China - Cybersecurity And Data Protection: Monthly Update – April 2020 Issue


24 April 2020

 

Introduction
 

This e-bulletin summarises the latest developments in cybersecurity and data protection in China. We will focus on four areas: regulatory, enforcement, industry and international developments.

 

Our highlights

 

The revised Personal Information Security Specification was released in March after three rounds of public consultation. The updated draft has made a number of important changes and will continue to serve as a non-mandatory good practice guide for data protection, which all network operators in China are recommended to adhere to. Two draft standards on data processing by mobile applications were released for consultation. One is a guide for mobile application developers or operators to self-evaluate their apps for data protection compliance, which is an update on the version that was released last March. The other is a new guide for mobile application developers or operators to deal with common data protection problems that have been discovered recently. Companies that operate mobile applications should watch out for the development of these two guides.

 

Regulatory developments

 

1. New personal information security specification released

 

On 6 March 2020, the State Administration for Market Regulation and the Standardisation Administration of China issued new specifications on personal information security in information security technology which will take effect from 1 October 2020. Compared to the standards issued in 2017, the main changes include the addition of user’s right to choose from multiple business functions, adding restrictions on the use of user profiles and adding personalised displays, as well as converging personal information collected for various business purposes. The new specifications also contain new provisions on managing third-party access, personal information security engineering and recording personal information processing activities. They provide for exceptions to obtaining authorised consent, and include provisions on account suspensions by data subjects and responding to data subjects’ requests. The new specifications also clarify the responsible departments and personnel and the requirements for conducting personal information security impact assessments. They also refine the requirements for personal biometric data.

 

2. Consultation on cybersecurity standards practice guide for protecting security of remote working

 

On 13 March 2020, the National Information Security Standardisation Technical Committee issued a draft consultation paper on the cybersecurity standards practice guide for protecting remote working security. The consultation paper lists typical scenarios for remote working, such as online meetings, instant messaging, document collaboration, and the creation of a collaborative office. The consultation paper also analyses the risks associated with remote working in terms of the office security system, data security, equipment security and personal information protection. It recommends security control measures and offers guidance on secure remote working.

 

3. Consultation on self-assessment guide for the collection and use of personal information by mobile internet applications

 

On 19 March 2020, the National Information Security Standardisation Technical Committee issued a consultation paper relating to the draft self-assessment guide for the collection and use of personal information by mobile internet applications. The draft summarises the assessment criteria to evaluate an app’s collection and use of personal information, based on relevant law, regulations and national standards. These include whether the rules on the collection and use of personal information have been published; whether there is an express statement on the purpose, methods and scope for collecting and using the personal information; and whether user consent for collecting and using personal information has been obtained. Other criteria include whether the personal information collected is directly related to the services provided in accordance with the principle of necessity; whether personal information has been provided to others without the users’ consent; whether there is a function for deleting or correcting personal information; and whether information for filing complaints or reports has been published.

 

4. Consultation on draft guidelines on the security and protection of personal information on mobile internet applications

 

On 30 March 2020, the National Information Security Standardisation Technical Committee issued a consultation paper on draft guidelines on the security and protection of personal information on mobile internet applications. Based on statistical data from relevant assessment tools and issues identified during the prevention and control of COVID-19, the draft guidelines highlight common compliance issues for apps in respect of personal information protection. These include the failure to collect personal information that is within scope, the lack of a deregistration function or setting unreasonable conditions for deregistration, as well as compulsory bundled consent. The consultation paper proposes preventive strategies for the issues identified.

 

5. New opinions on implementing the testing and authentication of commercial encryption

 

On 31 March 2020, the State Administration for Market Regulation and the State Cryptography Administration issued new opinions on implementing the testing and authentication of commercial encryption. These set out the principles and mechanisms for the testing and authentication of commercial encryption, specifying the issuer of the commercial password for the authentication catalogue and authentication rules, and establishing a technical committee for commercial encryption authentication. The opinions set out a number of requirements on the implementation of authentication, covering (i) the qualification of commercial encryption authentication agencies; (ii) the relationship between commercial encryption authentication agencies and testing agencies; (iii) the establishment of traceable working mechanisms; (iv) the obligations of commercial encryption authentication agencies on information disclosure and reporting; and (v) the confidentiality obligations owed by commercial encryption authentication agencies and testing agencies. In terms of supervision and administration, the opinions also specify the relevant regulatory authorities and provide for the right to appeal and complain.

 

Enforcement developments

 

 

1. Bank fined for illegally accessing and using customers’ personal information

 

On 13 March 2020, the People’s Bank of China announced its decision to fine the Nanjing branch of the Bank of Hangzhou as a result of certain illegal activities, namely: failing to submit materials for the opening and closing of bank accounts, knowingly allowing accounts to be opened in the name of natural persons for the deposit of funds belonging to institutions, failing to perform obligatory customer identification procedures and illegally accessing and using customers’ personal information. The bank received a warning and was fined RMB420,000. The relevant person-in-charge of the bank was also fined RMB28,000.

 

2. Bank fined RMB1.845 million for infringing consumers’ personal information rights

 

On 17 March 2020, the Chongqing branch of the People’s Bank of China announced that it had imposed various administrative penalties on Chongqing Fumin Bank. This stems from a number of illegal activities carried out by the bank, namely: falsely reporting or concealing financial statistical information, failing to submit materials on the opening, changing and closing of accounts, failing to manage the barcode payment business, failing to handle objections in accordance with credit reporting regulations, failing to perform obligatory customer identification procedures, failing to submit reports on suspicious transactions and infringing the customer’s rights to have their personal information protected in accordance with the law. The bank received a warning and was fined RMB1.845 million, and its illegal gains of RMB303,489.56 were confiscated.

 

3. Sina Weibo App data leak incident inquiry

 

On 21 March 2020, the cybersecurity management bureau of the Ministry of Industry and Information Technology conducted an inquiry into a data leak incident by the Sina Weibo App and interviewed the relevant person-in-charge. The bureau urged Sina Weibo to improve its privacy policies in accordance with relevant laws and regulations and adopt security protection measures such as enhanced protection of user information (by classification and grade) as well as internal data security management and other security protection strategies. The bureau also recommended carrying out self-assessment with data security compliance and reporting of major data security incidents to eliminate hidden risks associated with data security.

 

 

Industry developments

 

1. Ministry of Industry and Information Technology promotes the development of 5G

 

On 24 March 2020, the Ministry of Industry and Information Technology issued a circular on accelerating the development of 5G. The circular requires faster deployment of 5G network construction, including accelerating the progress of 5G construction, increasing site resources and support for base stations, strengthening the guarantee of electric power and radiofrequency, and promoting network sharing and inter-network roaming. The circular also provides for diversifying the application of 5G technology, including cultivating new consumption habits, promoting the development of “5G + healthcare” innovation, implementing the “5G + industrial internet” project, promoting the coordinated development of “5G + Internet of Vehicle” initiative, and building a 5G application ecosystem. The circular states that the Ministry of Industry and Information Technology will continue to increase its research efforts and development of 5G technologies, focus on building a 5G security system, and strengthen organisational implementation and accountability.

 

2. Pilot projects in big data industry for 2020

 

On 26 March 2020, the Ministry of Industry and Information Technology issued a list of 200 pilot projects in the big data industry for 2020. These include 90 projects in the field of industrial big data convergence and application, 70 in the field of innovation and application of big data in people’s livelihoods, 20 in the field of big data key technology pilot application, and 20 in the field of improving big data management capability.

 

3. Key points for 2020 national information security standardisation work plan

 

On 9 March 2020, the National Information Security Standardisation Technical Committee announced the key points for its 2020 plan, focusing on six areas. These include improving the national standards on cybersecurity, focusing on key projects and promoting the development of urgently needed key standards, taking effective measures to strengthen the promotion and implementation of the standards as well as initiating a new international standard. The other aspects include strengthening the management of the process of setting standards and improving the level of standardisation capabilities, as well as exploring new mechanisms for training talent and integrated development of technology and industry.

 

 

International developments

 

1. Japan adopts amendments to its Act on the Protection of Personal Information

 

On 10 March 2020, the Cabinet of Japan adopted amendments to the Act on the Protection of Personal Information. The amendments cover a number of areas such as the rights of data subjects, responsibilities of enterprises and self-improvement mechanisms for enterprises. Data utilisation strategies, penalties and extraterritorial application of the Act, as well as cross-border data transfer, were also included in the amendments.

 

2. The US adopts national strategy to secure 5G

 

On 23 March 2020, the US adopted a national strategy to secure 5G which proposes four measures to achieve its objectives. Firstly, it includes measures to facilitate the domestic 5G rollout. Secondly, it requires an assessment of the risks and the identification of core security principles for 5G infrastructure. Thirdly, it sets out requirements to manage the risks to economic and national security from the development and deployment of 5G infrastructure worldwide. Finally, the strategy promotes responsible global development and deployment of 5G.

 

 

3. Australia to amend its Telecommunications (Interception and Access) Act

 

On 5 March 2020, the Australian government introduced a bill to parliament, proposing amendments to its Telecommunications (Interception and Access) Act to allow Australian communications providers to intercept and disclose electronic information in response to an incoming request from the Australian government and a foreign country with which Australia has an agreement. It is expected that countries with which Australia has an agreement will be allowed access to communications data across borders for law enforcement purposes after the proposed amendment is passed. 

 

 


 

For further information, please contact:

 

Gareth Thomas, Partner, Herbert Smith Freehills

gareth.thomas@hsf.com