China Monthly TMT Update - June 2019

China

CAC issues Draft Measures for Security Assessment of Cross Border Transfer of Personal Information

On 13 June 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures for Security Assessment of Cross-Border Transfer of Personal Information (the “Draft”) for public comment.

In accordance with the Draft, if a network operator intends to transfer any personal information collected in China out of China, it shall go through security assessments conducted by the competent provincial CAC branch. If the transfer is considered to have negative influence on national security, public interest or security of personal information, the transfer shall be prohibited.

The Draft also provided that, the provincial CAC shall regularly conduct inspections regarding cross-border transfers of personal information. If any infringement of legitimate rights of personal information subjects or data leakage occurs, the competent local CAC shall require the network operator or the receiver of information via the network operator to rectify. If any significant data leakage or data abuse is incurred, or data subjects are unable to protect their legitimate rights, or a network operator or receiver cannot protect the security of personal information, the competent local CAC shall suspend or stop the cross border transfer of personal information.

It is worth noting that, the Draft refers to network operators as “network owners and administrators, and network service providers”, therefore, if this Draft is implemented, it could potentially affect all entities that operate a business through the Internet in China. We will continue to monitor the status of the Draft and update accordingly.

Please click here to read the full text of the Draft (Chinese only).

CAC issues the draft of Regulations of Personal Information Protection of Children

CAC issues the draft of Regulations of Personal Information Protection of Children (“Regulation”) on 31 May 2015.

Under the Regulation, a child refers to an individual under the age of 14. The Regulation provides that internet operator (each an “Operator”, together “Operators”) shall establish specific rules aiming to protect personal information of Children and name a designated person to take charge of personal information of Children. If an Operator collects or uses any personal information of children, it shall expressly notify and obtain express consent from the guardian of the child. Operators shall take encryption measures to store personal information of children.

If an Operator entrusts any third party to process the personal information of children, it shall conduct a security assessment of the entrusted party, and execute entrustment agreements to pinpoint the respective obligations. If an Operator and any third party use personal information of children together, it shall obtain express consent from the guardian of the child. If an Operator transfers personal information of children, it must conduct a security assessment and obtain express consent of the guardian.

Please click here to read the full text (Chinese only) of the Regulation.

CAC issues the draft of Administrative Measures on Data Security

CAC issued the draft of Administrative Measures on Data Security (“Draft”) on 28 May 2019.

In respect of data collections, the Draft provides that if an internet operator (each an “Operator” and together “Operators”) collects personal data by the web and an app separately, it shall establish and publish separate rules regarding both collections. Operators shall not discriminate any users based on the authorised scope of personal data. If an operator collects important or sensitive personal information for the purpose of business operations, it shall record this within local competent authorities and designate a specific person to take charge of the data security.

In respect of data processing and usage, Operators shall not violate the collection rules when using and processing personal data. If an Operator pushes any content, such as news or advertisements, to the users, it must expressly mark these with “push”, and provides options for users to stop pushing content. If an Operator publishes shares or transfers any important data overseas, it shall assess the security risks and get approval from the competent authorities.

Please click here to read the full text (Chinese only) of the Draft.

CAC issues the draft of Review Method of Cyber Security

The Cyberspace Administration of China (“CAC”) issued the draft of the Review Method of Cyber Security (“Draft”) on 21 May 2019.

The Draft focuses on the procurement of cyber products and services by operators of critical information infrastructure (“CII”) (each a “CII Operator”, collectively “CII Operators”), which may have or had influence on national security. Under the Draft, Operators are these who have been affirmed by relevant protective government departments of CII.

The Draft requires that when a CII Operator procures any cyber products or services, it shall predict and assess the potential risks of the implementation of these cyber products or services, and produce a security risk report. If the procurement may lead to any of the following circumstances, the CII Operator shall submit the procurement for a cybersecurity review:

(i) CII ceases functioning fully or its main functions are not able to operate;
(ii) a significant amount of personal information and important data is disclosed, lost, damaged or transmitted overseas;
(iii) maintenance, technical support, upgrade of the CII may threaten the security of the supply chain;
(iv) other severe potential security risks for CII.

In addition, CII Operators shall require providers of products or services, by way of binding legal instruments, to co-operate with cybersecurity reviews, and to agree expressly that the binding instruments shall come into effect upon the approvals of cybersecurity reviews.

When conducting a cybersecurity review, the relevant competent authority will mainly consider the following factors:

(i) the influence on the continuous stable operations of CII, including the possibility of CII being controlled, being disturbed, or being damaged;
(ii) a significant amount of personal information and important data is disclosed, lost, damaged or transmitted overseas;
(iii) the controllability, transparency of the products and services, and the security of the supply chains, including the non-technical reasons, such as political, diplomatic, trading, etc., which may cause the interruption of the supply of the products and services;
(iv) the influence on the relevant technologies and industries of national defense and military projects or CII;
(vi) the circumstances of products and services providers being controlled or funded by foreign governments; and
(vii) other factors which may cause harm to national security and security of CII.

In respect of security and controllability, it states providers of the products and services shall not facilitate the illegal obtainment of users’ data, illegal control or manipulation of users’ devices, and shall not extract improper interest from the reliance of the users, or force users to upgrade.

Please click here to read the full text (Chinese only) of the Draft.

CAC issues the Affirmation Method of Illegally and Improperly Collecting and Using Personal Information via Apps

The CAC issued the Affirmation Method of Illegally and Improperly collecting and Using Personal Information by Apps (the “Affirmation Method”) on 6 May 2019.

The Affirmation Method provides detailed circumstances of various illegal and improper collection and usage of personal information by Apps. In general, the Affirmation Method mainly focuses on the following aspects:

(i) Apps that do not publicize the collection and usage rules of personal information;
(ii) Apps that do not expressly state the purpose, the methods and the scope of collections and usage of personal information;
(iii) App that collect personal information without consent;
(iv) Apps that collect personal information that is related to the service provided by the Apps;
(v) Apps that provide personal information to others without consent;
(vi) Apps that do not provide deletion or collection methods of personal information required by law; and
(vii) Apps that infringe legitimate cyberspace rights of minors.

Please click here to read the full text (Chinese only) of the Regulations.

SAMR issues the Administrative Measures on Internet Transactions

The State Administration for Market Regulation (“SAMR”) issued the Administrative Measures on Internet transactions (“Measures”) on 30 April 2019. The Measures focus on certain important issues regarding various aspects of internet transactions.

The Measures require that, unless exempt, all internet transaction operators (each an “Operator”, collectively “Operators”) must register under the relevant competent authorities. Operators must publicise their business licences and related administrative licenses or the links to them on home pages or marked places of their website; if an operator is not required to obtain a business licence, it shall publicise its statements which state it does not require to obtaining a business licence, its business address, its contact information, or the links to them. Platform operators are required to submit information of all operators on its platforms which have completed registrations, such as business licences, administrative licences, to relevant competent authorities.

Operators shall collect or use information of users or Operators legally, and shall keep strictly confidential the personal information and trade secrets they obtained. Operators are not allowed to set unreasonable rules for users regarding inquiries, corrections, and deletion of personal information.

Operators shall behave themselves when trading online. They shall disclose information of products or services fully and accurately, and shall place the pricing information clearly. Operators shall not fabricate transactions, users’ reviews or delete negative reviews. In addition, they shall not illegally tie products or services for sales, shall not abuse a market dominant position, restrict transactions or charge unreasonable fees.

Platform operators shall establish fair service agreements and trading rules, establish and strengthen credit and review systems, display search results to users by various ways, verify and register the identities of Operators who would like to enter the platform, and establish an inspection system for the products and services on the platform, and deal with illegal information on the platform properly.

Please click here to read the full text (Chinese only) of the Measures.