevant violating companies to rectify the violations. For the 4 APPs that have not been rectified in a timely manner, it issued a public notice, requiring operators to submit written explanations before the specified period, otherwise they will be punished in accordance with laws and regulations.

23. Zhejiang Provincial Communications Administration issued a notice on APPs infringing on users' rights and interests (Batch 1 of 2024) (26 February)

Zhejiang Provincial Communications Administration inspected the apps that the public was concerned about and found that 12 APPs infringed on users' personal information rights and interests and failed to rectify them as required and notified the list of APPs. Relevant operators are requested to complete the rectification before 6 March, otherwise measures such as removal and shutdown will be taken.

24. Guangdong Provincial Communications Administration publicly announced 6 APPs that had not been rectified and took down 2 infringing APPs (2 February)

Guangdong Provincial Communications Administration continued to carry out APP privacy compliance and data security special rectification action, ordered APP operators to rectify within a time limit. It notified 6 APPs that have not yet completed rectification and took down 2 APPs that have not yet completed the rectification feedback in accordance with the requirements.

Cyberspace Administration of Nanchang found that the IP address of a supermarket was remotely controlled and attacked by hackers. The supermarket was found to have failed to fulfil its network security protection obligations and failed to timely dispose of security risks such as system vulnerabilities, computer viruses and network attacks. Based on the Cyber Security Law, Cyberspace Administration of Nanchang imposed a fine of RMB 50,000 on the supermarket and an administrative penalty of RMB 10,000 on the directly responsible person.

Industry Developments

26. Shanghai released implementation plan for promoting high-level institutional opening-up in Pilot Free Trade Zones, taking the lead in implementing high-standard digital trade rules (6 February)

This Plan states that Shanghai will explore the establishment of a lawful, safe, and convenient mechanism for the cross-border flow of data, facilitating data processors to carry out data export self-assessment and other data export security compliance work by strengthening guidance on the classification of outbound data in relevant industries, issuing model scenarios and establishing a data cross-border service centre in the new Lingang area. On the premise of ensuring data security, the China (Shanghai) International Trade Single Window will accelerate the construction of a cross-border data exchange system, adopting internationally recognised standards and accessible open standards, and enhancing system compatibility and interoperability.

27. Hangzhou issued several policies to promote high-quality economic development, with general AI as a breakthrough track to support the development of digital trade and digital economy (19 February)

The Hangzhou Municipal People's Government proposed in the policies: (1) Support and promote the construction of future industrial pilot areas. With general AI as the breakthrough track, Hangzhou will encourage cutting-edge-oriented exploratory basic research and organise and implement several major scientific and technological projects. (2) Support the innovation and quality improvement and development of the digital economy. Establish the Hangzhou Digital Economy Industry Intellectual Property Protection Centre. (3) Support the development of digital trade. Enterprises are encouraged to carry out security assessments for data exports.

28. Xuanwu District of Nanjing released the first district-level data element action programme in Jiangsu Province to create a cross-border data flow platform (20 February)

The first district-level data element action plan in Jiangsu Province, Xuanwu District's Action Plan on the Innovative Development of the Data Element Industry (2024-2026), proposes to promote the development of the data element industry and build a pilot zone for cross-border data flow. Nanjing will create a platform for cross-border data flow, build a data trading platform and apply for the establishment of the Jiangsu (Nanjing) Data Exchange.

29. China’s first case of inclusion of connected vehicles data assets in the financial statements was completed in Suzhou (8 February)

From 1 January this year, the Ministry of Finance's Interim Provisions on Accounting Treatment Related to Enterprise Data Assets was implemented, making it clear that data assets will be regarded as an asset to be included in the financial statements. Recently, a company in Suzhou has successfully completed the first case in China to include connected vehicles data assets in the financial statements. This move puts into practice the "Data Element x" Three-Year Action Plan (2024-2026) of the National Data Bureau and 17 other departments, which not only improves the company's data management, but also provides an example for the digital transformation in the industry.

30. Shanghai Data Exchange and China Construction Bank set a precedent for pledge financing of data assets based on credible data asset certificates (23 February)

Shanghai Construction Bank, in cooperation with Shanghai Data Exchange, successfully issued the first data asset pledge loan based on "Digital Easy Loan", realising the whole process of “right identification, evaluation, pledge and loan” for data assets. This move will promote the discovery of the value of data assets, facilitate the high-quality development of capital elements and data elements. It also provides new channels for small and micro enterprises to obtain financing.

31. Hainan issued the Handbook on Scenario-based Cases for Data Asset Assessment (5 February)

Issued by the Hainan Data Product Supermarket, the handbook is the first guiding manual in China for data asset assessment operations based on typical application scenarios of real data elements. The manual selects six typical application scenarios of data elements, namely, electric power, tourism, customs, international trade, meteorology, and manufacturing. It provides specific operational guidelines for scenario-based assessment of data assets in terms of overview of the current situation of the industry, application scenarios in the industry, types of assessed values, and assessment methods.

32. China Academy of Information and Communications Technology released the White Paper on the Integration of Digital Government (2024) (20 February)

The White Paper systematically analyses the development situation of digital government integration, clearly puts forward the construction concept and implementation points of “digital government integration”. It proposes three major promotion strategies for the construction of digital government integration based on three spatial perspectives: provincial, regional, and national. It aims to provide top-level architecture suggestions for the national integrated digital government construction. It also provides directions and strategies for local governments to organise and implement the work, and points out the way for all walks of life to participate in the construction of digital government.

33. 2024 Shanghai Cyber Security Industry Innovation Conference was held (28 February)

The conference showcased Shanghai's remarkable achievements and innovation and upgrading in the cybersecurity industry, emphasizing that Shanghai will continue to promote innovation in technology, services, policies, and systems, and improve the industrial ecology. This conference inaugurated the Collaborative Innovation Centre for Cyber Security Industry in the Nuclear Energy Industry. It released the 2023 Shanghai Cyber Security Industry Innovation Catalogue. It also held the signing ceremony of excellent security solutions in key industries.

34. The State Administration for Market Regulation released the 2023 industry standard formulation plan, including the project of guiding the hierarchical management of market regulation data (18 February)

The State Administration for Market Regulation has determined the 2023 market supervision industry standard formulation plan project, in accordance with the requirements of the Measures for the Administration of Market Supervision Industry Standards and the Implementation Rules for the Management of the Formulation of Market Supervision Industry Standards. It requires to complete the formulation of the project within 24 months from the date of issuance. A total of 11 projects are data-related, including the Guidelines for the Hierarchical Management of Market Supervision Data.

35. China Computer Federation released the top ten development trends in Cyber Security in 2024 (18 February)

The development trend of cyber security includes the following: (1) AI security technology will become the focus of research; (2) the attributes of cyber security infrastructure and public safety services will be strengthened; and (3) the application of generative AI in the field of cyber security will begin to show results.

36. TC260 announced the List of Winners of Excellent Practice Cases of National Standards for Cybersecurity in 2023 (7 February)

TC260 announced the list of winners of the 2023 National Cyber Security Standard Excellent Practice Cases. Among them, the application of "Information Security Technology - Network Data Processing Security Requirements" in the field of data security certification, and the application practice of "Information Security Technology - Automotive Data Processing Security Requirements" in the automotive industry won the first prize for outstanding practice cases. TC260 selected 6 first prizes, 14 second prizes, and 24 third prizes through case collection, formal review, technical preliminary review, comprehensive review, on-site research, and publicity and approval.