This newsletter summarizes the latest developments in cybersecurity and data protection in China, with a focus on the regulatory, enforcement and industry developments in this area.
If you would like to subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].
Key highlights
On 29 April 2022, the National Information Security Standardization Technical Committee (“TC260”) released the draft Technical Specification for Certification of Personal Information Cross-border Processing (“Draft Specification”) for public consultation. The Draft Specification is the first step taken towards establishing the Certification Regime introduced by the PIPL. Some important parts of the Certification Regime are left unaddressed, such as the accredited certification bodies, the certification process and the effective period of the certification, which we expect to be covered by future regulations and guidelines.
On 29 April 2022, the China Securities Regulatory Commission (“CSRC”) released the draft Administrative Measures for Cybersecurity in Securities and Futures Industry (《证券期货业网络安全管理办法(征求意见稿)》) (“Draft Measures”) for public consultation. The Draft Measures are the CSRC's response to the tightened cybersecurity and data protection requirements under the regulatory framework established by the CSL, the DSL and the PIPL. The CSRC is joining its fellow financial regulators in implementing these requirements in the financial industry. Financial institutions in the securities and futures industry, as well as their IT suppliers, should keep themselves abreast of the development and be prepared for the new requirements that will be implemented in the near future.
Please read our articles at the links below for more details.
Our Views
China Health and Medical Data Protection (I): Human Genetic Resources Information
China’s Certification for Personal Information Export: Underway?
China will Tighten Cybersecurity in Securities and Futures Industry
1. The Practice Guideline for Network Security Standards – Technical Specification for Certification of Personal Information Cross-border Processing Activities (Draft for Comments) was released
On 29 April, the National Information Security Standardization Technical Committee (TC260) released the Practice Guideline for Network Security Standards – Technical Specification for Certification of Personal Information Cross-border Processing Activities (Draft for Comments) (the “Certification Technical Specification”) for public comments. The Certification Technical Specification provides practical guidelines on the establishment of the certification mechanism in accordance with Art. 38 of the Personal Information Protection Law (PIPL). The Certification Technical Specification describes the basic principles, legal constraints, organizational management, cross-border processing rules, impact assessment, and protection of the rights and interests of individuals in the context of the certification mechanism.
2. The Cybersecurity Management Measures for the Securities and Futures Industry (Draft for Comments) were released
On 29 April, the China Securities Regulatory Commission released the Cybersecurity Management Measures for the Securities and Futures Industry (Draft for Comments) (the “Measures”) for public comments. The Measures put forward requirements on the cybersecurity supervision and management system, cybersecurity operation, data security coordination and management, cybersecurity emergency handling, cybersecurity protection of critical information infrastructure, cybersecurity promotion and development, supervision, management and liability, etc.
3. MIIT and other 5 departments issued the Guidance on further strengthening the safety system of new energy vehicle enterprises
On 8 April, the Ministry of Industry and Information Technology (MIIT) and other 5 departments jointly issued the Guidance on further strengthening the safety system of new energy vehicle enterprises (the “Guidance”). The Guidance pointed out that new energy vehicle enterprises should improve the cybersecurity protection system, implement real-name registration of Internet-of-Vehicles cards and vehicle product security vulnerability management, strengthen network security protection, strengthen data security protection, and implement personal information security protection.
4. The Information security techniques – Guidelines for the assessment of Information security Controls (Draft for Comments) and other 3 national standards were released
On 7 April, the TC260 secretariat issued a notice to solicit public comments on three national standards, namely the Information security techniques – Guidelines for the assessment of Information security Controls (Draft for Comments), the Information security technology – Information security management for inter-sector and inter-organizational communications (Draft for Comments), and the Information security technology – Security capability requirements for big data services (Draft for Comments).
5. The Information Security Technology – Basic Requirements for Collecting Personal Information in Mobile Internet Applications and other 10 information security technology national standards were released
On 15 April, according to the Announcement on National Standards of the People’s Republic of China (2022 No.6) issued by the State Administration for Market Regulation and the Standardization Administration, 10 national standards prepared by TC260, including the Information Security Technology – Basic Requirements for Collecting Personal Information in Mobile Internet Applications, the Information Security Technology – Cyber-Data Process Security Specification, and the Information Security Technology – Information Security Risk Assessment Method, will be published in the “National Standards Full Text Public System” within 20 working days after the release of the Announcement.
6. The China Banking and Insurance Regulatory Commission issued the Notice on Further Strengthening Financial Support for the Development of Small and Micro-sized Enterprises in 2022
On 8 April, the China Banking and Insurance Regulatory Commission issued the Notice on Further Strengthening Financial Support for the Development of Small and Micro-sized Enterprises in 2022 (the “Notice”). The Notice provides a series of requirements for data security and privacy protection for banks and insurance institutions, including improving the internal data management system, strengthening the construction of information systems, enhancing data security and privacy protection, and conducting security assessment in advance to ensure the legality of third-party data sources.
7. The State Council issued the Opinions on Establishing Unified Domestic Market
On 10 April, the State Council issued the Opinions on Establishing Unified Domestic Market (the “Opinions”). The Opinions aim to accelerate the cultivation of the data elements market, establish and improve basic systems and standards in relation to data security, rights protection, cross-border transfer management, transaction circulation, open sharing and security certification, and promote the development and utilization of data resources.
8. The Practice Guide for Network Security Standards – Information System Disaster Backup Practice Guidelines (Draft for Comments) was released
On 26 April, the TC260 secretariat released the Practice Guide for Network Security Standards – Information System Disaster Backup Practice Guidelines (Draft for Comments) (the “Guidelines”) for public comments. The Guidelines propose security measures that organizations can take in terms of requirement analysis, functional design, operation and maintenance for service providers and service demanders.
9. The China Securities Regulatory Commission released 4 financial industry standards
On 15 April, the China Securities Regulatory Commission released 4 financial industry standards, namely the Data Model for Securities and Futures Industry Part 4: Fund Company Logic Model, the Carbon Financial Products, the Mobile Internet Application Design Specification for Securities and Futures Industry for the Elderly, and the Mobile Internet Application Design Testing Specification for Securities and Futures Industry for the Elderly.
Enforcement Developments
1. CAC carried out the “Qinglang – 2022 Algorithm Comprehensive Management” special action
On 8 April, the Secretary Bureau of the Cyberspace Administration of China (CAC) issued the Notice on The Implementation of the “Qinglang – 2022 Algorithm Comprehensive Management” special action. From April 8, 2022 to the beginning of December 2022, the CAC will take the lead in carrying out work in five aspects, namely organizing self-checks and self-corrections, carrying out on-site inspections, supervising the record-filing of algorithms, clarifying responsibilities of subjects, and ordering rectification of problems within the prescribed time limit, so as to strengthen the comprehensive management of algorithms for Internet information services and effectively promote the implementation of the Provisions on the Administration of Algorithm-generated Recommendations for Internet Information Services.
2. CAC carried out “Qinglang – Network Violence Special Management Action”
On 24 April, the CAC announced the “Qinglang – Network Violence Special Management Action”, focusing on the 18 influential website platforms where network violence is prone to occur more frequently, for whole-chain management. The person in charge of the CAC said that, to facilitate the whole management process, this special action would be carried out by establishing and improving the monitoring and identification, real-time protection, intervention and disposal, traceability and accountability, publicity and exposure measures, etc. The website platforms are required to establish and improve the identification and early warning mechanism, refine the classification standards of network violence information, filter network violence content in a timely manner, establish and improve the real-time protection mechanism for network violence victims, strengthen publicity and guidance, etc., to strictly prevent the spread of network violence information.
3. The Supreme People’s Court released 9 typical civil cases of judicial protection of personality rights
On 11 April, the Civil Division of the Supreme People’s Court released 9 typical civil cases of judicial protection of personality rights. Through a series of cases, including a case involving the infringement on the right of personality by “AI company software”, a case involving the infringement on the privacy right of neighbors by face recognition devices and a civil public interest lawsuit involving illegal sale and purchase of personal information, the Supreme Court clarified that the unauthorized use of artificial intelligence software to create digital characters constitutes infringement, the installation of visual doorbells at a close distance constitutes infringement on the privacy right of neighbors, and large-scale illegal trading of personal information infringes on the right of personality and social public interests.
4. CCTV disclosed an important case of spying and illegally providing high-speed railway data for overseas enterprises
On 13 April, the CCTV Focus Interview program “Miscalculated Data Trading” disclosed an important case of spying and illegally providing high-speed railway data for overseas enterprises. The data collected and provided by the domestic enterprises involved in the case for the overseas enterprises contained sensitive railroad GSM-R signals, and the relevant data was identified as intelligence by the state secrecy administration. The conduct of the domestic enterprises was an illegal act strictly prohibited by the Data Security Law (DSL), the Radio Management Regulations and other laws and regulations. The acts of the legal representative, sales director and salesman of the domestic enterprise involved in the case are suspected of the crime of spying and illegally providing intelligence for foreign countries as stipulated in Art. 111 of the Criminal Law. The relevant persons were arrested by the Shanghai State Security Bureau on December 31, 2021. This case is the first case in which the data involved was identified as intelligence since the implementation of the DSL, and the first case in China involving the security of high-speed rail operation that endangers national security.
5. MIIT will continue to strengthen its enforcement actions to protect personal information
On 14 April, the State Council Information Office held a press conference on the progress of combating and managing telecommunication network fraud crimes. At the conference, the director of the Cybersecurity Bureau of the MIIT responded to the issue of excessive collection of personal information and announced that in 2022, the MIIT would continue to strengthen its enforcement actions in the following areas, i.e. improving the management system, continuing to carry out special campaigns, protecting the rights and interests of users, and carrying out collaborative management.
6. The State Post Bureau and other 3 departments jointly launched a special action of personal information security management in the field of postal and express delivery
On 21 April, the State Post Bureau, the Ministry of Public Security and the CAC jointly held a teleconference to deploy a six-month special action of personal information security management in the field of postal and express delivery. The teleconference pointed out that efforts should be made to ensure that the crime of infringement on citizens’ personal information in the field of postal and express delivery is significantly curbed; to crack down on illegal acts in the field of postal and express delivery, such as telecommunications fraud and empty package “click farming”; to vigorously promote the application of digital security numbers, privacy waybills, network identity authentication and other technologies; to strengthen the security protection of critical information infrastructure; and to establish and improve cybersecurity monitoring and warning and the cybersecurity incident emergency response plan.
7. The first case involving criminal infringement on citizens’ personal information and incidental civil public interest lawsuit in Beijing was concluded
According to news on 14 April, the People’s Court of Shunyi District recently concluded the first case involving criminal infringement on citizens’ personal information and incidental civil public interest lawsuit in Beijing. The People’s Procuratorate of Shunyi District filed a criminal infringement on citizens’ personal information and incidental civil public interest lawsuit against defendant Li for trading more than 9 million pieces of personal information. The court sentenced Li to three years’ imprisonment and a fine of 110,000 CNY for infringement on citizens’ personal information. In addition, the defendant was sentenced to compensate 106,859.84 CNY for the loss of citizens’ personal information, to delete the stored information, and to make public apologies in the media.
8. MIIT released the Notice on App Infringing on Users’ Rights and Interests (third batch in 2022, twenty-third batch in total)
On 20 April, the MIIT released the Notice on App Infringing on Users’ Rights and Interests (third batch in 2022, twenty-third batch in total) (the “Notice”), notifying 37 apps that have infringed on users’ rights and interests. According to the Notice, by the time the Notice was released, there were still 37 apps that had not completed rectification.
9. The Beijing Communications Administration carried out the Special Action for Comprehensive Management on the App in Beijing in 2022
On 18 April, the Beijing Communications Administration issued the Notice on the Special Action for Comprehensive Management on the App in Beijing in 2022 (the “Notice”). The Notice announced a six-month special action for the comprehensive management on the App in Beijing. The special action involves four types of entities, including App store operators, App operators, basic telecommunication enterprises and Internet access service providers. The entities concerned shall carry out self-testing and self-investigation based on relevant standards, such as the Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations, the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications and the Provisions on the Administration of Network Products Security Vulnerabilities. From April, the Beijing Communications Administration would carry out random testing for Apps under its jurisdiction, notify the Apps with non-compliant test results, and require the relevant entities to carry out rectification.
10. The National Computer Virus Emergency Response Center found 17 illegal mobile Apps
On 24 April, the National Computer Virus Emergency Response Center found, through Internet monitoring, that 17 mobile Apps have privacy non-compliant acts, which violate the Cybersecurity Law, the PIPL and other relevant provisions, and are suspected of collecting personal privacy information beyond the scope. The problems involved include: not stating to users all the privacy rights applied for; starting to collect personal information before obtaining users’ consent; not providing effective functions for correcting and deleting personal information and cancelling users’ accounts, or setting unreasonable conditions for cancelling users’ accounts; not establishing and announcing personal information security complaint and reporting channels, or exceeding the time limit for promised processing responses.
11. The National Intellectual Property Administration responded to the issues with regard to the intellectual property rights for data
On 24 April, a press conference on the development of intellectual property rights in China 2021 was held. At the conference, the Director of the National Intellectual Property Administration stated that they would recognize and protect the reasonable earnings of data processors, taking into account data security, public interest and personal information protection. In addition, the National Intellectual Property Office has launched data intellectual property protection pilot projects in Zhejiang, Shanghai and Shenzhen.
12. Two financial institutions fined for violating the regulations on credit information collection, provision and enquiry
On 22 April, the administrative punishment information published by the Business Administration Department of the People’s Bank of China Chengdu Branch showed that Jincheng Consumer Finance and Xinwang Bank were both punished for violating the regulations on credit information collection, provision, enquiry and other related regulations, among which Xinwang Bank was fined 200,000 CNY.
13. The China Banking and Insurance Regulatory Commission issued the Notice on the Prominent Problems of Data Quality of the Banking and Insurance Institutions’ Supervisory Information System for Equity and Related Transactions
On 26 April, the China Banking and Insurance Regulatory Commission issued the Notice on the Prominent Problems of Data Quality of the Banking and Insurance Institutions’ Supervisory Information System for Equity and Related Transactions (the “Notice”). The Notice showed that the Banking and Insurance Institutions’ Supervisory Information System for Equity and Related Transactions and the Commercial Bank Equity Supervision Information System identified that some banking and insurance institutions had prominent problems such as data misreporting, omission and concealment, including untimely reporting, inaccurate data filling and inappropriate data penetration.
Industry Developments
1. The first cross-border data hosting service platform in China put into use
On 14 April, the Beijing Data Hosting Service Platform developed by the Beijing International Data Exchange was officially put into use, becoming the first data hosting service platform that can support the cross-border circulation of enterprise data in China. The platform provides services such as data hosting, desensitization output, fusion calculation, record building and filing. The platform enables data and model system encryption before post-hosting and sensitive data approval before post-circulation, and ensures the security of cross-border data circulation.
2. The China Academy of Information and Communications Technology released the Data Center White Paper (2022)
On 20 April, the China Academy of Information and Communications Technology released the Data Center White Paper (2022) (the “White Paper”). The White Paper points out that China’s data center industry continues to grow and develop steadily in overall scale and market revenue and has strong market demand. Policies related to the data center industry have been continuously improved to comprehensively promote the development of data centers in a low-carbon, high-quality and collaborative innovation manner. Innovation in data center technology continues to be active, and green, low-carbon, efficient and intelligent data center technology innovations are emerging.
3. MIIT issued the Industrial Internet Task Force Work Plan for 2022
On 13 April, the MIIT issued the Industrial Internet Task Force Work Plan for 2022 (the “Work Plan”). The Work Plan points out that in 2022, the Office of the Industrial Internet Task Force will work on six aspects, i.e. network system strengthening action, platform system strengthening action, data aggregation empowerment action, key standard development action, security strengthening action, and stimulating the potential of data elements.
4. CAC and other 3 departments jointly issued the Work Arrangement for Deepening IPv6 Scale Deployment and Application in 2022
On 25 April, the CAC, the National Development and Reform Commission, and the MIIT jointly issued the Work Arrangement for Further Promoting IPv6 Scale Deployment and Application in 2022 (the “Work Arrangement”). The Work Arrangement describes ten key tasks, i.e. strengthening network bearing capacity, improving terminal support capacity, optimizing the performance of application services, expanding industry convergence applications, accelerating the transformation of government applications, promoting the deployment of commercial applications, strengthening innovation and ecological construction, promoting the development of standards and specifications, strengthening security, and strengthening coordination.
5. The Action Plan for the Opening of the Whole Industry Chain of Beijing’s Digital Economy (Draft for Comments) was released
On 15 April, the Beijing Municipal Bureau of Economy and Information Technology solicited public comments on the Action Plan for the Opening of the Whole Industry Chain of Beijing’s Digital Economy (Draft for Comments) (the “Plan”). The Plan strives to accelerate the process of data factorization, carry out data asset registration and evaluation, accelerate the development of connected vehicles, digital healthcare, digital finance, smart cities and other industries, establish cybersecurity and data security assessment mechanisms, and develop full life-cycle data compliance guidelines.
6. Shanghai released the Implementation Plan for the Standardization of Urban Digital Transformation in Shanghai
On 20 April, the General Office of Shanghai Municipal People’s Government issued a notice on the Implementation Plan for the Standardization of Urban Digital Transformation in Shanghai (the “Plan”). The Plan specifies five key tasks for the standardization of Shanghai’s digital transformation, namely improving the basic standards that support the overall situation, improving the economic digital transformation standards for integrated development, improving the digital transformation standards for people’s livelihood, improving the digital transformation standards for refined management and governance, and building a standardization work pattern that adapts to the new development stage.
7. The Industry Development Centre of MIIT Equipment issued the Notice on The Development of Automotive Software Online Upgrade for The Record
On 15 April, the Equipment Industry Development Center of the MIIT issued the Notice on The Development of Automotive Software Online Upgrade for The Record (the “Notice”). In accordance with the Notice, filing requirements apply to the vehicle manufacturers who have obtained the road motor vehicle manufacturing access license, as well as their vehicle products with OTA upgrade function and their implementation of OTA upgrade activities. The applying entities shall be the vehicle manufacturers. Enterprises can fill in the record information and related supporting materials through the “automotive software online upgrade filing system” (https://ota.miit-eidc.org.cn/).