We summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on three areas: regulatory developments, enforcement developments, and industry developments.

China Cybersecurity and Data Protection: 2018 regulatory and enforcement review

Regulatory developments

New regulations covering financial information services

On 26 December 2018, the Cyberspace Administration of China issued new regulations on financial information services which will become effective on 1 February 2019. The regulations define the scope of financial information services and clarify the main responsibilities of financial information service providers and the penalties for breaches. The new regulations prohibit financial information service providers from producing, copying, publishing or disseminating information containing false financial information or information which may distort national fiscal and monetary policies.

New measures on managing information technologies of securities and funds operators

The China Securities Regulatory Commission has recently issued measures on managing the information technologies of securities and funds operators. The new measures, which will come into effect on 1 June 2019, highlight governance, security and compliance as three priorities for securities and funds operators. The measures also strengthen the responsibilities of management and aim to support operators in employing information technologies to boost service efficiency. Punitive measures are also being introduced to encourage market players to perform their duties.

China releases policy paper on the European Union

On 18 December 2018, the Chinese government released its policy paper on the European Union. The policy paper encourages making good use of the China-EU Cyber Taskforce and advancing reform of the global internet governance system for a peaceful, secure, open, cooperative and orderly cyberspace. The policy paper also notes the higher EU requirements on privacy protection, data security and trade and investment for corporations with digital businesses in Europe imposed by the General Data Protection Regulation and hopes that this will not affect normal business interactions between Chinese and EU entities.

Trial administrative measures for electronic business licenses

On 17 December 2018, trial administrative measures were introduced for electronic business licenses. The measures implement, on a trial basis, the electronic business license system which is a national, uniform identity verification system supporting the general verification and identification of nationwide market participants. The market regulation authority is appointed as the statutory authorised body responsible for issuing and managing electronic business licenses which shall be issued free of charge.

New judicial interpretation on cybercrimes expected in first half of 2019

On 25 December 2018, the Supreme People’s Court held a press conference on guiding cybercrime cases. It is currently drafting judicial interpretations on three new types of cybercrime which were added to the PRC Criminal Law by Amendment (IX). These are (i) refusing to fulfil information network security management obligations; (ii) illegal use of information networks; and (iii) assisting with criminal activities on information networks. The Supreme People’s Court has completed its investigation and consultation work and is expected to officially release its interpretations on these new cybercrimes in the first half of 2019.

New negative list issued covering internet market access

On 25 December 2018, the National Development and Reform Commission and the Ministry of Commerce issued the new negative list for market access which covers internet market access. The new negative list includes six licensing items which were previously prohibited, namely (i) the operation of online ride-hailing services; (ii) key network equipment and specific products for network security; (iii) internet cultural and entertainment services; (iv) agency and business services; (v) finance information services; and (vi) information transmission and related services. The new negative list also includes a prohibited category on illegally operating internet-related business activities (previously covered by the prohibition measures in the prohibition and license catalogue of internet market access).

27 new national information security standards approved by the technical standards committee

On 28 December 2018, the National Information Security Standardization Technical Committee officially issued 27 new national standards which will be implemented from 1 July 2019. These include guidelines for assessing graded network security protection and the technical requirements for security technologies of e-mail systems.

Enforcement developments

Testing institutions for graded network security protection face regulatory criticism

On 17 December 2018, a number of testing institutions for graded network security protection (including Jiangsu Xun’an Information Security Technology Co., Ltd. and Tianjin Shengmu Information Security Technology Co., Ltd.) received notices of criticism following regulatory inspections. The notices, issued by the Office of the National Graded Security Protection Work Coordination Group, also ordered rectification measures to be taken within a specified time. The rectification period varied from three to 12 months depending on the nature, severity and specific issues found during the inspection.

Tongcheng Yilong interviewed by regulators over protection of users’ personal information

In response to the problems in the Tongcheng Yilong WeChat mini program, regulators interviewed Suzhou Tongcheng Yilong Network Technology Co., Ltd. on 3 December 2018. The issues identified include a failure to publish rules for collecting and using personal information, the default acceptance of the user agreement of a third-party ticketing website, and the failure to fulfil some service commitments. The company has agreed to carry out a comprehensive rectification exercise in accordance with regulatory requirements.

The Supreme Court publishes five guiding cases on cybercrime

On 25 December 2018, the Supreme People’s Court published five guiding cases on cybercrime. The cases cover criminal activities such as destroying computer information systems and operating an online casino.

Beijing police announce first case involving underground assistance for cybercrime

On 19 December 2018, the Beijing Haidian Public Security Bureau announced its first case against the underground industry of assisting cybercrime activities. It has caught three underground groups who were providing technical support and payment and settlement services, as well as promoting cybercrime activities, and held six individuals in criminal detention.

Non-compliance found at 13 app stores in Beijing

The Beijing Communications Administration investigated mobile application stores and found non-compliance at 13 new stores. These stores have collected and used personal information without users’ consent and engaged in forced bundle promotions of other applications and malicious fee charging. The administration did not disclose the specific names of the app stores involved.

14 apps over-collect personal information

On 29 December 2018, an expert panel organised by the Internet Society of China assessed the collection and use of personal information of mobile users in Beijing. The assessment found that 14 apps (such as QQ Music, Kuwo Music, and Ctrip) have over-collected users’ personal information or collected users’ personal information without users’ consent. The relevant internet companies agreed to rectify the issues identified.

Mobike faces probe by Berlin data protection regulator

On 10 December 2018, Berlin’s data protection regulator stated that China’s Mobike was under investigation in Germany over suspicions that Mobike’s data and privacy policies might breach European data laws. Berlin’s data protection commissioner is responsible for upholding data laws against all companies based in the German capital, including Mobike. The regulator has the power to fine companies breaching the General Data Protection Regulation as much as 4 per cent of their annual turnover or €20m, whichever is greater.

Industry developments

Cybersecurity threat situation analysis published for the third quarter of 2018

On 3 December 2018, the Ministry of Information Technology released its cybersecurity threat situation analysis and work overview for the third quarter of 2018. In the third quarter, many network security incidents seriously endangered the legitimate rights and interests of users. The main findings in the report include: user data leakage incidents occur frequently; cloud computing platforms have successive failures; blackmail viruses seriously endanger the legitimate rights and interests of network users; and network security vulnerabilities remain one of the major security threats facing the internet. The ministry’s next steps include: improving the network security pilot demonstration projects and enforcing regulations against malicious mobile programs.

White paper on protection of personal information in the intelligent terminal industry

The China Academy of Information and Communications Technology has jointly issued with other institutions a 2018 white paper on the protection of personal information in the intelligent terminal industry. The white paper includes a comprehensive discussion on issues such as corporate responsibility, industry self-discipline, public supervision and user notices of personal information security.

Information security law conference held in Beijing

The theme for the ninth China information security law conference was “rule of law for network security: past, present and future”. The conference, held from 17 to 18 December 2018, reviewed achievements in the rule of law for network security in China over the past 30 years. At the same time, two important research papers were published: the first covering a review of the rule of law on cyberspace security in China in the past 30 years and the future prospectus, and the second, a blue paper on China’s cloud computing security policy and law studying the legal responsibility of the relevant cloud computing platform subjects.

Thirty-six internet companies sign social responsibility initiative

Thirty-six internet companies (including Alibaba, Tencent, Baidu, and JD) signed the 2018 China internet enterprises social responsibility initiative. This proposes jointly creating a healthy internet ecological environment and promoting the long-term healthy development of the industry.

Research report on investment and financing of the global cybersecurity industry published

The 2018 research report on investment and financing of the global cybersecurity industry was released at the 2018 cybersecurity industry innovation forum in Shanghai on 19 December 2018. 17 Chinese cybersecurity enterprises were included in the Top 100 list of cybersecurity companies, including Huawei, Sangfor Technologies and DBAPPSecurity.

White paper on internet law released

The China Academy of Information and Communications Technology has recently released a white paper on internet law. The paper analyses important legislative activity in the internet field in the past year both domestically and overseas and looks forward to future legislative activity.

Tencent publishes white paper on privacy protection

On 27 December 2018, Tencent released a white paper on privacy protection at the 2018 big data cooperation and compliance summit. The white paper shows Tencent’s privacy protection capabilities and summarises its experience and practice in privacy protection.

Key contacts

Nanda Lau

Head of Corporate, China, Shanghai
