China Monthly Data Protection Update - January 2023 - Data Protection

Legislation

CBIRC formulated and promulgated the Administrative Measures for the Protection of Consumers' Rights and Interests by Banking or Insurance Institutions

On December 30, 2022, in order to maintain a fair and equitable financial market environment, effectively protect the legitimate rights and interests of consumers in the banking and insurance industries, and promote the high-quality and healthy development of the industries, the China Banking and Insurance Regulatory Commission ("CBIRC") formulated and promulgated the Administrative Measures for the Protection of Consumers' Rights and Interests by Banking or Insurance Institutions, which requires to standardize personal information processing of banking and insurance institutions, so that the industries can effectively protect the personal information security of consumers while giving full play to the data value. ¹

MIIT Solicits Comments on the Notice of the Ministry of Industry and Information Technology on Further Improving the Service Capability of Mobile Internet Applications (Draft for Comments)

On December 27, in order to optimize service supply, improve user experience, create a good information consumption environment and promote the high-quality development of the industries, the Ministry of Industry and Information Technology ("MIIT") organized and drafted the Notice of the Ministry of Industry and Information Technology on Further Improving the Service Capability of Mobile Internet Applications (Draft for Comments) in accordance with its administrative responsibilities for industries and openly solicited comments from the society. According to the draft, protection of personal information shall be strengthened by adhering to the principle of lawfulness, legitimacy and necessity, making clear the personal information processing rules and applying for the right of use reasonably. ²

State Council Issues the Opinions of the CPC Central Committee and the State Council on Building Basic Systems for Data and Putting Data Elements to Better Use

On December 19, in order to accelerate the construction of basic systems for data, give full play to the advantages of China's vast data and rich application scenarios, activate the potential of data elements, give a big boost to the digital economy, enhance the new momentum of economic development and build a new national competitive advantage, the Communist Party of China ("CPC") Central Committee and the State Council jointly released the Opinions of the CPC Central Committee and the State Council on Building Basic Systems for Data and Putting Data Elements to Better Use (which is also known as "The 20 Key Data Measures"). ³

NISSTC Publishes Practice Guidelines on Cybersecurity Standards –Security Certification Specifications for Cross-border Personal Information Processing Activities (Version 2.0)

On December 16, in order to support the implementation of personal information protection certification and guide personal information handlers to standardize the cross-border processing activities of personal information, the Secretariat of the National Information Security Standardization Technical Committee ("NISSTC") organized the preparation of the Practice Guidelines on Cybersecurity Standards –Security Certification Specifications for Cross-border Personal Information Processing (Version 2.0) ("Practice Guidelines"). The Practice Guidelines stipulates the basic principles to be followed in cross-border processing activities of personal information, the protection of personal information by personal information handlers and overseas recipients in cross-border processing activities of personal information, and the protection of the rights and interests of personal information subjects. ⁴

MIIT and CAC Publishes Notice of the Ministry of Industry and Information Technology and Cyberspace Administration of China on Further Regulating the Pre-Installation of Application Software for Mobile Intelligent Terminals

On December 14, in order to further regulate the pre-installation of application software for mobile intelligent terminals, protect the rights and interests of users, improve the quality of supply of mobile Internet application services, build a safer and more dynamic industrial ecology, and promote the sustainable prosperous development of the mobile Internet, the MIIT and the Cyberspace Administration of China ("CAC") issued the Notice of the Ministry of Industry and Information Technology and Cyberspace Administration of China on Further Regulating the Pre-Installation of Application Software for Mobile Intelligent Terminals in accordance with the Cybersecurity Law of the People's Republic of China , the Personal Information Protection Law of the People's Republic of China and the Telecommunications Regulations of the People's Republic of China. ⁵

NEA Issues the Administrative Measures for Cybersecurity in Electric Power Industry and Administrative Measures for the Hierarchical Protection of Cybersecurity in Electric Power Industry

On December 15, in order to strengthen the supervision and management of cybersecurity in the electric power industry and standardize the cybersecurity work in the electric power industry, China's National Energy Administration ("NEA") formulated and issued the Administrative Measures for Cybersecurity in Electric Power Industry and the Administrative Measures for the Hierarchical Protection of Cybersecurity in Electric Power Industry. ⁶

MIIT Promulgated the Administrative Measures on Data Security in the Field of Industry and Information Technology (for Trial Implementation)

On December 13, the MIIT promulgated the Administrative Measures on Data Security in the Field of Industry and Information Technology (for Trial Implementation) ("Measures"), which comes into effect on January 1, 2023. The person in charge from the MIIT said that the Measures, as the top-level institutional document for data security management in the field of industry and information technology, focuses on solving the problem of "who should be in charge, what should be regulated and how to regulate" as for data security in the field of industry and information technology, constructs a two-level regulatory mechanism - "The MIIT and local industry regulatory departments", and adheres to the general principle of grade-based data protection by requiring strengthening the security management of the whole life cycle for general data, specially protection for important data on the basis of general data protection, and stricter protection for core data on the basis of important data protection. ⁷

CAC Jointly Issues Regulations on the Deep Synthesis of Internet Information Services with MIIT and MPS

On December 11, the CAC, the MIIT and the Ministry of Public Security ("MPS") jointly issued the Regulations on the Deep Synthesis of Internet Information Services ("Regulations"), which shall come into effect from January 10, 2023. The person in charge from the CAC said that the introduction of the Regulations aims to strengthen the management of deep synthesis of Internet information services, promote core socialist values, safeguard national security and social public interests, and protect the legitimate rights and interests of citizens, legal persons, and other organizations. ⁸

Data Regulation of Sichuan Province Voted in

On December 2, after three deliberations, the 38th Session of the Standing Committee of the 13th People's Congress of Sichuan Province voted to adopt the Data Regulation of Sichuan Province, which shall be effective from January 1, 2023. The introduction and implementation of this regulation will promote the use of data resources in Sichuan in an orderly manner, focusing on activating new elements, promoting new governance, creating a new ecology, safeguarding data security, accelerating the construction of a province with strong network industry, digital Sichuan, and an intelligent society, and maintaining Sichuan's pioneering and proactive role in the implementation of the national big data strategy. ⁹

MOT Releases Revised Version of Administrative Measures on the Real-Name System for Railway Passenger Tickets and Focuses on Protection of Personal Information

On December 2, the Ministry of Transport ("MOT") released the newly revised Administrative Measures on the Real-Name System for Railway Passenger Tickets. The revision mainly includes the adjustment of the scope of the management of the real-name ticket system, refinement of the requirements for the purchase of real-name tickets, improvement of the provisions for real-name ticket inspection and increase of legal liabilities, etc. The document has come into effect since January 1, 2023. The document also further refines and perfects the obligations of railway transport enterprises in the protection of passengers' personal information and the relevant protective measures required, and clarifies that railway transport enterprises and their staff shall keep strictly confidential the personal information obtained through the implementation of the real-name ticket system regarding passengers' identity, ticket purchase and travel, and shall not unlawfully collect, use, process, transmit, trade, provide or disclose it. ¹⁰

Enforcement Authority

SPB: Further Strengthening Protection of Personal Information in Field of Postal Delivery

On December 28, 2022, the State Post Bureau of the People's Republic of China ("SPB") held a meeting of General Directors to consider and adopt in principle several opinions, programs as well as industry standards, listen to a report on the awarding of the 2022 Gold Medal Project for Express Service to Modern Agriculture and the selection of Chinese Model Cities for Express Services, and emphasize the need to further strengthen the protection and governance of personal information in the field of postal and express delivery. ¹¹

Cyberspace Administration of Hubei Opens Channel for Cross-border Data Transfer Security Assessment Notification

On December 9, in order to standardize and orderly carry out the notification of cross-border data transfer security assessment, according to the Security Assessment Measures for Outbound Data Transfers and Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition) issued by the CAC, the Cyberspace Administration of Hubei officially opened a cross-border data transfer security assessment channel for receiving the notification materials submitted by data handlers in Hubei Province. ¹²

Sichuan and Chongqing Jointly Provide "ID Cards" and "Property Rights Certificates" for Data Resources through Launch of 1st Local Standard in Data Field

On December 2, the first local standard in the field of data jointly formulated by Sichuan province and Chongqing city – Specification for Labeling of Public Information Resources ("Specification") has been officially released and implemented, which will provide "ID cards" and "property rights certificates" for data resources in Sichuan and Chongqing and help promote data governance, sharing and traceability, as well as cultivate data element markets in both provinces. The Specification specifies the labeling classification, coding and management rules for public information resources in Sichuan and Chongqing, and is applicable to the labeling, cataloguing and publication of public information resources of government organizations, non-government organizations and residents in both provinces. ¹³

Courts Litigation

Beijing Internet Court: Compulsory Collection of User Portrait Information for Personalized Pushing by APP Constitutes Infringement Act

On December 28, 2022, the Beijing Internet Court concluded a case of infringement of the compulsory collection of user portrait information by an APP. In the case, the plaintiff, Luo, argued that the software operated by the defendant infringe his personal information rights by forcibly collecting user portrait information for personalized pushing when users first logged in. The court held that the software in question collected user portrait information on the first login page without setting the path of "skip" or "reject", which was a compulsory collection and constituted infringement, and ruled that the defendant was liable for the infringement act. After the judgment was delivered, the defendant appealed, and the judgment was upheld in the second instance. ¹⁴

SPC Issues Several Opinions on Provision of Judicial Services and Guarantee to Boost Consumption and Calls for Enhanced Judicial Protection of Consumers' Personal Information

On December 26, in order to implement the new development philosophy in a complete, accurate and comprehensive manner, accelerate the building of a new development pattern, strive to promote high-quality development, further give play to the functional role of the people's courts, serve and guarantee the comprehensive promotion of consumption and acceleration of the quality improvement and upgrading of consumption, and help implement the strategy of boosting domestic demand, the Supreme People's Court ("SPC") issues several opinions on provision of judicial services and guarantee to boost consumption and calls for enhanced judicial protection of consumers' personal information. ¹⁵

SPC Issues 4 Guiding Cases: Facial Recognition Information, ID Card Information, Social Media Accounts and Mobile Verification Codes Belongs to Citizens' Personal Information under the Criminal Law

On December 26, the SPC issued four guiding cases, all of which are criminal cases on the protection of citizens' personal information. The cases involve the scope and nature of citizens' personal information protected by the Criminal Law, such as facial recognition information, resident ID card information, social media accounts such as WeChat account and mobile verification codes, and are of great guiding significance in clarifying the rules for adjudicating similar cases and protecting citizens' personal information in accordance with the law. ¹⁶

Deputy Director of 8th Department of SPP: Promoting Transformation of Personal Information Security Governance towards Ex-ante Prevention

On December 22, the "Woodpecker Data Governance Forum 2022" was held in Beijing. In this forum, Jinghui Qiu, the Deputy Director of the 8th Department of the Supreme People's Prosecutor ("SPP"), pointed out that in order to strengthen the protection of personal information, prosecutorial public interest litigation needs to be transformed, and that the state needs to promote the transformation of the personal information data security governance model from ex-post punishment to ex-ante prevention, and that personal information data security should be incorporated into the public security system to implement more stringent protection. ¹⁷

SPC Issues Opinions on Judicial Application of Artificial Intelligence and Stresses Building Intelligent Courts while Protecting Data Security

On December 9, the SPC issued the Opinions on Regulating and Strengthening the Judicial Application of Artificial Intelligence, which calls for strengthening the management of artificial intelligence-assisted justice and supporting intelligent applications such as early warning of deviations of judgments, verification of final judgments, automatic inspection of irregular judicial behavior, and prevention and control of judicial integrity risks. It also emphasizes strengthening the classification and grading management of judicial data and strengthening the protection of important data and sensitive information. ¹⁸

SPP Releases 5 Typical Cases of Punishing Crimes against Citizens' Personal Information

On December 7, the SPP released five typical cases of punishing crimes against citizens' personal information in accordance with the law. The typical cases cover the comprehensive protection of different types of personal information such as citizens' credit information, biometric information, track information, health and physiological information, reflecting the policy direction of the procuratorial authorities to strictly punish crimes against citizens' personal information in accordance with the law and the typical cases have also reiterated or clarified the application of the relevant laws involving personal information in judicial cases. ¹⁹

Academia

Dacheng Lawyer Speak at United Nations Internet Governance Forum 2022 on Cross-border Data Flows

The 17th Annual Meeting of the United Nations Internet Governance Forum ("IGF") was held in Addis Ababa, Ethiopia from 28 November to 2 December 2022, both online and offline. On November 29, Jet Deng, Senior Partner of Dacheng Beijing Law Firm was invited as a speaker in the workshop on "Governing Cross-Border Data Flows, Trade Agreements and Limits" under the theme of "Governing Data and Protecting Privacy". The panel also included Associate Professor Yik Chan Chin from Beijing Normal University, Professor Locknie Hsu from Singapore Management University, Professor Rolf H. Weber from the University of Zurich, Switzerland, and Mansi Kedia, Researcher at the Indian Council for Research on International Economic Relations. ²⁰

Footnotes

1. https://mp.weixin.qq.com/s/QRu3S2LooLXfc3SwYP3XEg?scene=25#wechat_redirect

2. https://baijiahao.baidu.com/s?id=1753343794400182468&wfr=spider&for=pc

3. http://www.gov.cn/zhengce/2022-12/19/content_5732695.htm

4. https://www.tc260.org.cn/front/postDetail.html?id=20221216161852

5. http://www.cac.gov.cn/2022-12/14/c_1672656825925035.htm

6. http://zfxxgk.nea.gov.cn/2022-11/16/c_1310683245.htm

7. https://www.miit.gov.cn/jgsj/waj/wjfb/art/2022/art_e4d9ba53a8014d85a4f80d47272f486d.html

8. http://www.cac.gov.cn/2022-12/11/c_1672221949354811.htm

9. http://www.scspc.gov.cn/flfgk/scfg/202212/t20221206_42859.html

10. https://view.inews.qq.com/wxn2/20221202A00PMZ00?qq=12

11. https://baijiahao.baidu.com/s?id=1753464513780907125&wfr=spider&for=pc

12. https://mp.weixin.qq.com/s/Bif2J5SoZjhOvHgzwb2NUg?scene=25#wechat_redirect

13. https://h.xinhuaxmt.com/vh512/share/11244884?d=1348d12

14. https://mp.weixin.qq.com/s/UTA52jnPw2erTgJg1jKQhg?scene=25#wechat_redirect

15. https://www.court.gov.cn/fabu-xiangqing-384291.html

16. https://mp.weixin.qq.com/s/vvF86a_Thfe_3RUqIoSuKw?scene=25#wechat_redirect

17. https://www.163.com/dy/article/HP996Q8I05129QAF.html

18. http://www.21jingji.com/article/20221209/herald/962213d652fca0ce5e01ba6227e7d0de.html
#:~:text=12%E6%9C%889%E6%97%A5%EF%BC%8C%E6%9C%80%E9%AB%98,%E5%92%8C%E6%95%8F%E6%
84%9F%E4%BF%A1%E6%81%AF%E4%BF%9D%E6%8A%A4%E3%80%82

19. https://www.spp.gov.cn/spp/xwfbh/wsfbt/202212/t20221207_594915.shtml#2

20. https://mp.weixin.qq.com/s/6v3xGNZowne4-IVyhuqgfw

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

China: China Monthly Data Protection Update - January 2023

Login to Mondaq.com

Why Register with Mondaq

Your Organisation