China Monthly TMT Update – April 2020 

Draft published to guide the formulation of network data security standards

The Ministry of Industry and Information Technology (“MIIT”) published the draft Guide on the Establishment of the Network Data Security Standard System (“Draft”) and will solicit public opinions until 9 May 2020. According to the Draft, a network data security standard system includes fundamental and common standards, key technology standards, security management standards and standards for vital areas.

Fundamental and common standards mainly focus on term definitions, data security framework, and data classification. Key technology standards focus on the technologies involved in data collection, transmission, storage, processing, exchange, destruction and other dimensions of data lifecycle. Security management standards guide the industry to effectively implement the requirements concerning data security specifications, data security assessment, monitoring, early warning and disposal, emergency response and disaster backup, and security capability certification. The standards for vital areas focus on areas such as 5G, mobile networks, IoTs, cloud computing, big data and AI.

A list of the main standards to be formulated under the system will be attached with the draft, indicating the areas where further detailed standards and specifications will be available to guide its practice.

Click here for the full text (Chinese only) of the Draft.

Draft guidelines for personal information security protection available for mobile application operators

Mobile internet applications have become one of the most important channels to collect personal information. To guide the data security operation of application operators, the National Information Security Standardisation Technical Committee published draft Guidelines for the Safety Protection of Personal Information via Mobile Internet Applications (“Draft”) on 30 March 2020.

The Draft describes the common personal information protection issues involved in the operation of mobile applications, which include collecting personal information beyond the consented scope, setting unreasonable restrictions on de-registration of user accounts, bundling functions and requesting one-blanket consent from users, not providing privacy policies, setting users’ consent as the default choice, not fully stating the rules for the use of sensitive personal information, not clarifying the purpose of processing, not providing the function or channel for users to request the deletion or correction or submit complains, not following the content of the consented privacy policies, and not informing users of the collection of personal information by third party SDKs.

Tailor-made to each non-compliant issue, the Draft recommends corrective actions, and includes the major standards and rules that operators should take as a reference when formulating future compliance plans.

Click here for the full text (Chinese only) of the Draft.

China publishes strategy for accelerating 5G development

On 24 March 2020, the MIIT published the Circular on Accelerating 5G Development (“Circular”). It contains 18 measures on different aspects of 5G, including accelerating the construction and establishment of basic infrastructure, expanding the use of 5G technologies in different contexts (e.g. intelligent vehicles and health care services), enhancing 5G-related R&D activities, and establishing relevant cyber security and data security protection systems.

The high-level principles mentioned in the Circular are expected to be further developed and implemented by the relevant government authorities within their jurisdictions. Following the launch of commercial 5G ahead of schedule in November 2019, this new strategy aims to set new goals for expediting the development and broader application of 5G technologies in China.

Click here for the full text (Chinese only) of the Circular.

Measures published for facilitating the further development of industrial internet

On 20 March 2020, the MIIT published the Circular on Facilitating the Expedited Development of Industrial Internet (“Circular”).

Among the 20 measures in the Circular, enterprises are encouraged to expedite the transfer of industrial device networks and business systems from local clients to the cloud. New standards will be published to guide enterprises in classifying their industrial networks into different security protection levels, and to take the required protection measures. The government plans to impose on-site or remote inspections on the security operation of 20 selected industrial platforms and 100 selected industrial applications, and to increase the monitoring capability to cover 150 key platforms and more than 100,000 enterprises in the future.

Click here for the full text (Chinese only) of the Circular.

Report published on personal information protection status in different industries

China's Academy of Information and Communications Technology (“CAICT”) published the “Internet Plus Industry - Research Report on Personal Information Protection” (“Report”) for March 2020.

The Report discusses the personal information protection status of different industries, with a focus on the online business models involved. In particular, it discusses the risks and challenges of personal information protection in the context of e-commerce, healthcare, smart home and travel services. The report includes rich statistical data and real-case analysis, and a tracker of the major enforcement actions taken by government authorities. It also includes recommended actions for operators engaging in similar business activities.

CAICT was established under MIIT and works under its supervision. The information shared via this Report indicates the views and administrative approaches that MIIT might consider in future administrative work.

Click here for the full text (Chinese only) of the Report.