Our Observations: In May 2023, China's TMT sector saw several legal developments that reflect a sustained focus on cybersecurity, consumer protection, and personal information protection. Most notably, the Cybersecurity Review Office's announcement that Micron Technology's products had failed the Cybersecurity Review signals heightened vigilance over supply-chain risks to China's Critical Information Infrastructure. The CAC's Guidelines for the Record-Filing of Standard Contracts for the Outbound Transfer of Personal Information set out, for the first time, exactly what enterprises must prepare and submit when relying on the Standard Contract. The release of GB/T 42574-2023 by the SAMR and the SAC gives personal information processors concrete, scenario-based guidance on implementing the "notification and consent" rule for personal information collection. Taken together, these developments convey a clear message: China intends to keep tightening cybersecurity requirements, strengthening personal information protection, and policing commercial practices in its evolving TMT sector.
Part I - Regulations, Policies & Judiciary Interpretations
- The State Council Issued the Regulations on the Administration of Commercial Cryptography
On May 24, 2023, the State Council issued the revised Regulations on the Administration of Commercial Cryptography (the "SC Regulations"), which take effect on July 1, 2023. The term "commercial cryptography" (商用密码) covers cryptographic technologies, products and services used outside state-secret contexts; it is sometimes mistranslated as "commercial password". The SC Regulations cover technological innovation and standardization, testing and certification, electronic certification (CA) services, import and export, application promotion, and supervision and administration, among other areas.
The SC Regulations require network operators to use commercial cryptography to protect network security in line with the requirements of the national multi-level protection scheme for cybersecurity (the "classified protection" system). The National Cryptography Administration is responsible for overseeing commercial cryptography nationwide, while the Cyberspace Administration of China, the Ministry of Commerce, the General Administration of Customs, and the State Administration for Market Regulation administer commercial cryptography matters within their respective remits.
The SC Regulations place heavier obligations on critical information infrastructure operators. They must protect their infrastructure with commercial cryptography, draw up plans for its application, and allocate the funding and professional staff needed to plan, build, and operate a commercial cryptography protection system in step with the infrastructure itself. They must also conduct a security assessment of the commercial cryptography application, either themselves or by engaging a commercial cryptography testing institution. A system may only go live after passing that assessment, and it must be reassessed at least once a year thereafter.
- The CAC Issued the Announcement on the Matters Regarding Adjustment of the Security Administration of Specialized Cybersecurity Products
Recently, the Cyberspace Administration of China (CAC) issued the Announcement on Matters Regarding the Adjustment of the Security Administration of Specialized Cybersecurity Products (the "CAC Announcement"). The Cybersecurity Law requires that network critical equipment and specialized cybersecurity products comply with mandatory national standards and pass security certification or security testing by a qualified institution before they may be sold or provided. Under the CAC Announcement, a specialized cybersecurity product listed in the Catalogue of Network Critical Equipment and Specialized Cybersecurity Products may be sold or provided only if either of the following conditions is met:
- the product complies with the applicable mandatory national standards, such as Information Security Technology - Security Technical Requirements for Specialized Cybersecurity Products, and has passed security certification or security testing by a qualified institution; or
- the product previously obtained a "Sales License for Computer Information System Security Specialized Products" that remains valid.
The CAC Announcement further clarifies that, from July 1, 2023, security certification and security testing carry equivalent market-access effect: a product that has passed either one may be sold or provided, and manufacturers need not apply for both.
- The MOT Issued the Administrative Measures for the Security Protection of Critical Information Infrastructure for Highways and Waterways
Recently, the Ministry of Transport (MOT) issued the Administrative Measures for the Security Protection of Critical Information Infrastructure for Highways and Waterways (the "MOT Measures"), which take effect on June 1, 2023. The MOT Measures set out the rules for identifying critical information infrastructure in the highway and waterway sector, the obligations of its operators, and the protection and supervision requirements that apply. Under the MOT Measures, identification is to consider three factors:
- the importance of the network facilities and information systems to the key core businesses of highways and waterways;
- whether the network facilities and information systems store or process core national data, and the harm that could result if they were damaged, lost functionality, or leaked data; and
- their relevance to other industries and fields.
Compared with the earlier draft for comment, the final MOT Measures remove the section on the "determination of important data" and narrow the supervisory duties of local departments.
- The SAMR and Ten Other Departments Jointly Issued the Guidance Opinions on Further Strengthening the Supervision of the Medical Aesthetics Industry
Recently, eleven departments, including the State Administration for Market Regulation, the National Health Commission, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Medical Products Administration, jointly issued the Guidance Opinions on Further Strengthening the Supervision of the Medical Aesthetics Industry (the "Guidance Opinions").
The Guidance Opinions confirm that medical aesthetic services are medical activities, and that supervision will focus on tightening market-entity registration and the qualification review of medical aesthetic institutions. In adjacent fields, the Guidance Opinions call for closer supervision of "guide-shopping" (referral) activities in the medical aesthetics industry, medical aesthetics training, and the lifestyle beauty industry. They strictly prohibit persons without the corresponding medical qualifications or medical knowledge from providing medical aesthetic diagnosis and treatment consultations or medical guidance services, or from publishing professional medical content, whether online or offline.
Part II - Sectorial Standards & Practice Guidance
- The CAC Has Issued the Guidelines for the Record-Filing of Standard Contracts for the Outbound Transfer of Personal Information (First Edition)
To guide personal information processors through the record-filing of standard contracts for the outbound transfer of personal information in a systematic way, the Cyberspace Administration of China issued the Guidelines for the Record-Filing of Standard Contracts for the Outbound Transfer of Personal Information (First Edition) (the "Record-Filing Guidelines") on May 30, 2023. The Record-Filing Guidelines set out the filing method, the filing process, and the materials to be submitted.
A personal information processor that intends to transfer personal information to an overseas recipient on the basis of the Standard Contract should follow the Record-Filing Guidelines and the Measures for the Standard Contract for the Outbound Transfer of Personal Information, and make its filing with the provincial-level cyberspace administration.
The Record-Filing Guidelines also give businesses a concrete template for the personal information protection impact assessment ("PIA") report that must accompany the filing. The report consists of a summary of the self-assessment, an overview of the proposed outbound transfer, an impact assessment of that transfer, and the assessment conclusions. The required content closely parallels the self-assessment report required for a security assessment under the Guidelines for Self-Assessment of Outbound Data Transfer, so processors that have prepared one should be able to reuse much of the work for the other.
- The SAMR and the SAC have Jointly Issued the Information Security Technology - Implementation Guidelines for Notification and Consent in Personal Information Processing (GB/T 42574-2023).
On May 23, 2023, the State Administration for Market Regulation and the Standardization Administration of China jointly issued the recommended national standard Information Security Technology - Implementation Guidelines for Notification and Consent in Personal Information Processing ("GB/T 42574-2023"). GB/T 42574-2023 addresses the practical questions that arise when giving notice and obtaining consent during personal information processing and lays out a clear path for implementation. It takes effect on December 1, 2023.
GB/T 42574-2023 refines the implementation of notification and consent by proposing specific principles, methods, and steps, making it an essential compliance reference for personal information processors. It also recommends implementation methods for notification and consent in 13 specific scenarios, giving scenario-based guidance rather than abstract rules. GB/T 42574-2023 distinguishes three forms of notification: general notification, enhanced notification, and prompt notice. A personal information processor may combine one or more of these forms according to the characteristics of its product or service functions.
- The NISSTC Solicits Public Comments on the Cybersecurity Standards Practice Guide - Security Requirements for the Protection of Personal Information in Facial Recognition Payment Scenarios
Recently, the National Information Security Standardization Technical Committee (TC260) released the Cybersecurity Standards Practice Guide - Security Requirements for the Protection of Personal Information in Facial Recognition Payment Scenarios (Draft for Public Comment) (the "Guide").
The Guide is tailored to facial recognition payment and sets out personal information protection requirements for each of the parties involved in such a payment. Among the points it stresses: facial data may not be used for any purpose beyond the immediate transaction; the system may not provide any function for exporting facial data; and the system must be able to determine the security status of the operating environment before proceeding.
The Guide also draws clear boundaries around when facial data collection may start and when it must stop:
(1) Commencement: collection may begin only after an explicit user action, such as a manual click.
(2) Termination: collection must stop as soon as facial recognition completes, or one minute after collection began, whichever comes first.
Part III - Enforcement Highlights
- Micron Failed the Cybersecurity Review
On May 21, 2023, the Cybersecurity Review Office announced that products sold by Micron Technology in China had failed the Cybersecurity Review. According to the announcement, the review found serious cybersecurity problems in Micron's products that pose a major security risk to the supply chain of China's Critical Information Infrastructure and threaten national security.
As a consequence, and pursuant to the Cybersecurity Law and related regulations, Critical Information Infrastructure Operators must stop procuring products from Micron Technology. The announcement described the review of Micron's products as a necessary measure to guard against cybersecurity risks to the nation's Critical Information Infrastructure and to safeguard national security. It added that China remains committed to high-level opening up and welcomes companies, platforms, products, and services from all countries into the Chinese market, provided they comply with the laws and regulations of the People's Republic of China.
- The CAC Conducted a Special Enforcement Action to Regulate False News
Recently, the Cyberspace Administration of China (CAC) conducted a Special Campaign to Cleanse Cyberspace (the "Campaign") aimed at rooting out information that disrupts the order of online communication, including unauthorized news gathering and editing, unauthorized reproduction of online content, and the fabrication of false news. The Campaign also targets improper accounts, such as those impersonating news anchors. To date, it has resulted in the removal of approximately 107,000 accounts impersonating news organizations and anchors and around 835,000 pieces of fabricated news, and typical violating accounts and behaviors have been publicized on the platforms concerned.
During the Campaign, the CAC has directed online platforms to issue dedicated announcements, continuously display the violating accounts, and set up dedicated reporting channels. These measures are intended to keep reminding online content producers to operate within the law, and in particular not to impersonate news organizations or anchors and not to publish false news.
Part IV - Court Judgments
- Next of Kin Do Not Have the Right to Directly Log into the Deceased's Account to Review or Duplicate Personal Information
The Beijing Internet Court recently published a decision on the protection of a deceased person's personal information. The court held that, although the next of kin have a right to access the deceased's personal information, that right does not extend to logging directly into the deceased's account. The reasoning is that the account may contain private information the deceased would not have wished to disclose, as well as personal information of third parties.
Accordingly, to protect the deceased's rights in their personal information, the next of kin may not log into the deceased's account directly to review or copy its contents. The court further held that, alongside protecting the deceased's personal information, the relevant personal information processor is obligated to provide the next of kin with reasonable alternative means of exercising their rights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.