China: China Monthly Data Protection Update - April 2022

LEGISLATION

Shenzhen Special Economic Zone Consumer Rights Protection Regulations (Draft for Comments) Released, Protecting "Personal Information Rights"

On March 23, 2022, Shenzhen Administration for Market Regulation issued the Shenzhen Special Economic Zone Consumer Rights Protection Regulations (Draft for Comments). It provides that, consumers have the right to protection of personal information, and business operators shall not infringe on consumers' personal information and privacy. The draft also stipulates special provisions on the protection of personal information in the Internet scenario, for example, consumers' personal information shall not be transferred in any form; consumers shall not be recorded and tracked without the consent of consumers, mined and analyzed consumer data information, or treated with big data-enabled price discrimination or commercial information push, etc.¹

MST Publishes the Rules for the Implementation of the Regulations on the Management of Human Genetic Resources (Draft for Comments)

On March 22, Ministry of Science and Technology ("MST") published the Rules for the Implementation of the Regulations on the Management of Human Genetic Resources (Draft for Comments) ("Rules"). The Rules proposed to stipulate that the collection, storage, utilization and external provision of China's human genetic resources shall respect the privacy rights of the human genetic resources providers and obtain the informed consent in advance. In the interim, foreign organizations, individuals and institutions established or actually controlled by them are not allowed to collect or preserve domestic human genetic resources in China, and are not allowed to provide China's human genetic resources abroad.²

CAC Publishes the Regulations on Internet Protection of Minors (Draft for Comments)

On March 14, Cyberspace Administration of China ("CAC") published the Regulations on Internet Protection of Minors (Draft for Comments) to solicit public comments again. Chapter IV Personal Information Protection of the draft specifically regulated the protection of minors' personal information. In addition, the draft also stipulates corresponding legal liabilities for relevant illegal acts in Chapter VI.³

MIIT Publishes the Guidelines for the Construction of Cybersecurity and Data Security Standard System for the Internet of Vehicles

On March 7, Ministry of Industry and Information Technology ("MIIT") issued the Guidelines for the Construction of Cybersecurity and Data Security Standard System for the Internet of Vehicles, which plans to initially build the standard system for cybersecurity and data security of the internet of vehicles by the end of 2023, focusing on the research of basic commonality, terminal and facility cybersecurity, network communication security, data security, application service security, security assurance and support standards, and completing the development of more than 50 urgently needed standards. By 2025, a relatively complete cybersecurity and data security standard system for the internet of vehicles shall be established, with the completion of more than 100 standards to improve the coverage of standards in subdivided fields, strengthen the standard service capability, improve the standard application level, and support the safe and healthy development of the internet of vehicles industry.⁴

ENFORCEMENT AUTHORITY

NDRC Solicits Comments on the Opinions on Data Basic System

On March 21, 2022, NDRC published the Opinions on Data Basic System on its official website for comments with the deadline of April 5, 2022. The Opinions on Data Basic System summarizes several perspectives on the basic rules such as the general idea of constructing basic system of data, data property rights, circulation transactions, income distribution, and security governance, and provides guidance for the next policy formulation.⁵

ENFORCEMENT CASES

CAC Introduces the Relevant Issues of the "Qinglang" Series of Special Actions in 2022

On March 17, 2022, the State Council Information Office held a press conference. CAC summarized the series special actions named "Qinglang" in 2021, and introduced the plan of 2022, including the ten major tasks, seven types of problems to focus on, measures to regulate internet rumors, and promotion of comprehensive governance on algorithms.⁶

The People's Bank of China Imposes Administrative Penalties on Guangdong Huaxing Bank for Enquiring Personal Information Without Consent

On March 16, the People's Bank of China Jiangmen Central Sub-branch decided to impose a fine of RMB 30,000 to Jiangmen Sub-branch of Guangdong Huaxing Bank Co., Ltd., for the reason that the bank enquired personal information without consent. The direct person in charge was fined for RMB 5,000 as well.⁷

MIIT Notifies 14 APPs with Problems Including Collecting Personal Information Beyond Scope

On March 14, MIIT published the Notice on Problems Discovered During the "Looking Back" and Rectification of APP Infringement on User Rights. MIIT organized third-party testing agencies to focus on testing memory cleaning and mobile phone optimization apps that had many problems reported by users in the early stage, and conducted random tests on apps which found problems last year. A total of 14 apps were still found to have problems. The main problems of the notified apps include deceiving and misleading users to download, collecting personal information beyond the scope, harassing pop-up information, and excessively requesting permissions.⁸

Administration for Market Regulation of Anhui Publishes Typical Enforcement Cases of 2021 Regarding Infringement of Consumers' Personal Information

On March 14, Administration for Market Regulation of Anhui published the typical enforcement cases of 2021 regarding infringement of consumers' personal information on its website. The cases include the investigation and punishment by the Market Regulation Bureau of Feixi County, Hefei, to a real estate company who collected consumers' personal information without consent, the investigation and punishment by the Market Regulation Bureau of Wuhu to a decoration business company who infringed the personal information of the consumers, the investigation and punishment by the Market Regulation Bureau of Quanjiao County, Chuzhou, to a barber shop who collected consumers' personal information without consent, the investigation and punishment by the Market Regulation Bureau of Lu'an to a building materials seller who collected consumers' personal information without consent, etc.⁹

CVERC Reports 17 APPs with Privacy-Related Non-Compliance Issues

On March 4, National Computer Virus Emergency Response Center ("CVERC") released the news that 17 mobile applications were recently found to have had non-compliance behaviors concerning privacy, which violated the relevant provisions of the Cybersecurity Law and the Personal Information Protection Law, suspected of collecting personal privacy information beyond the legal scope.¹⁰

COURTS LITIGATION

An Internet Company Ordered to Pay RMB 1.05 Million for Stealing Others' Data to Attract Users

On March 29, 2022, Beijing Chaoyang District People's Court ordered RMB 1.05 million in compensation to an internet company for stealing others' data to attract users. The court held that the defendant used more than 50,000 complaints information on plaintiff's website, which is essentially an improper use of the plaintiff's complaint information, illegal possession of the information, and violation of the principle of good faith and recognized business ethics. It caused the actual losses to the plaintiff, and the general terms of the Anti-unfair Competition Law shall apply.¹¹

SPP Releases a Guiding Case on Public Interest Litigation Involving Infringement of Children's Privacy

On March 7, the SPP held a press conference on "Actively Fulfilling the Procuratorial Duty of Public Interest Litigation and Protection of Legitimate Rights and Interests of Minors" and released the 35th batch of guiding cases. These guiding cases include a public interest lawsuit against a short video APP for failing to manage children's accounts separately. According to the SPP, if internet operators fail to fulfill their cyber protection obligations in accordance with the law, and relevant administrative authorities fail to supervise them properly, which infringes children's personal information rights and interests, the procuratorial authorities can carry out both civil and administrative public interest lawsuits in accordance with the law.¹²

Footnotes

1. http://amr.sz.gov.cn/gkmlpt/content/9/9633/mpost_9633688.html#928

2. http://www.most.gov.cn/tztg/202203/t20220322_179904.html

3. http://www.gov.cn/xinwen/2022-03/14/content_5678971.htm

4. https://www.miit.gov.cn/zwgk/zcwj/wjfb/tz/art/2022/art_e36a55c43a3346c9a4b31e534b92be44.html

5. https://hd.ndrc.gov.cn/yjzx/yjzx_add.jsp?SiteId=378

6. http://www.scio.gov.cn/xwfbh/xwbfbh/wqfbh/47673/48033/index.htm

7. http://m.ce.cn/bwzg/202203/25/t20220325_37434933.shtml

8. https://www.miit.gov.cn/xwdt/gxdt/sjdt/art/2022/art_05240d52758845d0b9116dfd814b8d61.html

9. http://amr.ah.gov.cn/xwdt/gsgg/146511371.html

10. http://www.news.cn/2022-03/04/c_1128437535.htm

11. http://society.people.com.cn/n1/2022/0329/c1008-32386958.html

12. https://www.spp.gov.cn/jczdal/202203/t20220307_547759.shtml

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.