China - Cyber security and data protection April round up

The financial regulators have continued to increase their efforts to develop and protect financial data. The People’s Bank of China released new standards on enhancing the data capability of financial institutions. Further, several banks were penalized for violating data protection rules in relation to processing of personal information.

MIIT has maintained its focus on its push for data protection in mobile apps remain. In addition to drafting a dedicated regulation for data protection for mobile apps, the MIIT and its local branches have run continuous enforcement campaigns against data privacy violations made by mobile app operators.

Regulatory developments

1. New guidelines issued for financial industry data capacity building

On 9 February, the People’s Bank of China (PBC) issued the Guidelines for Financial Industry Data Capability Building. The Guidelines specify the division of data strategy, data governance, data architecture, data specification, data protection, data quality, data application, and data life cycle management capabilities. The guidelines aim to provide basis for financial institutions to carry out data work, guide financial institutions to strengthen data strategic planning, focus on data governance, and strengthen data security protection.

2. General Requirements for the Safety of Critical Cyber Equipment

On 20 February, the State Administration for Market Regulation and the Standardization Administration approved seven mandatory national standards (including a telecommunications mandatory national standard) and made one amendment to the General Requirements for Safety of Critical Cyber Equipment, which will come into force on 1 August 2021. These requirements (including security function and security protection requirements) serve as important standards for the implementation of the Cybersecurity Law relating to security requirements of critical cyber equipment There are 10 parts to the security function requirements which focuses on ensuring and improving the security technology capabilities of devices. They are, device identification security, redundant backup recovery and abnormal detection, vulnerability and malicious program prevention, pre-installed software start up and update security, user identification and authentication, access control security, log audit security, communication security, data security and password requirements. Separately, security protection requirements focus on standardizing the security capability of critical cyber equipment providers throughout the equipment life cycle.

3. Five draft standards on national information security technology released for public comments

On 3 February, the Secretariat of the National Information Security Standardization Technical Committee (NISSTC) issued two draft standards on instance message service and express logistics for public comments. Further, on 24 February, NISSTC issued three draft standards on online shopping services, internet payment services and online audio and video services, for public comments. This series of standards set requirements for the type, scope, methods, conditions, and data security protection of data collection, storage, use, transfer and delete. They also provide examples of data classification and guidance for the operators to regulate data activities and for supervision authority and third-party assessment agencies to carry out supervision, management and assessments.

4. New rules on app governance to strengthen personal information protection to be published

On 7 February, the Ministry of Industry and Information Technology (MIIT) announced that it has been drafting the interim provisions on personal information protection of apps. The provisions will define the basic principles of informed consent and minimum necessary personal information protection. The principle of informed consent requires that for app-related personal information processing activity, the entities (i.e. entity processing the data) should inform users of the rules of personal information processing in a clear and easy to understand manner, and the user should voluntarily make clear their consent. The minimum necessary principle requires that there shall be clear and reasonable consent during the personal information processing, and it shall not go beyond the scope of users’ consent or unrelated to service scenarios.

Enforcement developments

1. Second group of apps 2021 declared to be infringing users’ rights released, 11th group in total

On 5 February, MIIT published a notification on apps which violated user rights by the misuse of microphones, address books and photo albums. It noted that 26 apps had failed to take the necessary rectification measures, with the deadline for doing so being 10 February. If rectification is not made within the time limit, MIIT will organize and carry out relevant disposal work in accordance with laws and regulations. The issues with the apps were due to violations of mobile phone personal information, frequent and excessive requests for permissions, making mandatory for users to use the targeted push notification function, and inadequate indication to users of app information on the application distribution platform.

2. 37 apps in violation of user rights were removed from the app store

On 3 February, MIIT announced that it had removed 37 apps from the app store that violated user rights and failed to take necessary rectification measures. The removed apps collect personal information beyond the necessary scope and were involved in other issues that violated user rights. To recap, MIIT has carried out special rectification actions for two consecutive years against apps that illegally handled users’ personal information. In addition, MIIT also announced that it will strengthen rectification efforts by promoting the development of relevant standards, and actively applying new technologies such as artificial intelligence and big data to promote the construction of a national app technology testing platform.

3. Guangdong Communications Administration ordered to rectify 215 apps infringing users’ rights

On 22 February, Guangdong Communications Administration notified 215 apps that required rectification. The type of apps can be divided into 13 categories, which include, games, shopping, social networking, financial management, etc. Of the 215, 116 of them have cybersecurity issues. The infringement on user rights and interests include: (1) failing to specify the purpose, method, and scope of personal information collected and used by the third-party SDK integrated by the apps in the privacy policy; (2) applying for terminal permission in advance before the user has read and agreed to the privacy policy; (3) applying for opening address book, location, SMS, recording, camera in advance when users are not using relevant functions or services; (4) no effective account cancellation function provided and no cancellation guidance on the privacy policy nor on the actual platform.

4. Two financial institutions fined for illegal processing of personal information

On 2 February, according to the administrative penalty information form released by the business management department of PBC, Beijing Guoxu Small Loan Co., Ltd. was fined 160,000 yuan for dislcosing personal information without notifying the data subject. . Further, Xinhan Bank (China) Co., Ltd. was fined 570,000 yuan for inquiring about personal credit information without consent, and the relevant person in charge was also fined 114,000 yuan.

5. ICBC Liaocheng branch was fined 36,000 yuan for data breach

On 18 February, according to the announcement of the PBC Liaocheng branch, Liaocheng branch of ICBC was fined 36,000 yuan for inquiring about personal information without the consent of the data subject. Wang Hongqing, the general manager of bank card center, the person in charge, was also fined 8,000 yuan.

6. Liaoning Branch of Bank of China was fined for failing to collect and use consumers’ personal financial information as required

On 3 February, the administrative penalty information published by the Shenyang Branch of PBC showed that the Liaoning Branch of the Bank of China which had five counts on data protection violations, was fined 1.147 million yuan. . The violations included, among other things, failure to collect and use consumer personal financial information as required.

7. Qianbao Pay was punished for failing to keep customer identity information as required

On 24 February, according to the administrative penalty information publicity form published by the Chongqing Business Management Department of PBC, Chongqing Qianbao Technology Service Co., Ltd. which had 10 counts of data protection violations was fined 8.68 million yuan. These violations included failure to keep customer identity information as required. The company’s deputy general manager and chief compliance officer, and other five relevant persons were also jointly fined, ranging from a warning to a fine between50,000 to 135,000 yuan. The company’s violations in personal information protection and data security related to them in the midst of ensuring consistency of transaction information in the whole payment process, they had failed to perform the customer identification obligations and retain the required customer’s identity.

8. Maimai was convicted of infringement for sending text messages to unregistered users

On 7 February, Beijing Haidian District Court announced the judgment of Maimai’s infringement of data privacy. In brief, it was found that the Maimai’s website operated by Beijing Taoyou Tianxia Technology Development Co., Ltd., had sent text messages to users in the name of a friend without the user’s permission. It disclosed the user’s real name, and included a message that certain former colleagues have identified the user and many friends are waiting for them to join via a link .When the user clicks the link, the webpage will direct them to the registration page of Maimai’s website. The user subsequently sued Maimai at court by claiming for specific performance including for the website to cease the infringement of his privacy, permanently deleting his personal information, and publishing an apology statement on China Consumer News. The Beijing Haidian District Court found that the defendant’s actions illegally obtained and retained the plaintiff’s personal information such as mobile phone contact information, personal information of the plaintiff’s friend and resume. Further, Maimai had sent unsolicited messages for commercial gain to the plaintiff without consent, which disturbed the plaintiff’s right of peace and privacy. The judgment awarded all the claims of the plaintiff.

Industry developments

1. The National Information Security Standardization Technical Committee released the key action pointsfor 2021

On 25 February, the National Information Security Standardization Technical Committee released the key action points for in 2021, covering seven categories including focusing on the urgent need of national network security work and improving the effective supply of standards. The document points out that it will further develop national standards for network security in the fields of industrial Internet, blockchain, artificial intelligence and algorithms, Internet of things and digital currency, prepare white papers or research reports on network security standardization such as 5G security, face recognition security and network security talents, as well as practical guidelines for data classification and classification and data sharing security.

2. The National Equity Exchange and Quotations Company participated in the 11th joint emergency drill on network security

On 27 February, according to the Circular of the China Securities Regulatory Commission on the 11th joint emergency drill on network security of securities and futures industry, the National Equity Exchange and Quotations Company participated in the joint emergency drill on network security. Other participants included China Securities Depository and Clearing Corporation Limited, Shenzhen Securities Communication Co., Ltd., China Securities Index Co., Ltd. and other host securities companies.

International developments

1. EDPB held the 45th plenary session and adopted a wide range of documents

On 2 February, the European Data Protection Board held the 45th plenary session. It adopted a statement on the draft provisions on a protocol to the Cybercrime Convention, recommendations on the adequacy referential under the Law Enforcement Directive (LED), an opinion on the draft Administrative Arrangement (AA) for transfers of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board (PCAOB), and response to the European Commission questionnaire on processing personal data for scientific research, focusing on health related research. EDPB also had an exchange of views on Whatsapp’s recent Privacy Policy update.

2. EDPS published Opinions on the Digital Services Act and the Digital Markets Act

On 10 February, the European Data Protection Supervisor (EDPS) published Opinions on the Digital Services Act and the Digital Markets Act. It aims to protect individuals’ fundamental rights, including the data protection. For the Digital Services Act, EDPS recommended additional measures to better protect individuals in relation to content moderation, online targeted advertising and recommender systems used by online platforms, such as social media and marketplaces. For the Digital Markets Act, it recommended regulating large online platforms, to promote fair and open digital markets and the fair processing of personal data, to foster competitive digital markets to provide individuals additional choices..

3. German adopted draft law on data protection in telecommunications and telemedia

On 10 February, German Federal Cabinet adopted the draft law on data protection and the privacy protection in telecommunications and telemedia. It plans to replace the existing provisions of the Telecommunications Act 2004 and the Telemedia Act 2007, and implement the Directive on Privacy and Electronic Communications (2002/58/EC). The draft includes provisions on the confidentiality of communications, location data, caller ID display and suppression, end-user directories, technical and organisational precautions, consent for storage of information in terminal equipment, and penalties.

4. Vietnam released the Draft Decree on Personal Data Protection for public comments

On 9 February, the Ministry of Public Security (MPS) of Vietnam released the second version of the Draft Decree on Personal Data Protection. It plans to set more robust rules and provide provisions on data subjects’ specific rights, cross-border transfer of data, and processing of sensitive personal data. Violation may cause temporary suspension of operation, revocation of permission for cross-border data transfer and monetary fines.

5. Virginia passed the Consumer Data Protection Act

On 2 March, the Virginia Consumer Data Protection Act (CDPA) was signed by the governor and will come into effect on 1 January 2023. The CDPA establishes rights for Virginia consumers to control how companies use individuals’ personal data. It stipulates that companies shall protect personal data in their possession and respond to consumers exercising their rights.

6. Danish Data Protection Authorities published Quickguide for setting cookies

On 12 February, the Council for Digital Security, the Danish Business Authority and the Danish Data Protection Agency published a Quickguide for the use of cookies. The Quickguide can be used as a checklist for organizations that set cookies, guiding them on how to comply with both the e-Privacy Directive’s rules for the placement of cookies and the Data Protection Regulation’s rules for the processing of personal data in associated with it.

7. UK ICO published Toolkit for data analytics

On 17 February, the Information Commissioner’s Office of UK (ICO) published Toolkit for organisations considering using data analytics. It aims to help recognise risks to individuals’ rights and freedoms created by the use of data analytics, from the beginning of data analytics project lifecycle. The Toolkit begins by asking questions to determine the legal regime, including lawfulness, accountability and governance, the data protection principles, and data subject rights. It will then produce a report containing tailored advice for the specific data analytics project.