Several“Must-knows” after the Cyber Security Law Took Effect

By Susan Ning, Wu Han, Li Huihui , Zhang Lejian King & Wood Mallesons’ Commercial & Regulatory group

Over two months has passed since the Cyber Security Law of the People’s Republic of China (Cyber Security Law), a fundamental law in cyber security, took effect. Such a short period of time saw numerous changes: in legislation, implementing regulations dealing with “personal information protection”, “security assessment of cross-border transfer of personal information and important data” and “protection of critical information infrastructure (CII)” are under formulation; in law enforcement, regulatory authorities are taking resolute efforts to implement the Cyber Security Law, with specialized law enforcement campaigns in various places. Meanwhile, conflicts among network operators arise among others, in relation to ownership of personal information and data owners. All circles of the society are focusing on development in regulations associated with the Cyber Security Law and in law enforcement.

Against this background, this article streamlines and summarizes key facts in “personal information protection”, “CII” and “network operation security” after the Cyber Security Law took effect.

Personal information protection

1. Law enforcement

(1) Regulatory authorities investigated 15 big data companies to regulate data non-compliance

According to media report, from late May to early June, 2017, regulatory authorities launched a campaign against illegal data transactions and other data non-compliances in the market. Brought under investigation were 15 big data companies, some of whose valuation are over billions of RMB. According to Caixin Weekly, “The Public Information Network Security Supervision Bureau of the Ministry of Public Security is formulating a plan for specialized rectification, and expands the list to cover over 30 companies in its investigation, covering all well-known big data companies in the industry, and even some applying for IPO.” [1]

Comment

This specialized rectification campaign may serve as a “warm up” before the Cyber Security Law is implemented; it may be the prelude to a comprehensive rectification of the big data industry. The cover story of Caixin Weekly published on 7 August discusses grey zones of big data in three articles, stressing the importance to rectify the industry chain. With the thriving of big data industry, law enforcement authorities will further regulate compliance issues in the collection and use of data, especially personal information, by big data companies. Therefore, it is a priority for companies to establish internal cyber security environment and data compliance system as early as possible.

(2) Four departments jointly investigated privacy policy to safeguard personal information from the root

On 27 July 2017, the Office of the Central Leading Group for Cyberspace Affairs, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security, and the Standardization Administration of the People’s Republic of China launched a joint campaign to review the privacy policies of the first batch of ten network products and services, including WeChat, Sina Weibo, JD.COM, Baidu Map, UME Trip, and Ctrip.com. [2]

Previously, a joint research on privacy policies of 1,000 online platforms demonstrates a lack of attention from internet companies in this regard. Among these 1,000 websites and Apps, none has reached the standard of “high” transparency in privacy policy, while over a half are ranked as “low”.[3] This joint examination by the above four departments focuses on whether users are clearly informed of which of and how their personal information is collected, the rules of using such personal information, such as user profile and its purpose, and whether personal information will be used for pushing commercial advertisements, and their rights and methods to access, delete and correct their personal information and relevant restrictions.

Comment

As the first gate to personal information collection, privacy policy will be the first step for personal information protection. In developing and revising their privacy policies, companies should first follow national standards, and consider industry features, to strike a balance between protection of personal information and realization of business objectives.

(3) Specialized campaigns against criminal acts of infringing personal information, strict investigation on data industrial chain

The Ministry of Public Security recently disclosed that since a specialized campaign was launched in March this year to combat criminal acts of hacker attacks and infringement upon citizens’ personal information in the cyberspace, to date over 1,800 cases have been solved nationwide, over 4,800 suspects captured, and over 50 billion pieces of various personal information seized.[4]

In Hefei, for example, since the beginning of 2017, in the specialized campaign launched by Hefei Public Security Bureau against hacker attacks and infringement upon citizens’ personal information in the cyberspace, a total of 5 cases concerning hacker attacks and 53 cases of infringement of personal information in the cyberspace were solved, 77 suspects captured and over 300 million pieces of personal information seized. [5]

According to the police, “There are mainly two sources of large-scale leakage of personal information: (1) hacker attacks; and (2) disclosure by insiders of the companies, institutions and platforms in possession of large amount of personal information”. In this specialized campaign, various departments of Hefei police, cyber security, criminal investigation and other teams, collaborated in conducting comprehensive investigations on online transaction platforms, forums, and websites with an aim to identify the source, destroy the platform and cut off the crime chain, and found clues of illegally obtaining, selling and using personal information; they especially intensified punishment against criminal acts of purposeful disclosure of citizens’ personal information by insiders in financial, telecommunication, network service providers, and of obtaining such information through hacking.

Comment

In addition to the obligations and duties concerning personal information protection provided in the Cyber Security Law, the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Law in the Handling of Criminal Cases of Infringement upon Citizens’ Personal Information (the “Judicial Interpretation”) also provides interpretation of Article 253 of the Amendment (IX) to the Criminal Law of the People’s Republic of China, which specifies the standard of conviction and sentencing for infringing upon citizens’ personal information, and serves as an important basis for current law enforcement in personal information projection. The Judicial Interpretation specifies the subject of criminal acts, bringing companies, their officers and direct business heads under the scope of such subject, and also provides much lower criminal standards. Therefore, companies are compelled to establish a qualified compliance system to prevent possible risks of criminal liabilities.

2. Legislation

Along with intensified law enforcement, introduction of the Cyber Security Law also speeds up the formulation and issuance of implementing regulations and national standards, providing basis for a more specified protection of personal information.

(1) Personal Information Security Specification (draft for approval) (the “Draft Specification”) serves as basis for revision of privacy policy

On 1 August 2017, a new version of the AutoNavi App became available. In this new version, before any user uses the App, a popup window displaying the terms of service and privacy policy will appear as a special reminder of the scope of collection and use of personal information and relevant restrictions.

It is reported that the privacy policy was revised based on the appendix of the Draft Specification, a national standard. In fact, as early as in 2016, the formulation of the Personal Information Security Specification was established by the National Information Security Standardization Technical Committee as a key project of that year. China Information Security Research Institute, China Electronics Standardization Institute, First Research Institute of the Ministry of Public Security of PRC, Tencent, Alibaba and many other companies and institutions participated in its formulation. If AutoNavi did have revised its privacy policy in accordance with the appendix of the Draft Specification, the issuance of the Personal Information Security Specification will be just around the corner.

Comment

With rapid development of cyber security and big data technologies, the Cyber Security Law and implementing regulations only provide general and principle provisions on cyber security and personal information protection. The national standard formulated in accordance with the Cyber Security Law and implementing regulations, on the other hand, will be much more specific with a shorter circle of revision. Thus, it stays up-to-date, providing a more practical guidance for companies’ compliance systems. That AutoNavi revises its privacy policy in accordance with relevant national standard shows the positive guidance of such standard in cyber security and personal information protection.

(2) Protection of users’ personal information incorporated into formulation of Standardization

In early August 2017, the MIIT issued the Guideline for Establishing Mobile Internet Standardization (the “Guideline”).[6] The Guideline proposed that by 2020, a standardization system with improved basic standards, coverage of main products and services, and well-safeguarded security standards that are aligned with the demand of China’s mobile internet industry will be preliminarily established. Also, protection of users’ personal information will be incorporated into the standard.

According to the information from MIIT, relevant standard mainly deals with “the definition, scope, categorization and hierarchy of personal information protection, and standards for the platforms and terminals managing personal information”, and provides regulations on data management methods, structure and scope in relation to users’ account, authorization and resources. The current established standards include technical requirements and testing methods for systems and terminals in relation to mobile internet users’ personal information management business, and the guidance on personal information sharing. More personal information protection standards for the App store, terminal, App, and users’ data are still needed.

Comment

Mobile internet has become one of the most rapid-developing, competitive, and innovative sectors in the information industry. Due to its convenience and close interaction with users, mobile internet companies have access to a vast amount of user data. As the newest engine to drive a company in this big data era, user data is exactly what companies are competing for. It calls for attention from the mobile internet industry and even the internet industry as a whole to tap the full value of data on the one hand, and provide strong protection against leakage and abuse of personal information on the other. It is foreseeable that it will be key for competent and regulatory authorities to better regulate companies in personal information protection practice under the guidance of national or industrial standards.

3. Disputes

(1) SF and Cainiao: who moved whose customer data?

On the very afternoon when the Cyber Security Law took effect, cainiao.com immediately issued the “Statement on SF’s Suspension of Logistics Data Interface”, claiming that SF actively closed logistics data return for Hive Box and Taobao platform; four hours later, SF responded that Cainiao unilaterally cut off the connection. Under the mediation by the State Post Bureau, in the principles of benefitting all, safeguarding market order and legitimate rights and interests of consumers, the parties reached a consensus and agreed to resume all business cooperation and data transfer as of noon 3 June.

(2) Huawei and WeChat: who has claim over user data on mobile phones?

Recently, the dispute between Huawei and WeChat over user data drew wide attention. Issues such as entitlement to user data, delineation of claim over data by software applications and hardware will become foci for future business and judicial practice.

(3) Weibo and toutiao.com: how to crawl information legally?

Dispute over information crawling and authorization occurred between Weibo and toutiao.com. Recently, Weibo claimed that without its knowledge and authorization, toutiao directly crawled content from Weibo including content from the self-media accounts, an alleged violation against which Weibo shall defend its rights. Toutiao.com, on the other hand, claimed that it has crawled information with prior knowledge and consent from users, who have full discretion on authorization, so the copyright for information they published on Weibo still belong to them. Whether to given authorization is determined by users, and knowledge and authorization from Weibo was not applicable in this case.

Comment

In the Sina/maimai.cn case, the court already pointed out that “user data have become increasingly important commercial resources for businesses”. It is foreseeable that the competition over such “commercial resources” will be increasingly fierce, and the number of disputes arising from this will also rocket. In this era of rapid development of smart devices and internet of things, enterprises inevitably access to and use user data in business operation. How providers of products and services can protect user data to the best possible extent is a question that has to be answered in a time for cyber security. At the same time, despite national legislation for internet user data protection on the macro level, issues such as whether individuals have full ownership over relevant information under certain circumstances, and which enterprises may claim rights over legitimately collected personal information remain to be clarified in enforcement or judicial practice.

CII

1. Legislation

(1) Regulations on Security Protection of Critical Information Infrastructures (Draft for Comment) opens a new chapter in CII protection legislation

On 11 July 2017, the State Internet Information Office issued the high-profile Regulations on Security Protection of Critical Information Infrastructures (Draft for Comment) (“Draft Protection Regulation”). [7] As the core and top priority in the information cyber security regimes established by the Cyber Security Law, CII protection regime was identified as the very basis for such legislation in national plan for information network in as early as 2013. The Draft Protection Regulation contains detailed provisions on the scope of CII, protective obligations of operators, product and service security, surveillance and early warning, emergency response and assessment and evaluation, laying out a concrete framework for CII protection regime. This regulatory framework requires CII operators to take initiatives and leverage multiple resources for sharing and cooperation. This demonstrates the government’s determination to make CII indestructible and safeguard cyber sovereignty.

Comment

The issuance of this document indicates a step further in CII protection legislation in China, and has important instructive value for CII operators in their daily operation and management. Therefore, CII operators should begin to sort out their internal cyber security mechanisms and systems as soon as possible and make adjustments and fine-tuning following obligations defined by relevant regulations.

(2) CII Identification Guideline right around the corner

Pursuant to Article 19 of the Draft Protection Regulation, national internet information departments will formulate the CII Identification Guideline (“Identification Guideline”) jointly with telecommunication authorities under the State Council and public security authorities; national authorities or regulators will identify CII in their respective industries and sectors following the Identification Guideline, and submit results following relevant procedures. In the future, the Identification Guideline and specific list of CII identified in various industries will be published to eliminate uncertainties concerning the scope of CII in implementation of the Cyber Security Law.

Comment

The Identification Guideline will further define CII. CII identification by industry and sector is reasonable and rational in that the identification is a comprehensive assessment based on characteristics of industries and sectors. Before the official publication of the Identification Guideline, enterprises may conduct initial assessments based on industry and model of operation, in preparation for future compliance efforts.

2. Law enforcement

(1) Preliminary CII list determined, many SOEs on the list

According to PaPP, currently, 400-500 enterprises in China have been included on the CII list, most of which are SOEs. It is said that those on the list were informed of this inclusion, and those that were not would not be determined as CII operators for the time being. However, the list may be subject to update from time to time, and will be published in due course following the ongoing identification process.

Pursuant to the Cyber Security Law, the State Internet Information Office will coordinate annual check-ups for CII operators by relevant authorities nationwide; the check-up for this year is already on the way and is expected to speed up prior to the 19th CPC National Congress.

Comment

Construction and implementation of CII protection regime will be a core in China’s cyber security system. Currently enterprises are most concerned with whether their network facilities constitute CII and how CII are to perform relevant protection obligations. Following the issuance of the Draft Protection Regulation and the roll-out of the Identification Guideline formulation, the scope of CII will be more clearly defined. Enterprises should actively respond to inquiries on CII by relevant authorities, and keep updated with statements and developments by authorities to get well prepared.

Online operation security

1. First ever cyber security case in Chongqing

In early August 2017, the cyber security department of Chongqing Public Security Bureau successfully handled the very first administrative case against the Cyber Security Law in Chongqing. [8] During daily checks, the department discovered that a certain online operator failed to keep record of web logs for user login during service after the Cyber Security Law came into effect. The company was given a warning pursuant to law and ordered to make amends within a given period.

2. First ever cyber security case in Sichuan

According to scol.com, due to failure to implement the classified protection system, recently, an institution for teachers’ education in Cuiping District, Yibin City was fined RMB 10,000, and its legal representative surnamed Tang RMB 5,000 by Sichuan Public Security Bureau. This is the first administrative case in violation of the Cyber Security Law handled by Sichuan public security authorities following the implementation of this law on 1 June.

Besides, the cyber security departments of Sichuan public security indicate that next, pursuant to the Cyber Security Law, regulation and enforcement province-wide will be more rigorous; the annual enforcement examination will continue, and failure to implement the classified protection system, real-name registration and infringement of citizens’ personal data will be handled in a strict manner for protection of cyber information security.

Comment

Both cases in Chongqing and Sichuan are related to security of operation. Record-keeping of web logs necessitates tracking of online crimes by public security authorities, enabling them to access to the log files of violators in an accurate and timely manner, which serves as solid basis for tracking and reaching these violators. According to the cyber security department of Chongqing Public Security Bureau, preservation of web logs can also protect operators themselves in that it is not only a record of historic data, but also a precaution against possible future risks.

The classified protection system, on the other hand, is an important regime in the area of cyber security currently. Authorities for public security and standardization have formulated protection classification for information systems. Building on this, the Cyber Security Law specifies its major content for the furtherance of implementing this system.

3. Zhipin.com case

Li Wenxing, a graduate of Northeastern University, lost his life because he was deceived to join pyramid selling during his job-hunting on zhipin.com. This incident exposed major loopholes in zhipin.com, and relevant authorities are involved in interference. Internet Information Offices of Beijing and Tianjin jointly interviewed representatives of zhipin.com for its publication of illegal information and gross negligence in user management, and ordered the website to make amends immediately. [9]

A spokesperson of Beijing Internet Information Office said that zhipin.com published information for users without authentic identity information in violation of the law, and did not take effective measures to manage information published by users, resulting in dissemination of illegal information. On 10 August 2017, zhipin.com issued its official apology, saying that after the incident, the company had taken three emergency measures, i.e. “100% verification”, “founding job-hunt security center” and “establishing reminder system for the platform”.

4. Files for investigation opened for Tencent WeChat, Sina Weibo and Baidu Tieba

According to the briefing from the official website of the State Internet Information Office, on 13 August 2017, the Office instructed its subordinates in Beijing and Guangdong to open files for Tencent WeChat, Sina Weibo and Baidu Tieba and conduct investigations accordingly. The briefing points out that based on reports by internet users and initial investigation by Beijing and Guangdong internet information offices, the platforms of the three companies have users who disseminate information harmful to state security, public security and social order that includes contents of violent terrorism, rumors, pornography, etc. As the platforms failed to perform their obligation of managing forbidden information published by users, they are alleged to have violated the Cyber Security Law and other laws and regulations. [10]

Comment

In this era of information industry, by leveraging on the connectivity of the internet, online platforms have literally become highways of information. However, this characteristic makes them vulnerable to becoming tools for disseminating garbage and illegal information. From the last two cases above, it is clear that with the implementation of the Cyber Security Law and unrolling of operation regulation, the focus of online operators, particularly compliance in this regard, will be standardizing regimes for online information platform operation and defining responsibility for surveillance and management. From law enforcement developments so far, it can be seen that disclaimers in user agreements do not qualify as defense for platforms’ exemption. Platform operators should change their attitudes towards their functions, shifting from participants to grassroots regulators of online information, improve prior reminder, after-event regulation and information examination and verification systems, shoulder the responsibility of information access and influence, and actively perform their protection obligations as operators.

---

[1] See “Rectify Non-compliances in the Big Data Industry Chain” Caixin Weekly 2017(Vol.31), published on 7 August 2017.

[2] See http://www.cac.gov.cn/2017-08/02/c_1121421829.htm.

[3] See http://news.xinhuanet.com/legal/2017-06/01/c_1121067078.htm.

[4] See http://www.gov.cn/xinwen/2017-07/18/content_5211559.htm.

[5] See http://hf.ahga.gov.cn/xwfb/201706/23152231zuet.html.

[6] See http://www.miit.gov.cn/n1146295/n1146592/n3917132/n4061630/c5757129/content.html.

[7] See http://www.cac.gov.cn/2017-07/11/c_1121294220.htm.

[8] See http://www.cqga.gov.cn/jfzx/53137.htm.

[9] See http://society.people.com.cn/n1/2017/0810/c1008-29460958.html.

[10] See http://www.cac.gov.cn/2017-08/11/c_1121467425.htm.