On May 31, 2019, the Cyberspace Administration of China (“CAC”) released the draft Regulation on the Protection of Children’s Personal Information Online (“Draft Regulation”) for public comment. (An official Chinese version is available here and an unofficial English translation of the Draft Regulation is available here.) The comment period ends on June 30, 2019.

As mentioned in our last blog post (available here), CAC issued the draft Measures for Data Security Management (“Draft Measures”) just last week, which set out the general regulatory framework that will govern the collection and use of personal information by network operators (broadly defined as “owners and managers of networks, as well as network service providers”). The release of this new Draft Regulation demonstrates CAC’s intention to set out more stringent requirements for network operators if they collect, store, use, transfer or disclose the personal information of minors under 14 years old. We discuss the key requirements of the Draft Regulation in a greater detail below.

Continue Reading CAC Releases Draft Regulation on the Protection of Children’s Personal Information Online

On May 28, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for Data Security Management (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here.) The comment period ends on June 28, 2019.

The release of these Draft Measures demonstrates China’s continuing efforts to implement the data protection requirements imposed by China’s Cybersecurity Law (“CSL”). For example, under Article 41 of the CSL, network operators must notify individuals of the purposes, methods and scope of the information collection and use, and obtain their consent before collecting or using individuals’ personal information. Furthermore, under Article 42 and 43 of the CSL, network operators must not disclose, tamper with, or damage citizens’ personal information that they have collected, and they are further obligated to delete unlawfully collected information and amend incorrect information.

To implement the CSL, the CAC and the Standardization Administration of China issued a national standard for personal information protection (“Standard”) on January 2, 2018, which took effect on May 1, 2018 (see our previous blog post about that Standard here). A draft amendment to the Standard (“Draft Amendment”) was released for public comment on February 1, 2019 (see our previous blog post about the Draft Amendment here). The new Draft Measures incorporate some of personal information protection requirements specified in the Standard and the Draft Amendment, and also introduce a number of new requirements for the protection of “important data,” which was initially mentioned in Article 21 and 37 of the CSL, but was not defined.

Continue Reading China Releases Draft Measures for Data Security Management

On May 24, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures on Cybersecurity Review (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here). The comment period ends on June 24, 2019.

The publication of these Draft Measures marks a critical step forward in implementing the cybersecurity review, which is designated by Article 35 of China’s Cybersecurity Law (“CSL”) to safeguard the procurement of network products and services by Critical Information Infrastructure (“CII”) operators that may impact the national security of China. To implement Article 35 of the CSL, the CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors. (For more information, please see Covington’s alert on the Trial Measures here). These Draft Measures update the review process and, once finalized, will replace the previous Trial Measures.

Continue Reading China Seeks Public Comments on Draft Regulation on Cybersecurity Review of Network Products and Services

On May 13, 2019, China’s State Administration for Market Regulation (“SAMR”) released three core national standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must follow when complying with MLPS-related obligations under the Cybersecurity Law (“CSL”).  These standards, which are commonly referred to as the “MLPS 2.0

On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”).  A previous version of the Guideline was released for public comments on November 30, 2018.

Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting cybersecurity and combating cybercrime.  Following the issuance of the draft Regulations on Cybersecurity Multi-level Protection Scheme (the “Draft MLPS Regulation”, discussed in our previous post available here) and the Regulation on the Internet Security Supervision and Inspection by Public Security Agencies (also discussed in a previous post, available here) last year, the release of this new Guideline represents the latest efforts made by MPS to implement the CSL.

The stated goal of the Guideline is to “protect cybersecurity and individuals’ legitimate interests” and to “effectively prevent cybercrime involving personal information.”  Although not issued as a legally binding administrative regulation, this Guideline sets out the best practices recommended by MPS and will likely serve as an important reference for cybersecurity inspections that will be carried out by the agency and its local counterparts (i.e., local public security bureaus, “PSBs”).

To a large extent, this Guideline overlaps with China’s national standard on personal information protection, GB/T 35273-2017 Information Security Technology – Personal Information Security Specification (the “Standard”), which took effect on May 1, 2018.  The Guideline referred to the Standard as its “indispensable” reference, although at this stage, it is unclear how this Guideline will interact with other existing regulations and national standards.  Furthermore, this new Guideline provides more prescriptive requirements relating to a company’s cybersecurity infrastructure, both in terms of organizational support and technical measures to be implemented.

This post summarizes key requirements of the Guideline.

Continue Reading China’s Ministry of Public Security Issues New Personal Information Protection Guideline

On March 15, 2019, the State Administration for Market Regulation and the Cyberspace Administration of China (“CAC”) jointly issued the Announcement on the Implementation of App Security Certification (the “Announcement”), creating a voluntary (but state-sanctioned) security certification scheme for mobile applications (“Security Certification Scheme”).

Operators of mobile applications are encouraged to obtain this certification to demonstrate their compliance with China’s national standard, GB/T 35273 Information Security Technology — Personal Information Security Specification (“the Standard”), in terms of their collection and use of personal data (our previous blogpost about the Standard can be found here).  Search engines and mobile application stores are encouraged to recommend certified applications to users.

The Implementation Rules on Security Certification of Mobile Internet Application (“Implementing Rules”), which set out detailed procedural requirements for the Security Certification Scheme, were also released at the same time as an annex to the Announcement.

Although not mandatory, as the state-sanctioned certification scheme for personal information protection, the creation of this program illustrates the Chinese regulators’ willingness to use soft tools to encourage best practices in the marketplace.
Continue Reading China Introduces Mobile Application Security Certification Scheme

On February 1, 2019, China’s National Information Security Standardization Technical Committee (“TC260”) released a set of amendments to GB/T 35273-2017 Information Technology – Personal Information Security Specification (“the Standard”) for public comment.  The comment period ends on March 3.

Although not legally binding, the Standard has been highly influential since becoming effective in May 2018, as it set out the best practices expected by Chinese regulators (see our previous blogpost on the Standard here).  The Standard has been widely used by companies to benchmark their compliance efforts in China.

The draft amendments reflect Chinese regulators’ evolved thinking on a number of important topics that are hotly debated around the world, such as enhanced notice and consent requirements and requirements for target advertising.  The draft amendments would also introduce new requirements for third party access to data and revise notification requirements for data beaches, among other proposed changes.
Continue Reading China Releases Draft Amendments to the Personal Information Protection Standard

Mobile phone manufacturer BLU Products, Inc. entered into a settlement agreement with the FTC last week to resolve allegations that one of BLU’s China-based vendors collected personal information about its consumers without proper consent.

The settlement agreement, which took the form of a consent order, applies not only to BLU but also to its CEO and any other companies he owns and controls.  It requires that the company clarify its disclosures regarding customer data use and protection. It also requires BLU to implement a new data security program. In the new security program, BLU must address security risks related to the development and management of new and existing covered devices and must better protect the security, confidentiality, and integrity of personal information. These improved protections include developing and using reasonable steps to select and retain service providers capable of appropriately safeguarding consumer personal information. “Personal information” is defined in this context to include persistent identifiers such as cookies.
Continue Reading Mobile Phone Manufacturer Settles with FTC Over Allegations that Its Vendor Collected Personal Data without Consent

On January 2, 2018, the Standardization Administration of China (“SAC”) released the final version of the national standard on personal information protection, officially entitled GB/T 35273-2017 Information Technology – Personal Information Security Specification (GB/T 35273-2017 信息安全技术 个人信息安全规范) (hereinafter “the Standard”).  The Standard will come into effect on May 1, 2018.

As highlighted in our previous coverage of drafts of the Standard (see here and here), although it is nominally a voluntary framework, the Standard effectively sets out the best practices that will be expected by regulators auditing companies and enforcing China’s existing (but typically more generally-worded) data protection rules, most notably the 2016 Cybersecurity Law.  Drafts of the Standard — even prior its finalization — have also in some cases been the basis for non-compliance remediation plans and undertakings agreed between companies and the Cyberspace Administration of China (“CAC”) following CAC audits, as we reported here.

The Standard applies to “personal information controllers,” namely any private or public organization that has “the power to decide the purpose and method” of processing personal information.  This is seemingly modelled on European law’s “data controller” concept.

The Standard regulates the use of “personal information” by these controllers, a term largely aligned with strict conceptualizations of “personal data” under the EU’s General Data Protection Regulation (“GDPR”).  Examples of “personal information” listed in an annex to the Standard include device hardware serial codes, IP addresses, website tracking records, and unique device identifiers, among other things.  The definition of “sensitive personal information,” however, takes a different approach to the GDPR: rather than applying only to specific types of data, the Standard takes a risk-based approach, defining “sensitive” personal information as any personal information which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation and mental and physical health, or leading to discriminatory treatment.  According to the Standard, this could for example include national identification card numbers, login credentials, banking and credit details, a person’s accurate location, information on a person’s real estate holdings, and information about a minor (under 14 years old).

Similar to general principles of most data protection laws, the Standard requires transparency, specificity and fairness of processing purpose, proportionality (use and retention of only the minimum information necessary to achieve the stated purpose), security, risk assessment, and the respect of individuals’ rights to control the processing of information about them.  It also requires either consent from individuals, or reliance on a limited range of exceptions set out in the Standard, for the purpose of collection and processing of personal information.

This article looks at some of these aspects in more detail, including some of their key divergences from European data protection law, including the GDPR.  (Please note that this is not an exhaustive description of the Standard, nor is it a detailed comparison with the GDPR.)
Continue Reading China Issues New Personal Information Protection Standard