China Cybersecurity And Data Protection: Monthly Update – Feb 2021 Issue.
23 February 2021
The People’s Bank of China and the China Banking and Insurance Regulatory Commission have introduced regulations and released draft regulations relating to data protection in the banking, insurance, credit reporting, third-party payment and insurance agent industries. This is in line with financial regulators’ continued focus on data protection in the financial sector.
The newly released draft Administrative Measures on Internet Information Services also place an emphasis on cybersecurity and data protection, with an enhanced role for the Ministry of Public Security in policing compliance.
On 5 January 2021, the China Banking and Insurance Regulatory Commission published new measures on regulatory data security management for trial, which came into force on 23 September 2020. The measures aim to establish a coordinated administrative system on regulatory data security with the collaboration of multiple departments. Regulatory data activities include all aspects of data collection, processing, storage, and usage. In terms of data collection and usage, data collection shall be conducted in accordance with the principles of safety, accuracy and integrity. Data transfer shall be traceable by technical means. In addition, the management department shall establish a data security incident reporting mechanism to supervise and report data security incidents in a timely manner.
On 8 January 2021, the Cyberspace Administration released the draft Administrative Measures on Internet Information Services for public comment. The deadline for comments was 7 February 2021. The draft measures require Internet service providers to take the necessary technical measures to ensure the security of the personal information they collect and to prevent any leakage, damage or loss of information. Organisations and individuals are not allowed to publish false information or to provide information release services for the purpose of profit or illegal benefit.
On 11 January 2021, the People’s Bank of China released the draft measures for credit investigation administration for public comment. The deadline for comments was 10 February 2021. In terms of data protection, the measures set requirements for collecting, processing and storing credit information in order to protect the legitimate interests of individuals and companies. They also set requirements for data security and cross-border transfer. The measures require credit investigation agencies to follow the minimum and necessary principle and not to collect information in an illegal manner. When collecting individual information, the credit investigation agency must inform the data subject of the purpose and extent of the collection. When collecting non-public information about companies, consent must be obtained.
On 22 January 2021, the Cyberspace Administration issued the newly revised regulations on the administration of Internet public account information services, which will come into effect on 22 February 2021. The regulations aim to strengthen the supervision of official accounts. They require official account platforms to establish rating and credit evaluation systems, improve the management of account registration and qualification review, establish an early warning mechanism for illegal information, and protect account, data and personal information security. Account operators shall establish a content review mechanism to ensure the authenticity and legality of their content. Publishing false information, inciting extremist ideas, infringing copyright or promoting violence is illegal.
On 12 January 2021, the China Banking and Insurance Regulatory Commission published new measures for the supervision of the informatisation of insurance intermediaries, which came into effect on 1 February 2021. The measures require insurance intermediaries to carry out their informatisation work independently. Informatisation mechanisms, facilities and management should remain independent and be effectively isolated from those of their affiliates. Access to, transfer of and copying of information and data shall be strictly controlled. Disclosure of personal information to affiliated companies is a violation of the measures.
On 25 January 2021, the National Administration of State Secrets Protection published new measures for the qualification administration of the integration of confidential information systems, which will come into force on 1 March 2021. These measures regulate the application, acceptance, review, use and supervision of confidential integration qualifications. Qualified entities shall undertake confidential printing business within the business category permitted by the secrecy administrative department. Those who have obtained the license for the overall business category can also engage in software development and security monitoring businesses.
On 20 January 2021, the People’s Bank of China released the draft regulations on non-bank payment institutions for public comment. The deadline for comments was 19 February. In terms of data protection, the draft regulations set forth requirements for collecting and processing user information. Information shall be collected and processed under the principles of lawfulness, fairness and necessity, with the explicit consent of the users. Users have the right to require non-bank payment institutions to correct or delete their personal information. In terms of cybersecurity, the draft regulations set forth requirements for information system localisation and a risk reporting system. If a non-bank payment institution is identified as critical information infrastructure, the storage, processing and analysis of user information in China shall be carried out domestically. In the event of a risk incident, the institution shall immediately report to the local branch of the People’s Bank of China.
On 13 January 2021, the Ministry of Industry and Information Technology issued a notice on implementing the multi-level protection scheme for industrial Internet enterprises in selected areas. Local administrations will select key local industries and enterprises to carry out the multi-level protection scheme. Next, the local administrations will organise the selected enterprises to carry out the rating process and produce a rating report by the end of February 2021. Thereafter, security measures shall be taken according to each enterprise’s level by the end of September 2021.
On 22 January 2021, the Secretariat of the National Information Security Standardization Technical Committee released four draft standards on information security technology for public comment. The deadline for comments is 22 March 2021. This series of standards covers security requirements and guidelines on public domain names, blockchain, the information security multi-level protection scheme, and information security management systems. The standards provide guidance for third-party assessment agencies carrying out security assessments. The drafts also provide a basis for security reviews by the national security departments.
On 8 January 2021, a public interest lawsuit brought before the Hangzhou Internet Court was heard against a defendant who had used the Internet to infringe the privacy rights of others. The defendant had purchased and exchanged more than 40,000 items of personal information containing names, phone numbers and e-mail addresses, and subsequently sold them to others. That information was then used for fraud and negatively affected many citizens. Although the defendant’s acts occurred before the Civil Code came into force, the Civil Code has detailed provisions on the protection of privacy rights and its application in this case could afford better protection of privacy rights; the court therefore held that the defendant should pay 34,000 yuan in damages for infringement of the social public interest. The compensation is to be used specifically for personal information protection and other public welfare matters. The court also required the defendant to make a public apology in “Zhejiang Legal News”.
On 19 January 2021, the Ministry of Industry and Information Technology announced that it had removed 12 apps that had violated user rights and subsequently failed to take the necessary rectification measures. The categories include social media, short video and live broadcast apps.
On 3 January 2021, the Ministry of Industry and Information Technology published the first in its series of notifications containing details of apps that have infringed users’ rights and interests. It noted that 157 apps had failed to take the necessary rectification measures by the 29 January 2021 deadline. In addition, across the 10 batches issued in 2020, the non-compliant apps accounted for 22.3%, 12.0%, 10.3%, 9.9% and 8.8% of those in the Tencent App Store, Mi App Store, Pea Pod, OPPO App Store and Huawei App Market respectively. The authority required these platform companies to take responsibility for supervision.
On 5 January 2021, the Cyber Security Administration of the Ministry of Industry and Information Technology organised an inspection of the network security protection of telecommunication companies, Internet companies and domain name agencies. In the inspection, 49 companies were found to be in violation of the relevant regulations. These companies include Beijing Baidu Netcom Science and Technology Co., Ltd. and Tencent Cloud Computing (Beijing) Co., Ltd. The administration reported the problems to these companies and requested rectification.
On 25 January 2021, the Supreme People’s Procuratorate released 11 common cases of cyberspace crimes to clarify the proof of evidence and application of law. The cases include online fraud, illegal sale of telephone cards, illegal banking business, online loan, online gambling, and online drug deals.
On 13 January 2021, the Ministry of Industry and Information Technology published the industrial internet innovation and development plan (2021-2023). It proposed to fulfil the law-based responsibility of enterprises, develop the innovation of supply, promote the growth of industry, and improve the ability of technology support regarding cybersecurity. Specifically, it will comprehensively promote the multi-level protection scheme of industrial Internet enterprise, select enterprise models, and create demonstration areas for cybersecurity innovation and application.
On 7 January 2021, the Shenzhen Stock Exchange published guidelines on information disclosure for the cybersecurity industry on the GEM board. They require companies to disclose (i) the sales and operation of key cybersecurity products according to their specific fields and functions; (ii) evidence of law-based governance, including qualifications, changes in policies and regulations, the cybersecurity safeguards of their products or services, and relevant facilities; and (iii) the risks of violating regulations, suffering large-scale data breaches, receiving administrative penalties, and having major vulnerabilities in their products or services.
On 12 January 2021, Guangdong Cybersecurity Emergency Response Centre was established by Guangdong Provincial Public Security Department jointly with Guangzhou Municipal Public Security Bureau and Government of Huangpu District. Using the “information + order + settlement” model, it will assist entities offering critical information infrastructures and systems, and high-tech enterprises, monitor and manage cybersecurity risks and publish warnings regarding cybersecurity.
On 18 January 2021, the European Data Protection Board released the guidelines 01/2021 on examples regarding data breach notification for public comment. These guidelines supplement the preliminary guidelines on data breach notification under the EU General Data Protection Regulation (GDPR) issued in February 2018, and summarises the practical experience in data breach since the application of GDPR in May 2018.
On 15 January 2021, the European Data Protection Commission (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the draft Standard Conditions of Contract (SCCs) issued by the European Commission in November 2020. The draft SCCs are applicable both to international transfers and to the controller-processor relationship within the European Economic Area.
On 19 January 2021, the US Department of Commerce (DOC) promulgated a new rule on securing the information and communications technology and services supply chain to implement the provisions of Executive Order 13873. It aims to create and improve the processes and procedures to identify, assess and address certain transactions between U.S. and foreign persons involving information and communications technology or services designed, developed, manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, where those transactions pose an undue or unacceptable risk. The DOC is now welcoming public comments, and the final rule will take effect on 22 March 2021.
On 14 January 2021, South Korea’s Personal Information Protection Committee released the final draft of amendments to the Personal Information Protection Act 2011 for public comment. The draft includes a self-regulation mechanism, the introduction of a right to data portability for data subjects, clarifications on the regulation of the use and processing of personal data during offline activities, and cross-border data transfers. To recap, on 4 February 2020, South Korea merged the Personal Information Protection Law, the Law on the Use and Protection of Credit Information and other relevant regulations into the Personal Information Protection Law. Subsequently, in March 2020, it amended the Personal Information Protection Law again on pseudonymised processing, the institutional setting of the Personal Information Protection Commission, and the personal information processing of information and communication service providers, among other matters.
On 22 January 2021, the first Association of Southeast Asian Nations (ASEAN) Digital Ministerial Conference was held. The conference approved the ASEAN Data Management Framework (DMF) and the Model Contractual Clauses for Cross Border Data Flows (MCCs). The DMF and MCCs were formulated by the Digital Data Governance Working Group led by Singapore. They are not binding on ASEAN Member States or organisations, and do not create new rights or obligations for ASEAN Member States under international law. ASEAN Member States and organisations may adopt them on a voluntary basis.
On 21 January 2021, the Scottish Environmental Protection Agency (SEPA) confirmed that its internal network had been attacked by an international cyber-criminal gang on Christmas Eve, 24 December 2020. More than 4,000 files were stolen and 1.2GB of data leaked, including regulated site permits, authorisations and enforcement notices, corporate plans, priorities and change programmes, information regarding commercial work with international partners, and personal information relating to SEPA staff.
On 8 January 2021, the German company notebooksbilliger.de AG was fined 10.4 million Euros by the Data Protection Commissioner for the Federal State of Lower Saxony for installing cameras in workplaces, warehouses and public areas and unlawfully monitoring its staff and customers for at least two years. The fine is the highest issued so far by Lower Saxony’s data protection authority under the GDPR.
For further information, please contact:
James Gong, Herbert Smith Freehills