REGULATIONS

CAC seeks comments on scope of necessary personal information required for 38 types of Apps

On December 1, 2020, the Cyberspace Administration of China ("CAC") issued the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications (Draft for Comment) (the "Draft for Comment") for public comments by December 16, 2020.

The Draft for Comment stipulates the scope of necessary personal information required for 38 common types of Apps, such as map navigation Apps, online car-hailing Apps, and instant messaging Apps. In particular, the Draft for Comment provides that as long as a user consents to the collection of the necessary personal information required for an App, the App shall not refuse the user's installation and use. Meanwhile, a total of 12 types of Apps, including online live streaming Apps, online audio and video Apps, short video Apps, and browser Apps, shall provide basic functional services without asking users for personal information.

http://www.cac.gov.cn/2020-12/01/c_1608389002456595.htm

Three departments released the Announcement on Issuing the Import Licensing List and Export Control List of Commercial Cryptography and Relevant Administrative Measures

On December 2, 2020, the Ministry of Commerce (the "MOC"), the State Cryptography Administration (the "SAC") and the General Administration of Customs (the "GAC") jointly released the Announcement on Issuing the Import Licensing List and Export Control List of Commercial Cryptography and Relevant Administrative Measures (the "Announcement").

The main contents of the Announcement are as follows:

  1. In order to safeguard national security and public interests, it is hereby decided to carry out import licensing and export control for relevant commercial cryptography.
  2. Regarding the import of items and techniques set out in the Import Licensing List of Commercial Cryptography, i.e., encrypted telephone sets, encrypted fax machines, cryptographic machines (cards) and encrypted VPN equipment, the import license of dual-use items and techniques shall be applied for with the MOC.
  3. Regarding the export of items and techniques specified in the Export Control List of Commercial Cryptography, including security chips, key management products, special cryptographic equipment and cipher development and production equipment, the export license of dual-use items and techniques shall be applied for with the MOC.

This Announcement shall enter into force on January 1, 2021, and the Announcement No. 18 of the State Cryptography Administration and the General Administration of Customs, the Announcement [2012] No. 64 of the General Administration of Customs and the State Cryptography Administration, the Announcement No. 27 of the State Cryptography Administration and the General Administration of Customs, and the Announcement No. 38 of the State Cryptography Administration, the Ministry of Commerce and the General Administration of Customs are to be repealed simultaneously.

http://www.mofcom.gov.cn/article/zwgk/zcfb/202012/20201203019733.shtml

MIIT announced the seventh batch of Apps for infringement on users' rights and interests

On December 21, 2020, the Ministry of Industry and Information Technology ("MIIT") announced the seventh batch of apps for infringement on users' rights and interests. The main problems involved are as follows:

  1. collecting and using personal information in violation of laws and regulations;
  2. asking for permission mandatorily and in an excessively frequent way;
  3. deceiving and misleading users to download Apps; and
  4. App information on the App distribution platform is not clear.

https://www.miit.gov.cn/jgsj/xgj/gzdt/art/2020/art_13136b980ab444519feac1c3b3c48086.html

MHRSS: A human resource service agency shall ensure personal information security

On December 23, 2020, the Ministry of Human Resources and Social Security ("MHRSS") issued the Administrative Provisions on Online Recruitment Services (the "Provisions"), which will take effect from March 1, 2021.

On personal information protection, the Provisions provide:

  • A human resource service agency engaged in online recruitment services shall strengthen cybersecurity management, fulfill cybersecurity protection obligations, and take technical or other necessary measures in accordance with the requirements of national cybersecurity laws, administrative regulations and multi-level protection system of cyber security, to ensure the security of the recruitment service network, information system and user information.
  • A human resource service agency shall establish and improve the information protection system for online recruitment service users, and shall not disclose, tamper with, damage or illegally sell, or illegally provide other people with the ID card number, age, gender, address, contact information and business status of the employer.
  • A human resource service agency shall conduct self-examination on the information protection of online recruitment service users at least once a year, record the self-examination situation, and timely eliminate the security risks found in the self-examination.
  • Where a human resource service agency engaged in online recruitment services does need to provide an overseas institution with the personal information and important data collected and generated in its operations within the territory of China due to business needs, it shall comply with relevant laws and administrative regulations of the State.

http://www.mohrss.gov.cn//xxgk2020/fdzdgknr/zcfg/bmgz/202012/t20201223_406512.html

MIIT issued the Construction Guidelines of Data Security Standard System in Telecom and Internet Industry

On December 25, 2020, the Ministry of Industry and Information Technology ("MIIT") issued the Construction Guidelines of Data Security Standard System in Telecom and Internet Industry (the "Guidelines").

The Guidelines include standards of basic generality, critical technology, safety management and critical areas. The standards of basic generality include the definition of terms, data security framework, data classification and grading, etc., which provide basic support for various standards. The critical technology standards regulate the critical technology of data security across the whole data life cycle: collection, transmission, storage, processing, exchange, destruction, etc. Security management standards include data security specification, data security assessment, monitoring, early warning and disposal, emergency response and disaster backup, security capability certification, etc. Critical areas standards include 5G, mobile Internet, Internet of vehicles, Internet of things, industrial Internet, cloud computing, big data, artificial intelligence, blockchain and other critical areas.

Data security standards in the field of the Internet of vehicles mainly include the data security of the cloud platform of the Internet of vehicles, the data security of V2X communication, the data security of the intelligent connected vehicle, and the data security of the mobile App of the Internet of vehicles, etc.

Data security standards in the field of mobile Internet mainly include personal information protection of mobile applications, SDK security of mobile applications, etc.

Data security standards in the field of artificial intelligence mainly include data security of artificial intelligence platform, personal information protection of artificial intelligence terminal, etc.

https://www.miit.gov.cn/zwgk/zcwj/wjfb/txy/art/2020/art_4a6aca0048b742ea97cfb280e981125e.html
