China Cybersecurity and Data Protection: Monthly Update - May 2023 Issue

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Follow the links below to view the official policy document on the People’s Republic of China Government websites.

Legislative Developments

1. State Council executive meeting approved Regulation on Administration of Commercial Cipher Codes (Revised Draft)

   On April 14, the State Council’s executive meeting approved the Regulation on the Administration of Commercial Cipher Codes (Revised Draft). In the meeting, it was stressed that a holistic approach to national security must be fully implemented by regulating the use and management of commercial cipher codes as well as urging platform companies to comply with their responsibilities to secure user passwords, thereby ensuring the security of personal privacy, trade secrets, and sensitive government information. Additionally, the meeting recognized the importance of adapting to the rapid development of the digital economy and establishing a robust mechanism to promote the technological innovation and industrial application of commercial cryptography to foster the sustainable and healthy advancement of the commercial cryptography market.

2. China revised Anti-Espionage Law to include cyberattacks against state organs as spy activities

   On April 26, the Second Session of the 14th National People's Congress ("NPC") Standing Committee voted to adopt the revised Anti-Espionage Law, which will take effect on July 1. The revised Anti-espionage Law adheres to a problem-oriented approach and focuses on the key issues in the implementation of the existing law, such as the narrow scope of espionage activities, inadequate security precautions, and insufficient administrative enforcement empowerment. The new law also aims to properly balance the relationship between empowerment and limitation of power by strengthening anti-espionage efforts while at the same time overseeing the exercise of public power.

3. CAC and four other departments jointly issued Notice on Adjusting Security Management of Specialized Cybersecurity Products

   On April 17, the Cyberspace Administration of China ("CAC"), the Ministry of Industry and Information Technology ("MIIT"), the Ministry of Public Security ("MPS"), the Ministry of Finance ("MOF"), and the Certification and Accreditation Administration of the People’s Republic of China ("CNCA") jointly issued the Notice on Adjusting the Security Management of Specialized Cybersecurity Products (the "Cybersecurity Products Notice"). The Cybersecurity Products Notice aims to improve the security management of specialized cybersecurity products, promote the mutual recognition of security certification and testing results, and avoid repeated certification and testing. According to the Cybersecurity Products Notice, the strict regulation of the production of critical network equipment and specialized cybersecurity products, will help to ensure the national supervision of cybersecurity and significantly raise the overall level of national cybersecurity.

4. MIIT issued this year’s work plan for regulation development, including revising Regulation on Protection of Personal Information of Telecommunications and Internet Users

   On April 18, the MIIT issued the work plan for regulation development for this year, which includes the Regulation on the Protection of Personal Information of Telecommunications and Internet Users (Revised) (the "MIIT Regulation"). The MIIT Regulation aims to strengthen the management of the key responsibility chain of Apps, thoroughly implement the Personal Information Protection Law, and comprehensively apply legal norms, administrative supervision, technical support, and social co-governance to further enhance the personal information protection system.

5. State Administration for Market Regulation issued two national standards for postal industry

   Recently, the State Administration for Market Regulation (“SAMR”) issued two national standards: the Express Electronic Waybill and the Universal Delivery Address Coding Rule, which apply to the courier and postal industries. According to the new national standards, when a customer places a courier order, personal information such as the name, phone number, and address of the sender or recipient shall not be displayed in full on the paper waybill to prevent others from accessing the personal information during transit. Specifically, it is required to conceal at least one Chinese character from the name of the sender or recipient, at least six digits from the phone number, and the building and room number from the address. By integrating standard practices with innovative technologies and materials, the new national standards for the postal industry will serve as a catalyst for promoting high-quality development of the industry and addressing the evolving needs of customers.

6. TC260 issued Cybersecurity Standards Practice Guide -- Implementation Guidelines for Cyber Data Security Risk Assessment (Draft for Comments)

   On April 18, the National Information Security Standardization Technical Committee ("TC260") issued the Cybersecurity Standards Practice Guide – Implementation Guidelines for Cyber Data Security Risk Assessment (Draft for Comments) (the "Practice Guide"). The Practice Guide provides ideas, processes, and methods for cyber data security risk assessment and clarifies the steps and content of the assessment. According to the Practice Guide, security risks should be identified and assessed in the context of data security management, data processing activities, data security technologies, and personal information protection. This applies to data processors who conduct security self-assessments as well as relevant competent authorities who organize inspections and assessments.

7. Zhejiang issued Q&A’s on Data Export Security Assessment Declaration (III)

   On April 25, Zhejiang Province issued the Questions and Answers on Data Export Security Assessment Declaration (III). Specifically, the Q&As provide guidance on various issues, including: (1) the format and content requirements for declaration materials; (2) the form requirements for paper declaration materials: (3) explanations for meeting the declaration criteria; (4) instructions for handling multiple export scenarios; (5) the requirements for the declaration form; (6) requirements and important considerations for the content of the self-assessment report; (7) important considerations for the content of legal documents; and (8) and the security assessment of cross-border e-commerce platforms.

   Enforcement Developments

8. CAC held national work conference on network reporting

   On April 17, the CAC held a national work conference on network reporting. During the meeting, it was emphasized that:

   (1) Infringement reporting should be regarded as an important means of practicing the concept of “Cybersecurity for the People” and safeguarding the legitimate rights and interests of internet users. This includes strengthening the handling of infringement reports from internet users and enterprises, increasing the acceptance and processing rates of internet reports, and providing effective protection to internet users;

   (2) Key efforts should be made in combating online rumours, including establishing a coordinated framework and a robust platform, as well as improving the labelling and refutation of rumours; and

   (3) It is necessary to strengthen institutional and system construction, inspection and supervision, and to develop an integrated mechanism for network reporting.

9. CAC launched special action to improve network environment for businesses and combat hyping and leakage of entrepreneurs’ personal information

   On April 28, the CAC announced its decision to launch a three-month nationwide special action themed “Operation Qinglang – Improving the Network Environment for Businesses and Protecting the Legitimate Rights and Interests of Enterprises”. The special action is aimed to clean up and dispose of false and infringing information about enterprises and entrepreneurs, crack down on malicious hyping, investigate and punish website platforms and accounts that violate the legitimate rights and interests of enterprises and entrepreneurs, and create a favourable cyber atmosphere for enterprises to focus on their business and development.

10. Sichuan and Chongqing released list of apps infringing on users’ rights and interests (4th batch)

    On April 24, the Sichuan Provincial Communications Administration and the Chongqing Municipal Communications Administration released a list of illegal Apps after organizing third-party testing agencies to inspect the mobile internet Apps in the mainstream App stores in Sichuan and Chongqing. According to the authorities, a number of Apps engaged in illegal collection and use of personal information and were ordered to rectify within a limited timeframe or face corresponding administrative penalties. As of the date of publication, there were still 18 Apps yet to complete the rectification.

11. Gansu released list of apps infringing on users’ rights and interests (2nd batch)

    On April 20, the Gansu Provincial Communications Administration released a list of illegal Apps after organizing a third-party testing agency to inspect the mobile internet Apps in the province. According to the regulator, a number of Apps engaged in the illegal collection and use of personal information and were ordered to rectify within a limited timeframe or face corresponding administrative penalties. As of the date of publication, there were still 11 Apps yet to complete the rectification.

12. Beijing Intellectual Property Court released Top Ten Typical Anti-Unfair Competition Cases Involving Data

    Recently, the Beijing Intellectual Property Court released the Top Ten Typical Anti-Unfair Competition Cases Involving Data. The cases involved well-known domestic and foreign digital enterprises and behaviours related to data collection, use, processing, and trading. By elaborating on the business ethics in specific data utilization scenarios and applying the rules of the Anti-unfair Competition Law in the cases, the court aimed to balance the interests of various parties including the data holders, demanders, and consumers and strived to protect data while promoting the healthy development of the industry.

13. Beijing Internet Court released case on right to access and copy personal information

    Recently, the Beijing Internet Court released a case concerning users’ right to access and copy their personal information. The court’s judgment in the case has clarified the rules regarding how personal information processors should respond to requests for exercising such right. Specifically, the judgment explains: (1) the principle of good faith that individuals should follow when exercising their right to access and copy their personal information; (2) the general scope of personal information that can be accessed and copied, which should be limited to the individual's own personal information. If the relevant information is inseparable from others' information, the legitimate rights of other subjects of personal information should not be infringed, and the impact on other subjects should be minimized as far as possible; and (3) the way in which personal information processors fulfil the relevant obligations. The case is a representative example in relation to the right to access and copy personal information and provides a reference for similar cases in the future.

14. Pudong New Area People's Court of Shanghai issued White Paper on Judicial Protection of Intellectual Property Rights in Digital Economy (2017 - 2022)

    On April 20, the Pudong New Area People's Court of Shanghai issued the White Paper on the Judicial Protection of Intellectual Property Rights in the Digital Economy (2017 - 2022) (the "White Paper"). A significant number of the cases outlined in the White Paper concern new fields and forms of businesses. Notable cases include the determination of the legitimacy of data crawling and usage, the protection of new business models, and the determination of the responsibility of internet platforms.

    The White Paper also identified existing problems, including: (1) web traffic competition becoming a normal situation, requiring clarification of the boundary for data rights and interests protection; (2) difficulty in judging the legitimacy of data use behaviour, highlighting the need to clarify the norms of behaviour for market subjects; (3) intellectual property disputes in traditional fields showing new characteristics and the development of technology-empowered industries facing new challenges; and (4) the need to address the lack of legislation for the digital economy and to improve the governance system that oversees it.

    Industry Developments

15. Wuhan issued Three-Year Action Plan for Reform of Market-oriented Allocation of Data Elements

    On April 14, the General Office of Wuhan Municipal People's Government issued the Three-Year Action Plan of Wuhan for the Reform of Market-oriented Allocation of Data Elements (2023-2025) (the "Action Plan"). The Action Plan proposes several initiatives aimed at building a preliminary framework for the marketization of data elements by the end of 2023. These include improving the framework for the reform, establishing the Wuhan Data Group, exploring the authorized operation of public data, developing a standard system for data elements, and making exemplary achievements in the utilization of data elements.

16. TC260 released First Batch of Cybersecurity National Standards Requirements List for 2023

    On April 13, the TC260 released the First Batch of Cybersecurity National Standards Requirements List for 2023 (the "Requirements List"). The Requirements List includes a total of 30 proposed cybersecurity national standards to be formulated or revised, including (1) Information Security Technology - Specification for Security of Pre-training and Optimization Training Data for Generative Artificial Intelligence; (2) Information Security Technology - Specification for Security of Human Labelling for Generative Artificial Intelligence; (3) Information Security Technology - Guidelines for Cybersecurity Assessment of Large Cyber Platforms; (4) Information Security Technology - Requirements for Classified and Graded Protection of Data; and (5) Information Security Technology - Guidelines for Auditing of Personal Information Protection Compliance.

17. MIIT launched special operation to enhance security capabilities of 5G network operation

    Recently, the MIIT launched a special operation to enhance the security capabilities of 5G network operation. This initiative focuses on the implementation of three key tasks:

    (1) Establish three lists of network operation safety risks, including extreme accident scenarios, critical network equipment, and high-risk roles. This will facilitate a comprehensive understanding and strict control of potential security risks to avoid extreme accidents;

    (2) Strengthen the four supporting capabilities of network operation security, including network protection, risk awareness, accident prevention, and comprehensive management. Through the development of a multi-dimensional capability system for network operation security, the initiative aims to ensure that 5G networks run safely and reliably on a comprehensive basis; and

    (3) Build a solid foundation for network operation security, which involves strengthening system weaknesses, improving personnel skills, and increasing security awareness.

18. First National Data Privacy Platform for Microbial Science was officially launched

    On April 23, a practical seminar on data security management and cross-domain connectivity in the biological field was held in Beijing. During the conference, the first national data privacy platform for microbial science in China was officially launched. This platform is currently the first of its kind in the scientific data field to use blockchain and privacy computing technology to enable the practical application of scientific data while ensuring both usability and privacy of the data. It provides exemplary solutions to long-standing issues related to data circulation and utilization, such as data security and data rights confirmation.

19. First National Integrated Information Platform for Data Elements was launched

    Recently, the first integrated information platform for data elements in China has been launched, known as the “data trading website” (shujiaowang.cn). The platform focuses on in-depth research and observation in the field of data elements. By implementing an integrated operation mode that combines “media information + data service + industry” and online/offline collaboration in the front, middle, and back end, the platform aims to identify promising companies and products, provide market update and analysis, and offer efficient, accurate, and professional services and decision-making references for organizations both inside and outside the industry.

20. Guiyang Big Data Exchange completed first personal data transaction in China

    Recently, the Global Big Data Exchange in Guiyang has completed the country’s first transaction involving personal data. This is an innovative move of the data exchange to promote the compliant use, sale, and monetization of personal data and to explore new B2B2C business models for data transactions while ensuring that every step of the transaction is monitored and regulated. This transaction enables the circulation and trading of job seekers' resume data, completing a closed-loop process that includes personal data authorization, collection and processing, security compliance, scenario application, and revenue distribution.

21. Shanghai Data Exchange International Board was established

    On April 24, the Data Eco-system Partnership Conference was held in Singapore. The conference commenced the establishment of the Shanghai Data Exchange International Board (the “International Board”), which aims to explore new mechanisms for two-way cross-border data flow and facilitate the circulation and transaction of compliant data products from around the world. The International Board will support the “bringing in” of international enterprises and the “going global’ of domestic businesses. Currently, there are nearly 30 data products listed on the International Board.

22. Seminar on Antitrust and Data Security in Express Delivery Industry was held in Beijing

On April 20, the China Express Association hosted a seminar in Beijing on “Antitrust and Data Security in the Express Delivery Industry”. The seminar was divided into two parts. The first part, themed “Express Industry and Anti-Monopoly”, provided in-depth explanations and discussions on the Anti-monopoly Law and competition compliance. The second part focused on “Express Industry and Data Security”, covering not only data protection in the legal system, but also practical issues related to data security and their corresponding countermeasures.