Our Observations: in China, the People's Court and supervisory authorities are very active in the TMT sector this March. First, the supervisory authorities' jurisdictions will be reshuffled as the National Data Bureau to be established will be vested with the power to regulate national data governance. In addition, the CAC officially released the administrative procedure laws as the baseline for its enforcement actions, marking up the trend of more transparent and standardized enforcement procedures in the future. Besides, on the 3.15 Consumer Rights Day, the People's Court, at different levels, published typical cases where the consumers' rights are infringed. Overall, Data governance, protection of consumers' rights, and rectification of the mobile applications' non-compliant functionality are the core subjects widely discussed by lawmakers, practitioners, and enterprises in the TMT sector.

PART I – REGULATIONS, POLICIES & JUDICIARY INTERPRETATIONS

1. Provisions on Administrative Law Enforcement Procedures for the Cyberspace Administration of China Will Take Effect on June 1, 2023

On March 23, 2023, the Cyberspace Administration of China (CAC) issued the Provisions on Administrative Law Enforcement Procedures for the Cyberspace Administration of China (the "Provisions"), which will come into effect on June 1, 2023. The Provisions consists of five chapters and 58 articles, including general provisions, jurisdiction and application scope, administrative punishment procedures, implementation and case closing, and supplementary provisions, which ink CAC's jurisdiction and administrative enforcement procedures into statutes. The Provisions lay down to:

  • Clarify the specific procedural requirements, such as how to file a case or collect evidence.
  • Improve the withdrawal, complaint, and defense mechanism to effectively protect the parties' rights.
  • Clarify the procedures for administrative appeal.
  • Clarify the collective deliberation and decision-making system for complex or major violations.
  • Stipulate the time limit of cases handled by CAC and the specific circumstances of ending the cases.

The Provisions specifies that CAC has the authority to issue administrative penalties. These administrative penalties cover areas such as network information content, network security, data security and personal information protection. In addition, as network operators, enterprises need to record the necessary information to better cooperate with the enforcement actions of regulatory authorities.

2. SAMR Issued Administrative Measures for Internet Advertising

On February 25, 2023, the State Administration for Market Regulation (SAMR) issued Administrative Measures for Internet Advertising (the "SAMR Measures"). The SAMR Measures are enacted to regulate internet advertising activities, protect the legitimate rights and interests of consumers, develop a healthier ecosystem of the internet advertising industry and maintain the economic order of fair market competition.

The SAMR Measures defines and determines the responsibilities of advertisers, advertising agencies and publishers, internet information service providers, internet platform operators and other subjects in internet advertising activities and regulates sensitive advertisement activities such as pop-up advertisement, open-screen advertisement, and the use of smart devices to publish advertisements. Besides, The SAMR Measures specifies advertising requirements regarding important areas such as online advertisement with add-in jump links, advertisement rank biddings, advertisement personalized and recommended by algorithm, and live-stream advertisement. The SAMR measures also set out limitations to the advertising endorsers' activities to enhance the supervision and law enforcement of internet advertising.

3. CSRC Issued Administrative Measures for Cybersecurity and Information Security in the Securities and Futures Industry

On February 27, 2023, China Securities Regulatory Commission (CSRC) issued Administrative Measures for Cybersecurity and Information Security in the Securities and Futures Industry (the "CSRC Measures"), which aims to ensure sectorial cybersecurity and information security, protect the legitimate rights and interests of investors, and enhance sectorial stability and healthiness.

The CSRC Measures comprises eight chapters and 75 articles, including the methods to determine Critical Information Infrastructure Operators (CIIO), core agencies, business operators, and information technology system service providers in the securities and futures industry. Specifically, the CSRC measures puts forward the following requirements:

  • Core agencies and business operators shall, in compliance with the principle of ensuring security and promoting development, establish and improve their cybersecurity and information security protection systems, improve the level of security protection, ensure simultaneous advancement of informatization, and promote the steady and healthy development of relevant work of the corresponding agencies.
  • Information technology system service providers who provide products or services for the securities and futures industry shall jointly safeguard cybersecurity and information security with core agencies and business operators.
  • Operators of CIIO in the securities and futures industry shall take security management measures, technical protection and other necessary means to ensure the safe and stable operation of critical information infrastructure, and maintain completeness, confidentiality and availability of data.

4. SAMR Issued Four Supplementary Regulations to the Anti-Monopoly Law

On March 24, 2023, the State Administration for Market Regulation (SAMR) issued four supplementary regulations to the Anti-Monopoly Law, which are Provisions on Curbing Abuse of Administrative Power to Exclude or Restrict Competition, Provisions on Prohibition of Monopoly Agreements, Provisions on Prohibition of the Abuse of Market Dominance, and Provisions on the Review of Concentrations of Undertakings.

These regulations elaborate on the new Anti-Monopoly Law, which took effect on August 1, 2022. Specifically, these regulations stipulate that the ability to master and process data should be considered a factor in determining a dominant market position. They also explicitly prohibit algorithm collusion, stipulating that operators cannot use algorithms, platform rules, etc., to enforce horizontal or vertical monopoly agreements.

PART II - SECTORIAL STANDARDS & PRACTICE GUIDANCE

1. CPC Central Committee and the State Council Released a Plan for Reforming Party and State Institutions, a National Data Bureau will be Established.

On March 16, 2023, the Communist Party of China (CPC) Central Committee and the State Council released a plan on reforming CPC and state institutions. Particularly, the National Data Bureau will regulate national data governance according to the reforming plan. The reforming plan noted that the institutional reshuffle must be fully adapted to the new tasks to build an efficient, well-develop, procedure-based ecosystem of the CPC and state institutions.

The proposed National Data Bureau, to be administered by the National Development and Reform Commission (NDRC), will be responsible for advancing nationwide data governance, including but not limited to coordinating data integration, data sharing, data resources application, and planning for a digitalized China, the development of digital economy and digital society, among others.

2. TC260 Issued Information Security Technology — Personal Information Cross-Border Transmission Authentication Requirements (Draft for Public Comments)

On March 16, 2023, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued Information security technology — Certification for the cross-border transfer of personal information (Draft for Public Comments) (the "Certification"), which provides national standards for certification organizations to carry out personal information protection certification for cross-border transfer of personal information.

The Certification outlines the basic principles and requirements for personal information processors to transfer personal information abroad. The Certification, upon its official release, will become a recommended national standard replacing the precedent Practice Guideline for Cybersecurity Standards - Safety Certification Specification for Cross-border Processing Activities of Personal Information V2.0.

3. Four Constituent Departments of the State Council Jointly Issued the Implementation Opinions on Carrying out the Certification Work for the Network Security Services

On March 15, 2023, the SAMR, CAC, MITT, and the Ministry of Public Security (the "Issuance Departments") jointly issued the Implementation Opinions on Carrying out the Certification Work for the Network Security Services (the "Implementation Opinions"). In the Implementation Opinions, the Issuance Departments have proposed eight principles to unify the certification works and to establish high-quality internet security services certification systems. The main content of the principles is summarized as follows:

  • The network security service certification work shall follow the basic principles of "unified management, joint implementation, unified standards, and operation in order" under the supervision of the Issuance Departments.
  • Catalogs of the network security service certification will be confirmed or adjusted by the Issuance Departments.
  • The Issuance Departments will coordinate with other institutions or departments to solve the technical problems occurred during the practice of the certification work or establishment of the certification systems, and Issuance Departments will constantly study to rectify the certification catalogs and rules.
  • Institutions carrying out the network security service certification shall follow relevant certification rules, establish a traceable mechanism, publicize its fee standards and certificate status, and submit the certifying detail and certificate information in accordance with relevant laws and regulations.
  • Certified network security service institutions shall ensure that their works are constantly in compliance with the certification requirements prescribed by laws and regulations.

PART III - ENFORCEMENT HIGHLIGHTS

1. MIIT Notified 55 Mobile Applications and SDKs that Infringed Users' Rights and Interests

On March 21, 2023, The Ministry of Industry and Information Technology (MIIT) issued a public notice regarding 55 mobile applications and SDKs that infringed users' rights and interests. Forty-four mobile applications and 11 SDKs cover areas such as daily life services and entertainment.

These mobile applications and SDKs have problems inducing users by deception, excessive demand for rights, and illegal personal information collection, which may result in illegally disclosing personal information and infringing on users' rights and interests. MIIT immediately investigated and punished relevant companies and stressed that it would continue to enhance the technical testing, supervision and inspection of mobile applications and SDKs, strengthening the upstream and downstream management of mobile applications, SDKs and other application services.

PART IV – COURT JUDGMENTS

1. The Supreme People's Court Released 10 Typical Cases regarding Online Consumption

On March 15, 2023, the Supreme People's Court released ten typical cases regarding online consumption, involving the validity of contracts that suppress negative comments from customers, consumers' personal information protection, online paid services for minors, online travel booking services, limited-time free offer, second-hand goods trading, online leasing, platform operators' responsibilities, online food safety, and the validity of standard terms. Ten typical cases further clarify the types of liabilities that e-commerce platforms should undertake under different circumstances, such as joint liability, punitive compensation liability, liability for the breach, etc. Besides, some of the typical cases clarify the liability boundary of the platform and emphasize the platform's obligations protection of consumers' rights and interests. Finally, Supreme People's Court believes that the ten typical cases signify the national determination to develop sustainable and healthy digital economy.

2. Beijing Intellectual Property Court Adjudicated that Scrapping Data from Short-Video Platforms May Constitute Unfair Competition

On March 16, 2023, Beijing Intellectual Property Court returned the judgment about the data scrapping of short videos. The decision found that the defendant took improper means to scrap and transport substantive short videos from DouYin, which adversely affected the market competition order of the short video industry. Beijing Intellectual Property Court rejected the appeal and required the defendant to compensate the plaintiff for economic losses of 5 million yuan.

As the first case of unfair competition in the short-video platform, this case defines the legal nature and independent economic value of the non-original data set, distinguishes the rights protected by copyright law from the legal interests of law against unfair competition, and focuses on the application of law in cases of unfair competition about internet platform data set. From this case, legal protection is now given to protect the legitimate rights and interests of the operators of short-video platforms during data collection, storage, processing and transfer.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.