China: China Monthly Data Protection Update - December 2022

LEGISLATION

Standing Committee of Beijing Municipal People's Congress Passes Beijing Digital Economy Promotion Regulations

On November 25, 2022, the forty-fifth meeting of the Standing Committee of the 15th Beijing Municipal People's Congress passed the Beijing Digital Economy Promotion Regulations ("Regulations"), which comes into effect on January 1, 2023. The Regulations stipulates rules of data collection, utilization, opening, and transactions, etc., and will establish a data catalog and pricing mechanism.¹

NISTC Solicits Comments on National Standard Information Security Technology - Framework for Cybersecurity Emergency System of Critical Information Infrastructure (Draft for Comments)

On November 17, the National Information Security Standardization Technical Committee ("NISTC") issued the Information Security Technology - Framework for Cybersecurity Emergency System of Critical Information Infrastructure (Draft for Comments) ("Framework") to solicit public opinion. The Framework is applicable for critical information infrastructure operators to establish a sound cybersecurity emergency response system and carry out cybersecurity emergency response activity. The content includes organization establishment, analysis and recognition, emergency plan, monitoring and warning, emergency handling, post-event recovery and summary, incident reporting and information sharing, emergency protection, and drills and training.²

CAC Issues Newly Revised Provisions on the Management of Internet Comment Threading Services

On November 16, the Cyberspace Administration of China ("CAC") issued the newly revised Provisions on the Management of Internet Comment Threading Services ("Provisions"), which comes into effect on December 15, 2022. The Provisions consists of 16 articles, focusing on the management responsibilities of comment threading service providers as well as the relevant requirements that comment threading service users and public account operators should comply with.³

Shenzhen Administration for Market Regulation Issues Requirements for Public Data Security

On November 14, Shenzhen Administration for Market Regulation approved and issued three Shenzhen local standards, including the Requirements for Public Data Security ("Requirements") and its official interpretation. The Requirements came into effect on December 1, 2022. It's the first local standard in the field of public data security.⁴

NISTC Solicits Comments on Cybersecurity Standard Practice Guide - Security Certification Regulations on Personal Information Cross-border Process (V2.0-Draft for Comments )

On November 8, the NISTC issued the Cybersecurity Standard Practice Guide - Security Certification Regulations on Personal Information Cross-border Process (V2.0-Draft for Comments). The draft improves the requirements for the foreign recipients in terms of fundamental principles, legal agreements, and responsibilities and obligations.⁵

National Standard Information Security Technology - Cybersecurity Requirements for Critical Information Infrastructure Protection (GB/T 39204-2022) Published

On November 7, Standard and Technology Department of SAMR, Cybersecurity Coordination Department of CAC and Cybersecurity Protection Department of Ministry of Public Security jointly held a press briefing in Beijing to issue the National Standard Information Security Technology - Cybersecurity Requirements for Critical Information Infrastructure Protection (GB/T 39204-2022). The standard put forward three fundamental principles, six aspects of activities, and 111 pieces of security requirements for critical information infrastructure security protection.⁶

CAC and SAMR Jointly Issues Personal Information Protection Certification Implementation Rules

On November 4, in order to regulate personal information processing and promote the reasonable use of personal information, CAC and SAMR decided to implement personal information protection certification and encourage personal information handlers to improve their personal information protection capabilities through certification. Certification agencies engaged in personal information protection certification shall carry out relevant certification activities upon approval and make certification in accordance with the Personal Information Protection Certification Implementation Rules.⁷

MIIT Solicits Comments on Notice on Carrying out the Pilot Program on Intelligent Connected Vehicle Access and Driving (Draft for Comments)

On November 2, Ministry of Industry and Information Technology ("MIIT") issued the Notice on Carrying out the Pilot Program on Intelligent Connected Vehicle Access and Drive (Draft for Comments). It puts forward the requirements of management capabilities for cybersecurity and data security of vehicles at four levels: pilot cities, pilot vehicle manufacturers, pilot products, and pilot users. It emphasized that intelligent connected vehicle manufacturers should have data security protection capabilities.⁸

Click here to continue reading . . .

Footnotes

1. https://www.bjnews.com.cn/detail/166938081914483.html

2. https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20221117111713&norm_id=20201104200013&recode_id=49437

3. https://mp.weixin.qq.com/s/9Nu9OitcAGbXlLpKNPFzvA?scene=25#wechat_redirect

4. http://amr.sz.gov.cn/xxgk/qt/tzgg/bzh/content/post_10242457.html

5. https://www.tc260.org.cn/front/postDetail.html?id=20221108180519

6. https://mp.weixin.qq.com/s/7G_agdnbtbjVLcjkVaAk_A?scene=25#wechat_redirect

7. https://mp.weixin.qq.com/s/n2vtPj6_XC2Uy0HfE_BFmQ

8. https://www.miit.gov.cn/gzcy/yjzj/art/2022/art_4ae46de7edee4a72adb611b3c67b9d6e.html

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.