China Cybersecurity and Data Protection: Monthly Update - April 2023 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Follow the links below to view the official policy document on the People’s Republic of China Government websites.

Legislative Development

1. CAC issued Provisions on Administrative Law Enforcement Procedures for Cyberspace Administrations

On March 23, the Cyberspace Administration of China (CAC) issued the Provisions on Administrative Law Enforcement Procedures for Cyberspace Administrations (the “Provisions”), which will come into effect on June 1, 2023. The Provisions comprehensively revise the Administrative Law Enforcement Procedures for the Administration of Internet Information Contents previously issued by the CAC and clarify that the same illegal conduct should not be subject to repeated fines. The Provisions outline both the administrative law enforcement procedures for cyberspace authorities and the implementation and supervision of administrative penalties, which is important for the regulation of the law enforcement efforts of the CAC and local internet information offices. 

2. CSRC published Administrative Measures for Administration of Cyber and Information Security in Securities and Futures Industry

On March 3, the China Securities Regulatory Commission (CSRC) published the Administrative Measures for the Administration of Cyber and Information Security in the Securities and Futures Industry (the "Measures") to regulate the network and information security of core institutions, operating institutions, and IT system service institutions in the industry. The Measures are also applicable to IT subsidiaries established by core institutions and operating institutions. The Measures became effective on May 1, 2023.

3. MNR published Administrative Measures for Provision and Use of Confidential Basic Survey and Mapping Achievements

On March 9, the Ministry of Natural Resources (MNR) officially published the Administrative Measures for the Provision and Use of Confidential Basic Survey and Mapping Achievements (the "Survey and Mapping Measures"). Based on China’s Survey and Mapping Law, Administrative License Law, Law on Guarding State Secrets, and Regulation on the Administration of Survey and Mapping Achievements, the Survey and Mapping Measures provide the framework for regulating the provision and use of confidential basic survey and mapping achievements.

4. TC260 released Information Security Technology - Certification Requirements for Cross-Border Transmission of Personal Information for Public Comments 

On March 16, the website of the National Information Security Standardization Technical Committee (TC260) released the draft national standards entitled Information Security Technology - Certification Requirements for Cross-border Transmission of Personal Information (the "Draft Certification Standards") for public comments until May 15. The Draft Certification Standards set out the basic principles and requirements for the protection of the rights and interests of personal information subjects in the cross-border transmission of personal information and will serve as a legal basis for certification bodies. For our commentary on these national standards, please see here.

5. Four departments released Implementation Opinions on Conducting Certification Work for Network Security Services

On March 28, the State Administration of Market Regulation (SAMR), the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS) jointly released the Implementation Opinions on Conducting the Certification Work for the Network Security Services (the "Implementation Opinions"). The Implementation Opinions contain nine articles, which clarify that the catalogue of cybersecurity services certification will be determined and adjusted by the four departments and that it includes services such as testing and assessment, security operations and maintenance, security consulting, and multi-level protection scheme assessment. The Implementation Opinions provide that certification bodies for cybersecurity services are required, upon the request of consignors, to conduct security certification in compliance with the relevant rules, establish a traceable working mechanism to record the entire certification process, and publish the fee standards and certificate status (e.g., valid, suspended, cancelled, or revoked).

6. 12 sets of national standards on cybersecurity were approved for release

On March 17, the SAMR and the National Standardization Administration Committee announced the issuance of the National Standards of the People's Republic of China (No. 1 of 2023), which contain 12 sets of national standards on cybersecurity under the TC260. These include the Information Security Technology - Basic Requirements for Competence of Cybersecurity Workforce (GB/T 42446-2023), the Information Security Technology - Data Security Guidelines for Telecom Field (GB/T 42447-2023), and the Information Security Technology - Guide for Evaluating the Effectiveness of Personal Information De-identification (GB/T 42460-2023).

Enforcement Developments

7. CAC announced cybersecurity review into company A’s products sold in China

On March 31, the CAC announced a cybersecurity review into the U.S. semiconductor company A and its products sold in China. The probe has targeted "cyber products and services" including core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, and cloud computing services. In the review, the company's products sold in China will be examined for their security, openness, and transparency as well as the risks of being manipulated as a result of their use.

8. MPS released eight typical cases to crack down on crimes against citizens' personal information

On March 15, the MPS released eight typical examples on its website to crack down on crimes that infringe on citizens' personal information. The cases involve (1) using Trojan horse programs to steal postal and courier information; (2) illegally hacking into the toll platform systems of parking lots to obtain citizens' vehicle location information; (3) illegally obtaining the information of middle-aged and elderly people and selling counterfeit and shoddy health care products to them; (4) illegally obtaining citizens' facial recognition information to unblock their Internet accounts; (5) illegally obtaining payment software user information and selling it overseas; and (6) stealing the property information of residents who consume electricity. 

9. Yuelu Cyber Police issued first penalty notice in Changsha for violations of Data Security Law

It was reported on March 9 that the Cybersecurity Protection Division of the Yuelu Branch of the Changsha Public Security Bureau has recently dealt with a cybersecurity case involving data leakage of an IT company in its jurisdiction. During the investigation, it was discovered that the company's server contained vulnerabilities that allowed for unauthorized access, that no data security management system had been established, and that no filings had been made under the multi-level protection scheme. The Cybersecurity Protection Division issued a warning to the company and imposed a fine of CNY 50,000 in accordance with the Data Security Law of the People's Republic of China.

10. SPP released typical cases of public interest litigation involving personal information protection

On March 30, the Supreme People's Procuratorate (SPP) released a batch of typical cases of public interest litigation involving personal information protection, focusing on medical and health information, face recognition, big data in logistics and other issues of public interest, in a move to ensure the proper implementation of the Personal Information Protection Law. The eight cases released included two administrative public interest litigation cases respectively involving the protection of personal medical and health information and personal biometric information and a civil public interest litigation case collateral to criminal litigation involving the infringement of personal information displayed on courier labels.

11. Zhejiang released Q&As on Data Export Security Assessment Declaration (II)

On March 9, the Zhejiang Cyberspace Administration released the Questions and Answers on Data Export Security Assessment Declaration in Zhejiang Province (II) (the "Q&As"). The Q&As cover ten aspects, including the application requirements, assessment issues, declaration materials, powers of attorney, declaration forms, legal documents, the assessment date, export scenarios, completeness check, and termination of assessment. In general, the Q&As reflect the requirements for a more refined review of declaration materials in the process of data export security assessment.

12. MIIT has taken action against cracked apps exposed in 315 Gala for illegal collection of users' personal information

On March 16, the MIIT announced that it had acted against the cracked apps that were found to have collected users’ personal information illegally and were exposed in the 315 Gala, a television show hosted for World Consumer Rights Day. Specifically, the MIIT has investigated the apps and the relevant clues, acted against the apps’ developers, and conducted technical inspections. The MIIT is committed to addressing the issues identified and keeping the public informed and will continue to implement effective measures to strengthen the protection of personal information of telecommunications and Internet users.

13. MIIT reported 55 apps (SDKs) that infringed on users' rights and interests

On March 21, the MIIT reported 55 apps and third-party software development kits (“SDKs”) found to have infringed on users' rights and interests, which were the 28th batch of problematic apps published by the MIIT in its enforcement action as a national ministry. According to the announcement, the MIIT organized a third-party testing agency to inspect apps and SDKs related to everyday life, leisure and entertainment, and practical tools. The ministry requested the operators of the 55 apps and SDKs to rectify these issues properly or they would face corresponding administrative penalties.

Industry Developments

14. China will establish National Data Bureau

On March 7, the State Council announced the plan to establish the National Data Bureau. The proposed bureau will be responsible for promoting the development of fundamental data-related institutions, coordinating the integration, sharing, and development and application of data resources, and pushing forward the planning and building of a digital China, a digital economy, and a digital society, under the National Development and Reform Commission. The Office of the Central Cyberspace Affairs Commission will transfer certain functions to the bureau, including the responsibilities of drafting plans for the building of a digital China, coordinating informatization of public services and social governance, promoting the construction of smart cities, coordinating the development, utilization, and sharing of important national information resources, and promoting cross-industry and cross-departmental connectivity of information resources. Responsibilities previously undertaken by the National Development and Reform Commission, such as coordinating the development of the digital economy, implementing the national big data strategy, and promoting the construction of the basic system of data elements and the digital infrastructure, will be transferred to the proposed bureau.

15. Guangzhou Nansha launched Data Protection and Data Cross-border Service Platform

On March 2, the Data Protection and Data Cross-border Service Platform was officially launched in Nansha, Guangzhou. The platform, expected to be available in the middle of this year, will provide services such as personal information protection impact assessment, data export self-assessment, and app compliance self-examination to assist enterprises to achieve basic data compliance and effective data governance. Through the "technology + service" approach, the platform will offer enterprises a tailored suite of compliance solutions including data classification, data inventory, and risk management, among others, and help enterprises build an effective pathway towards achieving cross-border data security compliance.

16. Shanghai Data Exchange leads construction of first data trading chain in China

On March 3, the Shanghai Data Exchange and the National Engineering Laboratory for Big Data Distribution and Exchange Technologies officially initiated the construction of the first data trading chain in China. As of now, a total of six business stages are in place for the Shanghai Data Exchange's data trading system, including registration, listing, trading, delivery, clearing and settlement, and voucher issuance. With the establishment of the data trading chain, technologies such as blockchain depository receipts and smart contracts will be applied to enhance security, efficiency, and transparency at every stage of the process. Specifically, smart contracts will be used to register data products prior to a transaction; during the transaction, the progress of the transaction will be monitored in real time through on-chain storage; and following the transaction, blockchain will be utilized to generate the transaction voucher.

17. CCA released Report on Consumer Protection in Field of Personal Information Protection 2022

On March 8, the China Consumers Association (CCA) released the Report on Consumer Protection in the Field of Personal Information Protection 2022 (the "Report"). According to the Report, China has now established a legal system for the protection of personal information with the Civil Code as its basis, the Personal Information Protection Law as its core, and the Law on Protection of the Rights and Interests of Consumers, the Cybersecurity Law, the E-Commerce Law, and the Data Security Law serving as important components. The Report indicates that significant improvement was made in the protection of consumer personal information in China in 2022, yet all parties should continue to pay close attention to the current issue of infringement of consumers' personal information rights and interests. Additionally, the CCA makes recommendations aimed at strengthening the protection of consumers' rights and interests.

18. China Cyberspace Security Association released test report on personal information collection of "browser" and "map navigation" apps

Recently, the China Cyberspace Security Association and the National Computer Network Emergency Response Technical Coordination Centre released a test report that examined how "browser" and "map navigation" apps collect personal information. In the test, a total of nine "browser" apps downloaded 100 million times and three "map and navigation" apps downloaded 50 million times were selected from 19 app shops. The test included three aspects: system access request, personal information uploads, and cyber upload traffic.
