This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.
In June 2024, developments in China’s cybersecurity and data protection field have seen notable progress in data export, data security, and digital construction.
Follow the links below to view the official policy documents or public announcements.
The MIIT issued the Implementation Details for Data Security Risk Assessments in the Industry and Information Technology Sector (Trial). These details stipulate that processors of important data and core data should conduct at least one data security risk assessment annually, with the results valid for one year, starting from the date the assessment report is first issued. The assessment report should include the basic information of the data processor, the basic information of the assessment team, the types and quantities of important data, the conditions under which data processing activities are conducted, the environment of the data security risk assessment, as well as the analysis of data processing activities, compliance assessment, security risk analysis, assessment conclusions, and countermeasures.
The Cyberspace Administration of China (“CAC”), together with the Office of the Central Cyberspace Affairs Commission, the MIIT, and the Ministry of Public Security, jointly issued the Regulations on the Security Management of Internet Government Applications. The regulations require that the construction and operation of Internet government applications comply with relevant laws, administrative regulations, and mandatory national standards. They must take technical and other necessary measures to prevent risks such as content tampering, attacks causing paralysis, and data theft, ensuring the secure and stable operation of Internet government applications and data security.
The State Administration for Market Regulation (“SAMR”) officially issued the Interim Provisions on Combating Unfair Online Competition, which detail the criteria and factors for identifying unfair online competition behaviours under the Anti-Unfair Competition Law. These provisions aim to comprehensively assess the unfairness of the behaviours involved, avoid undue interference with free market competition, and prevent hindrances to technological development and innovation. The regulations list unfair online competition behaviours such as fake reviews, malicious interception or blocking, illegal data acquisition, and unreasonable restrictions or conditions imposed by platform operators on the businesses within their platforms, and clarify the applicable legal provisions.
4. Lingang New Area in Shanghai releases the first batch of cross-border data scenarios general data list (17 May)
The Lingang New Area of the China (Shanghai) Pilot Free Trade Zone has released the General Data List of Cross-Border Data Scenarios (“General Data List”) and its accompanying operation guide, building on the previously issued Classified and Graded Management Measures for Cross-Border Data Flow in the China (Shanghai) Pilot Free Trade Zone Lingang New Area (Trial). The first batch of the General Data List includes three fields: intelligent connected vehicles, public funds, and biomedicine. It covers 11 scenarios involving multinational production and manufacturing of intelligent connected vehicles, pharmaceutical clinical trials and research, and information sharing in fund market research, divided into 64 data categories with over 600 data fields.
5. Tianjin Free Trade Zone releases the negative list for cross-border data management (9 May)
The Administrative Committee of the Tianjin Free Trade Zone and the Tianjin Municipal Bureau of Commerce jointly issued the Negative List for Cross-Border Data Management in the China (Tianjin) Pilot Free Trade Zone (2024 Edition), which specifies situations where companies in the Tianjin Free Trade Zone must apply for a data export security assessment, sign standard contracts for the export of personal information, and pass personal information protection certification when providing data overseas. Companies in the Tianjin Free Trade Zone that provide data not included in the negative list are exempt from applying for a data export security assessment, signing standard contracts for the export of personal information, and passing personal information protection certification. Data involving state secrets, core data, and government data are not included in the negative list management and must comply with relevant laws, regulations, and provisions for data export.
6. The State Council plans to formulate relevant regulations to further manage network data security (9 May)
The General Office of the State Council issued the State Council’s 2024 Legislative Work Plan (“Plan”), which clearly mentions the formulation of the “Regulations on Network Data Security Management” to improve the national security legal system. It is reported that as early as 14 November 2021, the CAC had released the Regulations on Network Data Security Management (Draft for Comments), which supplement and enhance data protection laws such as the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, more clearly and explicitly defining the responsibilities and obligations of data processors.
The Ministry of Finance (“MOF”) and the CAC jointly issued the Interim Measures for the Data Security Management of Accounting Firms, which stipulate the establishment and improvement of data lifecycle security management systems, the establishment of sound data security management organisational structures, and the implementation of data classification and grading, among other basic data security management requirements. Additionally, these measures set out several specific or additional data management requirements for accounting firms within their scope, such as data storage, log retention, data export, and national security review requirements.
8. TC260 plans to release national standards defining critical information infrastructure (30 May)
The National Technical Committee 260 on Cybersecurity of Standardisation Administration of China (“TC260”) is seeking public comments on the national standard Network Security Technology - Methods for Defining the Boundaries of Critical Information Infrastructure. This standard, from a protection perspective, provides methods and models for determining the boundaries of critical information infrastructure. It starts with the identification of critical information infrastructure functions, analyses key business chains and key business information, forms key business information flow and asset identification results, and then determines the boundaries based on this analysis.
The TC260 released the draft national standard Network Security Technology - Basic Security Requirements for Generative Artificial Intelligence Services for public comment. This standard details the security requirements for training data, including security measures for data sources, content, and labeling; model security requirements, covering the security of model training, output, and monitoring; and overall service security measures, such as service transparency, handling of user input information, and complaint mechanisms. The document also includes appendices that list the main security risks of training data and generated content and provide reference points for security assessments.
The Ministry of Natural Resources (“MNR”) released drafts of the Basic Requirements for the Security Processing of Spatial-Temporal Data of Intelligent Connected Vehicles (“Processing Requirements”) and the Basic Requirements for the Security of Spatial-Temporal Data Sensing Systems of Intelligent Connected Vehicles (“Sensing Requirements”) for public comment. The Processing Requirements apply to intelligent connected vehicles sold to the public and operated within China, specifying basic security requirements for the confidential processing of spatial-temporal data and the handling of geographic information during storage and transmission. The Sensing Requirements are aimed at intelligent connected vehicles equipped with spatial-temporal data sensing systems, sold to the public and operated within China, and set forth the security requirements for functions involving the sensing and processing of spatial-temporal data.
The Nanshan District Government Services and Data Management Bureau of Shenzhen released the Interim Measures for the Authorised Operation of Public Data in Nanshan District, Shenzhen (Draft for Comments), aimed at regulating activities related to the aggregation, authorisation, processing, and operation of public data. The document specifies the principles, processes, division of responsibilities, security guarantees, and supervision requirements for the authorised operation of public data. It clarifies the selection and management mechanisms for public data authorised operating units and partners, emphasises the compliance and security of data use, and promotes the safe and orderly development and utilisation of public data.
12. Shenzhen plans to release local standards to regulate compliance assessment activities for data transactions (7 May)
The Shenzhen Administration for Market Regulation issued the local standard Specifications for Compliance Assessment of Data Transactions, aiming to regulate the compliance assessment of data transactions. The document specifies the principles, framework, and levels of data transaction compliance assessment, and provides detailed descriptions of the requirements for subject compliance, target compliance, and circulation compliance. The document is applicable to relevant parties in data transactions, including regulatory authorities, transaction entities, and third-party legal service organisations. It covers multiple dimensions such as legality, security, trustworthiness, and rights protection to ensure the legality, compliance, and security of data transactions.
Recently, some online accounts have fabricated rumours about public policies and emergencies, misleading the public, causing panic, and disrupting social order. The CAC has strengthened monitoring and handling of these issues and has lawfully shut down 10,859 illegal and non-compliant accounts.
14. MIIT announces the list of apps (SDKs) infringing user rights, with a total of 50 apps (SDKs) listed (24 May)
The MIIT released the third batch of 2024’s list of apps and SDKs infringing on user rights, involving 50 apps and SDKs. The related infringements include unauthorised collection of personal information, frequent mandatory permission requests, and improper pop-up redirects.
15. Jiangsu Province conducts a province-wide survey on data export situations (21 May)
The Cyberspace Administration of Jiangsu issued a notice to thoroughly implement the Data Export Security Assessment Measures, Personal Information Export Standard Contract Measures, and Regulations on Promoting and Regulating Cross-Border Data Flow. The aim is to promote the lawful and orderly free flow of data, serving the high-quality development of Jiangsu’s digital economy. According to the relevant work arrangements, the Cyberspace Administration of Jiangsu, Jiangsu Provincial Department of Commerce, and Jiangsu Provincial Data Bureau jointly organised a province-wide survey on data export situations. The reporting period is from 20 May to 20 June.
The Cyberspace Administration of Shanghai and the Administration for Market Regulation jointly held a compliance guidance and legal education training session for the coffee industry to protect consumers’ personal information rights in coffee consumption scenarios. This meeting is part of the “Bright Sword Pujiang 2024” special enforcement action for the protection of personal information rights in the consumer sector, involving 24 chain coffee companies such as Starbucks and Luckin Coffee, covering over 3,600 stores across the city. The meeting provided legal education on six types of illegal issues, including mandatory or default agreement to privacy policies and the absence of privacy policies. Companies are required to follow the principles of “minimum necessary” and “inform and consent” for personal information collection and conduct self-examination and rectification. In the future, municipal and district-level departments will strengthen inspections and public supervision to ensure that consumer rights are not infringed.
17. In April 2024, 20.078 million reports of illegal and harmful information were received nationwide (11 May)
The Reporting Center of the CAC guided cyberspace reporting departments at all levels and major website platforms across the country to receive 20.078 million reports from netizens about illegal and harmful information such as pornography, gambling, infringement, and rumours, a month-on-month increase of 8.3% and a year-on-year increase of 14%. Among these, the CAC Reporting Center received 426,000 reports, a month-on-month increase of 2.7% and a year-on-year decrease of 42.5%. Local cyberspace reporting departments received 1.511 million reports, a month-on-month increase of 46.7% and a year-on-year increase of 204%. Major website platforms nationwide received 18.14 million reports, a month-on-month increase of 6.2% and a year-on-year increase of 10.8%.
18. Chongqing CAC announces data export security assessment and standard contract filing status (17 May)
The Cyberspace Administration of Chongqing announced that West Air Co., Ltd. has passed the national CAC data export security assessment, making it the first company in Chongqing to achieve this. As of now, Chongqing has officially completed data export security assessments for one company and standard contract filings for the export of personal information for six companies. This marks the establishment of compliance demonstration cases in the fields of intelligent manufacturing and logistics in Chongqing.
19. CAC and other departments release action plan for informatisation standard construction (29 May)
The CAC, together with the SAMR and the MIIT, jointly released the Action Plan for Informatisation Standard Construction (2024-2027), aiming to enhance the comprehensive capabilities of informatisation development by improving the national informatisation standard system and promoting the construction of a cyber powerhouse. The plan outlines four major tasks: innovating standard work mechanisms, promoting the development of standards in key areas, advancing standard internationalisation, and enhancing fundamental capabilities. It also emphasises strengthening overall coordination, policy support, and creating a favourable environment to ensure the achievement of the plan’s objectives.
20. NDRC, CAC, and other departments release new guidelines to guide digital rural construction (16 May)
The NDRC and five other departments released the Digital Rural Construction Guidelines 2.0, covering the construction of digital infrastructure, agricultural data resources, smart agriculture, digital prosperity industries, digital culture, digital governance, and public service benefits. The guidelines propose specific construction methods and safeguard measures, aiming to empower rural governance and improve residents’ living standards through digital technology, promoting the digital, intelligent, and modern transformation and upgrading of rural areas.
The NDRC, NDB, MOF, and MNR jointly issued the Guiding Opinions on Deepening Smart City Development and Promoting Urban Digital Transformation. The document clearly states that by 2030, cities across the country will gradually achieve comprehensive digital transformation and establish a globally competitive modern urban system. Key points include establishing a secure and reliable urban data infrastructure, comprehensively improving data resource application levels, promoting a data classification and grading protection system, strengthening urban network security management and emergency response mechanisms, and ensuring personal privacy protection and data security. The document also advocates for promoting the security management of urban digital spaces, building a resilient and trustworthy data circulation system, and improving the data security monitoring and early warning mechanism to ensure the security of data in all stages of collection, storage, and use.
22. Digital Fujian 2024 key work points released, promoting digital empowerment across industries (15 May)
Fujian Province released the Digital Fujian 2024 Key Work Points, proposing multiple measures to promote digital empowerment across industries. These measures include upgrading network infrastructure, advancing 5G applications, developing the digital economy, deepening digital government reforms, accelerating smart urban and rural construction, and enhancing digital innovation capabilities. The aim is to improve the overall, systematic, and coordinated development of Digital Fujian, providing strong digital support for the modernisation of Fujian.
The NDB released the 2023 National Data Resources Survey Report, based on the results of the national data resources survey conducted in February 2024. The report covers data production, computing power and storage, data circulation and trading, public data, and data applications. It notes that in 2023, China’s total data production reached 32.85 zettabytes, a year-on-year increase of 22.44%; the total national data storage was 1.73 zettabytes, but only 2.9% of the data was preserved. The national computing power center’s computing power scale was about 0.23 exaFLOPS, a year-on-year increase of 30%; the storage space utilisation rate was 59%. The total data circulation increased by 7.6% year-on-year, but the activity level of data trading was low, with a product transaction rate of 17.9%. The amount of public data opened increased by more than 16% year-on-year, but only 8.3% of large enterprises achieved data reuse and value-added.
24. NDB clarifies key tasks for Digital China construction in 2024, deploying major tasks (21 May)
The NDB released the Key Tasks List for Digital China Construction 2024, outlining key tasks such as accelerating the construction of digital infrastructure, promoting digital economy innovation, improving the digital government service system, fostering digital culture development, building a digital society, advancing digital ecological civilisation, strengthening digital technology innovation and security, enhancing digital governance ecology, and expanding international cooperation. The aim is to deepen the market-oriented reform of data elements, enhance the overall, systematic, and coordinated development of Digital China, promote the deep integration of the digital economy and the real economy, drive economic development, improve people’s livelihoods, and elevate the modernisation level of social governance.
Suzhou established the Suzhou Data Resources Court, responsible for handling first-instance criminal, civil, and administrative cases related to data resources. The court aims to regulate the compliance management of the data lifecycle, explore data property rights systems and data dispute resolution, and promote data circulation and innovation. During the event, the Suzhou Enterprise Data Compliance Management Guide and the Negative Behaviour List for the Data Lifecycle of Enterprises were released, providing legal opinions and risk prevention references for enterprise data processing.
26. A conference was held to discuss new blueprint for cyberspace work development (29 May)
The 2024 Yangtze River Delta Cyberspace Work Collaborative Development Conference was held in Suzhou, Jiangsu, with the theme “Network Integration for High-Quality Development,” promoting the collaborative development of cyberspace work in the three provinces and one city. The conference emphasised the importance of actively integrating into the Yangtze River Delta integration strategy, strengthening collaboration mechanisms, and promoting synchronous development of industry, ecology, and mechanisms. The Cyberspace Administrations of Shanghai, Jiangsu, Zhejiang, and Anhui signed a memorandum of understanding on online celebrity work and cybersecurity cooperation and launched related activities to accelerate the collaborative development of cyberspace work and support high-quality regional integration.
27. Shanghai holds a seminar on online protection to discuss creating a healthy online environment for minors (27 May)
The “Collaborative Governance, Protecting Growth” seminar on online protection for minors was held in Xuhui District, Shanghai. Guided by the Shanghai Municipal Cyberspace Administration and the Shanghai Municipal People’s Procuratorate, the seminar focused on issues such as regulating online content for minors, promoting online literacy, protecting personal information, and preventing internet addiction. Experts and representatives at the meeting discussed measures to create a healthy online environment and emphasised the importance of collaboration among all parties. In recent years, Shanghai has strengthened online protection for minors, legally addressed related violations, and launched legal education activities to create an orderly, safe, and healthy online environment.
28. Hangzhou Internet Court releases behaviour guidelines to guide the healthy development of enterprise data (26 May)
The Hangzhou Internet Court held a data elements industry ecosystem co-construction event in “China Data Valley” and released the Guidelines for Guiding the Healthy Development of Enterprise Data on-site. The guidelines are divided into six parts: data collection and storage, data development and utilisation, data processing, data transactions, data export, data risk identification and security protection, and supplementary provisions. These guidelines aim to help enterprises explore and enhance the value of data.
29. Shanghai CAC changes consultation phone number for cross-border data business (11 May)
To facilitate consultation for data processors on cross-border data business, the Cyberspace Administration of Shanghai has changed its consultation phone number to 64271056, effective immediately. The original number, 64743030-2711, will be deactivated starting 20 May 2024. Until then, the original number will continue to provide consultation services.