LEGISLATION

NDRC, Ministry of Commerce: Encourage Foreign Investment in IT R&D, Design and Services

On 31 July 2020, NDRC and Ministry of Commerce jointly issued the Catalogue of Industries Encouraging Foreign Investment (2020 Edition) (Draft for Comment) ("Draft for Comment") for soliciting public comments. Compared with Catalogue of Industries Encouraging Foreign Investment (2019 Edition), Draft for Comment newly adds or expands the research and development of information technology, services and other items, including the "Internet of Things terminal development and manufacturing", "online education, online health care, online office system development and application of service", "DNA encoding compound library technology research and development", "fifth generation mobile communication technology development and application", "block chain technology research and development and application", etc. 1

Guangdong Explores to Include Internet Personal Information Protection into the Scope of Public Interest Litigation

On 29 July, the Standing Committee of the Guangdong Provincial People's Congress issued the Decision on Strengthening the Procuratorial Work on Public Interest Litigations. According to the Decision, procuratorial organs shall perform legal supervision duties, comprehensively utilize the methods of prelitigation suggestions, litigation, urging and supporting the file of litigation to explore and expand the scope of civil and administrative public interest litigations into new fields, such as internet personal information protection, and to establish and promote preventive public interest litigation system. 2

To Prevent Personal Information Security Risks, Guidelines for App Systems to Apply and Use Permissions Solicits Comments from the Public

On 29 July, The National Technical Committee for The Standardization of Information Security("TC260") issued the Practice Guide for Cybersecurity Standards -- Guidelines for Mobile Internet Application System (App) to apply and use permissions, and solicited comments from the public. This specification helps App operators to regulate the App systems' application and usage of permissions and prevent personal information security risks caused by improper use of system permissions. 3

The Security Requirements for the Supply Chain of Technology Products (Draft for Comment) is Issued, Supplier Shall Ensure that There is No Precedent of Supply Failure Due to Political Factors

On 27 July, TC260 solicited comments from the public on the Security Requirements for the Supply Chain of Information and Technology Products. The document set out the basic security requirements of the supply chain to be met by both the supplier and demander of information technology products and required the supplier to ensure that there is no precedent of supply failure due to political factors. 4

TC260 Issues the Self-Assessment Guidelines for Collection and Use of Personal Information by Mobile Internet Applications (App)

On 22 July, TC260 issued the Practice Guide for Cybersecurity Standards - Self-Assessment Guidelines for the Collection and Use of Personal Information by Mobile Internet Applications (App). The guideline summarizes 6 assessment points for Apps to collect and use personal information for App operators' references during self-assessment. Operators of small programs and fast apps can also refer to the applicable terms while conducting self-assessment. 5

SPC and NDRC to Strengthen the Protection of Data Rights and Personal Information Security

On 22 July, SPC and NDRC jointly issued the Opinions on Providing Judicial Services and Guarantees for Accelerating the Improvement of the Socialist Market Economy in the New Era, which outlines 31 points, including strengthening data rights and personal information security protection. The Opinions required to respect the rule of the socialist market economy and development practice of data related industries, protect the data collection, use, trade, and the resulting intellectual achievements, improving the law system of data protection, proper handle data related disputes, promote deep fusion of large data and other new technologies, new areas and new formats, provide services for the market of data element to innovate and develop. The Opinions also requires to implement the provisions of the Personality Rights Section of the Civil Code on the protection of personality interests, improve the judicial protection mechanism for the rights and interests of personal information such as natural persons' biological and social data, grasp the boundary between the development of information technology and the protection of personal information, and balance the relationship between personal information and public interests. 6

Tianjin Releases Interim Measures for the Open and Management of Public Data Resource

On 22 July, the Tianjin Cyberspace Administration released the Interim Measures of Tianjin Municipality for the Open and Management of Public Data Resource (Interim Measures"), aiming at standardizing and promoting the opening of public data resources and promoting the development of the digital economy. The Interim Measures consists of 37 articles under the following 7 chapters: (i) general provisions; (ii) opening mechanism; (iii) opening platform; (iv) development and utilization; (v) supervision and guarantee; (vi) legal liability; and (vii) supplementary provisions. According to the Interim Measures, public data resource is divided into the unconditional open category, conditional open category and non-open category. For public data resources included in the conditional open category, the users of resource shall submit an application through the open platform, and the resource providers shall sign public data resource use agreements with the resource users, specify the purpose, time limitation and the security measures for using the resource. The Interim Measures will be implemented on August 1, 2020 and will be valid for 2 years. 7

The Shenzhen Justice Bureau Solicits Public Comments on the Regulations on Data of Shenzhen Special Economic Zone

On 15 July, the Shenzhen Justice Bureau released the Regulations on Data of Shenzhen Special Economic Zone (Draft for Comment) to solicit public comments. This was the first government document in China to propose that individuals have the data right. At the same time, it also put forward some points. For example, property attribute of data rights shall be determined, the collection of important data or private data by the data factor market subject should be put on record with the municipal competent network security department, the public data belongs to the new state-owned assets, and the data rights belong to the state. 8

Draft Amendment ? to the Criminal Law Publicly Solicits Comments, Adding Provisions to Protect Human Genetic Resource Information

On 13 July, the Standing Committee of the National People's Congress released the Amendment ? to the Criminal Law and solicited public comments. The draft amendment adds a new provision which is attached after the Article 334 in the current Criminal Law as Article 334 (A) for the protection of human genetic resource information: "Whoever commits any of the following acts in violation of relevant provisions, endangering public health or public interests, if the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than 3 years, criminal detention or public surveillance and shall also, or shall only be fined; if the circumstances are especially serious, he shall be sentenced to fixed-term imprisonment of not less than 3 but not more than 7 years and shall be fined: (1) unlawfully collecting national human genetic resources; (2) unlawfully transporting, mailing or carrying national human genetic resource materials out of the territory of China; (3) providing national human genetic resource information or opening the access to any organizations, individuals or the institutions established or actually controlled by them outside the territory of China without the security scrutiny." 9

Regulations on the Security Protection of Critical Information Infrastructure Is Included in the State Council's Legislative Work Plan for 2020

On 8 July, The State Council's Legislative Work Plan for 2020 was released on the website of the People's Government of China. It includes 26 administrative regulations to be formulated or revised, including the Regulations on the Security Protection of Critical Information Infrastructure ("Regulations") drafted by CAC, MIIT and the Ministry of Public Security. In 2019, the Regulations was also included in the State Council's Legislative Work Plan for 2019. 10

The Draft of Data Security Law Has Been Released: Clearly Distinguish Data and Information, Local Agencies Can Formulate Protection Catalogues of Important Data

On 2 July, the Data Security Law of the People's Republic of China (Draft) was officially released for public comments. The draft law clearly distinguished between data and information, aiming to ensure data security, promote data development and utilization, and protect the legitimate rights and interests of citizens and organizations. The draft also stipulated that operators engaged in online data processing and other businesses should apply to the competent authorities for approval or for the record in accordance with specific implementation measures formulated by the competent authorities. An operator engaged in data trading intermediary services shall require the data provider to explain the source of the data, examine the identities of both parties to the transaction, and keep the audit and transaction records. The draft stipulated that in case of violation of this law, the competent authority may order a correction or ban, confiscate the illegal gains and impose a fine of not less than one time but not more than ten times the illegal gains. In addition, supervisors directly responsible and other persons directly responsible may also be fined.11

ENFORCEMENT AUTHORITY

CAC and Other Three Departments Hold a Meeting, Kicking Off the Campaign to Curb the Illegal Collection and Use of Personal Information by Apps in 2020

On 22 July 2020, CAC, MIIT, the Ministry of Public Security and SAMR held a meeting in Beijing, kicking off the campaign against the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations in 2020. The meeting summarized the positive progress made in 2019 when the four departments jointly launched a special campaign to control the illegal collection and use of personal information in Apps, and pointed out that in 2020, the government would further strengthen the rectification work on the basis of last year.12

The 2020 Work Plan of the Industrial Internet Task Force: To strengthen Data Construction and Ensure Internet Security

On 10 July, MITT unveiled the 2020 Work Plan of the Industrial Internet Task Force ("Work Plan"). The Work Plan details 10 task categories including improving infrastructure capacity, constructing identification analysis system, building industrial internet platforms, 28 priorities including building industrial internet data centers, improving security management system, and 54 specific initiatives including formulating the Guidelines on the Management of Classification and Gradation of Cybersecurity for Industrial Internet Enterprise, the Action Plan for the Industrial Internet Innovation and Development (2021-2025), the Measures on the Management of Industrial Internet Identification Analysis, and the Action Plan for the Industrial Internet Data Cooperation and Sharing. 13

ENFORCEMENT CASES

MITT Promotes the Rectification Campaign against Infringement of Users' Rights and Interests by Apps, 400,000 Mainstream Apps are Under Test

On 22 July 2020, MITT has issued a notice on a special campaign to further promote the rectification of infringement of users' rights and interests by Apps. The notice required that the national App technical testing platform management system be put into operation by the end of August 2020, and that the testing work covering 400,000 mainstream apps be completed by December 10. The focus of the rectification includes such aspects as the illegal handling of users' personal information, the setting of obstacles, the frequent harassment of users, the deception and misleading of users, and the inadequate implementation of the responsibilities of the application distribution platform. 14

MITT Demands Serious Investigation and Punishment on the Violations in the Information and Communications Field Exposed on "3.15" Gala

As for the issue that SDK illegally collect users' personal information reported on the "3. 15" evening party broadcast by CCTV on July 16, 2020, MITT immediately organized relevant units to conduct serious verification and severely punished the enterprises involved in the case in accordance with laws and regulations. Next, MITT would take regular supervision measures to strengthen the comprehensive rectification towards mobile internet application (Apps). 15

COURTS LITIGATION

TikTok Is Found Infringing Users' Personal Data Right Due to Illegal Collection of Users' Social Relationship and Geographic Location Information

On 30 July 2020, Beijing Internet Court made the first-instance judgment on the case Mr. Ling v. Weibo Shijie, holding that the behaviors of defendant's App TikTok including processing plaintiff's personal information without his consent, recommending "may know" to the plaintiff through his phone number , and collecting the plaintiff's data concerning geographic location and social relationship infringed on the plaintiff's personal information and privacy. Since the abovementioned information are not private information, TikTok's act of recommending the limited "may know" to the plaintiff did not cause harassment to his life and did not constitute a privacy violation. 16

The First Case Involving the Violation of Citizen's Personal Information through Dark Net Is Published by Zhanjiang, Guangdong

Recently, the suspect Zheng was sentenced to four years in prison in Zhanjiang as the first case involving the violation of citizen's personal information through dark net. In 2019, through VPN, Zheng logged in the illegal "dark net" and used the virtual currency Bitcoins to buy and illegally gain a large number of citizens personal ID information , accommodation information through the hacker BBS, and then used the illegally obtaining personal information to register various Apps to make money and register a foreign company, illegally gaining CNY 5,200. On March 30, 2020, the People's Procuratorate of Jingkai filed a public prosecution against him for the crime of violating personal information. 17

Footnotes

1. http://file.mofcom.gov.cn/article/gkml/202007/20200702988205.shtml

2. http://www.xfrb.com.cn/article/zgxf-fzjs/09550383513860.html

3. https://www.tc260.org.cn/front/postDetail.html?id=20200729195232

4. https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20200727164941&norm_id=20200720112800&recode_id=39642

5. https://www.tc260.org.cn/front/postDetail.html?id=20200319113609

6. http://www.court.gov.cn/zixun-xiangqing-242901.html

7. https://mp.weixin.qq.com/s/8Scofen1MTmmcBJd3IKubQ

8. http://sf.sz.gov.cn/ztzl/zflf/lfxmyjzj/content/post_7892074.html

9. https://www.lawbus.net/articles/1275.html

10. http://www.gov.cn/zhengce/content/2020-07/08/content_5525117.htm

11. http://www.ahwx.gov.cn/zcfg/gfxwj/202007/t20200708_4629245.html

12. http://www.gov.cn/xinwen/2020-07/25/content_5530048.htm

13. http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757020/c8001762/content.html

14. http://www.gov.cn/zhengce/zhengceku/2020-08/02/content_5531975.htm

15. http://xiaofei.people.com.cn/n1/2020/0717/c425315-31788154.html

16. https://www.thepaper.cn/newsDetail_forward_8507001

17. http://kb.southcn.com/content/2020-07/11/content_191150934.htm

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.