China: China Monthly Data Protection Update - October 2022

Legislation

NISTC Solicits Comments on National Standard Information Security Technology Cybersecurity Information Reporting Guide (Draft for Comments)

On September 28, 2022, the National Information Security Standardization Technical Committee ("NISTC") issued the Information Security Technology Cybersecurity Information Reporting Guide (Draft for Comments) ("Guide") to solicit public opinion. The Guide intends to stipulate that when reporting cybersecurity threat information, it is necessary to report the discovery time and the threat intelligence, etc., while the recipient may request the reporting party to provide the measures it has taken against the threat, follow-up plans, as well as the situation of potentially affected assets and the consequences of harm.¹

NISTC Solicits Comments on National Standard Information Security Technology Cybersecurity Crowd Testing Service Requirements (Draft for Comments)

On September 27, the NISTC issued the Information Security Technology Cybersecurity Crowd Testing Service Requirements (Draft for Comments) to solicit public opinion. This standard regulates the security responsibilities, service processes and requirements of the roles involved in network security crowd testing services.²

Second Deliberation on Beijing Digital Economy Promotion Regulations (Draft)

On September 21, the forty-third meeting of the Standing Committee of the 15th Beijing Municipal People's Congress held a second review of the Beijing Digital Economy Promotion Regulations (Draft). The second draft proposed that people who have real difficulties in using digital public services should be provided with alternative services and products.³

NISTC Solicits Comments on National Standard Information Security Technology Network Data Classification and Grading Requirements (Draft for Comments)

On September 14, the NISTC issued the Information Security Technology Network Data Classification and Grading Requirements(Draft for Comments). This standard aims to support the implementation of the data classification and grading protection system proposed in Article 21 of the Data Security Law of the People's Republic of China ("DSL"), and solve the problem of the lack of national unified data classification and grading rules, resulting in the relevant national data security system, data classification and grading protection requirements not being easily implemented.⁴

CAC Issues Decision on Amending the Cybersecurity Law of the People's Republic of China (Draft for Comments)

On September 14, the Cyberspace Administration of China ("CAC"), together with other relevant departments, drafted the Decision on Amending the Cybersecurity Law of the People's Republic of China (Draft for Comments) and solicited public opinion.⁵

SHEITC Solicits Comments on Shanghai Public Data Opening Implementation Rules (Draft for Comments)

On September 13, in order to implement the Shanghai Data Regulations, Interim Measures for the Opening of Public Data in Shanghai and other relevant laws and regulations, and accelerate the city's public data opening at a higher level, Shanghai Municipal Commission of Economy and Informatization ("SHEITC") has taken the lead in drafting the Shanghai Public Data Opening Implementation Rules (Draft for Public Comments), and open for public comments.⁶

CAC, MIIT and SAMR Jointly Issue Provisions on the Management of Internet Pop-Up Information Push Service

On September 9, CAC, the Ministry of Industry and Information Technology ("MIIT"), and SAMR jointly issued the Provisions on Internet Pop-up Information Push Services, which comes into effect on September 30, 2022.⁷

CAC Issues Provisions on Administrative Enforcement Procedures of Cyberspace Administration Departments (Draft for Comments)

On September 8, in order to regulate and ensure the cyberspace administration departments to perform their duties in accordance with the law, protect the legitimate rights and interests of citizens, legal entities and other organizations, and safeguard national security and public interests, CAC revised the Administrative Enforcement Procedures for the Administration of Internet-based Information Contents and formed Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments (Draft for Comments) to solicit comments.⁸

Cyberspace Administration of Jiangsu Issues Guidelines for Application of Security Assessment for Cross-border Data Transfer of Jiangsu Province (1st Edition)

On September 2, in order to implement the Measures for Security Assessment of Data Cross-border Transfer, guarantee the safety of data cross-border flow and serve the development of Jiangsu's digital economy, Cyberspace Administration of Jiangsu Province formulated the Guidelines for Application of Security Assessment for Cross-border Data Transfer of Jiangsu Province (1st Edition) based on the Guidelines for Declaration of Security Assessment for Cross-border Data Transfer (1st Edition).⁹

Enforcement Authority

Shanghai Data Group to Undertake the Authorized Operation of Public Data and State-Owned Enterprise Data

On September 29, 2022, Shanghai Data Group Co., Ltd. ("Data Group") was officially established. Data Group is a competitive market enterprise with the function guarantee attribute, whose core business is data. Its function is to build a market for data elements, stimulate the potential of data elements, and ensure data security. Data Group will undertake the authorized operation of Shanghai public data and the data of state-owned enterprises.¹⁰

Shanghai Data Exchange Expands Data Market, Launches One Stop Financial Data Trading Section

On September 23, in order to expand the product supply of the data market, Shanghai Data Exchange ("SDX") launched the One-Stop financial data trading section, and released two contents: first, the full range of banking data in the financial section was launched; second, the "2022 Financial Data Trading Thrive Plan" of SDX was officially launched.¹¹

Guangdong to Promote the Government's Chief Data Officer Work System by the End of This Year

On September 22, the press office of Guangdong Provincial People's Government held a press conference to introduce the latest progress of Guangdong in promoting the reform of market-oriented allocation of data elements over the past year. According to the introduction, Guangdong Province has completed the construction of an integrated provincial and municipal "one network sharing" platform, released a total of 51,800 data resources catalog, and opened 28,400 public data sets to the society through the "Open Guangdong" platform. Next, Guangdong Province will further promote the reform of the market allocation of data elements, create a market infrastructure for data elements, smooth the circulation of data elements, and empower high-quality economic and social development, and fully promote the work system of the government's chief data officer in the province by the end of the year.¹²

Enforcement Cases

Shanghai Communications Administration Notifies 127 APPs Infringing Users Rights and Interests

On September 23, 2022, in accordance with the Cybersecurity Law of People's Republic China ("CSL"), the Telecommunications Regulations, and the Provisions on Protection of Telecommunications and Internet Users' Personal Information, etc., the Shanghai Communications Administration organized third-party testing agencies to review APPs for infringement of rights of users and ordered 127 APPs who were found collecting personal information in violation of regulations, illegal use of personal information and forcibly, frequently and excessively requesting permission with rectification requirements.¹³

100 Days of Action: Guangdong Internet Security Department Cracks Down on Crimes Against Citizens' Personal Information

On September 19, Guangdong Internet Security Department released the results of combating crimes against citizens' personal information. According to the work deployment of "100 Days of Action" and "Clean Net 2022", Guangdong Internet Security Department severely punished the behaviors of theft and trafficking of citizens' personal information. Recently, 104 cases of personal information infringement crime were uncovered, 279 individuals were detained and 149 individuals were prosecuted in accordance with the law, effectively safeguarding the security of citizens' personal information.¹⁴

MPS Briefs on "100 Days of Action" for Combating Cybercrime and Answer Reporters' Questions

On September 8, the Ministry of Public Security ("MPS") held a press conference in Beijing on the theme of "Welcome the 20th National Congress, Loyalty and Security". Wang Yingwei, director of the Network Security Bureau of the MPS, introduced the achievements of public security departments' "100 days of action" for crackdown on illegal network crime to the public and media.¹⁵

Beijing Communications Administration Notifies 41 Problematic APPs

On September 5, Beijing Communications Administration issued a notice on 41 problematic APPs. According to the CSL, DSL, the Personal Information Protection Law of the People's Republic of China ("PIPL"), Network Product Security Vulnerability Management Regulations and other laws and regulations, Beijing Communications Administration organized third-party testing agencies to carry out technical testing of APPs in Beijing. A total of 41 APPs were found in August 2022 to have infringed on user rights and security risks.¹⁶

Courts Litigation

Chongqing Consumer Council Files a Public Interest Litigation on Personal Information Protection

On August 5, 2022, the Chongqing Consumer Council filed a public interest litigation against Fei for purchasing and selling personal information of students and parents. On September 19, the First Intermediate People's Court of Chongqing heard the case, and the People's Procuratorate of Yubei District presented for support. The court held that the defendant's illegal trading of consumers' personal information had infringed on the rights and interests of many unspecified consumers and the public interest, which should bear the corresponding civil liability. The parties eventually reached a settlement agreement in court.¹⁷

Court Rules WeChat Accounts Sale Contract Invalid and Illegal

On September 5, it is reported that, recently, Jiangyin City People's Court in Jiangsu Province ruled on a dispute over the sale and purchase contract of WeChat accounts, making it clear that the sale and purchase of WeChat accounts constituted the sale and purchase of personal information, which was essentially a fraudulent act that violated the right to know of WeChat friends, conflicted with the basic principle of good faith and trustworthiness, and was against public order and morality, thus the contract should be invalid.¹⁸

Using Personal Information to "Grab a Bargain" Constitutes the Crime of Infringement of Citizens' Personal Information

Since April 2021, Fu has repeatedly purchased real-name cell phone number data in large quantities, obtaining more than 7,000 pieces of personal information illegally, and made profits by selling and using real-name mobile phone numbers. For endangering the personal information security of unspecified citizens and infringing on public interest, the People's Procuratorate of Xingtang County, Shijiazhuang City, Hebei Province, filed a civil public interest suit collateral to criminal proceedings against Fu. On August 31, the court sentenced the defendant to one year's imprisonment with one year and six months' probation, a fine of 45,000 yuan, surrendered the illegal income of 35,000 yuan, and made a public apology on national news media.¹⁹

Footnotes

1 https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20220928171256&norm_id=20201104200045&recode_id=48793

2 https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20220927144754&norm_id=20200112070012&recode_id=48743

3 http://www.bjrd.gov.cn/zyfb/zt/bjsswjrdcwhd43chy/mthc/202209/t20220921_2819934.html

4 https://www.tc260.org.cn/front/postDetail.html?id=20220914181019

5 http://www.cac.gov.cn/2022-09/14/c_1664781649609823.htm

6 http://sheitc.sh.gov.cn/gg/20220914/5b58744a4f4740fb8da5d003cd9b6d23.html

7 http://www.cac.gov.cn/2022-09/08/c_1664260384702890.htm

8 http://www.cac.gov.cn/2022-09/08/c_1664174174624227.htm

9 http://jswx.gov.cn/xinxi/shuzi/202209/t20220902_3068388.shtml

10 https://www.cnr.cn/shanghai/tt/20220930/t20220930_526024274.shtml

11 https://xhpfmapi.xinhuaxmt.com/vh512/share/11137410

12 https://www.gzdaily.cn/amucsite/web/index.html#/detail/1922732

13 https://mp.weixin.qq.com/s/0aS6eujat35b3Ibrhot1mA?scene=25#wechat_redirect

14 https://mp.weixin.qq.com/s/2nfMhkQfYAk9szKDZjO0EA?scene=25#wechat_redirect

15 https://mp.weixin.qq.com/s/bFzaInY9UaRvUyejKI1Vcw?scene=25#wechat_redirect

16 https://bjca.miit.gov.cn/zwgk/tzgg/art/2022/art_267bb2783f004f819080711b5d27c7db.html

17 https://mp.weixin.qq.com/s/cuYnBt8EsZq0Po8iNXVhPw?scene=25#wechat_redirect

18 http://rmfyb.chinacourt.org/paper/html/2022-09/05/content_220650.htm?div=0

19 http://www.hebeipingan.org.cn/system/2022/09/19/030190667.shtml

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.