This newsletter summarizes the latest cybersecurity and data protection developments in China, with a focus on regulatory, enforcement, industry and international developments in this area.
If you would like to subscribe to our newsletters and be informed of our cybersecurity and data protection events in China, please contact James Gong at [email protected] .
Highlights
The Cyberspace Administration of China (CAC) has released the draft Network Data Security Administrative Regulations, which, if promulgated, will become the first regulations to be issued by the State Council to implement the Personal Information Protection Act (PIPL) and Data Security Act (DSL) after promulgation, with higher legal authority over regulations issued by government departments.
With an emphasis on data security, the draft regulations extended the obligations of processors under the PIPL and DSL and created a wide range of reporting, filing and reporting requirements. ‘Evaluation. In addition to data security, the draft regulation also addresses broader issues relating to data protection and internet platforms. We will publish a series of articles on this important draft regulation in January. Please stay tuned.
Shanghai becomes the second first-tier city after Shenzhen to publish its own data regulations (Shanghai settlement). The Shanghai Regulations share many similarities with their Shenzhen counterpart in structure and scope, but focus more on using data to develop the local and regional economy. Notably, the Shanghai Regulations did not impose any penalties on private parties in addition to those provided for by existing laws and regulations.
Our opinions
Employee Data Protection Series (III): Impact of Privacy Law on Internal Employer Investigations
Employee Data Protection Series (IV): Handling a Candidate’s Personal Information During Recruitment
Regulatory developments
On November 14, the draft Network Data Security By-Law was released for public comment, with a deadline of December 13. The draft sets out the implementing rules in accordance with the PRC Cyber ​​Security Law, the PRC Data Security Law and the PRC Personal Information Protection Law. It consists of 9 chapters and 75 articles. This is one of the most important administrative regulatory projects in the field of network data security.
On November 12, the draft classification methods for applications preinstalled on smart mobile terminals was published by the National Technical Committee for Information Security Standardization (TC260) for public comments, reducing the scope of non-installable apps to apps with the following functions: system settings, phone calls, text messages, contact management, time display, and app downloads. In addition, only one application can be defined as non-installable under each function group.
On November 12, the draft guidelines for identifying personal information on instant messaging service platforms were released by the TC260 for public comment, establishing standards for differentiating between personal and non-personal information in messaging services. instant messaging contexts. Based on the draft guidelines, information sent to a specific recipient that cannot be retransmitted would be considered personal information. Information disseminated in a group of more than 50 people, as well as information that may be retransmitted by members of the group other than the sender to recipients outside the group, will not be considered as personal information.
On November 25, the Shanghai Data Regulations were formally adopted by the Shanghai Municipal People’s Congress and will come into force on January 1, 2022. Updates to the second draft include: Allowing government departments to collect data data needed for emergency response; have a municipal committee of data experts to conduct security assessments of the use of public data, etc.
As reported by Shanghai Municipal AMR on November 12, guidelines for applying the algorithm in online marketing activities have been released for trial implementation. The guidelines refine the requirements for fair outcomes of automated decision-making in Section 24 of the Privacy Act by specifying the setting, consumer profiling and design of decision rules.
On November 3, the China Cyberspace Security Association (“CSACâ€) released two draft standards for application stores and smart mobile devices on the protection of personal information.
App stores are allowed to reject an app if it violates the requirements for developer information disclosure, privacy policy, access permission request, and personal information processing activities. Smart mobile devices are needed to strengthen user controls over access to personal information, automatic application start-up, device identification code, sensitive permissions, storage space and recording and display of processing activities.
Application developments
On November 10, the National Computer Virus Emergency Response Center identified 12 illegal e-commerce mobile applications: 11 applications did not display all requested privacy permissions; 1 provided personal information to third parties without anonymization; 1 started collecting personal information before obtaining user consent; 1 failed to provide effective functions to correct and delete personal information and cancel user accounts or set unreasonable conditions for cancellation of accounts; 2 has not established and informed any complaint and reporting channels related to the security of personal information or has not exceeded the time promised for processing responses.
On November 3, the Ministry of Industry and Information Technologies published a “Flashback†notice following its previous enforcement measures and accused 55 applications of their illegal processing of personal information, in particular excessive permission requests and user personal information and misleading downloads. The reported apps include major marketing apps like Xiaohongshu, Tantan, 58 Tongcheng and Douban, etc.
On November 3, the Hainan Province Cyberspace Administration reported the illegal collection and use of personal information in 11 mini-programs, including “KFC self-service ordering” and demanded corrections in the 15 working days. This is the first execution operation focused on mini-programs in China.
On November 2, AMR of Zhejiang Province held an administrative orientation meeting for the platforms to report their progress on self-rectification and highlighted the ban on misleading pricing based on profiling, in especially during the “Double 11” shopping festival.
On November 5, the Zhejiang Provincial Consumer Council held a regulatory interview with those responsible for 9 video and audio websites, including Sohu and Aiqiyi, demanding a prominent explanation of premium membership fees before users subscribe. and a reasonable cancellation location option for consumers to opt out.
On November 11, the Ministry of Industry and Information Technology issued a notice on the launch of “Operation 524” to improve public perception of the information communications service. The notice outlines improvement requirements for basic telecommunications companies, applications and application stores, makes known the first batch of Internet companies to implement the “double list” and other regulatory requirements in customer responses, privacy policies, and permission call postings.
Since November, several regional tax authorities have gradually issued notices to implement the models issued by the State Tax Administration, including a consent form for the notification of protection of personal information and facial recognition and its form. withdrawal request. The models are applicable to personal information processing activities at tax office premises, electronic tax office, and tax payment channels such as self-service terminals.
On November 3, the Wenzhou Intermediate People’s Court ruled in favor of the public interest plaintiff and asked defendant Xiao to pay RMB 56,787 in public interest damages for stealing and selling more than 400,000 pieces of personal information and issued a public apology to the company. in the national news media.
On November 24 and 30, the Beijing and Shanghai Banking and Insurance Regulatory Commissions imposed consequential administrative sanctions on the Bank of Beijing and its Shanghai Zhangjiang sub-branch for material breaches of prudent operations, relating to the reporting of critical information system emergencies, information security and personnel conduct management. . The highest single fine was RMB 500,000, and two people directly responsible were given a life ban on employment in the industry.
On November 9, the Jiangsu Provincial Consumer Council reported on the results of the investigation of the following shared issues of 7 e-commerce platforms and suggested improvement suggestions: default collection of unnecessary information, not easily accessible channels to disable personalized viewing or unclear anonymization measures in sharing personal information.
Industry developments
On November 17, the Chinese Academy of Information and Communication Technologies in Beijing organized 8 net disk companies, including Baidu Netdisk, Tencent Drive and Aliyundrive, to sign the self-regulation agreement of the guarantee of experience. personal online disk service user, promising to provide undifferentiated download / upload rate services. for all types of users and smooth complaints channels.
