China Cybersecurity and Data Protection - Monthly Update - October 2023 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Key Highlights

On 28 September 2023, the Cyberspace Administration of China (“CAC”) released the draft Regulation for Administering and Promoting Cross-border Data Flow (“Draft Regulation”) for public consultation, which proposes to make substantial changes to the current data export regime. The CAC released the Draft Regulation to implement the central government’s policy of boosting economic growth and foreign investment and to address concerns over the burdensome and complex compliance obligations under the current Data Export Regime. For more details, please read our article at the link in the section below.

Our Views

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. CAC released the draft Regulation for Administering and Promoting Cross-border Data Flow (“Draft Regulation”)

On 28 September, the Cyberspace Administration of China (CAC) released the draft Regulation for Administering and Promoting Cross-border Data Flow (Draft Regulation) for public consultation, with a deadline of 15 October 2023 for comments. The Draft Regulation, totalling 11 articles, substantially changes the applicable standards for the governmental security assessment of data exports (“Governmental Assessment”), entering into the standard contractual clauses with overseas PI importers (“SCCs”), and PI protection certification by an institution accredited by the CAC (“Certification”). It also exempts some data export scenarios with strong export necessity and those involving only a small amount of PI export from the compliance obligations. The Draft Regulation also allows free trade zones (“FTZs”) to formulate their own negative list of data export.

For example, the Draft Regulation specifies that the following scenarios do not require the application of Governmental Assessment, the filing of SCCs, or the Certification: (1) PI export for the purpose of entering into or performing a contract to which the individual is a party, such as cross-border purchases, cross-border remittance, hotel and air ticket booking, and visa application; (2) PI export pursuant to the employment rules and policies formulated by the law, and the signing of a contract in accordance with the law; (3) the export of PI that is expected to cover fewer than 10,000 individuals within one year; or (4) the export of data other than those on the negative list established by the FTZs. As can be seen, the Draft Regulation aims to substantially reduce the compliance burden on companies while ensuring the orderly flow of data exports.

2. The legislative plan of the Standing Committee of the 14th National People's Congress was announced, involving legislative projects such as the revision of the cybersecurity law, the law on the promotion of the digital economy, and the ownership of data.

On 7 September, the legislative plan of the Standing Committee of the 14th National People's Congress (NPC) was announced, involving legislative projects such as the revision of the Cybersecurity Law, Law on the Promotion of Digital Economy, and data ownership. Legislative projects in areas such as data ownership and cyber governance may be scheduled for consideration when conditions are ripe after study and justification.

3. State Council reviewed and adopted the draft Regulations on the Protection of Minors in Cyberspace

On 20 September, the State Council reviewed and adopted the draft Regulations on the Protection of Minors in Cyberspace (“Draft Regulations”). It is understood that the Draft Regulations make provisions for strengthening the promotion of minors' network literacy, the regulation of network information content, the protection of minors' personal information network, and the prevention and treatment of minors' network indulgence, and stipulate the corresponding legal responsibilities for relevant illegal acts.

4. Supreme People's Court, the Supreme People's Procuratorate, and the Ministry of Public Security jointly issued the Guiding Opinions on Punishing Network Violence and Illegal Crimes in accordance with the Law

On September 25, the Supreme People's Court, the Supreme People's Procuratorate, and the Ministry of Public Security jointly issued the Guiding Opinions on Punishing Network Violence and Illegal Crimes in accordance with the Law (the “Guiding Opinions”), which requires courts, procuratorates, and public security authorities around the world to: (1) fully understand the social hazards of cyber-violence, and safeguard the rights and interests of citizens and the order of the network in accordance with the law; (2) accurately apply the law, and severely punish cyber-violence and illegal crimes in accordance with the law (including infringement of citizens' personal information and refusal to fulfil information network security management obligations); (3) smooth litigation procedures and provide timely and effective legal remedies; and (4) implement work requirements and promote the strengthening of comprehensive governance.

5. The SCA issued the Administrative Measures for the Security Assessment of Commercial Cryptography Application

On 11 September, the State Cryptography Administration (SCA) considered and passed the Measures for the Administration of Security Assessment of Commercial Cryptographic Applications (“Measures”), which will come into force on 1 November 2023, as a complementary regulation to the Cryptography Law and the Regulations on the Administration of Commercial Cryptography. The Measures further clarify and refine the scope of security assessment of commercial cryptography applications, the responsible parties, the working principles and requirements, and the implementation specifications, in order to regulate the work of security assessment of commercial cryptography applications.

6. The State Administration of Radio and Television, the Ministry of Industry and Information Technology, and the State Administration for Market Regulation jointly issued the Notice on Further Strengthening the Management of In-car Audio and Video

On 1 September, the State Administration of Radio and Television and three other departments jointly issued the Notice on Further Strengthening the Management of In-vehicle Audio and Video (“Notice”). The Notice puts forward a number of requirements in three aspects with regard to irregularities in in-car audio and video services. For example, the regulation of in-vehicle wireless broadcasting should be strengthened, in-vehicle network audio and video services should obtain the appropriate permits (such as the "Information Network Dissemination of Audio-visual Programmes Licence" and the filing of mobile Internet applications), and the management of in-vehicle audio and video system platforms should be regulated.

7. The Ministry of Science and Technology has issued Frequently Asked Questions on the Administration of Human Genetic Resources

The Ministry of Science and Technology (“MOST”), in response to the common questions asked by applicants since the promulgation of the Implementing Rules of the Regulations on the Administration of Human Genetic Resources, has formed the Frequently Asked Questions on the Management of Human Genetic Resources (FAQs), which involves issues such as administrative licences for collection and preservation, licences for and filing of international cooperation, and reporting of information provided to the outside world or for open access in the first place for applicants to make declarations. The FAQs published in previous issues will be cancelled at the same time.

8. National Information Security Standardisation Technical Committee issued Network Key Equipment Security Technical Requirements Programmable Logic Controller (PLC) (Draft for Comments)

On 21 September, to implement Article 23 of the Cybersecurity Law of the People's Republic of China on network critical equipment requirements, the Commission released the Network Critical Equipment Security Technical Requirements for Programmable Logic Controllers (PLC) (Draft for Comments) (the “Draft”). The Draft specifies the information security technical requirements for PLCs, is applicable to guiding PLC design, development, testing and evaluation, and provides a standard basis for third-party testing and certification organisations to conduct PLC equipment security testing and security certification, as well as a basis for enterprises to purchase network-critical equipment.

9. National Information Security Standardisation Committee issued Security Specification for Storage Media Data Recovery Services in Information Security Technology (Draft for Comments)

On 28 September, the Information Security Standardisation Committee issued the Security Specification for Information Security Technology Storage Media Data Recovery Services (Draft for Comments) (the “Security Specification”), which is intended to amend GB/T 31500-2015 Information Security Technology Storage Media Data Recovery Service Requirements. The Security Specification aims to support the security requirements for data recovery services in regulations such as the Cybersecurity Law and the Data Security Law, and to promote the compliance and security development of the data recovery industry. For example, the Security Specification puts forward requirements for data security implemented by data recovery agencies from the organisational and technical aspects, regulates data recovery practitioner agencies, practitioners, and practitioner environments, and puts forward data recovery service management and technical security requirements, and an evaluation system for data recovery service security requirements.

10. National Information Security Standardisation issued the Application Guideline of Information Security Technology in Network Security Insurance (Draft for Comments)

On 13 September, the National Information Security Standardisation issued the Application Guidelines of Information Security Technology in Network Security Insurance (Draft for Comments) (the “Guidelines”). Aiming at the actual problems existing in the application of the current domestic network security insurance market, the Guidelines start from the actual application process of network security insurance and address problems such as the lack of unified understanding of network security insurance by insured enterprises, the large difference in the cognition of network security risks and insurance coverage, and the basic methods in the application of network security insurance, so as to help insured enterprises, insurers, third-party technical service providers and other participants to better understand and apply network security insurance, promote the standardisation of its application, and improve the supply and demand capacity of the market.

11. Beijing Administration for Market Regulation issued Beijing Antitrust Compliance Guidelines, responds to hot topics of anti-monopoly in data and algorithms

On 7 September, the Beijing Administration for Market Regulation issued the Beijing Antitrust Compliance Guidelines (the “Guidelines”). The Guidelines are applicable to relevant operators and industry associations within the administrative area of Beijing, and partly applicable to administrative organs and organisations with public affairs functions in accordance with the law, and are aimed at guiding operators to set up and improve their antitrust compliance management system, improving their ability to identify, prevent and deal with the risks of monopolistic conduct, and safeguarding the sustainable and healthy development of their business activities. Focusing on the field of digital economy, the Guidelines analyse in detail the ways and manifestations of monopoly behaviours involving data, algorithms and platform rules, and provide a reference for operators to conduct anti-monopoly compliance work in the fields of data and algorithms.

12. Beijing Municipal Bureau of Commerce released Beijing Foreign Investment Regulations (Draft for Comments), calls for establishment of green channel for data export by foreign invested enterprises and whitelist for data flow

On 20 September, the Beijing Municipal Bureau of Commerce released the Regulations on Foreign Investment in Beijing (Draft for Comments) (the “Regulations”), which aim to promote foreign investment in Beijing, regulate the management of foreign investment, protect the legitimate rights and interests of foreign investment, and promote the high-quality development of the capital's open economy. Notably, the Regulations propose facilitation measures for cross-border flow of data, requiring the establishment of a green channel for data export by foreign-invested enterprises and a whitelist for data flow, and the creation of a more transparent, stable and predictable environment under the rule of law.

13. Shanghai CAC jointly issued Compliance Guidelines for Shanghai Internet Securities Information Service Enterprises with various departments

On 15 September, the Shanghai Municipal People's Procuratorate, in conjunction with the Shanghai CAC and the Shanghai Securities Association, issued the Guidelines for Compliance of Shanghai Internet Securities Information Service Enterprises (the “Guidelines”). The Guidelines aim to consolidate the results of the special action Clean Pujiang - Online Illegal Securities Activity Governance, establish and improve the long-term working mechanism, guide the relevant enterprises to strengthen the compliance construction of Internet securities information services, and safeguard a clean cyberspace and the legitimate rights and interests of netizens.

14. Shenzhen Municipal Government Service Data Management Bureau released Shenzhen Open Public Data Management Regulation (Draft for Comments)

On 26 September, the Shenzhen Municipal Government Service Data Management Bureau released the Shenzhen Public Data Open Management Measures (Draft for Comments) (the “Management Measures”). The Management Measures aim to regulate and promote the city's public data opening work, release the value of public data resources, and enhance the government's governance capacity and public service level. The main contents of the Management Measures include: clarifying the division of responsibilities among government departments at all levels, public management and service institutions, and the management and service institutions of the city's public data open platform; clarifying the requirements for the classification and hierarchical management of public data; encouraging and supporting the open use of public data; and stipulating the management system related to the security of open data, the requirements for data desensitisation, and the self-assessment of the security of open data, among other matters.

15. The National Technical Committee for Standardisation of Automobiles, Intelligent Connected Vehicles Sub-Technical Committee, reviewed and approved two mandatory national standards technical requirements for Information Security of Automotive Vehicles and Automated Driving Data Recording System for Intelligent Networked Vehicles

From 13 to 14 September, the National Technical Committee for Standardisation of Automobiles adopted the mandatory national standards Technical Requirements for Information Security of Automotive Vehicles and Intelligent Networked Vehicles Autonomous Driving Data Recording System. The former helps enterprises define baseline requirements for information security, and stipulates requirements for automotive information security management system, general requirements for information security, technical requirements for information security, inspection and test methods, and the same type of judgement. The latter stipulates requirements for data recording, storage and reading, crashworthiness, information security, and vehicle-specification-level environment and corresponding test methods for the automatic driving data recording system of intelligent networked automobiles, and helps enterprises to establish a complete automatic driving data recording mechanism, collect and store data and other information in the event of a collision, establish a database of the causes of accidents, and restore the circumstances under which the accident occurred.

16. Shenzhen Procuratorate jointly issued Guidelines on Data Compliance for Shenzhen Enterprises with various departments

On 11 September, the Shenzhen Municipal People's Procuratorate, in conjunction with the Shenzhen CAC and other departments, issued the Guidelines on Data Compliance for Shenzhen Enterprises (“Guidelines”). The Guidelines consist of six chapters and 77 articles, including the construction of the organisational system for data security compliance management, the construction of the system for data compliance management system, data full life cycle compliance, data exit compliance and bylaws. For the scenarios of data review, collection, use, storage and transaction, it accurately identifies various types of security risks in the whole life cycle of data and builds a standard specification for the whole process of compliance. In the field of data transactions, the Guidelines explicitly propose for the first time that, for enterprises involved in compliance construction assessed to be in line with the validity standards, the procuratorate may, as appropriate, make recommendations or opinions on mitigation or alleviation to the relevant competent authorities according to the specific circumstances, further extending the incentive effect of data compliance to the field of administrative supervision.

Enforcement Developments

17. Cyberspace Administration of China (CAC) made administrative penalties against CNKI after conducting a network security review according to the Cybersecurity Law

On September 1, the CAC imposed administrative penalties on CNKI following a network security review, in accordance with the Cybersecurity Law, the Personal Information Protection Law, the Administrative Penalty Law and other laws and regulations. Taking into account the network security review and the nature, consequences and duration of CNKI's unlawful handling of personal information, among other factors, the CAC ordered CNKI to stop its unlawful handling of personal information and imposed a fine of RMB 50 million. It was found that 14 apps operated by CNKI, such as Mobile Knowledge and Knowledge Reading, had violated the principle of necessity in collecting personal information, collected personal information without consent, failed to disclose or clearly state the rules of collection and use, failed to provide an account cancellation function, failed to delete users' personal information in a timely manner after they cancelled their accounts, and committed other illegal acts.

18. The Central CAC launched a special action to rectify the information content of life service platforms

On 28 September, the Central Internet Information Office launched a two-month special operation entitled "Clearly - Rectification of Information Content on Life Service Platforms" (the “Special Action”). The Special Action focuses on life service platforms that are closely related to clothing, food, housing and transport, concentrates on information content rectification, severely investigates and deals with illegal accounts and platforms, and resolutely blocks the channels through which illegal and undesirable information spreads. The main responsibility for platform content management has been strengthened, account information management and community rules have been established and improved, and the information content governance mechanism has been regularised. The Special Action focuses on seven types of outstanding problems, including diversion of traffic for offline illegal activities and the presentation of illegal information in search links.

19. CAC released the second batch of Algorithmic record information for deep synthesis services

On September 16th, the Cyberspace Administration of China (“CAC”) issued a public announcement regarding the release of the second batch of filing information for domestic deepfake synthesis service algorithms, in accordance with the Regulations on the Administration of Internet Information Services for Deepfake Synthesis. It reminded deepfake synthesis service providers and technical supporters who have not yet completed the filing procedures to apply for filing as soon as possible.

20. CAC Released first batch of application distribution platform filing numbers

On 27 September, the Cyberspace Administration of China (“CAC”) officially released the names and filing numbers of the first batch of 26 application distribution platforms, including well-known platforms such as the Xiaomi App Store, Alipay's Small Program Technology Platform, and WeChat Small Program. According to the relevant requirements of the Provisions on the Administration of Mobile Internet Application Information Services, the filing is only a confirmation of the behaviour of the application distribution platform in providing distribution services, which does not represent the recognition of the platform's service capability and its on-shelf applications, and any platforms and individuals shall not be used for any commercial purpose and shall not engage in other businesses in violation of the law.

21. The CAC's illegal and harmful information reporting centre organised the tenth batch of 405 websites and platforms to the industry to unify the way to report acceptance

On September 19, the CAC's illegal and harmful information reporting centre organised the tenth batch of 405 websites and platforms to the industry to unify the way to report acceptance, including KuaiShou e-commerce, Quark browser, Perfect World and other websites and platforms. Website platforms should publish report acceptance as an opportunity to standardise the network of illegal and undesirable information reporting work, timely acceptance and disposal and feedback of netizen reports and complaints, and effectively safeguard the legitimate rights and interests of netizens, and jointly create a clear cyberspace.

22. Beijing Communications Administration released typical cases of network and data security in Beijing

On 18 September, the “Network and Data Security” typical case selection results were announced at the 2023 Beijing Internet Conference's Network and Data Security Forum. The winning cases involved an advanced persistent network threat active protection system, a network security compliance platform solution, an enterprise data security control and personal information privacy protection platform, a cross-border data security monitoring solution, and a data security risk monitoring and warning mechanism based on big data intelligent analysis, among others. For example, the award-winning enterprise data security control and personal information privacy protection platform can carry out data identification, classification and grading management, task management for the persons responsible for data security, and filing and registration form management for relevant business system data, which improves the data security management system of the relevant business system and enhances the ability to operate and manage the whole life cycle of data.

23. Beijing Internet Court released White Paper on Trial Work and ten typical cases in five categories

In order to better regulate the role of the internet and ensure the high-quality development of the digital economy, on 31 August, Beijing Internet Court held a press conference to release the "White Paper on the Trial Work of the Beijing Internet Court", comprehensively presenting the results of the Court’s work over five years. It focused on the areas of digital copyright, digital consumption, platform governance, data algorithms, and protection of network rights and interests, and released ten typical cases in five categories.

24. Supreme People’s Court released 2023 Typical Cases of People's Courts Against Monopoly and Unfair Competition, involving the determination of unfair competition behaviour in data scraping

On 14 September, the Supreme People’s Court released the typical cases of anti-monopoly and anti-unfair competition for the year 2023, which involved the determination of unfair competition through data scraping. Beijing Intellectual Property Court has explored and clarified the legal nature of non-original data aggregation, distinguished the rights protected by copyright law from the interests protected by the Anti-Unfair Competition Law, and protected the legitimate rights and interests of platform operators in collecting, storing, processing, and transmitting data. They have actively explored the application of the anti-unfair competition law in regulating data utilisation behaviour.

25. The State Post Bureau, the CAC and the Ministry of Public Security jointly promote the application of privacy waybill in the field of postal express delivery

On 8 September, the State Post Bureau, the CAC and the Ministry of Public Security jointly held a meeting to promote the application of privacy waybill in the field of postal express. The meeting pointed out that the State Post Bureau will be in close contact with the Central Internet Information Office and the Ministry of Public Security, strengthen synergy and information sharing, increase the investigation and handling of illegal acts involving personal information security in the field of postal express delivery, focus on the management of hidden dangers and weaknesses in the management and control of information security risks, and strengthen the management and control of information security risks at the technological, systemic, and managerial levels. The meeting also requested that all e-commerce platforms and sending enterprises work closely together to protect personal information in the field of postal express delivery, and jointly crack down on illegal and criminal acts involving postal information.

26. State Administration for Market Regulation announced a batch of typical cases of network unfair competition, involving unfair competition through data scraping

To make effective use of typical cases as a warning and educational tool, enhance business entities' awareness of integrity, law-abidance and compliance, and guide consumers towards scientific and rational consumption, the State Administration for Market Regulation on 26 September announced several typical cases of online unfair competition investigated and dealt with in special actions, including unfair competition through data scraping. In that case, the merchant called a third-party interface and, without the consent of the data source shopping platform and the operators within the platform, scraped commodity information data from the data source shopping platform and uploaded it to other shopping platforms with a competitive relationship. By the time of the offence, the software had extracted more than 9.42 million pieces of commodity information data. The merchant was subject to an administrative penalty of 1 million yuan.

27. The Internet Security Departments of Beijing’s Changping and Chaoyang Districts have effectively applied the Data Security Law to punish enterprises

Recently, the Internet Security departments in Changping and Chaoyang districts of Beijing have effectively applied the Data Security Law to impose administrative penalties on enterprises that failed to establish data security management systems or fully implement the network security level protection system. This had a good effect in terms of warning and education. Both cases involved technology companies that had data vulnerabilities, resulting in the exposure of citizens’ private data on the Internet and a high risk of personal information leakage. The Internet Security departments imposed administrative penalties on these companies and ordered them to rectify the issues within a specified period.

28. The Beijing Regulatory Bureau of the China Banking and Insurance Regulatory Commission imposed an administrative penalty of 200,000 yuan on the Beijing ZhongGuanCun Bank

On 8 September, the Beijing Regulatory Bureau of the China Banking and Insurance Regulatory Commission imposed an administrative penalty of 200,000 yuan on the Beijing ZhongGuanCun Bank. It was reported that the bank had experienced a significant incident in its information system but failed to report it to the regulatory authorities, which constituted a serious violation of prudent operation rules.

29. Tianjin Municipal Public Security issued network law penalty case: in which an information system was invaded and the corporate entity was held responsible

The Tianjin Municipal Public Security Nankai Branch Network Security Detachment conducted an investigation into the malicious tampering of a company's system data, and found that there were multiple problems with the company's operating system: (1) imperfect technical measures to prevent network intrusion, and monitoring loopholes within the physical network environment; (2) less than six months of network logs to monitor and record network operating status; and (3) risks of security defects and loopholes. The company did not immediately take remedial measures and did not report to the relevant departments, and the information system continued to operate at risk, giving lawbreakers an opportunity to take advantage of it. In accordance with the provisions of Article 21 and Article 59 of the Network Security Law of the People's Republic of China, the Nankai Branch fined the company and relevant supervisors 50,000 yuan and 20,000 yuan respectively.

30. A Shanghai government information system technology service company was administratively punished for leaking citizens' personal information that was disclosed and peddled outside China

The Shanghai CAC, in conjunction with relevant departments, has conducted an on-site network security inspection and imposed administrative penalties on a government information system technology service company in Shanghai for its failure to strictly fulfil its obligations to protect data security. During the investigation, it was found that the company had placed government data on the internet for testing purposes, and there were high-risk vulnerabilities in the related storage endpoints, resulting in a large-scale leakage of citizens' data. The company failed to effectively fulfil its obligations regarding data security and personal information protection during data processing activities. It did not establish a comprehensive data security management system, nor did it implement technical protection measures to ensure data security and the security of citizens' personal information. As a result, the platform was frequently subjected to remote access from overseas and faced risks of data leakage. Recently, the Shanghai CAC, in coordination with relevant departments, has required the company to immediately take down government website pages, close relevant cloud service ports, and cooperate with the network asset inventory, and has imposed administrative penalties on the company.

31. Shanghai Internet Information Office carries out special inspection on 46 apps collecting and using personal information in its territory

To standardise the handling of personal information by apps and protect the legitimate rights and interests of citizens' personal information, from April to September 2023, the Shanghai CAC conducted a special inspection on 46 apps with a high number of local downloads and complaints. A total of more than 160 issues were identified. Common problems related to the collection and use of personal information include incomplete or inconsistent explanations in privacy policies regarding the collection and use of personal information, refusal to provide services if users do not agree to the privacy policy, failure to provide options for users to actively consent to the privacy policy and service agreements, and excessive collection of personal information in the background mode. Following notification and guidance, all app operators have completed the rectification of the identified issues.

32. Shanghai CAC and Municipal Market Supervision Bureau carry out joint inspection on personal information protection of some real estate agents and auto 4S shops

To evaluate the effectiveness of previous legal training and protect the legitimate rights and interests of consumer personal information, the Shanghai CAC and the Municipal Market Supervision Bureau jointly conducted on-site inspections of three real estate agencies (Lianjia, Centaline, and Pacific) and three automotive brands' 4S stores on 26 September and 27 September. Previous inspections revealed some common issues in the collection of personal information by real estate agencies, such as frequent pop-ups requesting precise location information permissions for convenience services, failure to prompt users to read the privacy policy upon entering the mini programme, failing to inform users of the purpose and necessity of collecting personal information when accessing app lists, and not providing effective channels for account cancellation. Similarly, 4S stores faced common issues that hindered users' experiences, such as frequent pop-ups requesting location permission, mandatory agreement to open storage permissions for camera usage, frequent prompts to improve personal information by completing user profiles, and mandatory registration and login for using the test drive appointment feature.

33. A Court in Guangdong reported a case in which high-speed railway station employees unlawfully obtained, sold, or provided personal information of citizens through the abuse of their official positions

Recently, the People's Court of Nanhai District, Foshan City, Guangdong, disclosed a case in which a high-speed rail station employee illegally obtained, sold, or provided personal information of citizens for personal gain by taking advantage of their position. Several individuals involved in the case have been sentenced. It was reported that the defendants, including Chen, abused their positions as railway station customer service staff to access the high-speed rail itinerary information of celebrities, and they would provide this information for a fee or sell it. Additionally, Chen also joined multiple WeChat groups and posted numerous advertisements offering their services for information queries. By September 2021, Chen had earned approximately 190,000 yuan from these activities. After hearing the case, the court held that the actions of Chen and others constituted the crime of infringing upon the personal information of citizens. In addition to criminal liability, they also bore corresponding civil liability.

34. Internet security department of Jiangsu public security organs: 336 administrative cases have been handled in accordance with the Data Security Law

In the past two years since the implementation of the Data Security Law, the internet security department of the Public Security Bureau in Jiangsu province has focused on tackling various problems and irregularities in the industry related to information data leakage, misuse, and tampering. They have strengthened supervision, inspection, warning, and administrative law enforcement. The police have enforced strict measures against illegal acts of failing to fulfil obligations to protect data security and have actively held network operation entities accountable for their data security responsibilities. So far, a total of 336 administrative cases have been handled in accordance with the Data Security Law, covering various sectors such as medical examination institutions, technology companies, real estate registration centres, pharmaceutical companies, and more.

35. Zhejiang Jiashan Agricultural and Commercial Bank fined 1.21 million yuan for violating consumer financial information protection regulations

On 22 September, Zhejiang Jiashan Rural Commercial Bank Co., Ltd. received a warning and was fined 1.21 million yuan by the Jiaxing Branch of the People’s Bank of China for illegal behaviour. Three individuals responsible for the violations were also penalized. The violations included breaching account management regulations, failing to fulfil customer identity verification obligations as required, and violating regulations on consumer financial information protection and financial consumer rights protection.

36. Zhejiang Provincial Communications Administration notified 12 Apps that infringed the rights and interests of users

The Zhejiang Provincial Communication Administration recently released a list of 12 mobile apps that have infringed upon user rights. The list includes several types of apps such as online shopping, utility tools, and instant messaging apps. The issues involved in these apps include illegal collection and usage of personal information, excessive collection of personal information beyond the necessary scope, app permissions being forcefully, frequently, and excessively requested, as well as apps frequently self-starting and launching related activities. The Communication Administration has urged the developers and operators of these apps to complete rectification and implementation work by September 13th. If the rectification is not conducted properly, the Zhejiang Provincial Communication Administration will take measures such as removing them from app stores, shutting them down, and imposing administrative penalties, depending on the circumstances.

37. Shaanxi Communications Administration took down 3 Apps that infringed users' rights and interests

The Shaanxi Communication Administration has taken down three mobile apps that have violated user rights. These three apps were found to have violated regulations regarding the collection, excessive collection, and illegal usage of personal information, as well as forcing users to enable targeted push notifications and excessively requesting app permissions.

38. Sichuan Communication Administration has taken down 10 mobile Apps that have infringed user rights

Recently, the Sichuan Communication Administration has taken down 10 mobile apps that have violated user rights. Despite being notified of the violations and requested to rectify the issues, these 10 apps continued to illegally collect and use personal information, as well as excessively request app permissions. In response, the Sichuan Communication Administration has conducted discussions with the affiliated companies and decided to remove these 10 problematic apps from the market.

39. Chongqing Communication Administration has taken down 5 mobile Apps that have infringed user rights

The Chongqing Communication Administration has taken down five mobile apps that have infringed upon user rights. The issues associated with these five apps include failure to clearly indicate personal information processing rules, illegal collection of personal information, unreasonable permission requests, excessive and frequent requests for app permissions, failure to provide an effective account cancellation function, and a lack of guidance for account cancellation on privacy policies and related interfaces.

40. Guangdong Communication Administration removed 18 mobile Apps that infringed user rights and posed security risks

On August 16, the Guangdong Communication Administration removed 18 mobile apps that were infringing upon user rights and posing security risks. The issues associated with these 18 apps include illegal collection of personal information, frequent automatic and associated startup of the apps, and excessive and frequent requests for app permissions. The Guangdong Communication Administration will continue to monitor the reported apps and take further measures, such as disconnecting their network access, imposing administrative penalties, and including them in a list of poorly managed telecommunications businesses, depending on the situation.

Industry Developments

41. CAC released latest version of Cloud Computing Service Security Assessment Professional and Technical Organisations list

On 25 September, the Cyberspace Administration of China (CAC) released a new version of the list of Cloud Computing Service Security Assessment Professional and Technical Organisations, which includes a total of eight institutions. The newly added evaluation institutions are the National Computer Network and Information Security Management Centre, the State Information Centre, the 15th Research Institute of the China Electronics Technology Group Corporation, and the National Industrial Information Security Development Research Centre. The expansion of these evaluation institutions will provide support for further promoting cloud computing service security management and assessment work in the Chinese government and enterprises.

42. China Appraisal Society released Guidelines on Data Asset Valuation, providing guidance to professional organisations on valuing data assets

On 8 September, China Appraisal Society (CAS) released the Guidelines on Data Asset Appraisal (the “Guidelines”), which aims to regulate the practice of asset appraisal and protect the legitimate rights and interests of the parties involved in asset appraisal and the public interest and will come into effect from 1 October 2023 onwards. The Guidelines make it clear that in performing data asset valuation business, one may understand and pay attention to the basic situation of the data assets under appraisal by means of provision by the principal, relevant parties, etc. or through independent collection; one should be aware of the characteristics of the data assets such as non-physicality, dependence, shareability, processability and volatility in value, and pay attention to the impact of the characteristics of the data assets on the subject of the appraisal.

43. Asset Management Association of China released Group Standard on Technical Specification for Mobile Internet Applications for Fund Management Companies

On 12 September, Asset Management Association of China released the group standard of Technical Specification for Mobile Internet Applications of Fund Management Companies (the “Group Standard”). The Group Standard applies to mobile internet applications and their associated back-office services used by public fund management companies to provide financial services to users. The Group Standard stipulates the technical requirements for mobile Internet applications of public fund management companies in terms of software security, security of users' personal information, compatibility, performance, interaction, etc. and the management requirements for software R&D, operation and maintenance. For example, in terms of data security, it stipulates that encryption measures should be taken for the transmission of sensitive personal information to and from other local application software, and that the risk of sensitive data transmission should be assessed. It also stipulates data theft prevention, maintaining data integrity, etc.

44. China Academy of Information and Communications Technology released White Paper on Data Elements (2023)

On 26 September, the China Academy of Information and Communications Technology (CAICT) released the White Paper on Data Elements (2023) (the “White Paper”), which, on the basis of the White Paper on Data Elements (2022), further explores the theoretical understanding of data elements, focuses on the new modes, new forms and new hotspots that have continued to emerge in the process of exploring data elements over the past year, and focuses on the development of four major aspects, namely, resources, main body, market and technology. The White Paper suggests promoting consensus on data elements classification, with a focus on data classification and grading, authorisation and operation of public data, inclusion of data assets in financial statements, and protection of personal data rights. The government should establish a fair and efficient mechanism, combining efforts from both on and off the market, to promote the optimal allocation of data resources. Enterprises should prioritise enhancing data management and application capabilities.

45. 2023 World Intelligent and Connected Vehicle Conference kicks off in Beijing

On 21 September, the 2023 World Intelligent Networked Vehicle Conference opened in Beijing. Vice Minister Xin Guobin of the Ministry of Industry and Information Technology delivered a speech, emphasizing the following points: (1) Strengthen innovation-driven development and support upstream and downstream companies in establishing innovation alliances, empowering each other, and making breakthroughs in key technologies; (2) Improve standards and regulations by expediting the revision of important and urgently needed standards, and enhancing the coordination of standards between automobiles and areas such as infrastructure and information communication; (3) Deepen pilot demonstrations by launching intelligent connected vehicle access and on-road testing pilots as soon as possible, creating a portfolio of characteristic demonstration projects in which domestic and international market entities participate together; (4) Optimise the industrial ecosystem by promoting the construction of vehicle-infrastructure coordination infrastructure, establishing a multi-level cloud-based control platform, and building an integrated and interactive industrial ecosystem encompassing automobiles, energy, smart cities, and more.

46. The first national automotive data elements circulation summit in 2023 was held to promote data elements as a new engine for automotive development

On 15 September, the inaugural National Automotive Data Element Circulation Summit was held, at which it was proposed that in the automotive industry chain, the demand for development through data empowerment exists in different segments, including research and development, validation testing, sales, after-sales use and other stages. As a core resource and element endowment for the rapid development of the automotive industry in the new period, data elements contain great commercial value and will become a new engine for automotive development.

47. Beijing High-Level Autonomous Driving Demonstration Zone releases Data Classification and Rating White Paper 2.0

On 22 September, the Beijing High-Level Autonomous Driving Demonstration Zone released the Beijing High-Level Autonomous Driving Demonstration Zone Data Classification and Grading White Paper 2.0 (the White Paper 2.0). The White Paper 2.0 aims to fully summarise the achievements of industry innovation and governance as well as provide insights for the establishment of an open, comprehensive, and iterative data security governance system in Beijing. Data classification and grading are important measures for the governance of data in the demonstration zone. Building upon the foundation laid by the 1.0 version, White Paper 2.0 further refines the content of data attributes and updates the data grading, sharing industry-leading management achievements and enterprise practices for the first time. Currently, the demonstration zone has released two leading industry datasets, enabling over 200 units to conduct research in related fields. Additionally, an initial platform for high-precision map crowdsourcing updates has been established, achieving data loop verification.

48. Shanghai CAC released Analysis of Cases of Illegal Collection and Use of Personal Information in Online Wealth Management and Small Loan Scenarios (I) (II)

On 13 and 14 September, the Shanghai CAC released two issues of the “Analysis of Violations and Illegal Use of Personal Information in Online Financial and Small Loan Scenarios.” These cases analyse common violations and illegal practices in the online financial and small loan scenarios. For example, forcing consumers to agree to unrelated third-party product privacy policies, collecting unnecessary personal information from consumers, collecting and using personal information without the consent of consumers, failing to inform consumers of the purpose of collecting personal information, and setting unreasonable conditions for deleting personal information. The Shanghai Cyberspace Administration advises financial and wealth management service institutions to conduct self-inspections and rectify their practices in accordance with the analysis of these cases. They should strictly adhere to the principles of collecting consumers’ personal information “minimally and necessarily” and obtaining informed consent, ensuring compliance with their obligations to protect personal information.

49. Zhejiang CAC issued data cross-border security assessment declaration work Q&A (IV)

On 19 September, Zhejiang CAC issued data cross-border security assessment declaration work Q&A (IV). The content covers the requirements for filling in the "data size" and "number of natural persons involved" in the data cross-border security assessment declaration form, the requirements for filling in the data cross-border risk self-assessment report and the requirements for filling in the legal documents.

50. The first personal information compliance flow transaction in China was completed in Guiyang

Recently, the first compliant circulation transaction of personal data was completed at the Guiyang Big Data Trading Exchange in China. It is reported that this transaction was supervised and managed throughout all stages, representing an innovative practice by the Guiyang Big Data Trading Exchange to promote the compliant use of personal data, regulate transactions, and ensure legal benefits. In this transaction, Guiyang Big Data Trading Exchange collaborated with HaoHuo (Guizhou) Network Technology Co., Ltd. to collect personal resume data from job seekers using technologies such as digitisation and privacy computing. The transaction was carried out with the informed consent and explicit authorisation of individual users. While ensuring the availability of user data, the transaction utilised the “Data Product Transaction Price Calculator” provided by Guiyang Big Data Trading Exchange. Combining HaoHuo Technology’s resume price calculation model and application scenarios, the transaction provided transaction valuation references for personal resume data, particularly in the context of flexible employment services. The transaction process encompassed aspects such as individual data authorisation, collection and processing, security and compliance, scenario application, and profit distribution. By completing this transaction, Guiyang Big Data Trading Exchange has showcased its commitment to facilitating the compliant and beneficial utilisation of personal data, while maintaining the privacy and security of individuals.
