China Monthly TMT Update – July 2018

China

MIIT publishes guidelines on Industrial Internet Platforms

The Ministry of Industry and Information Technology (“MIIT”) published the Guide to the Development and Promotion of Industrial Internet Platforms ("Guide") and the Measures for the Assessment of Industrial Internet Platforms (“Measures”) on 9 July 2018.

The Industrial Internet Platform (“IIT”) refers to an Internet platform for industrial enterprises to: integrate complex data, give predictive analytics and drive the optimisation of operations.

By 2020, the Chinese government will cultivate and promote around 10 cross-sector and cross-region IITs and a batch of other IITs which focus on one particular sector or region. In addition, China will promote the standardisation of IITs by making a series of national standards that cover the key technology, which includes edge computing, data management, data security, etc. According to the Guide, these national standards will refer to international standards and encourage the cloud model. The aim is to realise the free transfer of data between different IITs.

Following the Guide, the Measures provide the main evaluating criteria for different types of IITs, which cover general requirements (e.g. resource management ability, application and service ability, fundamental technology, input and output ability), requirements for single industry-focused IITs (e.g. equipment accessibility, software development, user size), requirements for single sector-focused IITs (key-data integration, key-area optimisation), requirements for single region-focused IITs (e.g. co-operation, synergy and promotion ability within the region), and requirements for cross-industry and cross region IITs (e.g. cross-industry, cross-sector ability, and cross-region ability, open source, security and reliability).

Please click here to read the full text (Chinese only) of the Guide and the Measures.

The NPC’s third consultation on the Draft E-Commerce Law of the People's Republic of China

The Standing Committee of the National People's Congress (“NPC”) published the E-commerce Law of the People's Republic of China (Third Draft for Comments) (“Third Draft”) on 29 June 2018. The Third Draft will be open for public comments until 28 July 2018.

According to the Third Draft, e-commerce operators include “e-commerce platform operators, e-commerce operators on platforms and the e-commerce operators selling goods or providing services through their self-built websites or other online services (e.g. business activities through WeChat or streaming media).

While individuals that engages in small scale of online transactions are not required to make commercial registrations, they must report to the tax authorities to fulfil their tax obligations. E-commerce platform operators are required to report the identity and taxation information of business operators residing within the platform to the market supervision and administration authorities.

E-commerce operators are prohibited from using their technical, market share or other advantages to engage in unfair competition activities or impose unfair restrictions on the legal operation of other operators' business. They are also required to fulfil a series of obligations concerning privacy and personal data protection and consumer right protection.

If an e-commerce platform operator knows or should have known that the goods sold or services provided by an operator on its platform do not meet the requirements for safeguarding personal and property safety, or there are other infringements upon the legitimate rights and interests of consumers, and it fails to take necessary measures against these, it shall assume joint and several liability with this operator on the platform according to the law.

Please click here to read the main amendments provided in the Third Draft (Chinese only).

A draft regulation governing network multi-level security protection is published in China

The Ministry of Public Security (“MPS”) published the draft Network Multi-level Security Protection Regulation (“Draft Regulation”) on 27 June 2018 to solicit public opinions.

The Draft Regulation applies to the establishment, operation, maintenance and use of networks within China. According to the degree of importance of the network to national security, economic development, society, and the impact and damage that the network’s destruction, loss of function, or data corruption, disclosure, loss, or damage can have on national security, social order, public interests and any related citizens, the security protection of networks will be divided into five levels, with Level 5 enjoying the most significant security protection.

The Draft Regulation re-emphasises the importance of personal data protection, and makes it clear that a network operator shall report a security incident to the local MPS within 24 hours. For the operator of a network with a security protection level of Level 3 or higher, the key components of the network must be tested by professional institutions; and network products and services that might affect national security must pass security examinations organised by the relevant government authorities.

The Draft Regulation also sets out requirements regarding the operation and use of networks involving state secrets. In addition, it also provides requirements governing the use of encryption products in networks. For example, a network with a security protection level of Level 3 or higher must use encryption products and services approved by the national encryption administrative authorities.

Please click here for the full text (Chinese only) of the Draft Regulation.

New rules governing the testing and certification of critical security products are published

On 19 June 2018, two announcements, the Announcement on Releasing the List of Entities Undertaking Security Certification and Testing of Critical Network Equipment and Specialised Network Security Products (First Batch) (“Entities Announcement”) and the Announcement on the Requirements for Implementation of Security Certification of Critical Network Equipment and Specialised Network Security Products (“Certification Implementing Announcement”), were jointly published by the PRC authorities.

The Entities Announcement provides a list of 16 accredited entities that can undertake security testing or certification of Critical Network Equipment and Specialised Network Security Products (the “Products”).

The Certification Implementing Announcement sets out new information on the certification regime. It states that Product manufacturers who choose security certification for a Product should submit a security certification application to an accredited certification body. Certification bodies will use the Rules on the Implementation of Security Certification of Critical Network Equipment and Specialised Network Security Product when certifying a Product. These rules are yet to be released by the relevant authority.

Please click here to read a Law-Now article discussing the new rules in detail.

A government consultation on five standards to implement the Cybersecurity Law

The National Information Security Standardisation Technical Committee issued the following five national standards relating to cybersecurity and data protection for public comments. These standards are the detailed implementing measures of the Cybersecurity Law of the People’s Republic of China.

  • Information security technology – security impact assessment guide of personal information
  • Information security technology – security controls of critical information infrastructure
  • Information security technology – cybersecurity protection requirements of critical information infrastructure
  • Information technology — security techniques — network security — part 1: overview and concepts
  • Information technology — security techniques — network security — part 2: guidelines for the design and implementation of network security

The public will have 25 July 2018 to submit comments. It is expected that the industry will be able to obtain detailed guidelines regarding the implementation of the Cybersecurity Law requirements after these standards take effect.

Please click here to read the full text (Chinese only) of these standards.