China Monthly TMT Update – March 2020

China

China publishes guidelines for industrial data classification

On 4 March 2020, the Ministry of Industry and Information Technology published the Guidelines for Industrial Data Classification (for Trial Implementation) (“Guidelines”).

The Guidelines apply to data generated and applied throughout the life cycle of products and services in the industrial field (including but not limited to data generated and used by industrial enterprises in research and development, design, manufacturing, operation management, and operation and maintenance services), and data generated and used by industrial internet platform enterprises (e.g. industrial control systems ICS) in the process of device access, platform operation, and industrial APP applications.

The Guidelines, when being used together with the Data Management Capability Maturity Assessment Model (DCMM) (GB/T 36073-2018), are expected to guide enterprises to apply suitable data-protection technologies, optimise management processes, reform organisational systems, and improve overall industrial data management capabilities.

In regard to data sharing, the Guidelines encourage the sharing and big data analysis of Category I data to fully utilise the value of the data. Category II data should only be shared with parties who have a legitimate need to obtain such data. Category III data in principle shall not be shared.

Please click here for the full text (Chinese only) of the Guidelines.

China publishes new Personal Information Security Specification 

On 7 March 2020, China published an updated version of the Personal Information Security Specification (“New Specification”), which will take effect on 1 October 2020 and substitute the current 2017 version.

The New Specification adds a series of requirements to prevent excessive collection of personal data, sets out new rules for user profiling and personalised display, imposes additional requirements on data controllers when including third-party plugins, and adjusts certain requirements on the necessary internal organisational measures that a data controller must establish. The New Specification also introduces a new set of special rules applicable to the collection and processing of personal biometric data.

For more details, please click here to read the Law-Now article.

Guidance published to guide remote working cybersecurity protection

In light of the outbreak of COVID-19, more Chinese companies have started to implement remote work-from-home policies. The National Information Security Standardisation Technical Committee published the Practical Guidance for Implementing Cybersecurity Standards - Remote Working Security Protection (“Guidance”).

The Guidance analyses the cybersecurity risks concerning the operation and use of communication networks, office systems, terminal devices, data and personal information, which are involved in typical remote working scenarios. It also  recommends both technical and organisational measures that companies and end users can implement to prevent or mitigate risks.

Please click here for the full text of the Guidance (Chinese only).

China publishes innovative development strategy for intelligent vehicles

On 10 February 2020, the National Development and Reform Commission together with ten other departments published the Innovative Development Strategy for Intelligent Vehicles (“Strategy”).

According to the Strategy, by 2025 vehicle wireless communication networks (e.g. LTE-V2X) will cover main regions, and the new generation of the vehicle wireless communication network (5G-V2X) will be available in certain cities and highways. High-precision space-time reference service networks will basically cover all regions in China. The carrying out of larger scale road testing is encouraged in designated cities with a focus on testing the accuracy of vehicle environment perception, scene-positioning accuracy, and decision-control rationality.

Legal issues including the liability allocation (e.g. among manufacturers, registered owners and system developers), cybersecurity, and insurance requirements are also expected to be included in the legislator's agenda.

Please click here for the full text of the Strategy (Chinese only).

Draft guidance for personal data impact assessment  available for mobile application operators

Statistics show that mobile applications (Apps) have become one of the most important channels for collecting personal data. To guide the impact assessment work of App operators, a draft guidance was published and public opinions are being solicited on it until 2 April 2020.

The guidance suggests that App operators consider the following critical aspects when assessing the impact of their personal data collection and processing activities, which include whether all necessary information (e.g. the scope, purposes and any third-parties involved) on privacy policies have been communicated to data subjects in an easily accessible and reader-friendly way; whether data subjects’ consent (e.g. on collection, processing and potential sharing) is duly obtained; whether the collection is in line with the minimisation principle without excessive collection; and whether effective mechanisms are established to enable data subjects to exercise their legal rights (e.g. right to access, correction and erasure) and register complaints.

Please click here for the full text of the guidance (Chinese only).