China Monthly Data Protection Update


Data Protection Highlights

The State Council Releases the Regulations on Network Data Security Management: On September 24, Premier Li Qiang of the State Council signed the 790th State Council Order, officially promulgating the Regulations on Network Data Security Management. The regulations were adopted on August 30, during the 40th executive meeting of the State Council, and will come into effect on January 1, 2025.

Ministry of State Security: Foreign Companies Illegally Obtain Surveying and Mapping Data under the Guise of Intelligent Car Driving: On October 16, the Ministry of State Security stated that in recent years, as the national security organs have intensified their crackdown on illegal surveying and mapping activities, some overseas organizations have gradually turned to so-called project cooperation with domestic enterprises to evade supervision, illegally collecting China’s original surveying and mapping data, and threatening our national security. The state security organs have discovered that an overseas enterprise, in collaboration with a Chinese company, which has surveying and mapping qualifications, has been illegally conducting geographical information surveying activities within China under the pretext of automotive intelligent driving research.

MIIT Announced to Research and Develop Policies for Facilitating Cross-Border Data Flow of Intelligent Connected Vehicles: On October 17, the three-day 2024 World Intelligent Connected Vehicles Conference opened in Beijing. Jin Zhuanglong, the Minister of Industry and Information Technology (“MIIT”), stated that China will promote the industry's new development from the aspects of integrated innovation and expanding application scenarios. Jin Zhuanglong also indicated that under the framework of the United Nations International Standardization Organization, China will strengthen cooperation with other countries on standardization and regulatory issues, and study policies to facilitate the cross-border flow of data.

Data Protection

Legislation

MIIT Issued the Emergency Plan for Data Security Incidents in the Field of Industry and Information Technology (for Trial)

The National Data Bureau Solicited Comments on The Interpretation of Terms in the Data Domain

The National Development and Reform Commission Released the Interim Measures for the Registration Management of Public Data Resources (Draft for Comments)

The National Data Bureau Released the Interim Measures for the Authorization Operation of Public Data Resources (Trial) for Public Comments

The State Council Releases the Regulations on Network Data Security Management

Authorities

National Data Standardization Technical Committee Officially Established, First Plenary Session Convened in Beijing

Beijing, Shanghai, Hainan, and Shenzhen Launched Pilot Program to Open Up Value-added Telecommunications Services to Foreign Investment

Beijing CA Organized Compliance Training Session on the Collection and Use of Personal Information by Vending Machines

MIIT Announced to Research and Develop Policies for Facilitating Cross-Border Data Flow of Intelligent Connected Vehicles

Ministry of State Security: Foreign Companies Illegally Obtain Surveying and Mapping Data under the Guise of Intelligent Car Driving

Shanghai CA Comprehensively Rectifies the Misuse of Facial Recognition Technology in Subway Vending Machines

National Data Bureau: Public Data Involving Personal Information Must Conduct Desensitization and Anonymization Processing

Enforcement Cases

Shanghai Authorities Receive Prosecutorial Advice on Privacy Breach in Public Notices

Illegal Acquisition of Over 100 Million Citizen Personal Information via External Networks Leads to a Technology Company Employee’s Conviction

Shanghai CA Penalized Shanghai Medical Technology Company for Failing to Fulfill Protection Obligations

WeBank Fined 13.87 Million RMB for Violations Including Failure to Keep Customer Identity Information and Transaction Records as Required

Courts Litigation

SPP: “Scraping” Citizen Information for Profit Lands Data Brokers in the Legal Net

Beijing Internet Court Received 113 Cases Related to Personal Information Protection in Past Year and Issued Eight Typical Cases.

Shanghai Court: SMS Provider’s Failure to Exercise Due Diligence Over Fake Messages Violated Privacy and Personal Information

Beijing Internet Court: “Reposting” Publicized Employment Lists May Constitute Infringement

Data Protection

Legislation

On October 29, 2024, the MIIT issued the Emergency Plan for Data Security Incidents in the Field of Industry and Information Technology (for Trial), aiming to construct a data security incident emergency management system and enhance incident response capabilities. The plan specifies the roles and responsibilities of various parties, including the MIIT, local industry regulatory authorities, data processors, and emergency support institutions, to ensure effective management and response to data security incidents.[1]

On October 21, the National Bureau of Data issued a notice of opinions on the Interpretation of Terms in the Data Domain, and the deadline for soliciting opinions is November 20, 2024. The purpose of this solicitation of opinions is to further build consensus and promote a unified understanding of data field terminology among all sectors of society.[2]

On October 12, to implement the requirements of documents such as Opinions on Accelerating the Development and Utilization of Public Data Resources by the General Office of the Central Committee of the Communist Party of China and the General Office of the State Council, to promote the compliant and efficient development and utilization of public data resources, to build a national integrated public data resource registration system, and to standardize the registration work of public data resources, the relevant departments of the National Development and Reform Commission drafted the Interim Measures for the Registration Management of Public Data Resources and are now soliciting public opinions. The deadline for submitting comments is November 11, 2024.[3]

On October 12, to implement the requirements of documents such as Opinions on Accelerating the Development and Utilization of Public Data Resources by the General Office of the Central Committee of the Communist Party of China and the General Office of the State Council, and to regulate the authorized operation of public data resources, the relevant departments of the National Data Bureau drafted the Interim Measures for the Authorization Operation of Public Data Resources (Trial) (Draft for Comments) and are now soliciting public opinions. The deadline for submitting comments is November 11, 2024.[4]

On September 24, Premier Li Qiang of the State Council signed the 790th State Council Order, officially promulgating the Regulations on Network Data Security Management. The regulations were adopted on August 30, 2024, during the 40th executive meeting of the State Council and will come into effect on January 1, 2025.[5]

Authorities

National Data Standardization Technical Committee Officially Established, First Plenary Session Convened in Beijing

On October 28, 2024, the National Data Standardization Technical Committee convened its establishment ceremony and the first general meeting of all members in Beijing. The meeting reviewed and approved the committee’s constitution, guidance of secretariat work, procedures for the formulation and revision of standards, and other institutional documents, as well as the focal points for 2024-2025’s work and the composition plan for its subordinate working groups. The conference was guided by the SAMR and the National Data Bureau, organized by the National Data Standardization Technical Committee, and hosted by the committee's secretariat (China Electronics Technology Standardization Research Institute).[6]

Beijing, Shanghai, Hainan, and Shenzhen Launched Pilot Program to Open Up Value-added Telecommunications Services to Foreign Investment

On October 23, Beijing, Shanghai, Hainan, and Shenzhen officially launched the pilot work of expanding the opening up of value-added telecom services to the outside world. In areas approved to carry out pilot projects, foreign-invested enterprises are allowed to wholly own and operate value-added telecommunications services such as internet data centers. By the end of September, a total of 2,220 foreign companies had been approved to operate telecommunications businesses in China.[7]

On October 17, the Beijing Cyberspace Administration (“CA”), in conjunction with the Beijing AMR and the Beijing Branch of the National Internet Emergency Center, conducted a compliance training session for 18 vending machine operators in Beijing. The training focused on three objectives: 1) helping enterprises to understand the Personal Information Protection Law, 2) mastering a set of compliance standards for the collection and use of personal information in vending machine consumption scenarios, and 3) carrying out a deep self-inspection according to the training requirements and rectifying problems promptly.[8]

On October 17, the three-day 2024 World Intelligent Connected Vehicles Conference opened in Beijing. Jin Zhuanglong, the Minister of MIIT, stated that China will promote a new era of industrial development through integrated innovation and expanding application scenarios. Jin Zhuanglong also indicated that under the framework of the United Nations International Standardization Organization, China will strengthen cooperation with other countries on standardization and regulatory issues, and study policies to facilitate the cross-border flow of data.[9]

On October 16, the Ministry of State Security stated that in recent years, as the national security organs have intensified their crackdown on illegal surveying and mapping activities, some overseas organizations have gradually turned to so-called project cooperation with domestic enterprises to evade supervision, illegally collecting China’s original surveying and mapping data, and threatening our national security. The state security organs have discovered that an overseas enterprise in collaboration with a Chinese company, which has surveying and mapping qualifications, has been illegally conducting geographical information surveying activities within China under the pretext of automotive intelligent driving research.[10]

On October 14, Shanghai CA investigated the issue of vending machines misusing facial recognition technology to illegally collect personal information, as reported by citizens. The administration, in conjunction with relevant departments, held joint discussions with the companies involved, demanding rectification measures. Guided by the administration, the Shanghai Metro Corporation carried out an investigation and rectification of vending machines within subway stations, suspending the facial payment function of 829 problematic vending machines, which will be reactivated after the rectification is completed. The Shanghai CA emphasized that companies should take strict legal protective measures when collecting, storing, using, transmitting, and deleting facial information, and will carry out special rectification actions to enforce penalties and media exposure for illegal activities.[11]

On October 10, during a press conference held by the State Council Information Office, the person in charge of the National Data Bureau stated that in the process of developing and utilizing public data resources, public data involving personal information must strictly comply with the Personal Information Protection Law and conduct desensitization and anonymization processing.[12]

On October 30, 2024, the People’s Procuratorate of Yangpu District in Shanghai discovered that several administrative organs within its jurisdiction had failed to take security measures such as encryption on personal information, including ID numbers and addresses, when announcing administrative penalties and compulsory legal documents involving natural persons via the internet. Consequently, the Yangpu Procuratorate issued prosecutorial suggestions to the relevant administrative organs following the law, demanding that they review and promptly deal with personal information disclosed in administrative cases on the internet to prevent the risk of personal information leaks. It also advised the establishment and improvement of rules for handling personal information, protecting personal information rights and interests according to the law, and regulating activities involving personal information processing. Upon receiving the prosecutorial suggestions, the relevant administrative organs immediately held a symposium with the procuratorial organs and reached a consensus on rectification.[13]

On October 28, the People’s Procuratorate of Yangpu District in Shanghai held a press conference to report on the handling of cases involving the infringement of citizens’ information privacy since 2020 and to release related case examples. Wu, an employee of a security technology company, was sentenced to one year and six months in prison, suspended for one year and six months, and fined 2,000 RMB by the court for the crime of infringing on citizens’ personal information. Wu had illegally accessed overseas platforms through VPN software to download and store over 100 million pieces of citizens’ personal information. The procuratorial authority emphasized that obtaining citizens’ personal information from abroad in violation of national regulations is illegal and that Wu’s actions posed a serious threat to society. However, considering Wu’s voluntary surrender and the fact that the information was not used, a mitigation of punishment was given.[14]

On October 14, the Shanghai CA received a tip-off indicating that a medical technology company within its jurisdiction had a cybersecurity vulnerability, leading to a massive leak of personal information data accessed and stolen by foreign IPs. Upon verification, the involved medical technology company is a private medical institution primarily engaged in developing technology services for medical education and training. The system involved in the case was an internal production testing system of the company, deployed on a cloud service platform, with a database storing a large amount of personal information, including names, organization names, provinces/cities affiliation, townships/streets, and mobile phone numbers (with encryption measures in place). The company failed to fulfil its obligations regarding cybersecurity and data protection, resulting in the data breach and theft, which violated Article 27 of the Data Security Law. Consequently, the Shanghai CA, following Article 45 of the Data Security Law, issued a warning and imposed an administrative fine on the medical technology company.[15]

WeBank Fined 13.87 Million RMB for Violations Including Failure to Keep Customer Identity Information and Transaction Records as Required

On September 30, a penalty notice from the Shenzhen branch of the People’s Bank of China showed that WeBank was fined 13.87 million RMB for five violations, and five department heads at the time were fined a total of 247,500 RMB. The administrative penalty decision stated that Shenzhen Qianhai WeBank Co., Ltd. was involved in five regulatory violations, including: violating account management regulations; failing to fulfill customer identity identification obligations as required; failing to keep customer identity information and transaction records as required; failing to report large transactions or suspicious transactions as required; and conducting transactions with customers whose identities were unknown.[16]

On October 31, 2024, the Supreme People’s Procuratorate of China (“SPP”) reported a significant personal information leak case: Wang and others used over 100 pieces of software developed by hackers to illegally invade 51 systems across 29 industries, including social security and healthcare, in 21 provinces and cities nationwide, illegally acquiring and selling personal information of citizens to debt collection companies for illegal profits exceeding 5 million yuan. The Procuratorate in Xindu District, Chengdu, Sichuan Province, conducted a comprehensive review and discovered a hidden industry chain involving data brokers, hackers, and online debt collection companies. In cooperation with public security organs, the procuratorial organs formulated a comprehensive crackdown plan to combat this illegal industry chain. The case was prosecuted by the People’s Procuratorate of Xindu District, Chengdu, Sichuan Province, in November 2023, and the court sentenced the perpetrators to corresponding penalties for the crimes of infringing on citizens’ personal information and providing programs for invading computer information systems.[17]

On October 30, on the third anniversary of the implementation of the Personal Information Protection Law of the People's Republic of China, the Beijing Internet Court reported on the handling of cases related to personal information and data and released eight typical cases to regulate personal information processing activities. The release aims to promote the rational use of data and drive the high-quality development of the digital economy. Meanwhile, the Network Data Security Management Regulations issued by the State Council also treat the protection of personal information rights as an important element, emphasizing the primary responsibility of network data handlers and requiring the establishment and improvement of a comprehensive network data security management system to ensure data safety.[18]

On October 28, the Shanghai Baoshan District People’s Court concluded a privacy and personal information protection dispute case, where the court ruled that the short message service (“SMS”) provider should undertake joint liability with the short message content provider for failing to exercise due diligence over fake messages. The court found that the short message content provider had sent false debt collection-related short messages to the plaintiff’s mobile phone number through the information company (SMS provider) without the plaintiff’s consent, which impacted the plaintiff’s private life tranquility and infringed upon the plaintiff’s right to privacy and personal information.[19]

On October 18, the Beijing Internet Court announced a judgment in which the defendant’s published article revealed the plaintiff’s name, school, major, and educational background. Although the above information had been made public through the employer’s public disclosure process, the employer had deleted the publicized information after seven days. The plaintiff argued that the defendant infringed upon their right to reputation, privacy, and personal information rights. The court, after review, concluded that the defendant’s actions did not infringe upon the plaintiff’s right to reputation and privacy. However, the plaintiff had clearly indicated to the defendant in June 2023 that their name was visibly included in the article and expressed that the defendant’s actions constituted an infringement, which was a clear refusal to allow the defendant to process their personal information. Under these circumstances, the defendant failed to provide evidence that they had modified or deleted the content of the article in question, and thus should bear the civil liability for infringing upon the plaintiff’s personal information rights.[20]

[1] https://www.miit.gov.cn/jgsj/waj/wjfb/art/2024/art_b051a6efc2ac4f3c94123c5bb8cb9b22.html

[2] https://mp.weixin.qq.com/s/uMcMcauaM6Hy0E-3vJMvyw?scene=25#wechat_redirect

[3] https://yyglxxbsgw.ndrc.gov.cn/htmls/article/article.html?articleId=2c97d16b-9091ce05-0192-7ffe5fd4-0023#iframeHeight=807

[4] https://mp.weixin.qq.com/s/Mewd4PC29jN-z1CC-myhcQ?scene=25#wechat_redirect

[5] https://mp.weixin.qq.com/s/gKL0_z5CdmD02JGly2YtQQ?scene=25#wechat_redirect

[6] https://mp.weixin.qq.com/s/bFIvtxvEZFLAbF7qqRKekQ?scene=25#wechat_redirect

[7] https://cn.chinadaily.com.cn/a/202410/23/WS6718886da310b59111d9f685.html

[8] https://mp.weixin.qq.com/s/f1gLYCwTRfF_qym3R0XU8A?scene=25#wechat_redirect

[9] https://news.cctv.com/2024/10/17/ARTIAbYTXCVVtjKWy7heLp4K241017.shtml

[10] https://mp.weixin.qq.com/s/RGoSED4ch0aDq9JFD3uviQ?scene=25#wechat_redirect

[11] https://mp.weixin.qq.com/s/h0LJiqtPd0jPT5fjIiga5w?scene=25#wechat_redirect

[12] https://mp.weixin.qq.com/s/w_DIHH7ifbtSrnC--pYhlg?scene=25#wechat_redirect

[13] https://www.jfdaily.com/wx/detail.do?id=812203

[14] https://m.thepaper.cn/newsDetail_forward_29169381

[15] https://mp.weixin.qq.com/s/p1zx0XpCV6nQwNb9vnD0dQ?scene=25#wechat_redirect

[16] https://news.qq.com/rain/a/20241010A03EZX00

[17] https://mp.weixin.qq.com/s/xh54byNqNnj8ALbr5W-SYA?scene=25#wechat_redirect

[18] https://mp.weixin.qq.com/s?__biz=MzA3MTk1OTI1NA==&mid=2247683626&idx=1&sn=565b99ec74c1c58aed3e366f97cf2bf2&scene=25#wechat_redirect

[19] https://m.thepaper.cn/newsDetail_forward_29168831

[20] https://mp.weixin.qq.com/s/oVx8bJcZuXlUvoqevkAP-A?scene=25#wechat_redirect

About the Lawyer

Dai Jianmin (戴健民)

Partner, Dentons Shanghai

jianmin.dai@dentons.cn

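Dai was among the first lawyers to practice in the fields of data and privacy protection and cybersecurity in China, and has provided legal services in this area to numerous multinational companies and large enterprises since 2012. To date, Dai has provided legal services covering every stage of the data life cycle to nearly one hundred enterprises operating in China, across industries including pharmaceuticals and life sciences, automotive (including parts and autonomous driving), chemicals, advertising and media, fashion and luxury goods, big data and internet, and logistics and supply chain. Dai's many honors include: Client's Choice Lawyer of the Year in the 2024 "Outstanding Lawyers and Law Firms Recommended by General Counsel of Well-Known Chinese Enterprises" list initiated by 名律堂 and 法佬汇; 2024 律新社 Brand Star in Data Compliance: Leading Lawyer; 2024 Asian Legal Business (ALB China) Top 15 Cybersecurity and Data Protection Lawyers; and 2024 LEGALBAND China Top Lawyers Ranking: Recommended Lawyer in Cybersecurity and Data Compliance.

Partner, Dentons Beijing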

zhisong.deng@dentons.cn

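Deng began practicing cybersecurity and data protection law in China. Deng is one of the few lawyers with extensive experience in China's emerging data protection field, and has provided highly regarded legal advice to many domestic and foreign clients on building compliance systems, designing business models, and responding to administrative investigations and civil litigation. Deng is a data compliance standards expert of the National Industrial Information Security Center, a member of the personal information protection expert group of the Cyber Security Association of China, and a member of the Cyber and Information Law Research Society of the China Law Society. In 2021, Deng was named one of the "Top 15 Data Privacy Lawyers of 2021" by ACE LEGALTECH AWARDS.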

Source: Dentons Shanghai