China Cybersecurity and Data Protection: Monthly Update - August 2024 Issue

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.

Key Highlights

In July 2024, China strengthened the publication and implementation of regulations and policies in the areas of data governance, personal information protection, and geographic information management for intelligent connected vehicles. These efforts aim to standardise data processing, promote data flow, and ensure data security and user rights protection:

• Data Governance: Various provinces and cities, including Hunan and Guangzhou, released or proposed data-related regulations to enhance data management, promote data flow, and protect data rights. These regulations focus on standardising data processing, promoting data sharing and cross-border flow, facilitating data transactions, and ensuring high-quality development of the data element market. The Global Digital Economy Conference also issued norms for data right confirmation and authorisation processes to address issues related to data transfer rights in complex scenarios.
• Personal Information Protection: The Ministry of Public Security, the Cyberspace Administration of China (“CAC”), and local CACs have released and implemented various regulations and policies aimed at enhancing the protection of citizens’ personal information, standardising data processing, promoting data flow, and safeguarding user rights. Key measures include the release of management measures concerning network identity authentication, standards for personal information protection compliance audit, and guidelines on APP information protection. Special rectification actions, such as the “Clear and Bright” initiative, inspections, and governance actions, have been launched. Local CACs also conducted inspections and imposed penalties on illegal personal information collection and usage, with case analyses published to raise compliance awareness and information security.
• Intelligent Connected Vehicles: The Ministry of Natural Resources (“MNR”) and Shanghai released several regulations and standards related to intelligent connected vehicles and geographic information data management. These aim to enhance geographic information data security management, regulate surveying activities, promote data sharing, and ensure the safe and compliant development of the intelligent connected vehicle industry. The MNR mandated that geographic information data must be stored domestically and strengthened the management of classified information. The MNR also proposed provisions for standard data of basic geographic information. Additionally, Shanghai released guidelines for intelligent connected vehicle data sharing systems, providing recommendations to ensure secure, compliant, and efficient data sharing.

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. Ministry of Public Security and CAC jointly issue management measures regulating network identity authentication (26 July)

The Ministry of Public Security and the CAC issued the National Network Identity Authentication Public Service Management Measures (Draft for Comments) to enhance personal information protection and advance public network identity authentication services, promoting the digital economy. The measures specify the usage of “network ID” and “network certificate,” data protection obligations of public service and internet platforms, and corresponding legal responsibilities. The measures further encourage voluntary use of network IDs and certificates for identity registration and verification, minimizing the collection and storage of plaintext identity information to ensure data security and protect user rights.

2. MNR required strengthening geographic information security management for intelligent connected vehicles, with data stored domestically (26 July)

The MNR issued a notice requiring local authorities to regulate surveying activities, strengthen the management of classified and sensitive geographic information data, rigorously review navigation electronic maps, enforce data storage and export regulations, and improve security oversight. The notice also mandates compliance with data storage and export requirements while encouraging the exploration of safe applications and optimising public geographic information services. Additionally, it calls for improving the security oversight system and enhancing legal revisions and public education to ensure the safe and compliant development of intelligent connected vehicles.

3. TC260 proposed national standard for personal information protection compliance audits (12 July)

The National Information Security Standardisation Technical Committee (“TC260”) issued the Data Security Technology: Requirements for Personal Information Protection Compliance Audits (Draft for Comments). This standard outlines principles and requirements for compliance audits related to personal information protection, applicable to personal information processors. The standard emphasises principles of legality, independence, objectivity, and confidentiality. It details the audit process, evidence management, and auditor requirements, and provides guidelines on audit flowcharts, evidence types, content, and methods to ensure lawful, compliant, and secure personal information processing activities.

4. MNR proposed mandatory national standard for basic geographic information standard data (5 July)

The MNR issued the Basic Provisions for Standard Data of Basic Geographic Information (Draft for Comments), setting requirements for basic geographic information standard data from four aspects, namely: spatiotemporal benchmarks, data content, production processes, and data recognition. The standard aims to ensure the reliability and standardisation of geographic information platforms and related information systems, promote information sharing and integration, and protect the interests of producers and users of basic geographic information data.

5. State Council held executive meeting to discuss and plan high-quality development of the digital economy (5 July)

Premier Li Qiang presided over the State Council executive meeting to discuss and plan the advancement of high-quality development in the digital economy. The meeting emphasised the deep integration of the digital economy with the real economy, the promotion of innovative drug development, and the enhancement of the overall strength of the western regions and coastal new areas. Additionally, the meeting called for deepening reforms and innovations in free trade zones to better support the role of the Beijing-Tianjin-Hebei region as a driving force for high-quality development.

6. MIIT and three departments issued 2024 guidelines to guide the construction of the national AI industry comprehensive standardization system (2 July)

The Ministry of Industry and Information Technology (“MIIT”) issued the Guidelines for the Construction of the National AI Industry Comprehensive Standardization System (2024 Edition). These guidelines aim to accelerate AI standardisation efforts and establish a high-quality development standard system, emphasising the deep integration of AI technology with the real economy, enhancing overall industry strength, and ensuring industry safety. The guidelines cover seven sections, namely, basic commonalities, foundational support, key technologies, intelligent products and services, enabling new industrialisation, industry applications, and security/governance. The goal is to formulate over 50 national and industrial standards by 2026, promoting enterprise innovation and international cooperation.

7. Shanghai issued local standards for intelligent connected vehicle data sharing systems (23 July)

Shanghai released the Guidelines for Intelligent Connected Vehicle Data Sharing Systems (Draft for Comments), offering guidance on intelligent connected vehicle data sharing systems, from aspects including data types, functionalities, management, and security, etc. The guidelines, applicable to vehicle manufacturers and related industry platforms in Shanghai, emphasise secure, compliant, and efficient data sharing. The guidelines also cover the entire data lifecycle, from access and processing to transmission, storage, sharing, and application, aiming to promote the effective use and development of data concerning intelligent connected vehicle.

8. Shanghai Internet Association issued compliance guidelines on APP personal information and user rights protection (17 July)

The Shanghai Internet Association released the Compliance Guidelines for Personal Information and User Rights Protection in Mobile Internet Applications. These guidelines provide detailed instructions for developers and operators of mobile internet applications to comply with national and local laws and regulations, ensuring the security of personal information and the protection of user rights. The guidelines cover the management during the entire lifecycle of personal information, including collection, storage, use, transmission, sharing, and disposal, as well as specific requirements for protecting user rights.

9. Hunan Province proposed data regulations to enhance data management and utilisation (16 July)

Hunan Province sought public comments on the Hunan Province Data Regulations (Draft), aimed at standardising data processing activities, strengthening data management and utilisation, and protecting data rights. The regulations cover data rights protection, data resource management, data market development, data application, and data security supervision. Key aspects include defining public and non-public data, protecting personal information and data processors’ rights, promoting data sharing and openness, regulating data transactions, and establishing data security responsibilities and legal liabilities. The regulations emphasise rational development and security of data resources to foster a healthy data market.

10. Guizhou Province issued regulations to promote data circulation and regulate data element registration services (31 July)

The Standing Committee of the Guizhou Provincial People’s Congress officially passed the Guizhou Province Data Circulation and Trading Promotion Regulations, effective from 28 August 2024. The regulations consist of eight chapters, addressing aspects such as data trading venues, authorised data use, data rights protection, fostering a data circulation and trading ecosystem, security guarantees, and legal responsibilities.

Guangzhou released the Guangzhou Data Regulations (Draft for Public Comment) to protect data rights, promote data circulation, ensure data security, and support high-quality development. The regulations cover responsibilities for data management, protection of data rights, management of public data, development of the data element market, promotion of data applications, and data cooperation within the Guangdong-Hong Kong-Macao Greater Bay Area. Emphasis is placed on establishing data security mechanisms, legal accountability, supporting data innovation, and integrating traditional services, fostering regional data sharing and cross-border data flow.

Enforcement Developments

12. MIIT announced the 6th batch of APPs (SDKs) violating user rights in 2024, involving 17 APPs and SDKs (29 July)

The MIIT released the 6th batch of 2024 APPs (SDKs) that infringe on user rights, involving 17 APPs and SDKs. The violations include unauthorised collection of personal information, frequent forced permission requests, disruptive pop-up ads, and incomplete SDK usage instructions.

13. Ministry of Public Security reported a property management company in Guangxi fined for failing to protect personal information (25 July)

A property management company in Guangxi was fined by the Ministry of Public Security for failing to fulfil personal information protection obligations. The company collected a large number of residents’ personal information during property management but did not secure the computers storing the information, lacked management systems, and carelessly handled the data, leading to a risk of information leakage. The company was required to rectify these issues following the administrative penalty.

14. Supreme People’s Court published a summary of key judgments on cases involving the crime of infringing on citizens’ personal information (15 July)

The Supreme People’s Court published key judgments related to the crime of infringing on citizens’ personal information, highlighting illegal activities such as the unauthorised acquisition, sale, and provision of personal information, including ID details, WeChat accounts, online shopping orders, and property information. These cases clarify the elements and applicable laws for this crime, emphasise the importance of proper information management and security, and apply to illegal online exposure of personal privacy. The summary also discusses standards for information sensitivity assessment.

15. CAC revealed that 19.923 million reports of illegal and harmful information were accepted nationwide by June 2024 (15 July)

In June 2024, the CAC’s Reporting Centre, along with local departments and major website platforms, accepted 19.923 million reports from the public concerning illegal and harmful information, such as pornography, gambling, infringement, and rumours. The Reporting Centre received 469,000 reports, while local departments received 1.273 million. Major website platforms will continue to streamline reporting channels and handle public complaints efficiently. Citizens are encouraged to actively participate in maintaining a clean cyberspace.

16. CAC launched the special action, namely, “Clear and Bright - 2024 Summer Internet Environment Rectification for Minors” (13 July)

The CAC launched the special action, namely, “Clear and Bright - 2024 Summer Internet Environment Rectification for Minors”, focusing on six key areas: short videos, live streaming, social media, e-commerce platforms, imitation APPs spreading harmful information, and inappropriate content on children’s smart devices. The campaign targets issues such as violent content, illegal information dissemination, soft-porn product sales, and disabled minor modes, etc. Local CAC will enforce these measures, crack down on violations, and hold platforms accountable to ensure a healthy and safe online environment for minors.

17. CAC released the second batch of typical cases in the special action of “Clear and Bright - Optimising the Online Business Environment by Rectifying Corporate Infringement Information Chaos” (2 July)

The CAC reported the second batch of typical cases involving online accounts that were shut down or silenced for publishing false information, coercing commercial cooperation, and defaming business reputations. These regulated actions including actions that distorting facts, spreading rumours, inciting group conflicts, maliciously interpreting business strategies, publishing negative information to extort cooperation, and fabricating relationships with entrepreneurs for hype, seriously disrupting business operations and damaging the reputation of companies and entrepreneurs.

18. Shanghai CAC conducted a special inspection on 21 Apps for personal information collection (30 July)

The Shanghai CAC conducted a special inspection on 21 apps, uncovering over 80 issues related to personal information collection. Problems included incomplete privacy policies, mandatory collection of unnecessary information, unclear disclosure of sensitive information usage, default acceptance of privacy policies, collection of irrelevant information, excessive frequency of data collection, lack of public collection rules, ineffective deactivation mechanisms, unauthorised information collection, and use of information beyond stated purposes. All APP operators have since rectified these issues. The administration reminds operators to comply with laws, ensure lawful and necessary data collection, provide clear privacy policies, and safeguard information security.

19. Shanghai CAC released the second batch of cases on illegal personal information collection in coffee consumption scenarios (2 July)

In the enforcement action of “Bright Sword Pujiang 2024”, the Shanghai CAC released the second batch of case analyses focusing on personal information protection in coffee consumption scenarios. Key issues including inducing the collection of phone numbers or following public accounts, not providing an option to disable targeted push notifications, and not offering a way to delete personal information. This action aims to encourage coffee businesses to self-inspect and rectify issues, adhere to the principles of “minimum necessary” and “informed consent,” and protect consumers’ personal information rights. Companies that fail to address issues adequately will face following legal actions.

20. Chongqing CAC launched a special governance action on personal information protection in QR code consumption (4 July)

The Chongqing CAC initiated a special governance action on personal information protection in QR code consumption, focusing on parking, dining, and shopping scenarios. The action addresses issues such as excessive collection, mandatory collection, induced solicitation, and misuse of personal information. Measures include reporting supervision, law enforcement inspections, public interest litigation, and media exposure, targeting four main problems: undisclosed personal information collection rules, unauthorised collection and use, collection of irrelevant information, and failure to fulfil information protection responsibilities. The aim of conducting this action is to strengthen compliance awareness, enforce responsibility, strictly penalise violations, and regularly publish governance outcomes and typical cases.

21. Zhejiang Communications Administration launched 2024 network and data security inspection in telecom and internet sectors (2 July)

The Zhejiang Communications Administration issued a notice for a special inspection on network and data security in the telecom and internet sectors from July to October 2024. The inspection covers 5G applications, internet data centres, online service halls, and more, focusing on the implementation of security protocols, technical protections, network security for major events, and data and personal information protection. All units must self-examine and rectify issues. Non-compliance may result in administrative penalties and blacklisting.

Industry Developments

22. Hangzhou Internet Court and comprehensive bonded zone signed cooperation agreement to support high-quality development of cross-border digital trade (24 July)

The Hangzhou Internet Court and Hangzhou Comprehensive Bonded Zone signed the 2.0 version of the Cooperation Agreement on Innovative Governance Mechanisms to Ensure High-Quality Development of Cross-Border Digital Trade and released the Guidelines for the Behaviour of Multiple Subjects in Cross-Border E-Commerce. This aims to improve the coordinated governance system for cross-border digital trade disputes, promote high-quality cross-border e-commerce development, and provide judicial support and guidance for building Zhejiang Free Trade Zone (Hangzhou Area) and the digital free trade zone.

23. National Data Bureau accelerated the improvement of institutional documents on data property rights and revenue distribution (22 July)

The National Data Bureau is accelerating the improvement and development of regulatory documents on data property rights, data circulation, revenue distribution, and security governance. The goal is to establish a sound data infrastructure system, address practical challenges, provide clear rules and guidance, build a unified national data market, and ensure efficient promotion of data supply, circulation, use, and security governance, thereby driving the market-oriented allocation reform concerning data elements.

24. Central Finance Office emphasised establishing an efficient and secure data cross-border flow mechanism (19 July)

Office of the Central Finance and Economic Committee emphasised the need to establish an efficient, convenient, and secure mechanism for data cross-border flow. Despite a current decline in foreign investment utilisation, improvements in the business environment and increasing market opportunities are expected to reverse this trend. The office highlighted the importance of creating a transparent, stable, and predictable institutional environment, easing market access, expanding service sector openness, and ensuring national treatment and legal rights for foreign enterprises.

25. Shenzhen CAC announced cross-border data policy consultation hotline and work guidelines (14 July)

The Shenzhen CAC released a consultation hotline and some work guidelines for cross-border data policies. The initiative includes a dedicated service hotline and a comprehensive guide to assist personal information processors in legally and orderly conducting cross-border data activities. The guidelines cover topics such as reporting entities, scenarios, methods, and processes, emphasising risk assessment and security management to ensure compliance with relevant laws and regulations during cross-border data transfers.

26. Beijing Arbitration Commission established Digital Economy Arbitration Centre at Global Digital Economy Conference (4 July)

The Beijing Arbitration Commission established the Digital Economy Arbitration Centre at the 2024 Global Digital Economy Conference to specialise in resolving data disputes and promoting the compliant and efficient development of the data element market. The centre aims to provide legal support for the Beijing International Big Data Exchange and related enterprises, advance Beijing’s “Two Zones” development, and enhance China’s influence in international digital economy rulemaking.

27. Global Digital Economy Conference successfully held, issued norms for data right confirmation and authorisation processes (5 July)

At the 2024 Global Digital Economy Conference, the Data Right Confirmation and Authorization Process Specifications were released, focusing on issues of data transfer rights confirmation and authorisation in complex scenarios. The specifications propose a widely applicable rights analysis model and standardised authorisation process, providing compliance standards and tool support for data circulation and cross-regional and cross-industry data integration. This initiative promotes the establishment of a data compliance circulation trust mechanism for mutual recognition of identity, rights, and authorisation.

28. Hangzhou issued implementation opinions to promote data element circulation and build “China Data Valley” (17 July)

The Hangzhou Municipal Government released the Implementation Opinions on High-Standard Construction of “China Data Valley” to promote data circulation and industrial development through market-oriented data element allocation reform. The opinions emphasise building a data institutional system, advancing data infrastructure, enhancing data resource supply, accelerating data market industry aggregation, exploring cross-regional data cooperation, leading data application scenarios, and establishing a support system. The goal is to establish high-quality data sets, promote public data authorised operations, gather data businesses, list data products and services, and create a public service demonstration platform for the data element industry by the end of 2026, fully realising the value of data elements.

29. Ningbo proposed policies to promote high-quality development of the data element market (3 July)

Ningbo released the Several Policies to Promote the High-Quality Development of the Data Element Market (Draft for Comments), aiming to implement opinions on national data infrastructure and execute the three-year action plan of “Data Element ×” to boost data market development. The policies include building an urban computing power network, ensuring existence of high-quality data sets, developing industry data circulation platforms, and securing high-quality development of data businesses, etc. The goal is to achieve a data product transaction volume of 1.5 billion yuan by 2027, driving high-quality economic and social development and fostering a thriving data industry.