Legislation
Four Departments Jointly Issues Implementation Measures on Carrying out Network Security Service Certification
On March 28, 2023, State Administration for Market Regulation ("SAMR"), the Office of the Central Cyberspace Affairs Commission, Ministry of Industry and Information Technology ("MIIT"), the Ministry of Public Security ("MPS") put forward nine implementation measures for carrying out the network security service certification in accordance with the Cyber Security Law ("CSL") and Certification and Accreditation Regulations. 1
NISTC Issues First Batch of Recommended National Standards Plan for Cybersecurity for 2023
On March 24, the Standardization Administration of the People's Republic of China issued the first batch of recommended national standards plan for 2023, of which the National Information Security Standardization Technical Committee ("NISTC") would be responsible for a total of 26 standard projects, including Information Security Technology - Information Security Control, Information Security - Data Security Risk Assessment Measures, etc. 2
CAC Issues the Provisions on Administrative Enforcement Procedures of Cyberspace Administrations
On March 23, the Cyberspace Administration of China ("CAC") issued the Provisions on Administrative Enforcement Procedures of Cyberspace Administrations ("Provisions"), which will come into effect on June 1, 2023. The Provisions is a comprehensive revision of the Provisions on the Administrative Law Enforcement Procedures for Internet Information Content Management issued on May 2, 2017. The Provisions regulates the administrative law enforcement procedures of the cyberspace administrations and the implementation and supervision of administrative penalties, and is of great significance in regulating the administrative law enforcement behavior of the cyberspace administrations. 3
Certification Requirements for Cross-border Transfer of Personal Information Published for Soliciting Comments
On March 16, the NISTC issued the Information Security Technology – Certification Requirements for Cross-border Transmission of Personal Information (Draft for Comments). This standard applies to certification agency conducting personal information protection certification for personal information handlers' cross-border transfer of personal information, and organizations such as competent authorities and third-party assessment agencies supervising, managing and evaluating personal information handlers' cross-border transfer of personal information. 4
The State Council Information Office Releases a White Paper on Building China's Cyber Ruled by Law in New Era
On March 16, the State Council Information Office released a white paper on Building China's Cyber Ruled by Law in New Era. The white paper aims to comprehensively introduce the status of building China's cyber ruled by law and share the experience and practices of building China's cyber ruled by law. The white paper points out that the rule of law is the basic way of Internet governance. 5
CSRC Releases Measures for the Administration of Cybersecurity and Information Security in Securities and Futures Industries
On March 3, the China Securities Regulatory Commission ("CSRC") released the Measures for the Administration of Cybersecurity and Information Security in Securities and Futures Industries, which will come into effect on May 1 this year. The Measures cover a comprehensive range of subjects including critical information infrastructures operators for securities and futures, core institutions, operating institutions, information technology system service institutions, etc., with safety and security as the basic principle, and put forward regulatory requirements for network and information security management. 6
Data Regulations of Suzhou and Xiamen Came Into Effect on March 1
On March 1, the Suzhou Data Regulations and the Xiamen Special Economic Zone Data Regulations came into force. The Suzhou Data Regulations is currently the only comprehensive local regulation covering public data, enterprise data and personal data in China. The Xiamen Special Economic Zone Data Regulations is the first municipal-level data regulation in China, which can enhance and guarantee the data governance capability of Xiamen and help to generate new data-related industries and business models. 7
Four Departments Jointly Issue New Rules on Confidentiality and File Management For Overseas-Listed Enterprises, Clarifying the Responsibility For Information Security of Listed Companies
On February 24, in order to further strengthen the confidentiality and file management related to overseas issuance and listing of domestic enterprises, clarify the responsibility for information security of listed companies, maintain national information security and deepen cross-border regulatory cooperation, the CSRC, together with the Ministry of Finance, the National Administration of State Secrets Protection and the National Archives Administration of China, issued the Provisions on Strengthening the Confidentiality and Archives Administration Concerning the Overseas Securities Issuing and Listing by Domestic Enterprises, amending the previous Provisions on Strengthening the Confidentiality and Archives Administration Concerning the Overseas Securities Issuing and Listing, and shall come into effect on March 31, 2023. 8
Enforcement Authority
NDRC Director Meets with Apple CEO, Proposes to Strengthen Data Security and Personal Privacy Protection
On March 27, 2023, Zheng Zhajie, director of the National Development and Reform Commission ("NDRC"), met with Apple CEO Tim Cook. Director Zheng Zhajie expressed the hope that Apple would continue to actively undertake corporate social responsibility and strengthen data security and personal privacy protection. Cook introduced Apple's investment and development in China. The two sides exchanged views on topics such as the prospects of the Chinese market and the stabilization of the industrial and supply chains. 9
MCT: Take Practical Measures to Avoid Infringement of Travelers' Rights and Interests Such as Big Data Killing
On March 24, the Ministry of Culture and Tourism ("MCT") issued the Opinions of the MCT on Promoting the High-Quality Development of the Online Tourism Market, which requires online tourism platform operators to strengthen the protection of tourists' personal sensitive information and take practical measures to avoid infringement of tourists' rights and interests such as discrimination through big data, false propaganda and false booking. 10
Shanghai CA Held Interviews with Catering Companies for "Extortion" of Personal Information and Warned Consumers of Risks
On March 15, in response to the behaviors that some catering companies force the users to provide mobile phone numbers and accurate location via WeChat ordering applets, the Shanghai Cyberspace Administration ("Shanghai CA"), together with the Shanghai Administration for Market Regulation and the Shanghai Consumer Protection Commission, carried out joint interviews with catering enterprises with serious problems and ordered them to rectify within a time limit, and warned consumers of eight types of violations of personal information rights and interests. 11
CAC Deploys A Special Action to "Clear and Strictly Rectify the 'We Media' Chaos"
On March 10, the CAC organized a video conference on the national cybersecurity system, and deployed a special action to "clear and strictly rectify the 'We Media' chaos". The meeting emphasized that to explore the use of economic means to strengthen the supervision of "We Media" and maintain good order in the dissemination of online information content. 12
Shanghai CA: More Than 270 Pieces of Application Materials for Data Export Security Assessment Received
On March 6, the Shanghai CA stated that as of March 6, 2023, the Shanghai CA has answered more than 2,000 consultation calls and received more than 270 pieces of formal application materials. On the same day, Shanghai held the lectures on data export security assessment policies to guide Shanghai data handlers to declare data export security assessment. 13
China Consumers Association Report: Significant Improvement in the Protection of Personal Information of Consumers in China by 2022
On March 10, the China Consumers Association released a report on personal information protection of consumers in 2022. The report points out that the protection of consumers' personal information in China in 2022 has been significantly improved in the areas of legislative, judicial and administrative law enforcement, and social governance has also played an important role. 14
Shanghai Launches Special Action on Telecom and Internet Data Compliance Circulation and Utilization
On March 7, the Shanghai Communications Administration organized the "Pujiang Escort" 2023 Shanghai Telecom and Internet Industry Data Security Special Action Launch Meeting, and proposed specific requirements and guidelines for key telecom and Internet enterprises in Shanghai to enhance their data security protection capabilities and management levels. 15
China Establishes National Data Bureau, Under the Management of NDRC
On March 7, according to the motion on the institutional reform of the State Council submitted for consideration, the National Data Bureau will be formed under the management of the NDRC, which is responsible for: (1) coordinating and promoting the construction of data basic system; (2) coordinating the integration, sharing, development and utilization of data resources; (3) coordinating and promoting the planning and construction of digital China, digital economy and digital society, etc. 16
"Data Protection and Data Cross-Border Service Platform" Released in Guangzhou
On March 3, the "Data Protection and Data Cross-border Service Platform" was officially launched in Nansha, Guangzhou. The platform will build and open services such as personal information protection impact assessment, data export self-assessment, APP compliance self-examination, etc., to help enterprises build an effective path for data cross-border security compliance, and is expected to officially serve the public in the middle of this year. 17
Suzhou City's Data Export Security Assessment Filing Platform Launched
On March 2, Suzhou Municipal CA launched the Suzhou data export security assessment filing platform on the "Sushangtong" website and mobile APP, opening a convenient channel for enterprises to "one-stop" noitification of data export security assessment, providing five types of services including guidance, putting notification on record, objection against notification, consultation on notification, and policy dynamics. 18
Wuxi City: First Batch of Personal Data Re. Epidemic Destroyed
On March 2, Wuxi City held a ceremony for the destruction of personal data related to the epidemic, with the first batch of 1 billion pieces of data destroyed. To ensure that the data were completely destroyed and irreversible, a third-party audit and notary office were invited to participate in the work. 19
Beijing CA Holds Review and Guidance Meeting for Annual Report on Auto Data Security Management, Urging Car Companies to Rectify Within Time Limit
Recently, the Beijing CA held a review and guidance meeting for the annual report of automobile data security management to further understand the data processing activities of automobile enterprises, supervise targeted rectification, and promote the reasonable development and utilization of automotive data. The Beijing CA has organized the annual report of auto data security management within Beijing since November 2022, and has received a total of 33 reports from 30 auto enterprises, including Mercedes-Benz, BMW, Audi, Baidu and Drip, etc. 20
Enforcement Cases
Sichuan and Chongqing Communications Administration Notifies 19 APPs Infringing Users Rights and Interests
On March 27, 2023, in accordance with the Personal Information Protection Law of the People's Republic of China ("PIPL"), the CSL, the Telecommunications Regulations, the Provisions on Protetion of Telecommunications and Internet Users' Personal Information, and Notice by the Ministry of Industry and Information Technology of Launching a Special Campaign to Further Crack Down on APP Infringements on Users' Rights and Interests, etc., the Sichuan and Chongqing Communications Administration organized third-party testing agencies to inspect mobile Internet applications (APPs) in mainstream application stores in Sichuan and Chongqing. Up to now, there are still 19 APPs (applets) that have not completed the rectification as required. 21
MIIT Notified 55 Apps (SDKs) That Illegally Collect and Transmit Personal Information
On March 21, MIIT notified the inspection results of mobile Internet applications (APPs) and third-party software development kits (SDKs) for life services, leisure and entertainment, utilities, etc. A total of 55 APPs (SDKs) were found to have infringed on users' rights and interests, and were required to rectify according to the regulations. 22
China's First On-Market Transaction of Industrial Data Tools Landed in Shenzhen Data Exchange
Recently, Shenzhen Data Exchange, China Academy of Information and Communications Technology, Sichuan Changhong Electronics Holding Group Co., Ltd., and Shenzhen Shuxin Technology Co., Ltd., reached the first on-market data business cooperation based on dataspace technology through the application of trusted dataspaces technology, which marks the official realization of domestic commercialization of trusted dataspaces technology. 23
MPS Announced 8 Typical Cases of Cracking Down on Crimes of Infringing Citizens' Personal Information
On March 15, MPS announced 8 typical cases of combating crimes against citizens' personal information. The network security departments of the national public security organs have been continuously cracking down on crimes against citizens' personal information, solving a number of major cases and vigorously maintaining the security of cyberspace and social public security. 24
Changsha's First Fine for Violating the Data Security Law: Failure to Formulate Data Security Management System and Carry Out Filing of Graded Protection
On March 6, a company in Changsha was sentenced to an administrative warning and a fine of CNY 50,000 for failing to develop a data security management system and carry out the filing of graded protection, in serious violation of the provisions of Articles 27 and 29 of the Data Security Law. 25
Shanghai Explores Assetization of Data Trading, and First Data Trading Chain in China Launched
On March 3, the National Engineering Laboratory of Big Data Circulation and Trading Technology and Shanghai Data Exchange officially launched the construction of the first data trading chain in China, which is also a new generation of infrastructure construction project in the field of data circulation and trading in China. 26
MIIT Releases Typical Cases of Important Data & Core Data Identification and Data Export Security Management
On February 27, the General Office of the MIIT announced 29 typical pilot cases of data security management in the industrial field, including cases of the identification of important data and core data, and data export security management. 27
Courts Litigation
The Supreme People's Procuratorate Releases Typical Cases of Prosecutorial Public Interest Litigation on Personal Information Protection
On March 30, 2023, the Supreme People's Procuratorate released a batch of typical cases of personal information protection procuratorial public interest litigation, including 1 civil public interest litigation case, 4 administrative public interest litigation pre-litigation supervision cases, and 3 criminal incidental civil public interest litigation cases. 28
Supermarkets Use Facial Recognition to Prevent Thieves Without Consent, Shanghai Putuo District Procuratorate Issues Pre-Litigation Suggestion
Since the end of 2022, several markets have installed cameras that can collect facial information to "tag thieves", allegedly infringing on consumers' personal information. Recently, the public interest prosecution department of Shanghai Putuo District Procuratorate issued a pre-litigation procuratorial suggestion on public interest litigation to the relevant units and companies, suggesting the relevant departments to deal with the illegal act of improper collection and storage of sensitive personal information. 29
Strictly Punish Crimes of Infringing Citizens' Personal Information, More Than 9,300 People Prosecuted in 2022
On March 2, the Supreme People's Procuratorate issued an announcement stating that more than 9,300 people were prosecuted for crimes against citizens' personal information in 2022. At present, crimes of infringement of citizens' personal information continue to be high, and the procuratorate will cooperate with relevant departments to further strengthen law enforcement. 30
Footnotes
1. https://www.miit.gov.cn/jgsj/waj/gzdt/art/2023/art_f61bbcddc170426ab4e34c46526cc7a1.html
2. https://www.tc260.org.cn/front/postDetail.html?id=20230324115102
3. https://mp.weixin.qq.com/s/_QtXvwbRgxV-Mk9dk3Q9xg
4. https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20230316143506&norm_id=20221102152946&recode_id=50381
5. http://www.scio.gov.cn/zfbps/32832/Document/1738207/1738207.htm
6. http://www.csrc.gov.cn/csrc/c101953/c7202800/content.shtml
7. https://www.01caijing.com/article/332778.htm
8. http://www.csrc.gov.cn/csrc/c101954/c7162474/content.shtml
9. https://mp.weixin.qq.com/s/HlVmKQAeh99EzRVfUZoakw
10. https://zwgk.mct.gov.cn/zfxxgkml/zcfg/gfxwj/202303/t20230327_940941.html
11. https://mp.weixin.qq.com/s/TrusvZcsNzieGpyb3p2qfQ
12. https://mp.weixin.qq.com/s/t0ffvKXEy328rYOW1zNLpw
13. https://mp.weixin.qq.com/s/LfYPBxxQIsgpuoshmY53yg
14. https://www.cca.cn/xxgz/detail/30617.html
15. https://mp.weixin.qq.com/s/t15seGiLQE2CQCeLrdmY-A
16. http://www.news.cn/politics/2023lh/2023-03/08/c_1129420084.htm
17. https://news.ifeng.com/c/8NrPsCztVcJ
18. https://mp.weixin.qq.com/s/Cqr-X64C3ffGqMPxB7Enhw
19. https://mp.weixin.qq.com/s/8MdHEAudW6C2gOsZ575Dkg
20. https://mp.weixin.qq.com/s/9bKVYazAYww5gKPIj6deuQ
21. https://scca.miit.gov.cn/zwgk/wlaqgl/art/2023/art_0fd61ea24aa3418d82d5ae0c1cfd2e49.html
22. https://mp.weixin.qq.com/s/GAJqX0cNLu3KwWBkJ7KdWw
23. https://www.stcn.com/article/detail/819762.html
24. https://www.mps.gov.cn/n2254098/n4904352/c8922483/content.html
25. https://baijiahao.baidu.com/s?id=1759903338940001899
26. https://baijiahao.baidu.com/s?id=1759783086213319683&wfr=spider&for=pc&sa=vs_ob_realtime
27. https://www.miit.gov.cn/jgsj/waj/wjfb/art/2023/art_b0ac4edb14b64b438d59b530547a7316.html
28. https://www.spp.gov.cn/spp/xwfbh/wsfbt/202303/t20230330_609756.shtml?spm=C73544894212.P99766666351.0.0#3
29. https://www.163.com/dy/article/I0E3KP9U0514QU8E.html
30. https://mp.weixin.qq.com/s/LaTnhVYB31JBPVV8DzPXvA
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.