Our Observations: In the TMT sector, the promulgation of the Measures for Standard Contract for Cross-Border Transfers of Personal Information and its attachment (the "Standard Contract") is the most important piece of legislation in February 2023. Together with the Security Assessment and the Cross-Border Data Transfer Certification, the final "missing piece" to the cross-border data transfer laws is now complete. Corporations that do not (1) qualify as CIIO; (2) transfer important data or core data; (3) exceed the threshold of transferring 100,000 individuals' personal information; and (4) exceed the threshold of transferring 10,000 individuals' sensitive personal information can choose the Standard Contract for cross-border data transfer, provided that certain required materials have been recorded with the CAC at the provincial level. Other than the Standard Contract, enhancing the innovative capability of AI technology and overhauling the harmful functions of the applications are still the central issues keenly followed by relevant supervisory authorities during the last month.

PART I – REGULATIONS, POLICIES & JUDICIARY INTERPRETATIONS

1. CAC Issued Measures for Standard Contract for Cross-border Transfers of Personal Information

On February 24, CAC Issued Measures for Standard Contract for Cross-border Transfers of Personal Information, aiming to implement the Personal Information Protection Law, protect the rights and interests of personal information, and regulate cross-border transfers of personal information.

The Standard Contract, comprised of 13 articles, elaborates on the scope of application of the Standard Contract, required conditions before entering into the Standard Contract, record-filing requirements, and the superseding effect of the Standard Contract clauses over other supplement clauses, so as to provide specific guidelines for the cross-border transfer of personal information. The Measures will be implemented from June 1, 2023, and corporations plan to apply the Standard Contract shall rectify the non-compliant practices and complete the record-filling before December 1, 2023.

2. The Central Committee of CPC and the State Council Issued the Outline for Building a Country Strong on Quality

On February 6, 2023, the Central Committee of CPC and the State Council issued the Outline for Promoting High-Quality Development (the "Outline"), proposing that the essence of promoting development is to improve quality and efficiency, and to cultivate new advantages of economic development in technology, standards, brands, quality, services, and other core areas.

The outline specifies the six development goals by 2025 as follows:

  1. Improving the quality and efficiency of economic development;
  2. Enhancing the competitiveness of industries' quality;
  3. Improving the quality of products, projects and services;
  4. Making greater progress in brand construction;
  5. Making the quality infrastructure more modern and efficient; and
  6. Improving the quality governance system.

In addition to the principal goals, the Outline also stipulates that the PRC aims to:

  1. Accelerate the thorough application of big data, networks, artificial intelligence and other new technologies to promote the integration of modern service industries, advanced manufacturing industries and modern agriculture industries;
  2. Improve the quality and safety of agricultural products, food and drug;
  3. Promote the standardized and orderly development of new models such as online shopping and mobile payment, encourage the diversified integration of supermarkets, e-commerce platforms and other retail formats;
  4. Strengthen the quality supervision of goods sold through online platforms, and improve cross-regional and cross-industrial supervision and coordination mechanisms, and promote the integration of online and offline supervision.

3. The General Office of the State Council Issued the Guiding Opinions on Further Promoting Integrated Supervision across Departments

On February 17, 2023, the General Office of the State Council issued the Guiding Opinions on Further Promoting Integrated Supervision Across Departments (the "Guiding Opinions"), aiming to further strengthen integrated supervision across departments, maintain a fair and orderly market environment, and effectively reduce institutional transaction costs for market players.

The Guiding Opinions proposes the following measures:

  1. Promote the exchange and sharing of regulatory information, which means all local authorities and all departments shall strive to break down data barriers to support integrated supervision across departments through data exchange and sharing across departments, regions, and levels;
  2. Connect with the information databases of natural persons, legal persons, spatial geography, electronic certificates, public credit, and regulatory practices on the basis of the existing government data sharing and exchange platform;
  3. Require that regional government data shall be shared subject to the needs of cross-departmental business scenarios. And data backflow and exchange rules shall be specified to ensure an orderly data collection and the secure and efficient use of data; and
  4. Require that relevant departments should consider the business needs of cross-departmental integrated supervision of specific matters such as risk monitoring and collaborative law enforcement, to clarify the scope, method, procedures, time limits, frequency, and confidentiality requirements for information sharing.

4. The Shanghai Municipal People's Government Issued the Administrative Measures for the Information Infrastructure in Shanghai

On February 19, 2023, the Shanghai People's Government issued the Administrative Measures for the Information Infrastructure in Shanghai (the "Administrative Measures"), which will come into effect on March 1, 2023. The Measures consists of 30 articles, which regulate the planning, construction, maintenance, protection and supervision of information infrastructure activities, aiming to regulate and promote the construction and management of Shanghai's information infrastructure, ensure the security of information infrastructure, and promote the comprehensive digital transformation of economy, livelihood and governance. According to the Administrative Measures, information infrastructure includes equipment, lines and other supporting facilities that provide communication services, radio and television services, and information services such as data transfer, storage and computing for the public.

The Administrative Measures also includes special provisions for data centers, i.e., the city's economic and information technology department shall, in conjunction with the city's development and reform department, communications department and other departments, coordinate and promote the construction, transformation and upgrading of data centers, guide the construction of edge computing resource pool nodes and substations and other facilities, improve energy utilization efficiency, and promote the formation of a new type of data center with reasonable layout, advanced technology, green and low-carbon, and the scale of computing power commensurate with the growth of the digital economy.

5. The Hangzhou Data Resources Administration Bureau Issued the Implementation Plan for the Authorized Operation of Public Data in Hangzhou (for Trial Implementation) for Public Comments

On February 17, 2023, the Hangzhou Data Resources Administration Bureau issued the Implementation Plan for the Authorized Operation of Public Data Operation in Hangzhou (for Trial Implementation) for public comments (the "Draft"). The Draft stipulates four aspects, which are:

  1. general requirements;
  2. data scope;
  3. main tasks; and
  4. work guarantee.

The Draft is the first detailed implementation plan on the procedure of the authorized operation of public data within Zhejiang Province, which marks a significant milestone for releasing and enhancing the value of public data resources and promoting the circulation of data elements. The call for public comments will last until March 18, 2023.

6. The Development and Reform Commission of Shenzhen Municipality Issued the Interim Measures for the Management of Data Property Rights Registration in Shenzhen (Draft) for Public Comments

On February 20, 2023, the Development and Reform Commission of Shenzhen Municipality issued the Interim Measures for the Management of Data Property Rights Registration in Shenzhen for public comments (Draft) (the "Interim Measures"). The Interim Measures aims to regulate the registration of data property rights, protect the legitimate rights and interests of data elements market participants, and promote the open flow, development and utilization of data as elements of production.

The Interim Measures specifies that the registry shall use blockchain and other relevant technologies to save the registered information and properly preserve the original documents and other documents and materials of the registration. The retention period shall not be less than 30 years. The registry and its staff are legally obliged to keep confidential the data, documents and materials related to the data property registration. The Interim Measures also mentions that the regulatory authorities should strengthen the collection and sharing of registered data, and implement new regulatory methods such as off-site regulation, credit regulation and risk warning, so as to enhance the level of regulation.

PART II - PRACTICE GUIDANCE & ENFORCEMENT HIGHLIGHTS

1. IIT Announced 46 APPs (SDKs) with Infringement of Users' Rights and Interests

On February 8, 2023, the Ministry of Industry and Information Technology (MIIT) organized third-party inspection agencies to inspect mobile internet applications (APP) in the category of life services and third-party software development kit (SDK) according to the Personal Information Protection Law, Cybersecurity Law, Telecommunications Regulations, Provisions on the Protection of Personal Information of Telecommunications and Internet Users, and other laws and regulation. Harmful functions of 46 APP (SDK) were identified, involving infringement on users' rights and interests including:

  1. Illegal collection of personal information
  2. Illegal use of personal information
  3. Collection of personal information beyond the scope of necessity
  4. Forced collection of unnecessary personal information
  5. Insufficient disclosure and notification of personal information collection
  6. Insufficient disclosure and notification of APP information on the application distribution platform
  7. Illegal Internet pop-up information push service
  8. Deceiving, misleading and forcing users
  9. Forced, frequent, excessive requests for access by apps
  10. Illegal use of third-party services

2. MIIT Issued the Notice on Several Reform Measures for the Network Access Licensing System for Telecommunications Equipment

On February 6, 2023, MIIT issued the Notice on Several Reform Measures for the Network Access Licensing System for Telecommunications Equipment (the "MITT Notice"), and the relevant measures will be implemented from March 1 this year. The MITT Notice includes five reform measures, including:

  1. Adjusting supervision methods for some telecommunications equipment;
  2. Streamlining and optimizing network access license testing items;
  3. Announcing the time limit for network access license approval commitments;
  4. Extending the valid period of network access trial approvals; and
  5. Implementing family management of telecommunications equipment products.

3. SAMR Exposed Ten Cases regarding Illegal Advertising:

On February 3, 2023, the State Administration for Market Regulation (SAMR) promulgated the results of the special rectification actions carried out since 2022 for commercial marketing hype on the occasion of the 20th National Congress of the CPC and other illegal advertising that undermine national dignity, hinder social stability, obstruct public order and violate good morals of the society, and selected ten typical cases that have been handled to be exposed, including:

  1. Using the name of the 20th National Congress of the CPC, the centenary celebrations of the CPC and special dates for illegal promotion and hyping;
  2. Using the name or image of state agencies or staff of state agencies for marketing and publicity without authorization;
  3. Making gimmicks;
  4. Undermining national dignity;
  5. Violating good morals of the society.

4. Guangdong Communications Administration Plans to Carry Out Inspection of Network Data Security and Application Compliance for 2023

On February 13, 2023, Guangdong Communications Administration released the Notice on Carrying out 2023 Administrative Inspection on Network Data Security and Application Compliance in the Telecommunication and Internet Industries (the "Inspection Notice"). Guangdong has become the first province in China to carry out province-wide inspections of network data security and application compliance in 2023. The 2023 National Work Conference for Industry and Information Technology emphasized that the Industry and Information Technology Authority shall continue to take the whole-process and whole-chain governance of Apps, personal information protection, and the protection of user rights and interests as one of the key tasks in 2023.

Compared with its 2022 inspection requirements, Guangdong Province's regulatory inspection for 2023 will be implemented at a deeper level as follows:

  1. The range of objects and the contents for the inspection will become wider;
  2. The relevant enterprises will not be given a period for self-inspection and self-rectification; and
  3. The inspection work of the regulatory authorities will be arranged on a random basis.

Therefore, enterprises shall always effectively conduct self-inspection and compliance rectification, fulfilling the obligations of cybersecurity and data compliance.

5. MIIT Issued the List of Administrative Law Enforcement Matters of MIIT (2022 Edition)

On February 16, 2023, MIIT issued the List of Administrative Law Enforcement Matters of MIIT (2022 Edition) (the "List"), taking into account the revision of relevant laws and regulations and the administrative law enforcement activities according to the requirements of the Interim Implementation Plan for MIIT to Fully Implement the Administrative Law Enforcement Publicity System, the Record System of the Whole Process of Law Enforcement, and the Legal Review System for Significant Law Enforcement Decisions.

It should be noted that MIIT has added a total of 15 items (Articles 247-261) to the list of administrative law enforcement matters related to data security in combination with the provisions of the Data Security Law and the Security Assessment Measures for Outbound Data Transfers. The inclusion of such law enforcement matters reflects the implementation of MIIT's security supervision responsibilities as a competent department in the field of industry and information technology.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.