A. Regulatory Developments
On 24 February 2023, the Cyberspace Administration of China (the "CAC") issued the Measures for Standard Contract for Outbound Cross-border Transfer of Personal Data (the "Measures") and published the Standard Contract for the Outbound Cross-border Transfer of Personal Data (the "SCC"), which came into force on 1 June 2023. For any outbound transfer of personal data that already happened before the Measures came into force which is not in compliance with the Measures, relevant parties still have the grace period until 30 November 2023 to fulfil the record-filling requirement.
On 30 May 2023, one day before the Measures came into force, CAC released the first edition of the Guideline for Filing the Standard Contract for Outbound Cross-border Transfer of Personal Data (First Edition) (the "Guideline"), explaining the specific requirements for filing methods, filing procedures and filing materials.
On 2 June 2023, Beijing CAC issued the Beijing Filing Guideline for Standard Contract for Outbound Cross-border Transfer of Personal Data on its WeChat public account. The Beijing guideline is the first local guideline and applies to personal data processors located in Beijing.
On 7 June 2023, Shanghai CAC also issued a notice on its WeChat public account on details of the filing management, including consultation methods and filing summaries to guide and help personal data processors standardise and orderly conduct filing.
On 6 June 2023, CAC published the Regulation on the Administration of Short Distance Ad Hoc Network Data Services (Draft for Public Consultation), which was released to the public for comments until 7 July 2023. The regulation applies to the use of proximity ad hoc network data services within the territory of China. Proximity ad hoc network data service refers to the use of Bluetooth, Wi-Fi and other information technology to set up a network in close proximity and provide services for publishing and receiving data.
On 24 May 2023, the Central Government released the revised Regulation on the Administration of Commercial Cryptography, which became effective as of 1 July 2023. The revisions focus on the following aspects: improving the commercial cryptography management system, promoting the innovation and standardisation of commercial cryptography technology, improving the commercial cryptography testing and certification system, strengthening the use of cryptography in electronic authentication services and the management of electronic authentication services, standardising the management of the cross-border transfer of commercial cryptography, promoting the application of commercial cryptography, etc.
The Regulation on Administrative Law Enforcement Procedures for Cyberspace Administration came into force on 1 June 2023. This regulation sets out the general principles, jurisdiction, procedural rules for the administrative law enforcement actions taken by the cyberspace administration bureaus, covering case filing, investigation and evidence collection, hearing and enforcement, etc.
B. Enforcement Developments
On 21 May 2023, the Cybersecurity Review Office under CAC announced the results of its recent cybersecurity review of Micron's products sold in China. The review found that Micron's products had serious cybersecurity problems, which posed major security risks to China's critical information infrastructure supply chain and affected China's national security. The Cybersecurity Review Office concluded that Micron's products do not pass the cybersecurity review. In accordance with the Cybersecurity Law and other laws and regulations, operators of critical information infrastructure in China shall stop purchasing Micron's products.
On 8 May 2023, Hubei CAC sent a working group to the Douyu platform to carry out a one-month centralised rectification and supervision in view of serious ecological problems such as pornography and vulgarity on the platform.
On 6 June 2023, BCA interviewed Resconda Technology Development Co., Ltd. BCA emphasised the importance of cyberspace security, and requested that Resconda earnestly performs its cybersecurity responsibility, immediately rectifies relevant problems, and carries out a comprehensive self-inspection. It is also necessary for the company to establish a long-term mechanism to strengthen compliance awareness, establish smooth channels for reporting vulnerability, and regulate vulnerability discovery, reporting, patching, and disclosure activities.
On 25 June 2023, Beijing CAC announced on its WeChat public account that the standard contract for export of personal data signed between Beijing Deyixin Data Co., Ltd. and Hong Kong Novartis Integrity Limited became the first successful filed SCC with Beijing CAC with the filing number "????202300001". This filing case marks the first publicly announced successful SCC filing case under the Measures and the Guideline.
On 31 May 2023, SCA issued the Guidance on the Establishment of the Chief Data Officer System in the Telecommunications and Internet Industry in Shanghai (for Trial Implementation), aiming to establish a Chief Data Officer (CDO) system on a pilot basis and guide enterprises to build and activate data management capabilities. The guidance clarifies on how to establish an enterprise CDO system and specifies the responsibilities and capacity requirements of CDOs. It also requires enterprises with CDO systems to fill out the Enterprise Chief Data Officer Filing Form (for Trial Implementation) and file the same with SCA.
On 19 June 2023, Shanghai CAC and Shanghai Administration for Market Regulation conducted interview with Starbucks, Shake Shack and Simply Thai regarding concerns of excessive collection of personal data. The companies were requested to conduct self-examination and rectification for excessive collection of personal data, including frequent inducement to collect users' mobile phone numbers and accurate location, frequent pop-up to induce consumers to register membership and frequent inducement to follow official accounts. All three companies issued official statements on the following day, stating that they would immediately conduct self-inspection and commit to complete the necessary rectification. No administrative penalties have been reported as taken against the three companies at this stage.
C. Industry Developments
On 23 May 2023, CAC issued the Digital China Development Report (2022) (the "Report"). CAC, together with relevant parties, systematically summarised the main achievements in promoting the construction of Digital China in 2022, carried out regional evaluations of Digital China developments, and looked forward to the development of Digital China in 2023. According to the Report, China's network infrastructure and data resource system are undergoing comprehensive developments, Digital China construction is fully empowering economic and social developments, China's digital technology innovation capabilities are gradually strengthening, and the domestic and foreign development environments are constantly optimised.
Recently, CSAC and the National Computer Network Emergency Response Technology Coordination Centre conducted a test to assess the collection of personal information by various popular audio-visual apps. The test selected and examined 8 audio-visual apps from across 19 app stores, with the cumulative app download times of 100 million. The test factors included system permission requests, personal information uploads, and network traffic usage for uploads.
On 6 June 2023, Hubei Data Group, wholly owned by Hubei United Investment, was officially registered and established in Wuhan East Lake New Technology Development Zone. It marks a breakthrough step in Hubei Province's promotion of the reform of market-oriented allocation of data element.
On 9 June 2023, the official website of the Shanghai Data Exchange officially launched the "Digital Commerce Ecology" service platform. The service rights and interests provided by the Shanghai Data Exchange for certified digital commerce include four aspects: qualification certification, business empowerment, training support and market support.
On 13 June 2023, SSTC issued the Shanghai Action Plan for Breaking through Key Technologies of "Metaverse"(2023-2025) (the "Plan"), which puts forward the overall goals to be achieved in 2025 and the main breakthrough directions and elaborates specific action measures from seven major aspects. The plan addresses that it is necessary to take immersive technology and Web3 technology as the two main breakthrough directions and create a new highland in key technology fields such as immersive video, immersive computing, perceptual interaction and blockchain.
D. International Developments
Recently, the Federal Trade Commission (FTC) charged that the genetic testing firm 1Health.io left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected. As the Director of the FTC's Bureau of Consumer Protection said, "The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data." As part of a proposed settlement with the FTC, 1Health will be required to strengthen protections for genetic data and instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days.
On 14 June, the European Parliament adopted its negotiating position on the Artificial Intelligence (AI) Act, which would ensure that AI developed and used in Europe is fully in line with EU rights and values including human oversight, safety, privacy, transparency, non-discrimination and social and environmental wellbeing. The rules follow a risk-based approach and establish obligations for providers and those deploying AI systems depending on the level of risk the AI can generate. Lists of prohibited AI practices and high-risk AI are therefore included, and the Members of the European Parliament (MEPs) imposed obligations for general purpose AI like ChatGPT based on foundation models and added exemptions for research activities and AI components to boost AI innovation.
Recently, on behalf of FTC, the Department of Justice filed a complaint and stipulated order against Microsoft in the U.S. District Court for the Western District of Washington state. According to the complaint, Microsoft violated the Children's Online Privacy Protection Act (the "COPPA") by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents' consent, and by illegally retaining children's personal information. As part of the proposed order, Microsoft will pay $20 million as monetary penalty and take several steps to bolster privacy protections for child users, such as notifying video game publishers that the user is a child which will require the publishers to apply COPPA's protections to that child. The order will have the force of law when approved by the District Court judge.
On 6 June, Verizon released its highly anticipated 16th annual Data Breach Investigation Report (the "DBIR"), aiming to provide security professionals with an in-depth analysis of data-driven, real-world instances of cybercrime and how cyberattacks play out across different organisations. DBIR is created by analysing 16,312 incidents that occurred between 1 November 2021 and 31 October 2022, of which 5,199 were confirmed data breaches. According to this report, 74% of all breaches included human elements, 83% of breaches involved external actors and 95% of breaches were financially driven. The three primary ways in which attackers access an organisation are stolen credentials, phishing and exploitation of vulnerabilities.
On 22 May, following the European Data Protection Board (EDPB) binding dispute resolution decision of 13 April 2023, Meta Platforms Ireland Limited (Meta) was issued a 1.2 billion euro fine following an inquiry into its Facebook service, by the Irish Data Protection Authority (IE DPA). This fine, which is the largest General Data Protection Regulation (the "GDPR") fine ever, was imposed for Meta's transfers of personal data to the U.S. on the basis of standard contractual clauses since 16 July 2020. Furthermore, Meta has been ordered to bring processing operations into compliance with Chapter V of GDPR, by ceasing the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of GDPR, within 6 months after notification of the IE DPA's final decision.
On 30 June, the Sacramento County Superior Court granted the Chamber of Commerce's request for an injunction and pushed enforcement of the California Privacy Rights Act of 2020 (CPRA) regulations from 1 July to 29 March 2024. The court-ordered delay pertains only to CPRA rules, not the body of the CPRA statute. The California Privacy Protection Agency and the California Department of Justice can still bring enforcement actions on CPRA amendments to the California Consumer Privacy Act (CCPA) as of 1 July. CCPA established consumer data privacy rights for California residents. Two years later, CPRA was passed by ballot initiative, amending CCPA by establishing new requirements for the processing of consumer personal information and creating the California Privacy Protection Agency to implement and enforce the law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
