The Ministry of Commerce launches pilot program on security management for cross border data transfer
On August 14, 2020, the Ministry of Commerce (“MOC”) issued the Master Plan for Comprehensively Deepening the Pilot Program on Innovative Development of Trade in Services (“Plan”), covering 28 provinces and municipalities directly under the Central Government (regions), including Beijing, Tianjin and Shanghai, and the period for the pilot program will be three years.
The Plan proposes to:
- establish dedicated Internet data channels in pilot areas where feasible, and the Ministry of Industry and Information Technology (“MIIT”) shall formulate relevant policies;
- explore the classification and supervision model of cross-border data flow and carry out the pilot program for cross-border data transfer security management. The Office of the Central Cyberspace Affairs Commission shall formulate relevant policies, and the pilot program work for cross-border data transfer security management shall be implemented in pilot areas such as Beijing, Shanghai, Hainan, and Xiong’an New Area;
- develop cross-border services such as big data collection, storage, processing, analysis, mining and trading based on industrial Internet in pilot areas;
- explore the rules and standards of data service collection, masking, application, trading, supervision, etc.;
- promote the commercialization and securitization of data assets, and explore the formation of new models for trading of big data;
- carry out security assessment on cross-border data flow in pilot areas; and
- establish data security management mechanisms on data protection capability certification, data circulation backup review, cross-border data flow and transaction risk assessment, etc.; encourage international cooperation on digital rules in pilot areas and strengthen the protection of data.
For more information, please refer to http://images.mofcom.gov.cn/fms/202008/20200814092010665.pdf
China proposes to tighten controls on import and export of commercial cryptography products
On August 20, 2020, the State Cryptography Administration released the Regulations for the Administration of Commercial Cryptography (Draft for Comment) (“Draft Regulations”) to solicit public opinions by September 19, 2020.
The Draft Regulations provide that the import of commercial cryptography listed in the “Commercial Encryption Import License List” and the export of commercial cryptography listed in the “Commercial Encryption Export Control List” should be subject to the import and export license for dual-use items issued by the competent commercial department of the State Council.
According to the Draft Regulations, operators of networks and information systems such as unclassified critical information infrastructure, network of Grade III or above (under the network graded protection regime), and national government information system shall:
• use commercial cryptography for protection;
• formulate a commercial cryptography application scheme;
• have necessary funds and professionals;
• plan, construct and operate the commercial cryptography safeguard system synchronously;
• carry out the security assessment on commercial cryptography application by themselves or through commercial cryptography testing institutions.
The above-mentioned network and information systems can be put into operation only after the security assessment on commercial cryptography application. After operation, the assessment shall be conducted at least once a year, and the assessment results shall be filed with the local municipal cryptography administrative department.
The Draft Regulations provide that operators of networks and information systems such as unclassified critical information infrastructure, network of Grade III or above, and national government information system should use commercial cryptography products and services that have been tested or certified, and use commercial cryptography technology listed in the Guidance Catalog of Commercial Cryptography Technology.
The Draft Regulations stipulate that if operators of critical information infrastructure purchase network products and services involving commercial cryptography, which may affect national security, they shall pass the national security examination organized by the state cyberspace department, the state cryptography department and other relevant departments according to the law.
For more information, please refer to http://www.oscca.gov.cn/sca/hdjl/2020-08/20/content_1060779.shtml
China released the revised Catalogue of Technologies Prohibited and Restricted from Export
On August 28, 2020, the Ministry of Commerce and the Ministry of Science and Technology jointly released the revised Catalogue of Technologies Prohibited and Restricted from Export (“Catalogue”). The revisions of the Catalogue removed 4 items of technologies prohibited from export, removed 5 items of technologies restricted from export, added 23 items of technologies restricted from export, and revised technical parameters of 21 items of technologies.
It is worth noting that, in the export restriction section, the Catalogue adds “personalized information push service technology based on data analysis” and “technology of unmanned aerial vehicles”.
For more information, please refer to http://www.most.gov.cn/kjbgz/202008/t20200828_158546.htm
NISSTC seeks public opinions on the Information Security Technology – Cyber-data Process Security Specification
On August 31, 2020, the National Information Security Standardization Technical Committee (“NISSTC”) issued the Information Security Technology – Cyber-data Process Security Specification (Draft for Comment) (“Draft Specification”) for public comments by October 27, 2020.
Highlights of the Draft Specification include:
Provision of data to others: Before providing data to others, network operators should conduct security impact analysis and risk assessment. If national security, public security, economic security, and social stability will be endangered, they must not provide the data to others.
Responsible person for data security: When network operators carry out business and service activities and collect important data and personal sensitive information, they should clarify the person responsible for data security and provide them with necessary resources to ensure that they perform their duties independently. The person in charge of data security should have professional knowledge of data security and relevant management work experience, participate in important decisions related to data processing activities, and perform the following duties:
a) organizing and determining the data protection catalog, formulating a data security protection plan and supervising the implementation;
b) organizing and carrying out data security impact analysis and risk assessment, and supervising the rectification of security risks;
c) reporting data security protection and incident handling to the cyberspace administration and relevant departments as required; and
d) organizing to accept and handle data security complaints and reports.
Transmission and storage: Network operators should take security measures for data transmission and storage activities, including:
a) When transmitting important data and personal sensitive information, security measures such as encryption should be adopted;
b) When storing important data and personal sensitive information, security measures such as encryption, secure storage, access control, and security audits should be adopted; and
c) The storage of personal information should not exceed the storage period agreed with the personal information subject, unless otherwise provided by laws and regulations.
The Draft Specification also provides special rules for the protection of personal information in public health emergencies. For example, in the process of providing information services, when face recognition is used as the authentication method, other authentication methods should be provided for users to choose in principle. The original image that can extract the face recognition information shall not be retained in principle when using face recognition information for identity verification.
For more information, please refer to https://www.tc260.org.cn/front/postDetail.html?id=20200830094619
MIIT: No user’s consent, No commercial SMS or calls
On August 31, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Administrative Regulations on Short Messages and Voice Call Service (Draft for Comments) (“Draft Regulations”) to seek public comments by September 30, 2020.
According to the Draft Regulations, any organization or individual shall not send commercial short messages or make commercial telephone calls to the user without his/her consent or request, or if he/she has explicitly refused to receive such SMS/calls. If the user does not explicitly agree, it shall be deemed as refusal. If the user agrees previously and explicitly refuses to accept it later, sending commercial short messages or making commercial telephone calls shall be terminated. If a short message service provider sends port type commercial short messages, it shall ensure that the relevant user has agreed or requested to receive these messages and keep the user’s consent proof for at least five months. A voice call service provider shall not make platform commercial calls, or provide communication resources, platform facilities and other conditions for organizations and individuals who make commercial calls in violation of the Draft Regulations.
For more information, please refer to http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057709/n3057717/c8067025/content.html
Ministry of Culture and Tourism: Big data analysis and other technical means must not be abused to violate tourists’ rights
On August 31, 2020, the Ministry of Culture and Tourism issued the Interim Provisions on Administration of Online Tourism Business and Services (“Provisions”), which will take effect on October 1, 2020.
According to the Provisions, online tourism operators should implement graded protection system of cyber security, take management and technical measures for cyber security, formulate contingency plans for cyber security and organize regular trainings according to the PRC Cybersecurity Law and other relevant laws to ensure the normal development of online tourism business and services.
Online tourism operators shall protect the tourists’ right of comment and shall not arbitrarily shield or delete tourists’ comments on their products and services, nor shall they mislead, induce, substitute or force tourists to make comments. Comments made by tourists shall be saved and made public.
Online tourism operators should protect the security of tourists’ personal information and other data, and clearly indicate the purpose, method and scope of the collection of tourists’ personal information in advance and obtain the consent of the tourists.
Online tourism operators must not abuse technical means such as big data analysis to set unfair trading conditions based on tourists’ consumption records, travel preferences, etc., and infringe on the legitimate rights and interests of tourists.
According to the Provisions, online tourism operators refer to natural persons, legal persons and unincorporated organizations engaged in online tourism business and services, including online travel platform operators, operators on the platform, and operators who provide travel services through self-built websites and other network services.
For more information, please refer to http://zwgk.mct.gov.cn/auto255/202008/t20200831_874550.html?keywords=
Six government agencies call for recommendation of national green data centers in 2020
On August 6, 2020, the Ministry of Industry and Information Technology (“MIIT”) and five other government agencies issued the Circular on Organizing and Implementing the Recommendation of National Green Data Centers (2020) (the “Circular”).
According to the Circular, all regions shall recommend a batch of well-managed and representative data centers featuring high energy efficiency and advanced technology in major application fields of data centers, such as manufacturing, telecommunications, Internet, public institutions, energy, finance, and e-commerce, in accordance with the Evaluation Indicator System for Green Data Centers.
The Circular provides four basic conditions that a recommended data center shall meet:
- The owner of the data center shall have independent legal person status. The data center shall have clear property rights and shall abide by relevant laws, regulations, policies and standards in the process of construction and operation. In the past 3 years (including less than 3 years of establishment), it has had no major safety incidents, environmental protection incidents or other incidents, and no other serious illegal or untrustworthy conduct decided by judicial or administrative agencies;
- The data center shall have a clear and complete physical boundary, independent power supply and distribution, and a cooling system that meets the requirements of the Action Plan for Green and Efficient Refrigeration and has been officially operating for one or more consecutive years as of the application date;
- The construction and layout shall meet the requirements of the Guiding Opinions on the Construction Layout of Data Centers, and meet the requirements of the local construction planning and other local laws and regulations; and
- It is not included in the list of Special Supervision and Rectification for the Energy Efficiency of the Industrial Energy Conservation Supervision Data Center in 2019.
For more information, please refer to http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757016/c8045053/content.html
China issues the Guide to the Building of National Standard Framework for New Generation Artificial Intelligence
On August 7, 2020, the Standardization Administration and other four government departments issued the Guide to the Building of National Standard Framework for New Generation Artificial Intelligence (“Guide”).
According to the Guide, the framework of standards for artificial intelligence includes eight aspects, namely basic generality, supporting technology and products, basic software and hardware platforms, key general technologies, technologies in key fields, products and service, industry application and safety/ethics.
The Guide requires that the top-level design of artificial intelligence standardization should be clarified by 2021, when more than 20 key standards in key general technologies, technologies in key fields, ethics, etc. have been preliminarily researched. By 2023, an artificial intelligence standard system should have been initially established, focusing on the development of key and urgently needed standards such as data, algorithms, system services, and taking the lead in manufacturing, transportation, finance, security, home furnishing, elderly care, environmental protection, education, healthcare, justice and other key industries and fields.
For more information, please refer to http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057497/n3057502/c8048365/content.html
NISSTC seeks public opinions on its proposed national standards to identify the boundaries for Critical Information Infrastructure
On August 10, 2020, the National Information Security Standardization Technical Committee (“NISSTC”) released the Information Security Technology – Method of Boundary Identification for Critical Information Infrastructure (Draft for Comment) (“Draft Method”) to seek public opinions.
The Draft Method provides that boundary identification for critical information infrastructure (“CII”) is the further analysis and sorting carried out after the competent authority has identified the critical business, in which the CII operator identifies the network facilities and information systems that are indispensable for the continuous and stable operation of the critical business, for the purpose of providing a basis for protection, review, and emergency response.
The Draft Method provides six factors that should be considered in identifying the boundaries of CII: critical business, network facilities, information system, critical business information, critical business information flow, and basic operation environment.
- Critical business is the core element and the basis for boundary identification of CII;
- Critical business information is an indispensable information resource for the normal operation of critical business, and also a bridge and link for network facilities and information system to support the informatization for critical business;
- Network facilities and information system design, collect, integrate, process, present, apply, store and destroy critical business information according to business operation logic and functions to support the automated, intelligent and efficient operation of critical business;
- Critical business information flow is the flow process in the whole life cycle of critical business information. By sorting out the critical business information flow, network facilities and information systems supporting informatization for critical business can be obtained;
- Basic operation environment refers to the safety equipment, safety measures, rules and regulations, machinery, plant, water, electricity, etc. supporting basic operation for critical business.
For more information, please refer to https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20200810142946595318&norm_id=20200112070029&recode_id=39652
NISSTC seeks public opinions on the Method for Evaluating Security Protection Capabilities of Critical Information Infrastructure
On August 10, 2020, the National Information Security Standardization Technical Committee (“NISSTC”) issued the Information Security Technology – Method for Evaluating the Security Protection Capabilities of Critical Information Infrastructure (Draft for Comment) (“Draft Method”) for public comments by October 9, 2020.
The Draft Method provides that the evaluation of security protection capabilities of critical information infrastructure (“CII”) includes three parts: capability domain level evaluation, graded protection evaluation, and cryptography evaluation. Before the evaluation of the security protection capability of CII, the CII should first pass the corresponding graded protection evaluation and related cryptography evaluation. Then, the organization should carry out the evaluation according to the evaluation content and evaluation operation method, give the judgment result and grade of each evaluation index, get each capability domain level, and finally obtain the security protection capability level of critical information infrastructure based on the evaluation results of capability domain level and graded protection.
For more information, please refer to https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20200810142946548146&norm_id=20200112070019&recode_id=39650
MIIT seeks public opinions on Guidelines on the Construction of Data Security Standard System in Telecom and Internet Industries
On August 11, 2020, the Ministry of Industry and Information Technology (“MIIT”) issued the Guidelines on the Construction of Data Security Standard System in Telecom and Internet Industries (“Draft Guidelines”) to seek public opinions.
According to the Draft Guidelines, the data security standard system of telecom and Internet industries includes four categories of standards, namely the standards for basic generality, critical technologies, security management and critical fields:
- the standards for basic generality include definitions of terms, data security framework, and data category and classification;
- the standards for critical technologies deal with data security technology from the dimensions of the entire life cycle, including data collection, transmission, storage, processing, exchange, and destruction;
- the standards for security management include data security specifications, data security assessment, monitoring and early warning and handling, emergency response and disaster backup, and security capability certification; and
- the standards for critical fields mainly include 5G, mobile Internet, connected-car, Internet of Things, Internet of Industry, cloud computing, big data, artificial intelligence, blockchain and other critical fields.
For more information, please refer to http://www.miit.gov.cn/n1278117/n1648113/c8050746/content.html
The Ministry of Justice: To strengthen protection of trade secrets and confidential business information in administrative licensing
On August 14, 2020, the Ministry of Justice (“MOJ”) issued the Guiding Opinions on Strengthening the Protection of Trade Secrets and Confidential Business Information in Administrative Licensing (Draft for Comment) (the “Draft Opinions”) for public comments by September 30, 2020.
The Draft Opinions provide that, when making an administrative license application to an administrative authority, applicants shall expressly indicate their trade secrets pursuant to the Anti-Fair Competition Law or other laws or regulations, as well as their business information that needs to be kept confidential, and correctly identify the scope of confidentiality.
When applicants submit the application materials to the administrative authorities, they must clearly indicate the key points of confidentiality, and not generally regard all materials as trade secrets and confidential business information. Such information should be clearly marked on the first page of the paper-based or electronic materials submitted and the key points of confidentiality.
For more information, please refer to http://www.moj.gov.cn/government_public/content/2020-08/14/657_3254208.html
Shandong Province releases classification management rules on health care big data
On August 25, 2020, the People’s Government of Shandong Province issued the Measures for the Management of Health Care Big Data in Shandong Province (the “Measures”), which will take effect on October 1, 2020.
According to the Measures, health care big data falls into three categories:
- health care data involving trade secrets, personal privacy or other types of data which are not allowed to be accessed according to laws and regulations shall be categorized as inaccessible data;
- health care data with higher requirements for data security, processing capacity, and timeliness or that needs to be acquired continuously shall be categorized as conditional accessible data; and
- health care data other than the above two categories shall be categorized as unconditional accessible data.
The Measures also stipulate that:
- for unconditional accessible data, citizens, legal persons and other organizations can access it through the health care big data platform.
- for conditional accessible data, health care big data management institutions and data using organizations should sign data using agreements to access the data. The agreement shall specify the scope, conditions, data products, confidentiality responsibilities and security measures, etc. of the data.
- for inaccessible data, it can be accessed after the consent of the relevant obligees or after the desensitization and declassification, unless otherwise provided by laws and regulations.
For more information, please refer to http://www.shandong.gov.cn/art/2020/8/25/art_107851_108458.html
For more information, please contact:
Samuel Yang | Partner
AnJie Law Firm
P: +86 10 8567 2968
M: +86 1391 0677 369
Hongquan (Samuel) Yang is a partner with AnJie Law Firm. He has worked as in-house counsel and external lawyer in the technology, media and telecoms (TMT) sectors for nearly 20 years and is regarded as a true expert in these areas. He advises clients on a wide range of regulatory, commercial and corporate matters, especially in telecommunications, cybersecurity, data protection, internet, social networking, hardware and software, technology procurement, transfer and outsourcing, distribution and licensing, and other technology-related matters. He also advises clients on compliance and investigation matters.
Samuel has been recognized as a Leading Individual in PRC TMT firms (Legal 500, 2020), a Band 1 Cyber Security & Data Protection Lawyer (LEGALBAND, 2019, 2020) and one of the Top 10 Cyber Security and Data Protection Lawyers in China (LEGALBAND, 2018). Legal 500 commented that Samuel and his team at AnJie have a particular strength in “telecom-related regulatory and general commercial legal services” and “issues such as cyber security and data protection areas” and have “built a real niche” in these areas.
Samuel mainly serves Fortune 500 companies, large state-owned enterprises and leading Chinese internet companies. Samuel is a regular contributor to many legal journals and his publications regarding Chinese data protection and cybersecurity laws are well-received and widely reproduced.
Before joining AnJie, Samuel worked for British Telecom, CMS and DLA Piper.