Legal Update
Technology, Data Protection, Cyber Security
June 2020
New PRC Civil Code released: privacy and personal information to be protected as fundamental civil rights.
New Civil Code: privacy and personal information protected as fundamental civil rights
On May 28, 2020, the National People’s Congress passed the Civil Code of the People’s Republic of China (“Civil Code”), which will take effect on January 1, 2021.
The Civil Code created some special provisions on the protection of privacy and personal information. Under the Civil Code, personal information of natural persons should be protected as a fundamental civil right. Processing of personal information, such as collection, storage, use, processing, transmission, provision, and disclosure of personal information, should adhere to the principles of lawfulness, legitimacy and necessity, and excessive and unreasonable processing is not allowed. In addition, processing of personal information is generally subject to the following conditions:
Obtaining the consent of the natural person or his/her guardian, unless otherwise allowed by laws and administrative regulations;
Publicizing rules for processing personal information;
Expressly specifying the purpose, method and scope of processing information;
Not violating the provisions of laws and administrative regulations and the agreement of the parties.
The Civil Code also provides that natural persons have the right to access and obtain a copy of their personal information; if they find that their personal information is incorrect, they may raise an objection and request timely correction; if they find that the information processor is processing their personal information in violation of laws and regulations or of their agreement, they have the right to request that the information processor delete their information.
For more information please see
http://www.npc.gov.cn/npc/c30834/202006/75ba6483b8344591abd07917e1d25cc8.shtml.
Cybersecurity Review Measures took effect on 1 June 2020
Cybersecurity Review Measures take effect from June 1, 2020
On April 27, 2020, the Cyberspace Administration of China and 11 other departments jointly released the Cybersecurity Review Measures (“Measures”) to regulate the purchase of network products or services by critical information infrastructure (“CII”) operators (“CIIOs”). The Measures took effect on 1 June 2020.
According to the Measures, CIIOs shall, prior to the purchase of a network product or service, assess the possible risks to national security if such product or service is put into use. Where national security would likely be affected, an application for cybersecurity review shall be filed with the Cybersecurity Review Office.
According to the Measures, the network products or services which fall under the cybersecurity review process include “core network equipment, high-performance computers and servers, large capacity storage equipment, large databases and application software, network security equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure.”
With regard to procurement activities to which a cybersecurity review applies, the CIIO shall require the product or service provider to cooperate in the cybersecurity review, including seeking the provider's commitments not to take advantage of the provision of the product or service to illegally obtain user data, illegally control and manipulate user equipment, and not to suspend product supply or necessary technical support services without justified reasons. The CIIOs shall also urge the product or service provider to fulfill its commitments in the cybersecurity review.
The Measures provide that the following factors will be taken into consideration in the cybersecurity review:
risks that the CII might be illegally controlled, interfered with or destroyed, or risks that important data of the CII might be stolen, leaked or destroyed by using the product or services;
the damage that might be caused by the interruption of supply of the product or service to the continuity of CII operation;
safety, openness, transparency, and diversity of sources of the product or service, reliability of supply channels, and risks of supply interruption as a result of political, diplomatic, trade or any other factor; and
compliance with the PRC laws, administrative regulations and departmental rules by the product or service provider.
The cybersecurity review process will take 45 working days, subject to extension if the circumstances are considered “complicated”.
For more information please see:
http://www.cac.gov.cn/2020-04/27/c_1589535450769077.htm
Hainan Free Trade Port: Foreign investor’s shareholding limitation in the Telecommunications industry to be gradually removed.
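Hainan Free Trade Port: shareholding restrictions on foreign investment in the telecommunications industry to be gradually removed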
On June 1, 2020, the Central Committee of the Communist Party of China and the State Council jointly issued the Master Plan for Construction of Hainan Free Trade Port (“Plan”), which aims to complete building the Hainan Free Trade Port in all respects into a globally influential duty-free trading center by the middle of the century.
The Plan states that Hainan Free Trade Port will expand the opening of telecommunications resources and services in an orderly manner:
Opening up value-added telecommunications services and gradually removing restrictions on enterprises’ shareholding ratio held by foreign investors;
Allowing enterprises which are registered and have service facilities in the Hainan Free Trade Port to conduct online data processing and transaction processing services for the entire Free Trade Port and the world, and gradually allowing them to provide services to all China;
Opening up basic telecommunications services in a safe and orderly fashion; and
Conducting pilot projects on the international Internet data interaction, building international submarine optical cables and landing points, and setting up international communication gateways.
For more information please see:
http://www.miit.gov.cn/newweb/n1146285/n1146352/n3054355/n3057674/n3057693/n3057695/c7915545/content.html
MIIT further opens up foreign investment in value-added telecommunications sector in free trade zones in China
MIIT further relaxes restrictions on foreign investment in the value-added telecommunications sector in free trade zones
Recently, the Ministry of Industry and Information Technology (“MIIT”) released the Notice on Matters Related to the Pilot Opening of Relevant Value-Added Telecommunications Services in the Pilot Free Trade Zones (“Notice”).
According to the Notice, pilot free trade zones approved by the State Council may engage in the pilot businesses in the original area of the Shanghai pilot free trade zone; the specific business scope of the relevant telecommunications businesses should comply with the Special Administrative Measures (Negative List) for Admission of Foreign Investment in Pilot Free Trade Zones (Year 2019) and other relevant laws and regulations; and the place of registration and the service facilities of the foreign-invested enterprise applying for the pilot business shall be within the free trade zones. Business-related acceleration server nodes may be set up nationwide, but only to accelerate the enterprise's own services and not to operate a content distribution network business. The scope of Internet access services (providing Internet access services to Internet users) is limited to the pilot free trade zones, while the scope of other services can be nationwide.
The Notice also sets out application routes for different free trade zones: the Shanghai Pilot Free Trade Zone is still subject to the special policies under the previously issued Administrative Measures for the Trial Operation of Value-added Telecommunications Services by Foreign Investors in the China (Shanghai) Pilot Free Trade Zone. For foreign investment in the value-added telecom sector in other free trade zones, applicants need to follow the existing laws and regulations (e.g. PRC Telecom Regulations, Regulations on the Administration of Foreign-invested Telecommunication Enterprises and Administrative Measures for Business License of Telecommunication Business).
For more information please see:
http://www.miit.gov.cn/newweb/n1146285/n1146352/n3054355/n3057674/n3057693/n3057695/c7915545/content.html
New Classification Guide for Classified Protection of Cybersecurity: Classified Protection at Grade 2 or Higher to be subject to expert review and competent authority approval.
Classified protection grading at Grade 2 or above requires expert review and approval by the competent authority
On May 7, 2020, the State Administration for Market Regulation (“SAMR”) and the National Information Security Standardization Technical Committee (“NISSTC”) jointly released the Information Security Technology - Classification Guide for Classified Protection of Cybersecurity (“Guide”) to provide the methods and procedures for the classification and protection of information systems and other protection targets which do not involve state secrets (collectively “Targets of Classified Protection”).
According to the Guide, the Targets of Classified Protection are classified into five categories, from Grade 1 (the lowest level) to Grade 5 (the highest), based on (1) the degree of importance of the Targets of Classified Protection to national security, economic construction, and social life, and (2) the degree of infringement on national security, social order, public interest, and the legitimate rights and interests of citizens, legal persons and other organizations once the Targets of Classified Protection are destroyed or lose function, or their data is tampered with, leaked, lost, or damaged.
The Guide provides that, for Targets that are preliminarily determined as Grade 2 or higher by the network operator itself, the network operator should organize experts to review the classification result and apply to the competent authority to examine and approve it, so that the classification grade is finally determined. If the business information and system service scope of the Targets of Classified Protection change and, as a result, the infringed object and the degree of infringement change, the network operator should redetermine the Targets of Classified Protection and their grade according to this Guide.
Mobile Financial Apps Are Required to Be Filed with National Internet Finance Association of China
Real-name filing list of mobile financial client application software published
According to the Notice of the People's Bank of China on Issuing Financial Industry Standards on Strengthening the Security Management of Mobile Financial Client Application Software, the National Internet Finance Association of China organized a real-name filing for mobile financial applications (“Apps”), and 73 Apps were in the first batch to be filed with the association, including Apps operated by Industry and Commerce Bank of China, China Minsheng Bank, Alipay, Bank of China, China Construction Bank, etc.
For more information please see:
http://www.nifa.org.cn/nifa/2955675/2955761/2988187/index.html
Samuel Yang
Partner
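Disclaimer
This article represents only the author's views and should not be regarded as a formal legal opinion or advice of AnJie Law Firm. If you reproduce or quote it, please cite the source. If you have any questions, please feel free to contact us.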

