China Monthly TMT Update February 2020

CAC publishes guidance for identifying illegal collection and use of personal data via apps

The Cyberspace Administration of China (“CAC”), together with other government authorities, published the Guidance for Identifying Illegal Collection and Use of Personal Data via Mobile Application (“Guidance”) on 30 December 2019.

The Guidance describes 31 specific types of illegal activities that are commonly seen in the operation and use of mobile applications. Illegal activities include not presenting a privacy policy to users within four clicks after they open the home page of the app, or not making it available in simplified Chinese; setting user consent as a default option; not informing the users of the purpose, method and scope of the collection and use by third-party SDKs and APIs; not giving the users the option of receiving pushed information based on user profiling; or failing to process user requests to correct or delete their personal data within 15 working days.

Please click here to read a Law-Now article for more details.

SPC publishes new provisions for electronic data in civil procedures in China

The Supreme People’s Court (“SPC”) published the Decision on Revising the Several Provisions on Evidence in Civil Procedure (“Decision”) on 26 December 2019. The Decision will take effect on 1 May 2020.

The Decision clarifies the scope of electronic evidence and the general principles for presenting electronic evidence. It also sets out the factors that should be considered when identifying the authenticity of electronic evidence, including whether (i) the hardware and software environment of the computer system on which the electronic data is generated, stored and transmitted (a) is complete and reliable; (b) has effective monitoring and verification methods to prevent errors; (c) is in a normal operating state; or (d) if in an abnormal operating state has an impact on the generation, storage, and transmission of electronic data; (ii) the electronic data has been completely stored, transmitted, and extracted, and the methods of storage, transmission and extraction are reliable; (iii) the electronic data is formed and stored during normal activities of exchange; (iv) the subject who stores, transmits, and extracts the electronic data is appropriate; and (v) there are other factors affecting the integrity and reliability of the electronic data.

Please click here for the full text (Chinese only) of the Decision.

Draft measures for disclosure of e-commerce information published for comments

The Ministry of Commerce published the draft Administrative Measures for the Disclosure of E-commerce Information (“Draft”) so that public comments can be solicited by 12 March 2020.

The Draft requires an e-commerce operator (e.g. an e-commerce platform operator, a vendor operating an online store on a public e-commerce platform, or a company providing goods or services via its own website) to display or provide links to its business licence and any required administrative licences on a clearly visible place on its homepage.

Every e-commerce platform operator is also required to publish online the terms and conditions of the platform, the credit grading policies and disciplinary rules for vendors operating via its platform, and dispute resolutions. To further implement the IP protection obligations of an e-commerce platform operator, the Draft also requires the operator to publish IP infringement complaints against an in-platform vendor from an IP right holder and the vendor's response, both within 48 hours of receipt. If the platform operator does not receive notice regarding further actions (e.g. litigation) from the right holder within 48 hours after the publication of the vendor’s response, the operator must terminate any measures taken against the vendor (e.g. webpage block or suspension of the vendor's online transactions) and publish the relevant information.

Please click here for the full text (Chinese only) of the Draft.

PBOC publishes Personal Financial Information Protection Technical Specification

The People's Bank of China (“PBOC”) published the Personal Financial Information Protection Technical Specification (“Specification”) on 13 February 2020, which sets out best practices for handling personal information in the finance industry.

The Specification divides personal financial information into three categories (C3, C2 and C1) according to the degree of sensitivity and the damages that might result from a data breach. The C3 category includes user authentication information such as bank card track data, verification numbers, passwords and user biometric information. C2 includes personal financial information that can identify a user and his financial status, and key information used for providing financial products and services (e.g. payment account and relevant ID information, one-time password, information reflecting a user’s finance status, and KYC or know-your-client information). C1 includes personal information used by financial institutions such as bank account opening dates, and other non-C3 and non-C2 personal financial information.

The Specification stipulates technical and organisational protection requirements for personal financial information in all aspects of its life cycle, including collection, transmission, storage, usage, deletion and destruction. In particular, non-financial institutions are now allowed to be entrusted with or authorised to collect C3 or C2 information. In addition, all C3 information and C2 user authentication support information cannot be outsourced to a third party for processing, and must not be shared or disclosed to the public. Personal financial information collected or generated within China must be stored and processed within China. If the business requires a cross-border transfer, user consent must be obtained, a security assessment must be passed, and the business conducting the transfer must also be responsible for monitoring the data protection status of the recipient (e.g. via contracts or on-site inspections). During processing, the Specification requires financial institutions to implement de-identification or anonymisation measures where necessary. Examples of these measures are provided in the Annex.

Please click here for the full text (Chinese only) of the Specification.

Rules published to guide use of big data for epidemic prevention and control

To guide the use of personal data during the current fight against COVID-19 in China and future epidemic prevention and control activities, the CAC published the Circular on Ensuring Effective Personal Data Protection and Utilisation of Big Data to Support Joint Efforts for Epidemic Prevention and Control (“Circular”) on 4 February 2020.

According to the Circular, no party other than the institutions authorised by government health departments in accordance with the law (i.e. Cybersecurity Law, the Law on the Prevention and Treatment of Infectious Diseases, and the Regulations on Emergency Response to Public Health Emergencies) can collect or use personal data without obtaining the consent of data subjects, even for the purpose of epidemic prevention and control. The principle of minimisation should be followed during all data collection activities. Personal data must only be collected from the “susceptible” and “infectious” group and their close contacts. In principle, collection must not target a specific geographic area to avoid potential discrimination against persons from that area. The data collected must only be used for epidemic prevention and control. Without obtaining consent, names, ages, ID numbers, phone numbers or home addresses cannot be disclosed to the public, unless the disclosure is necessary for epidemic prevention and control and the data has been annoymised. Big data companies with appropriate capabilities should actively conduct analyses under the guidance of government authorities to predict the movements of people in order to support the formulation of effective control measures.

Please click here for the full text (Chinese only) of the Circular Ltd.