An Annual Overview of China's Cybersecurity Law

The Provisions for Monitoring Inspections of Internet Security by Public Security Authorities (公安机关互联网安全监督检查规定), which was released by the MPS, provides detailed guidelines on the regulator and technical mechanisms, and business procedures for personal information protection.

Some draft regulations are also worth noting and they reveal the direction of administration by regulators in the years to come. In May 2019, CAC issued the draft Measures for the Administration of Data Security (数据安全管理办法), which provides for strict rules on the protection of personal information and important data, and new provisions for the use of data.  For the first time, it defines sensitive personal information under regulation and also sets out the basic approval systems for collecting and using sensitive personal information, important data, and cross-border data transfer.  The draft Provisions for the Administration of Cybersecurity Vulnerabilities (网络安全漏洞管理规定) released by MIIT aims to clarify the regulatory objects and competent authorities of cybersecurity vulnerability, as well as provide procedural regulations for dealing with the cybersecurity vulnerability. The draft Measures on Cybersecurity Reviews (网络安全审查办法) released by CAC provides clarity and are more comprehensive in respect of the target, principles and leadership for a review, and the circumstances for initiating and undertaking a review.

A special working group was established to crack down on the illegal collection and use of personal information by apps

Rules and Enforcement on Apps Strengthened

There is strengthening governance on the collection and use of personal information by apps. On Jan. 25, 2019, CAC, MIIT, the MPS and the State Administration for Market Regulation (SAMR) jointly issued the Announcement on Launching a Campaign Against Apps That Collect and Use Personal Information in Violation of Laws or Regulations (关于开展App违法违规收集使用个人信息专项治理的公告), launching what is proposed to be a one year special crackdown. A special working group was established to crack down on the illegal collection and use of personal information by apps. On Mar. 1, 2019 the special working group issued the Self-Assessment Guidelines on the Collection and Use of Personal Information by Apps in Violation of Laws or Regulations (App Guidelines) (App违法违规收集使用个人信息自评估指南). On Nov. 28, 2019 the CAC, MIIT, MPS and SAMR jointly issued the Rules on Determination of Illegal Collection and Use of Personal Information by Apps (App Rules) (App违法违规收集使用个人信息行为认定方法). This new document echoes the intense enforcement on information collection and use by apps seen recently in practice.

The App Guidelines detail the requirements for app operators to self-regulate by checking and correcting their own conduct in relation to personal information collection and use. There are 32 assessment items under nine headings, laid out in three main sections, namely: the privacy policy; the practice of an app's collection and use of personal information; and the protection of user rights when using apps. Major requirements under the App Guidelines include: (a) the privacy policy must clearly state each service and the types of the personal information collected for each function; (b) apps must clarify the purpose of information collection before obtaining authorization for system use; (c) the privacy policy must explicitly describe how user profiles will be used to personalize the display of content; (d) the types of personal sensitive information and the export of personal data must be clearly marked in the privacy policy; (e) an app must provide users with the right to close their accounts; and (f) if personal information is transmitted to the server of a third party via an embedded third party code, a plug-in or other means, the user must be explicitly informed through a method such as a pop-up prompt. The recent draft of the Information Security Technology – Basic Specification for Collecting Personal Information in Mobile Internet Applications (App) (信息安全技术移动互联网应用（App）收集个人信息基本规范)  in August 2019 also reflects the detailed new requirements under the App Guidelines.

The App Rules are formulated to provide reference and guidance for government authorities in practical enforcement, and for app operators to conduct self-examination and self-correction in implementation of the CSL. The App Rules provide detailed criteria for determining the general violations under the CSL, including: (a) not publishing use rules; (b) not specifying the purpose, method and scope of personal information usage; (c) collecting and using personal information without users' consent; (d) collection of personal information irrelevant to the services in violation of the necessity principle; (e) sharing personal information to third parties without consent; (f) not providing options to delete or correct personal information in accordance with laws and regulations; and (f) not publishing complaint and reporting methods.

The App Working Group focuses on the investigation of apps based on the App Guidelines. As of September 2019, the App Working Group had evaluated nearly 600 apps with a large number of users that were closely related to people's livelihood and informed app operators of more than 200 apps of serious problems with more than 800 rectification issues. For example, in July 2019, the App Working Group found that 40 apps did not have a privacy policy or forced users to agree to be subjected to multiple rights to collect personal information. The App working group required the companies to take corrective action within 30 days. The App Working Group may recommend relevant government authorities to take action if companies refuse to make corrections. A large number of companies have rectified their non-compliance in 2019.

Before the third quarter of 2019, CAC reviewed more than 2000 websites, and closed or revoked the ICP filing or telecom license of approximately 9000 websites in cooperation with MIIT

Enhanced Enforcement on Cybersecurity Protection and Effectiveness of MLPS 2.0

In 2019, there has been more vigorous implementation campaigns carried out by regulators such as MPS, CAC, MIIT, and SAMR in their respective responsibility scope. A large number of cases were investigated or received punishment by the regulators.

In January 2019, the MPS organized and deployed nationwide public security bodies to carry out the special "Net 2019" action, to severely crackdown on violations and crimes such as infringement of citizens' personal information, hacker attacks and sabotage. It was reported that by Oct. 31, 2019, 45,743 network-related cases had been reported and 65,832 criminal suspects arrested. Internet polices in Jiangsu, Hunan, Chongqing, Guangdong, Zhejiang, Shanghai, Beijing and other places have publicized a number of typical cases of administrative law enforcement for the "Net 2019" special action.

Before the third quarter of 2019, CAC reviewed more than 2000 websites, and closed or revoked the ICP filing or telecom license of approximately 9000 websites in cooperation with MIIT.

MIIT released a list of poorly performing telecom operators for each quarter, which includes enterprises violating cybersecurity and personal information protection obligations. For example, in the third quarter of 2019, MIIT organized a technical inspection of application software of 55 mobile phone application stores and found 31 illegal software used to collect and use the user's personal information, and the forced bundling and promotion of other application software.

With the adoption and effectiveness of the MLPS 2.0 national standards in 2019, such as the Information Security Technology – Basic Requirements for Graduated Cybersecurity Protection (信息安全技术网络安全等级保护基本要求), requirements on MLPS are more strictly followed. For example, Shanghai, Changsha and Ningxiang internet police imposed the punishment of shutdown of servers for rectification and fines to four companies for failing to comply with the MLPS.

Requirements on Cross-Border Data Transfer Updated under New Draft Regulations

Rules for cross-border data transfer have continuously been a widely discussed topic.  CAC issued two new drafts including relevant approval and assessment rules for public consultation, after the draft Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (个人信息和重要数据出境安全评估办法) was released back in 2017.  The drafts are the draft Measures for the Administration of Data Security (数据安全管理办法) on May 28, 2019 (Draft Data Measures) and the draft Measures for Security Assessments of the Transfer of Personal Information Overseas (个人信息出境安全评估办法) (Draft PI Measures) on June 13, 2019.

According to the Draft PI Measures, any export of personal information by network operators should be submitted to CAC at the provincial level for security assessment before the export takes place. According to the Draft Data Measures, network operators are required to assess the potential risks and report to the industrial regulators at provincial level, and in case it is unclear which industrial regulator supervises the network operator, the network operator should report to the provincial CAC for approval before publishing, sharing, trading and exporting important data.

Compared to the 2017 Draft, the new draft regulations in 2019 have the following highlights: (a) the cross-border transfer of personal information and important data are separately regulated, i.e. security assessments for export of personal information and important data are to be conducted separately, and approvals may need to be sought from different regulators; (b) the application scope of assessment includes overseas institutions remotely collecting personal information of domestic users; (c) supervision of all export of personal information is escalated to be subject to government assessment and self-assessment is not an option; (d) the assessment focuses more on the protection of individual rights rather than national security and public interest; (e) separate security assessment is required for each recipient; (f) analysis report providing details of the export is required as the application document for security assessment; and (g) the necessity requirement and consent requirement for data export is removed, and more individual rights and interests are required to be protected through signature of the data transfer agreement.

For the coming year, it is expected that the practical implementation on personal information protection and MPLS 2.0 by relevant regulators will remain vigorous…

Outlook for 2020

For the coming year, it is expected that the practical implementation on personal information protection and MPLS 2.0 by relevant regulators will remain vigorous, and the legislation for implementing rules of the CSL may be wider and more specific. How the existing draft regulations are to be adopted should be closely followed, especially whether the stringent requirements under the draft regulations on cross-border data transfer will be implemented.  Industrial regulations such as those issued by the People's Bank of China for personal financial data are should also be closely monitored. Once implemented, such regulations may have a substantial impact on companies' daily data practices and cross-border transfer and compliance scheme.