China Cybersecurity and Data Protection: A round up of recent developments - September 2018

In this briefing we summarise recent updates relating to cybersecurity and data protection in China to give you guidance on, and a comprehensive understanding of, these developments. We focus on three areas: regulatory developments, enforcement developments and industry developments.

Our insights

Please see our article entitled “What you need to know about China’s own GDPR” for our insights on China’s first set of national standards on personal information protection in China.

Regulatory developments

The Supreme People’s Court releases its first batch of internet-related judgements for representative internet-related cases

On 16 August 2018, the Supreme People’s Court released a series of internet-related judgements, [the first released under the new law] cases. These first ten cases involved privacy infringement, internet-related small loan contract disputes, online shopping contract disputes, online service contract disputes, intellectual property rights and competition disputes. These judgements will serve as important guidance for trials of internet-related cases.

Nine successful enforcement cases combating network chaos since the launch of “Clean Net 2018” campaign

According to the Ministry of Public Security’s website, since the launch of its special operations office, “Clean Net 2018” campaign, in February it has targeted cyber-crime cases and investigated network service providers to effectively combat cybercrimes. The Ministry of Public Security has announced nine successful enforcement actions so far under this initiative.

Guangdong’s 2017 top ten internet-related cases

On 6 August 2018, the Guangdong Higher People’s Court published details of its 2017 top ten internet cases, which representative criminal, civil, administrative and enforcement cases concerning malware, data protection, Ecommerce, car sharing, virtual asset, etc. These cases provide clear guidance to the legal relationships, rights, and scope of responsibilities between virtual network entities.

Beijing Internet Court to focus on first-instance cases

According to the Beijing High Court news, a new Beijing Internet Court is being set up to centrally try certain types of internet-related first-instance cases within its jurisdiction. It will explore an appropriate trial mode for the internet age and promote the entire litigation process being completed on the internet, including prosecution, mediation, filing, trial, judgment and execution. The new court will create procedural rules in line with those used during internet trials and establish a standardised and intelligent trial process for all types of cases. The court will adapt to the requirements of the information era, be well suited to handling cross-regional trials and facilitate litigation.

Network security inspections planned for the telecommunications and internet industries

On 13 August 2018, the Ministry of Industry and Information Technology issued a notice detailing planned network security inspections for the telecommunication and internet industries in 2018. The key inspection targets are the networks and systems built and operated by telecommunications infrastructure companies, internet companies and organisations involved in the management and service of domain name registrations, all of which are licensed by the telecommunications authorities. The main focus of the inspections is to assess the proper implementation of the laws and regulations (including the Cyber Security Law of the People’s Republic of China, the Administrative Measures on Security Protection of Communication Networks, and the Provisions on the Protection of Personal Information of Telecommunications and Internet Users).

Guiyang releases regulations on big data security management

Guiyang’s Regulations on Big Data Security Management of Guiyang City will come into force on 1 October 2018. These regulations cover, among other thing, security guarantees, monitoring and early warning and emergency response requirements, supervision and inspection and legal liability associated with big data., The regulations clarify the responsibilities and working arrangements between the key regulators, namely the Municipal People’s Government, the Municipal Cyberspace Administration and the Municipal Public Security Authorities.

Enforcement developments

Qdaily ordered to rectify non-compliance on its online platforms

On 2 August 2018, the Beijing and Shanghai Offices of the Cyberspace Affairs Commission interviewed Qdaily about its internet news and information services, original news columns and news collection team which had been operating without permission for a long time. Qdaily was ordered to stop its illegal and non-compliant practices and immediately carry out a comprehensive rectification exercise. Qdaily issued a notice stating that from 3 August 2018 to 2 September 2018, all of its online communication platforms would be suspended and rectified.

First case involving the violation of personal information rights by a company

Recently, the Jiangsu police investigated its first case involving the violation of personal information rights contrary to the Cyber Security Law committed by a company. A decoration engineering company in Yancheng colluded with staff in residential property management companies to obtain information on the property owners for promoting its business. Following a police investigation, the company was fined RMB 100,000. Separately, suspects who illegally sold more than 100,000 pieces of personal information have been prosecuted under the criminal law.

6.727 million reports of illegal online information on the internet in July

In July 2018, there were 6.727 million countrywide reports of illegal information on the internet. The main websites attracted 5.539 million reports (with 71.1% of those reports coming from the major commercial websites including Sina (Sina Weibo, Sina), Tencent (WeChat, QQ, Tencent Security Service Platform, Tencent, Tencent Weibo), Baidu and Alibaba. The departments of local offices of Cyberspace Affair Commission received 1.109 million reports and the China Internet Illegal and Bad Information Reporting Centre received 78,000 reports. The total monthly reports for July are a 16.1% decrease compared to reports from June 2018 and a 0.7% decrease compared to last July.

Biggest data theft case exposes 3 billion pieces of stolen personal information

In the largest case to date involving the theft of personal information, a criminal group illegally obtained over 3 billion pieces of user’s personal information by signing marketing advertising system service agreements with several operators in more than ten provinces. In turn, the group manipulated the users’ social accounts and obtained illegal profits. During their investigation, the police found that the case involved almost all domestic internet platforms. Based on their IP addresses, the police found that the conduct was carried out by several companies linked to Beijing Ruizhi Huasheng Technology Corporation and the actual controller of the companies and the criminal group were the same entity. The case is under further investigation.

Difficulties in terminating user accounts found in 20 companies

A recent random inspection of more than 80 internet companies by the Shanghai Communications Administration found that 20 of them had problems where users could not terminate their accounts or had difficulties doing so. The inspection also found that their user information protection measures were not well-implemented and the problem of account termination was a major issue. The Shanghai Communications Administration ordered the relevant companies to immediately rectify the issue.

Industry developments

Huazhu Hotels personal data leak

On 28 August 2018, data from Huazhu Hotels was sold for 8 bitcoins (about RMB 350,000) on the Darknet. The data sold included registration information of users of Huazhu Hotel’s official website (including the user’s name, mobile phone number, email address and ID number) totalling 53G and about 123 million pieces of data; the hotel registration information totalling 22.3G and about 130 million people’s identity information; and the check-in records (including internal ID number, associated room number, check-in time and consumption information) totalling 66.2G and about 240 million pieces of data.

300 million pieces of SF Express’ customer data o reportedly stolen and sold

Recently, SF Express has been under suspicion for data leakage. Darknet sellers claimed to have up to 300 million pieces of SF Express customer information which was sold for 2 bitcoins (about RMB 100,000). Given the leakage rumour, the SF Group responded through its official Weibo account that, based on cross verification, the data sold on the Darknet was not from SF Express and the company has reported the matter to the police immediately.

Tencent Cloud’s failure causes customers data loss leading to huge claims

On 5 August 2018, Cutting-edge CNC Technology New Media claimed on Weibo that after using Tencent Cloud for eight months, the data stored on Tencent Cloud was irreparably lost. Tencent Cloud responded via its WeChat Account the following day that it proposed to return 3,569 yuan of actual costs and to provide an additional 129,900 yuan in cash compensation or additional cloud resources. However, the parties have been unable to agree on the compensation plan and Cutting-edge CNC Technology New Media has filed a claim for 11.01 million yuan in compensation.

Toutiao’s new community product “Pipixia” publishes its own community convention

Recently, Toutiao’s new community product “Pipixia” has launched its own community convention. The convention includes principles of upholding and promoting correct values, complying with the common code of conduct and assuming social responsibility for protecting minors. The convention is detailed, with each of the three major sections contained more than forty articles. In addition, Pipi Shrimp has clearly been screening content, with content related to the ‘Duanzi’ community and any content with the ‘Neihan’ watermark or related keywords being reviewed and blocked.

Toutiao penalises 2475 non-compliant accounts in July

Toutiao announced that the headline platform had penalized 2,475 illegal accounts identified through self-examination and user reporting in July 2018. Based on the severity of the illegal behaviour, Toutiao has lowered scoring and banned publications from 2,173 illegal accounts and permanently banned 302 accounts.

Xiaohongshu questioned about leak of customers’ personal information

Media coverage has exposed telemarketing scams targeting customers after shopping on Xiaohongshu. In scam phone calls, persons claiming to be Xiaoongshu customer service personnel induced consumers to open loan platform accounts to increase their credit scores to facilitate refund payments to Alipay. Xiaohongshu has said that the third party sellers involved in the incident are actually controlled by the same company. Xiaohongshu has closed all of its online shops at present and reported the matter to the local police. However, it did not address the user information protection issues. Given its similar responses to previous scam incidents, netizen trust in Xiaohongshu has been shaken.

Cyber security attack and defence competition held for financial industry

The People’s Bank of China has announced that Alipay has won first prize in the recently held cyber security attack and defence competition. The competition was jointly sponsored by the People’s Bank of China, the Ministry of Public Security, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission and other relevant departments. It was held to test the capabilities of various institutions to resist cyber-attacks. A total of 510 institutions participated.