This summary provides a selection of the most interesting recent legal and regulatory developments in the TMT sector in China:
Standard published to guide the classification of cybersecurity protection levels
The long waited "GB/T 22240-2020 Information Security Technology - Classification Guide for Classified Protection of Cybersecurity” (“Guide”) was published on 28 April 2020 and will come into force on 1 November 2020.
This Guide is one of the most fundamental technical standards setting out how a network operator can assess and determine the cybersecurity protection level of information systems (e.g. websites and OA systems, cloud computing platforms, IoTs, and industrial control systems), systems adopting mobile internet technologies (e.g. a system including mobile terminals, mobile applications and wireless networks), and communication network infrastructures (or “Targets”) that it operates.
According to the Guide, Targets will be classified into five levels depending on their importance to national security, economic, and social life, and the damage that they could cause to national security, public interests, and lawful rights of relevant parties if their functionalities are disrupted.
The assessment will focus on both the business information security and the system service security aspects of a Target. The two aspects will first be classified separately. The final cybersecurity protection of the Target will be determined by the higher one of the two.
Please click here for the full text (Chinese only) of the Guide.
List released of non-compliant violating personal data protection requirements
On 15 May 2020, the Ministry of Industry and Information Technology (“MIIT”) published a list of 16 mobile applications (“Apps”). The operators of these Apps violated personal data protection requirements and failed to make corrections within the designated remedy period.
The common violations included collecting or sharing personal data with third parties without obtaining the users’ consent; excessive collection of user personal data beyond the necessary scope; refusing to provide basic services unless users consented to excessive collection; disallowing users to disable targeted-push functions; requesting user consent too frequently; and setting unreasonable difficulties for users to de-register accounts.
This list is part of the results of nation-wide inspections in recent months on the personal data-protection status of Apps, which were organised by the authorities. The common violations that were identified are likely to become the enforcement focus for authorities in the future.
Please click here for the full text (Chinese only) of the Notice.
China publishes Cybersecurity Review Measures
On 27 April 2020, the Cyberspace Administration of China together with 11 other government departments published the Cybersecurity Review Measures (“Measures”), which applies to critical information infrastructure operators or CII Operators. The Measures will come into force on 1 June 2020.
According to the Measures, when a CII Operator purchases any network products or services (NPSs) with a potential effect on national security, this purchase must go through a cybersecurity review.
Factors that will be considered in the review include: the risks that the critical information infrastructure could be illegally controlled, interrupted or destroyed, and that important data can be breached, leaked or damaged when the NPSs are put into use; the ability of the critical information infrastructure to be able to function if the NPS supply is disrupted; important features of NPSs, including safety, openness, transparency, diversity of sources, and reliability of supply channels, and the risks of the supply being disrupted due to political, diplomatic, and trade factors; the compliance status of NPS suppliers under relevant Chinese laws, administrative regulations, and departmental regulations; and other factors that may jeopardise the critical information infrastructure and national security.
Please click here for the full text (Chinese only) of the Measures and here for a Law-Now article discussing this Measures in further detail.
Enforcement case reported against illegal collection of face images
On 7 May 2020, a fitness club in Jiangsu Province received an administrative warning and was ordered by the local public security bureau to correct its illegal collection of personal data including names, mobile phone numbers, and face images of more than 20,000 members, without informing authorities on the purpose of the collection, obtaining consent from the members, or taking necessary technical measures to protect the data collected. The local authority considers such activities a severe violation of personal data protection requirements, in particular the protection of biometric and other sensitive personal data including face images. This is reported to be the first enforcement case against illegal collection of face images in China.
In the new version of the Personal Information Security Specifications (which will take effect on 1 October 2020), the collection and processing of biometric personal data are subject to a series of strict requirements (e.g. explicit consent, and special protection measures). This case has been interpreted as a sign that more enforcement actions might be taken in this area.
FDI restrictions on telecom service operations further lifted in free trade zones
The MIIT published a notice on 18 May 2020 to further open a few categories of value-added telecom services (e.g. operation of App stores, domestic IP-VPN services, domestic multi-party communication services, store and forward services, call centre services and internet access services) to foreign direct investment in free trade zones in China.
In order to enjoy the beneficial foreign investment policies and apply for the relevant operational licences, a foreign invested enterprise applicant must be registered within a free trade zone and must locate all the service facilities within the zone. (The exception is that server nodes can be located outside of the zone for the purposes of speeding up services). Within the original Shanghai free trade zone (i.e. the original coverage of 28.8 km2), the special local policies remain applicable that were published in 2014 concerning qualification requirements and application procedures. Within other free trade zones, the general requirements and procedures applicable to all foreign invested enterprise applicants (e.g. those registered outside of the zones) will apply. Except for internet access services, the service scope of a successful applicant can be nation-wide.
Please click here for the full text (Chinese only) of the notice.