CAC issues the regulation on the safety assessment for internet services capable of creating public opinions or social mobilization
The Cyberspace Administration of China (“CAC”) issued the Regulation on the Safety Assessment for Internet Services Capable of Creating Public Opinions Or Social Mobilization ("Regulation") on 15 November 2018, which will come into effect on 30 November 2018.
Under the Regulation, internet services capable of creating public opinions (“Service”) includes (1) running BBS, blogs, microblogs, chat rooms, communication groups, public accounts, short videos, online streaming，information sharing, small program and other information services with corresponding functions; (2) other internet information services that provides a channel for public opinions or is capable of encouraging the public to conduct such activities.
The Regulation requires that, under the following circumstances, an internet information service provider (“Provider”) must conduct a safety assessment: (1) when a Service is made available or adds the relevant corresponding functions; (2) using new technologies or applications, which results in a significant change in the capacity of the Service; (3) a significant increase in the size of users, which results in a significant change in the capacity of the Service; (4) the spread of illegal or harmful information, which would indicate that the existing safety measures are not capable of preventing and controlling cybersecurity risks; and (5) any other circumstances requiring a safety assessment in writing as stipulated by the competent authorities.
A Provider may conduct a safety assessment by itself or by entrusting a third party. The focus of the safety assessment should be based on the legitimacy of the internet information service, new technology and applications, the effectiveness of the safety measures stipulated by the relevant laws and regulations and the effectiveness of preventing and controlling the security risks. Following the completion of the safety assessment, the Provider must submit a safety report to the competent authorities.
Please click here to read the full text (Chinese only) of the Regulation.
MIIT issues the work plan for soliciting units to undertake key tasks of innovation in the next generation artificial intelligence industry
The Ministry of Industry and Information Technology (“MIIT”) issues the Work Plan for Soliciting Units to Undertake Key Tasks of Innovation in the Next Generation Artificial Intelligence Industry (“Plan”) on 14 November 2018.
The Plan aims to select a group of units with key technologies and strong innovation capabilities to develop a number of artificial intelligence (“AI”) products, platforms and services. The Plan calls for intensive efforts in 17 different directions and segments, and states the tasks and expected goals respectively.
As for AI products, the tasks include the innovation of AI connected vehicles, AI service robots, AI unmanned aerial vehicles, medical imaging auxiliary diagnostic systems, video image personal identity verification systems, AI voice interaction systems, AI translation systems and AI home appliance. Other core innovation tasks includes intelligent sensors, neutral network chips, open-source and open platforms, among others.
Under the Plan, relevant enterprises, universities, research institution and other related legal entities engaged in AI may, individually or jointly, apply to become a task undertaker. The applicants must possess strong innovation capabilities and relevant IP rights for the applied task. The applicants should promise to deliver the task result within specified time limit.
Please click here to read the full text (Chinese only) of the Plan.
MIIT issues the implementation opinions of the standardisation of industry and communication field to serve the construction of “one belt one road”
The MIIT issued the Implementation Opinions of the Standardisation of Industry and Communication Field to Serve the Construction of "One Belt One Road" (“Opinions”) on 12 November 2018.
The Opinions emphasize the requirements on promoting the standardisation of co-operation in the information and communication field and the internet and advanced manufacturing field, amongst others.
For the information and communication field, the Opinions list various key areas for strengthening the co-operation and standardisation of this field with the countries along the “One Belt One Road” initiative, including co-operation on new generations of information technology, smart cities, Beidou satellite navigation, construction of communication engineering, network interconnection, and telecoms business services. For the internet and advanced manufacturing field, the key areas include intelligent manufacturing, industrial internet, and car networking, amongst others.
Please click here to read the full text (Chinese only) of the Opinions.
MIIT issues the action plan for promoting comprehensive action against nuisance calls
The MIIT issued the Action Plan for Promoting Comprehensive Action Against Nuisance Calls ("Action Plan") on 2 November 2018.
The Action Plan requires basic telecoms enterprises to (1) conduct inspections on certain telephone number sources; (2) not provide telephone numbers for any outgoing calls businesses of any operational call centers; (3) not provide telephone numbers to any illegal operations; (4) strictly implement standing book management and ensure the accuracy of such records; (5) strictly review the profiles and qualifications of users and the actual usage of telephone number resources; (6) strengthen contract management with their clients; (7) implement calling authentication and intercept all unauthenticated calls; and (8) establish and improve the interception system of nuisance calls.
Call centers enterprises are also required to (1) not conduct business beyond the agreed scope with telecoms providers, or transfer or sublet its telephone number source illegally; (2) obtain consent from their clients prior to conducting outgoing marketing calls and keep a corresponding record for the purposes of inspection; and (3) not call a client if such client explicitly refuses any specific calls.
The other businesses affected include: (1) Internet enterprises, who are required to cut off and clear out all harassment software and applications on their platform; (2) mobile terminal manufacturers and other related enterprises, who required to install and develop useful functions and applications to help end users to mark and alert nuisance numbers; and (3) basic telecoms enterprises and mobile communications resale enterprises, who are required to establish and improve the complaints mechanism of nuisance calls.
Please click here to read the full text (Chinese only) of the Action Plan.
MOHURD issues the draft technical standards for internet cyber security facilities
The Ministry of Housing and Urban-Rural Development (“MOHURD”) issued the Draft Technical Standards for Internet Cyber Security Facilities (“Draft Standards”) on 18 October 2018, which will be a compulsory national standard once finalised and published.
The Draft Standards were drafted in accordance with the requirements stipulated in the PRC Cybersecurity Law, which states that key information infrastructure and the technical security measures should be planned, established and used concurrently.
The design of a cybersecurity project is the focus of the Draft Standards. The design must satisfy the project requirements of related functions, performance, quality and project investment of internet cyber security. To be specific:
- The design of the protection facilities (including access control, users authentication, intrusion prevention, abnormal traffic cleaning, virus filtering, spam filtering and sensitive encryption facilities) must consider the use of various security protection facilities, in order to realise the protection and defence in depth.
- The design of the monitoring facilities (including intrusion detection, leak scanning detection, website security monitoring, virus scanning detection, sensitive information monitoring, and security situational awareness facilities) must consider implementing comprehensive security monitoring measures, to ensure the identification and analysis of security threats, flaws and incidents in time.
- The design of the audit facilities (including network audit, database audit, application audit and user behaviour audit facilities) must multiple types of audit measures to the identification, tracing and evidence collection of cybersecurity attacks.
- The design of the emergency disaster recovery facilities shall be based on the technical requirements of the corresponding disaster recovery capability levels, and the corresponding disaster recovery system technical solutions shall be formulated in accordance with the disaster recovery strategy, including the requirement of a data backup system, backup data processing system and back network system.
The Draft Standards also provide requirements on implementation, acceptance and inspection of a cybersecurity project and maintenance of cybersecurity facilities.
Please click here to read the full text (Chinese only) of the Standards.