Our Observations: for the past two months (December 2022 - January 2023), enhancing the re-use of data and facilitating data sharing has become THE TOPIC that draws the attention of policymakers and legislators. To maximize the role of data as a new element of production, the 20 Data Measures creatively set the tone that the data property system must be laid down. The super metropolis – Shanghai also issued implementation rules on the disclosure and re-use of public data on the provincial level. Among other things, the courts' and supervisory bodies' eyes are also on AI compliance, protection of personal information, outbound data transfer, NFT compliance, online content purification, and sectorial cybersecurity standardization for the last two months.
Part I – Regulations, Policies &Judiciary Interpretations
On December 19, 2022, the Central Committee of the CCP and the State Council issued the Opinions on Building Basic Systems for Data to Maximize the Role of Data Elements (the "20 Data Measures"). The 20 Data Measures note that as a new element of production and the basis for digitization, networking, and intelligence empowering, data has been rapidly integrated into various aspects of production, distribution, circulation, consumption, and social service management, profoundly changing the mode of production, lifestyle, and social governance.
The 20 Data Measures emphasizes 4 major systems and 4 safeguard measures to promote compliance and efficient circulation and use of data and empower the real economy.4 major systems mentioned by the 20 Data Measures include data property rights system, data element circulation and trading system, data element profit distribution system, and data element governance system. The 4 safeguard measures are: strengthening organizational leadership, increasing policy support, encouraging experimentation and exploration, and promoting institutional construction.
According to the 20 Data Measures, the National Development and Reform Commission ("NDRC") will enact relevant rules for data ownership identification and utilization.
On December 9, 2022, the Supreme People's Court issued the Opinions on Regulating and Strengthening the Judicial Application of Artificial Intelligence (the "Opinions"), aiming to:
- Further promote the deep integration of artificial intelligence with judicial work.
- Comprehensively reinforce the construction of smart courts.
- Create a higher level of digital justice.
- Promote the construction of smart rule of law to a higher level.
The Opinions focus on five basic principles that the judicial application of artificial intelligence should follow, including the principle of (1) security and legality; (2) fairness and impartiality; (3) auxiliary trial; (4) transparency; and (5)public order and good morals. In addition, the Opinions also emphasize the need to strengthen the classification and grading of judicial data and the protection of important data and sensitive information, improve the safe sharing and application model of judicial data, prevent and eliminate security risks arising in the process of artificial intelligence application through the judicial artificial intelligence ethics committee and other mechanisms by adopting ethics review, compliance review and security assessment.
On December 8, 2022, the Ministry of Industry and Information Technology (MIIT) issued the Measures for Data Security Management in Industry and Information Technology Sector (for Trial Implementation) (the "Measures"), aiming to:
- Regulate data processing activities in the industry and information technology sector.
- Strengthen data security management.
- Protect data security.
- Promote data development and utilization.
- Protect the legitimate rights and interests of individuals and organizations, and national security.
The issuance of the Measures reflects that the MIIT's eyes are on the issue of data security in the sector of industry and information technology, and it is also a timely response to the concerns raised by the public. The MIIT provides an institutional framework for the supervision of data security in the form of departmental rules.
The Measures consist of 8 chapters and 42 articles, clarifying the compliance requirements for data security management for data handlers in the industry and information technology sector and the supervision and review responsibilities of relevant regulators, as well as special requirements for the management of central enterprises, in terms of classified and graded management of data, data lifecycle security management, data security monitoring, early warning and emergency management, and management of data security testing, certification and evaluation.
On December 12, 2022, the National Energy Administration issued the Measures for Cybersecurity Management in the Power Industry (the "Measures"), which aims to strengthen the supervision and management of cybersecurity and regulate the work of cybersecurity in the power industry.
The Measures consist of 5 chapters and 35 articles, including the General Provisions, Supervision and Administration Responsibilities, Responsibilities and Obligations of Power Enterprises, Supervision and Inspection, and Supplementary Provisions. The Measures specify the responsibilities and obligations of power enterprises, including but not limited to establishing a sound cybersecurity responsibility system, designating the chief cybersecurity officer, strengthening cybersecurity protection, establishing cybersecurity risk assessment, developing contingency plans for cybersecurity incidents, establishing a sound disaster recovery backup system and a sound data security management system throughout the whole process and personal information protection system, conducting special summary reporting and submission of cybersecurity work and the security protection work for critical information infrastructure.
On December 31, 2022, the Shanghai Municipal Commission of Economy and Informatization and CAC, Shanghai Office issued Implementation Rules on Access to Public Data in Shanghai (the "Implementation Rules"), aiming to promote a deeper and higher level of access to public data to support the digital transformation of Shanghai city. The Implementation Rules consist of 7 chapters and 39 articles, including General Provisions, Data Disclosure, Data Access, Information Systems and Disclosure Platforms, Data Utilization, Security Measures, and Supplementary Provisions, which apply to the activities of public data disclosure, access, utilization, and security management in Shanghai.
The Implementation Rules specify that public data refers to data collected and generated by state organs, institutions, organizations authorized by law to manage public affairs, and organizations providing public services such as water supply, electricity supply, gas supply, public transportation, etc., in the course of performing public service responsibilities. Public data disclosure refers to public services that public management and service institutions provide to society with original, machine-readable, and socially reusable data.
On January 1, 2023, the Regulations on the Promotion of Digital Economy in Beijing (the "Regulations") came into effect. The Regulations provide detailed rules on digital infrastructure, data resources, digital industrialization, industrial digitalization, smart city development, digital economy security, and safeguard measures. The Regulations point out that the digital economy refers to a new economic form that uses data resources as the key elements, modern information networks as the main carrier, integrated application of information and communication technologies and digital transformation of all elements as important driving forces to promote fairness and efficiency.
Part II - Sectorial Standards & Practice Guidance
On December 16, 2022, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued the Practice Guideline for Cybersecurity Standards – Safety Certification Specification for Cross-border Processing Activities of Personal Information V2.0 (the "Guideline"), which aims to support the implementation of personal information protection certification and guide personal information handlers to regulate their cross-border processing activities of personal information.
Compared to the Draft Guideline issued on November 8, the Guideline has some amendments, mainly including:
1) Emphasize the continuous supervision right of certification bodies on the cross-border processing activities of personal information.
2) Clarify the civil liability of personal information handlers and overseas recipients regarding the rights and interests of personal information subjects.
3) Require that the agreement signed by personal information handlers and overseas recipients stipulate both parties' legal liabilities.
4) Encourage personal information handlers conducting cross-border personal information processing activities to apply for personal information protection certification voluntarily.
Provide that the competent court for the personal information subject to file a legal action is not only the People's Court at the location of the personal information subject's habitual residence but also the specific competent court as stipulated in the Civil Procedure Law.
On January 6, 2023, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued the Practice Guideline for Cybersecurity Standards – Verification of the Effect of Local Contouring of Out-of-Car Screens (Draft) (the "Guideline") for public comments, which clarifies the process, method and verification criteria for the verification of the effect of local contouring of the face and license plate of out-of-automobile screens, in order to guide automobile data handlers to standardize the out-of-automobile screen data collection and verify the effect of local contouring of the face and license plate of out-of-automobile screens.
The Guideline applies to the automobile data handler's own verification of the effect of local contouring of the face and license plate of out-of-automobile screens. Also, it applies to the third-party agencies to verify the local contouring effect. "Local contouring" refers to the process of removing areas of video and images that contain information such as faces and license plates, or replacing these areas with other images that cannot be associated with the personal information subject and cannot be recovered. However, the Guideline does not explain the technical means to carry out local contouring.
On December 1, 2022, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued the Cybersecurity of Industrial Internet Enterprises – Part 4: Data Protection Requirements (the "Draft") for public comments, clarifying that industrial internet data refers to industrial internet data generated and collected in various industries and fields under the industrial internet model, including any data collected and generated in the process of R&D design, manufacturing, operation and management, operation and maintenance, platform operation, and so forth.
The "Draft" clarifies the process and specific requirements of industrial internet data security protection. It sets level-by-level enhanced security protection requirements for general, important, and core data based on the idea of graded protection, including the classification and grading methods and requirements of industrial internet data, graded protection requirements of the entire lifecycle of industrial internet data, the classification and grading requirements of other data processing activities and the management requirements of industrial internet data.
On January 13, 2023, 16 Departments including the MIIT, the CAC, the National Development and Reform Commission jointly issued the Guiding Opinions on Promoting the Development of the Data Security Industry (the Opinions), which aim to:
1) Promote the implementation of the Data Security Law and the work of the national data security coordination mechanism.
2) Clarify the tasks of data security industry development.
3) Create a healthy ecology for data security industry development.
The Opinions focus on the data security protection and the need for the development and utilization of data resources; specifically, it clarifies:
1) The overall requirements for promoting the development of the data security industry, including guidelines and basic principles, and two stages of industry development goals by 2025 and 2035.
2) The seven key tasks to promote the development of the data security industry.
3) The need to strengthen organizational coordination and policy support and optimize the industry development environment to ensure the implementation of the Opinions and effectively promote the healthy development of the industry.
On December 7, 2022, the State Administration for Market Regulations (SAMR) issued the Guidelines for Enforcement on Absolute Terms in Advertising for public comments (the "Guidelines"). The Guidelines aim to:
1) Further strengthen and standardize the supervision and enforcement activities against commercial advertising with absolute terms.
2) Maintain the order of the advertising
3) Protect the legitimate rights and interests of natural persons, legal persons and other organizations.
Based on the Advertising Law, the Guidelines provide more implementation details on the supervision and enforcement on absolute terms in advertising, mainly in terms of exceptions to absolute terms.
On January 6, 2023, the CAC, Zhejiang Office issued Guidelines for Declaration Materials of Security Assessment for Outbound Data Transfer (the "Guidelines"). The Guidelines are drafted on the basis of the Security Assessment Measures for Outbound Data Transfers and the Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition). The Guidelines aim to guide and help data handlers within Zhejiang Province to conduct the self-assessment work on the risks of the outbound data transfer and improve the completeness, accuracy and consistency of their declaration materials.
Part III - Enforcement Highlights
On December 12, 2022, the CAC kicked off nationwide campaign of "Purifying the Online Environment – Rectification of Chaos in the Field of Mobile Internet Applications," aiming at:
1) Regulating the management of mobile Internet application information services.
2) Deeply governing the chaos in applications such as APP, WeChat mini programs and fast applications.
3) Further solidifying the main responsibility of application distribution platforms.
In accordance with the requirements of the Administrative Provisions on Mobile Internet Applications Information Services, this campaign urges application distribution platforms to fulfill the responsibilities and rectify the problems in all links (including links of searching, downloading and installing, and operating and using).
On January 1, 2023, The Primary People's Court of Chongzhou City issued China's first Personal Safety Protection Order – "Protecting Women's Privacy and Personal Information" [(2023) Sichuan 0184 Civil Protection Order No. 1 Civil Ruling], prohibiting the respondent Li XX from continuing to disclose and disseminate the privacy and personal information of the applicant Chen. Article 29 of the Law of the People's Republic of China on the Protection of Rights and Interests of Women, which came into force on January 1, 2023, stipulated that it is prohibited to pester or harass women or to disclose or disseminate women's privacy or personal information on the excuse of a love relationship or making friends or after the termination of a love relationship or divorce, and a woman suffering from the said infringement or facing the real risk of the said infringement may apply to People's Court for a Personal Safety Protection Order.
Part IV – Court Judgments
On December 26, 2022, the Supreme People's Court issued the 35th batch of four guiding cases (No. 192 to No. 195), all of which are criminal cases against the infringement of citizens' personal information. This is the first time that the Supreme People's Court issued criminal guiding cases against personal information infringement. The types of personal information involved in the case include facial information, ID card information, social media account information, and mobile phone verification code information. The defendants in the four cases all committed the crime of infringement of citizens' personal information as stipulated in Article 253 of the Criminal Law, among which Case No. 192 and Case No. 195 were criminal cases with incidental civil public interests action.
On December 5, 2022, the Hangzhou Internet Court released a judgment regarding a dispute over the sale and purchase contract of information network in terms of the transaction of NFT digital collections. The plaintiff claimed more than 90,000 yuan for the defendant's forced refund of the "NFT digital collection blind box" he purchased. The court dismissed the plaintiff's claim because of a mistake in filling in his personal information. It is worth noting that the court held that the transaction object in the case was NFT digital collection, not NFT equity certificate, and NFT digital collections have the characteristics of property rights such as value, scarcity, controllability, and tradability. They also have the unique attributes of virtual network property, such as network virtuality. Therefore, they constitute virtual network property. The contract involved in the case does not violate the laws and regulations of China, nor does it violate the policy and regulatory guidelines of China that prevent economic and financial risks, and should be protected by the laws of China.
The case has certain guiding significance for the development of China's digital collection industry, playing an important guiding role for enterprises to operate the platforms, control the risks and for the judiciary to define the assets of digital collections. This judgment fills the judicial precedents gap in China's NFT digital collection industry and is a typical case with much reference value.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
