Standard published to guide the classification of cybersecurity protection levels
The long-awaited “GB/T 22240-2020 Information Security Technology - Classification Guide for Classified Protection of Cybersecurity” was published on 28 April 2020 and will come into force on 1 November 2020.
This Guide is one of the most fundamental technical standards setting out how a network operator can assess and determine the cybersecurity protection level of information systems (e.g. websites and OA systems, cloud computing platforms, IoTs, and industrial control systems), systems adopting mobile internet technologies (e.g. a system including mobile terminals, mobile applications and wireless networks), and the communication network infrastructures (or “Targets”) that it operates.
According to the Guide, Targets will be classified into five levels depending on their importance to national security, the economy and social life, and the damage that they could cause to national security, public interests, and the lawful rights of relevant parties if their functionalities are disrupted. The assessment will focus on both the business information security and the system service security aspects of a Target. The two aspects will first be classified separately. The higher of the two will determine the final cybersecurity protection level of the Target.
Please click here for the full text (Chinese only) of the Guide.
Privacy and data protection requirements emphasised in China’s first Civil Code
China published its first Civil Code on 28 May 2020, which will take effect on 1 January 2021. It is a wide-ranging legislative package that includes strengthened protection of privacy and personal data. Many privacy and data protection requirements that were previously scattered across different regulations and technical standards have now been included in the Civil Code, which not only indicates the regulators’ intention to better enforce the requirements in practice, but also suggests that more gaps and uncertainties existing in the current consumer-protection regime might be further clarified by subsequent implementation rules.
For example, for the first time, “privacy” has a definition at the statutory level; virtual identities (e.g. nicknames, stage names) can enjoy certain protections under personality rights; data subjects’ rights to erasure are confirmed, and protections on minors’ interests are emphasised.
FDI restrictions on telecom service operations further lifted in free trade zones
The MIIT published a notice on 18 May 2020 to further open a few categories of value-added telecom services (e.g. operation of App stores, domestic IP-VPN services, domestic multi-party communication services, store and forward services, call centre services and internet access services) to foreign direct investment in free trade zones in China.
In order to enjoy the beneficial foreign investment policies and apply for the relevant operational licences, a foreign invested enterprise applicant must be registered within a free trade zone and must locate all the service facilities within the zone. (The exception is that server nodes can be located outside of the zone for the purposes of speeding up services.) Within the original Shanghai free trade zone (i.e. the original coverage of 28.8 km²), the special local policies published in 2014 concerning qualification requirements and application procedures remain applicable. Within other free trade zones, the general requirements and procedures applicable to all foreign invested enterprise applicants (e.g. those registered outside of the zones) will apply. Except for internet access services, the service scope of a successful applicant can be nation-wide.
Please click here for the full text (Chinese only) of the notice.
China tech giants to seek secondary listings in Hong Kong
On 20 May 2020, the US Senate passed the Holding Foreign Companies Accountable Act, which will impose more general scrutiny on Chinese companies listed in the US. The bill will need to pass the House of Representatives and be signed by the President to be effective. If the bill becomes law, it requires, among other things, US-listed foreign companies to provide documents to the US Securities and Exchange Commission (SEC) to establish and confirm that a company is not owned or controlled by a foreign government, and further, to bar trading in any shares where the foreign companies’ auditors cannot be inspected by the Public Company Accounting Oversight Board for three consecutive years.
Amid rising tensions between the US and China in trade and technology, it is expected that a growing number of US-listed Chinese tech companies will aim for a secondary listing in Hong Kong (if they haven't already) as a hedge against geopolitical risks. According to Chapter 19C of the Main Board Listing Rules, companies with the following characteristics are eligible for a secondary listing route in Hong Kong:
- Companies involved in “innovation,” with at least two years of listing status on the New York Stock Exchange, Nasdaq or premium listings on the London Stock Exchange and good records of compliance for at least two financial years.
- Companies capitalised at no less than HKD 10 billion (USD 1.27 billion).
- If their shareholding structures are based on weighted voting rights (WVR), and they are based anywhere in Greater China, companies need to have at least HKD 1 billion in revenue in the most recent financial year, if they are capitalised at less than HKD 40 billion.
Shares of Nasdaq-listed NetEase and JD.com will begin trading on the Hong Kong stock exchange on 11 June and 18 June respectively.
Advisory on Handling Personal Data by Business Premises
Earlier, on 1 May 2020, Malaysia passed a Conditional Movement Control Order (CMCO) which set out various restrictions that apply in response to Covid-19. On 29 May 2020, the Ministry of Communications and Multimedia of Malaysia (KKMM) issued an Advisory Notice setting out specific personal data collection and processing requirements for business premises during the CMCO period.
Specifically, business premises can only collect names, contact numbers, date and time of attendance of the visitor or customer for recording, whether manually or digitally. Business premises are also required to display a notice in a conspicuous place for visitors and customers on the purpose of collecting such personal data, and that personal data collected is for informational purposes for contact tracing in accordance with the Malaysian Prevention and Control of Infectious Diseases Act 1988 (Act 342). The KKMM also specified that the information collected must be destroyed and permanently deleted within 6 months after the end of the CMCO period, and non-compliance with the Advisory Notice will result in an offence under the Malaysian Personal Data Protection Act 2010 (Act 7090).
The official press release relating to the advisory notice (in Malaysian) can be found here.
Public consultation on Singapore Personal Data Protection Act and Spam Control Act
On 14 May 2020, the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) released an online public consultation on a draft bill proposing changes to the Personal Data Protection Act and Spam Control Act. The tabled changes were consolidated and gathered from feedback received by the MCI and PDPC during three public consultations held between 2017 and 2019. Consultations officially closed on 28 May 2020.
The key amendments in this draft bill included positions more aligned with data protection laws of other jurisdictions, including mandatory breach notification and enhanced financial penalties for breaches of up to 10% of the offending organisation’s annual turnover or SGD 1 million, whichever is higher. Other amendments included updating the law based on modern developments, including tightening anti-spam laws to cover unsolicited messages over instant messaging accounts (e.g. Telegram and WhatsApp), expanding the scope for deemed consent and introducing two new exceptions to consent (“legitimate interests” and “business improvement”). A new data-portability right granted to individuals, allowing individuals to request personal data to be transferred to another organisation in a commonly used machine-readable format, is an example of amendments included to enhance choice for consumers between data-driven service providers.
For the detailed Law-Now update, please click here.
Cross-border personal data transfer rules recognising APEC certifications
On 20 February 2018, Singapore joined the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) System to enable Singapore companies to obtain certification under the APEC CBPR to facilitate transfers of personal data between member states.
As a next step, the Personal Data Protection Commission has revised regulations in order to recognise, from 1 June 2020, APEC CBPR certification as a means of complying with the transfer obligation under the Personal Data Protection Act.
APEC CBPR certification now provides an additional basis to meet the restrictions on cross-border personal data transfer from Singapore, in addition to other commonly used mechanisms, such as consent, entering into a legally binding data transfer or a data processing agreement (between third parties) or binding corporate rules (between related entities).
Collaboration for first 5G Industry 4.0 trial
IBM, Singapore’s Infocomm Media Development Authority (IMDA), M1 Limited (M1) and Samsung announced on 6 May 2020 that they will collaborate on Singapore’s first 5G Industry 4.0 trial. The trial will focus on three partnership areas: 5G innovation (to design, develop, test and benchmark 5G-enabled Industry 4.0 solutions across industries), 5G solution showcase (to feature solutions powered by 5G while leveraging on Internet-of-Things and Artificial Intelligence), and 5G solutions roll-out (to evaluate successful solutions for possible use within operations of IBM and Samsung in a broad range of markets and sectors). In particular, this partnership will focus on manufacturing "uses", such as automated visual inspection using AI, improved equipment monitoring and predictive maintenance using AI, and assembly and debugging using augmented reality to improve productivity and quality.
Official press release by the IMDA can be accessed here.