In response to the recent coronavirus outbreak (“2019-nCoV”), a wide range of Chinese regulators, including many levels of local governments (down to the neighborhood committee level) and local public security bureaus (“PSBs”), have been actively collecting personal information to monitor and potentially mitigate the spread of the outbreak.  For example, Shenzhen PSB has issued a notice requiring residents or visitors to Shenzhen to scan a QR code to fill in personal information, such as their contact details, addresses, travel information, and health status.  The Shanghai Municipal People’s Government also issued a similar notice requiring residents returning to Shanghai from an out-of-town trip or visitors to report a similar set of personal information.

In practice, numerous additional third party entities, including airports, train stations, employers, and landlords, could engage in collecting extensive personal information from travelers or visitors to a particular location or area, due to their own reporting obligations.  For instance, visitors to office buildings may be obliged to report their health status to the landlord or building management.  Also, employers are required to closely monitor the health status of employees if the employers apply to the local government to re-open their offices or factories.

With the widespread practice of information collection for public health purposes, data breaches and misuse of data have become a major public concern.  For example, it has been reported that travelers from Wuhan to other cities within China have been victims of data breaches after submitting their personal information to transportation entities and local regulators.  A document entitled “List of Individuals Returning to Ningdu From Wuhan” was leaked to various WeChat groups in January 2020 and contained the personal information, including telephone numbers, national identification numbers, and home addresses, of approximately four to five hundred data subjects.  Similar incidents happened across China and the sources of the leaks remain uncertain.
Continue Reading Cyberspace Administration of China Releases Notice on the Protection of Personal Information in the Fight Against Coronavirus

On November 20, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Publication of Cybersecurity Threat Information (“Draft Measures”) for public comment.  (An official Chinese version is available here).  The comment period ends on December 19, 2019.

The release of the Draft Measures marks an important step forward in implementing Article 26 of China’s Cybersecurity Law (“CSL”), which establishes that the publication of cybersecurity information (such as that related to system vulnerabilities, computer viruses, cyberattacks and/or network intrusions) to “the public” must comply with unspecified “relevant rules.”  Article 26 does not specify what kind of entities or individuals are subject to this requirement; thus, it is unclear whether Article 26 applies to entities that have discovered vulnerabilities on their own networks and/or the activities of third parties that have uncovered cybersecurity threats to others’ networks, such as cybersecurity research firms.

The Draft Measures are intended to provide further guidance for entities and individuals based in China that have threat information about other network operators’ networks or information systems, and outline how they can publish that threat information in a compliant way.  The Draft Measures are silent as to whether these requirements will apply to entities or individuals that are based outside of China and, if these requirements are applicable to the publication of threat information globally, how entities or individuals outside of China can comply.  It is also unclear to what extent the Draft Measures would apply to network operators who become aware of cybersecurity threat information related to their own networks.

Continue Reading China Seeks Public Comments on Draft Measures for the Publication of Cybersecurity Threat Information

On October 26, 2019, China enacted a landmark Encryption Law, which will take effect on January 1, 2020.  The Encryption Law significantly reshapes the regulatory landscape for commercial encryption, including foreign-made commercial encryption products, but leaves many questions to be answered in future implementing regulations.  In this blog post, we provide a few highlights of the new Encryption Law as enacted.
Continue Reading China Enacts Encryption Law

On July 5, 2019, China’s Standing Committee of the National People’s Congress (NPC) published a new draft Encryption Law (“the draft Law”) for public comment.  The draft Law, if enacted as drafted, would bring significant new changes to China’s commercial encryption regime.

The State Cryptography Administration (“SCA”) previously issued an initial draft of this law for public comment on April 13, 2017 (“the 2017 Draft”) (see Covington’s alert on the previous version here).  After the release of the 2017 draft, the regulatory regime in China for commercial encryption products was revamped significantly (see Covington’s previous alert here).  The State Council removed certain approval requirements for the production, sale, and use of commercial encryption products in late September 2017, and the SCA issued further notices reducing the burden imposed on manufacturers, distributors and users of commercial encryption products.  The draft Law proposes further changes to this revamped regime, including for example introducing different categories of encryption, and establishing license requirements for certain imports and exports, while carving out items in “general use.”

The comment period ends on September 2, 2019.

Continue Reading China Releases Updated Draft Encryption Law for Public Comment

On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information (“Draft Measures”) for public comment. (The official Chinese version of the Draft Measures is available here, and an unofficial English translation is available here.) The comment period ends on July 13, 2019.

The issuance of the Draft Measures marks another major development in the implementation of China’s Cybersecurity Law (“CSL”) over the past month, aiming to create a cross-border data transfer mechanism that would govern all of the transfers of personal information conducted by network operators (defined as “owners and managers of networks, as well as network service providers”).

CAC previously released two earlier versions of its draft Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data in 2017, which imposed security assessment obligations on network operators when they transfer both personal information and important data outside of China (see Covington’s previous alert here). The latest and long-anticipated Draft Measures focus only on the cross-border transfer of personal information (the cross-border transfer of important data will be subject to a separate approval mechanism introduced by the draft Measures for Data Security Management released by CAC on May 28, 2019) and also set out new requirements that bear resemblance to the Standard Contractual Clauses under the EU’s General Data Protection Regulation (“GDPR”).

We discuss the key requirements of the Draft Measures in greater detail below.

Continue Reading China Seeks Public Comments on Draft Measures related to the Cross-border Transfer of Personal Information

On May 31, 2019, the Cyberspace Administration of China (“CAC”) released the draft Regulation on the Protection of Children’s Personal Information Online (“Draft Regulation”) for public comment. (An official Chinese version is available here and an unofficial English translation of the Draft Regulation is available here.) The comment period ends on June 30, 2019.

As mentioned in our last blog post (available here), CAC issued the draft Measures for Data Security Management (“Draft Measures”) just last week, which set out the general regulatory framework that will govern the collection and use of personal information by network operators (broadly defined as “owners and managers of networks, as well as network service providers”). The release of this new Draft Regulation demonstrates CAC’s intention to set out more stringent requirements for network operators if they collect, store, use, transfer or disclose the personal information of minors under 14 years old. We discuss the key requirements of the Draft Regulation in greater detail below.

Continue Reading CAC Releases Draft Regulation on the Protection of Children’s Personal Information Online

On May 28, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for Data Security Management (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here.) The comment period ends on June 28, 2019.

The release of these Draft Measures demonstrates China’s continuing efforts to implement the data protection requirements imposed by China’s Cybersecurity Law (“CSL”). For example, under Article 41 of the CSL, network operators must notify individuals of the purposes, methods and scope of the information collection and use, and obtain their consent before collecting or using individuals’ personal information. Furthermore, under Articles 42 and 43 of the CSL, network operators must not disclose, tamper with, or damage citizens’ personal information that they have collected, and they are further obligated to delete unlawfully collected information and amend incorrect information.

To implement the CSL, the CAC and the Standardization Administration of China issued a national standard for personal information protection (“Standard”) on January 2, 2018, which took effect on May 1, 2018 (see our previous blog post about that Standard here). A draft amendment to the Standard (“Draft Amendment”) was released for public comment on February 1, 2019 (see our previous blog post about the Draft Amendment here). The new Draft Measures incorporate some of the personal information protection requirements specified in the Standard and the Draft Amendment, and also introduce a number of new requirements for the protection of “important data,” which was initially mentioned in Articles 21 and 37 of the CSL, but was not defined.

Continue Reading China Releases Draft Measures for Data Security Management

On May 13, 2019, China’s State Administration for Market Regulation (“SAMR”) released three core national standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must follow when complying with MLPS-related obligations under the Cybersecurity Law (“CSL”).  These standards, which are commonly referred to as the “MLPS 2.0

On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”).  A previous version of the Guideline was released for public comments on November 30, 2018.

Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting cybersecurity and combating cybercrime.  Following the issuance of the draft Regulations on Cybersecurity Multi-level Protection Scheme (the “Draft MLPS Regulation”, discussed in our previous post available here) and the Regulation on the Internet Security Supervision and Inspection by Public Security Agencies (also discussed in a previous post, available here) last year, the release of this new Guideline represents the latest efforts made by MPS to implement the CSL.

The stated goal of the Guideline is to “protect cybersecurity and individuals’ legitimate interests” and to “effectively prevent cybercrime involving personal information.”  Although not issued as a legally binding administrative regulation, this Guideline sets out the best practices recommended by MPS and will likely serve as an important reference for cybersecurity inspections that will be carried out by the agency and its local counterparts (i.e., local public security bureaus, “PSBs”).

To a large extent, this Guideline overlaps with China’s national standard on personal information protection, GB/T 35273-2017 Information Security Technology – Personal Information Security Specification (the “Standard”), which took effect on May 1, 2018.  The Guideline referred to the Standard as its “indispensable” reference, although at this stage, it is unclear how this Guideline will interact with other existing regulations and national standards.  Furthermore, this new Guideline provides more prescriptive requirements relating to a company’s cybersecurity infrastructure, both in terms of organizational support and technical measures to be implemented.

This post summarizes key requirements of the Guideline.

Continue Reading China’s Ministry of Public Security Issues New Personal Information Protection Guideline

On March 15, 2019, the State Administration for Market Regulation and the Cyberspace Administration of China (“CAC”) jointly issued the Announcement on the Implementation of App Security Certification (the “Announcement”), creating a voluntary (but state-sanctioned) security certification scheme for mobile applications (“Security Certification Scheme”).

Operators of mobile applications are encouraged to obtain this certification to demonstrate their compliance with China’s national standard, GB/T 35273 Information Security Technology — Personal Information Security Specification (“the Standard”), in terms of their collection and use of personal data (our previous blogpost about the Standard can be found here).  Search engines and mobile application stores are encouraged to recommend certified applications to users.

The Implementation Rules on Security Certification of Mobile Internet Application (“Implementing Rules”), which set out detailed procedural requirements for the Security Certification Scheme, were also released at the same time as an annex to the Announcement.

Although not mandatory, as the state-sanctioned certification scheme for personal information protection, the creation of this program illustrates the Chinese regulators’ willingness to use soft tools to encourage best practices in the marketplace.
Continue Reading China Introduces Mobile Application Security Certification Scheme