Cybersecurity and Data Compliance - Legal Updates and Information Highlights (July 2021)
Legislative dynamics
1. The Supreme People's Court, Provisions on Several Issues Concerning the Application of Law to Civil Cases Involving the Use of Face Recognition Technology to Process Personal Information
On July 28, 2021, the Supreme People's Court issued the Provisions on Several Issues Relating to the Application of Law in Civil Cases Involving the Processing of Personal Information Using Face Recognition Technology, which will be officially implemented on August 1, 2021.
The Provisions apply to civil cases arising from the use of face recognition technology to process facial information, and from the processing of facial information generated by face recognition technology, in violation of laws, administrative regulations, or the agreement between the parties. They list eight situations that constitute infringement of the personality rights and interests of natural persons, such as failing to disclose the rules for processing facial information or the purpose, method and scope of the processing.
Link to the original Provisions:
http://www.court.gov.cn/fabu-xiangqing-315851.html
2. Cyber Security Review Measures (Revised Draft for Comments), Cyberspace Administration of China
On July 10, 2021, the CAC issued the "Cybersecurity Review Measures (Revised Draft for Comments)" and solicited comments until July 15, 2021.
The main amendments in this Revised Draft for Comments are: (1) the "Data Security Law" is added as a legislative basis; (2) the scope of cybersecurity review is expanded to include data processing activities; (3) the subjects obliged to undergo cybersecurity review now include data processors, broadening the range of obligated parties.
Link to the original text of the Measures:
http://www.cac.gov.cn/2021-07/10/c_1627503724456684.htm
3. General Offices of the CPC Central Committee and The State Council Opinions on Strictly Cracking Down on Illegal Securities Activities according to Law
On July 6, 2021, the General Office of the CPC Central Committee and the General Office of the State Council issued the Opinions on Strictly Cracking Down on Illegal Securities Activities in accordance with the Law.
The Opinions propose to strengthen cross-border regulatory cooperation; improve the laws and regulations on data security, cross-border data flow and the management of classified information; promptly revise the provisions on confidentiality and archive management related to overseas securities issuance and listing; consolidate the primary responsibility of overseas-listed companies for information security; and strengthen the standardized management of the mechanisms and processes for providing information across borders.
Link to original article of Opinion:
http://www.gov.cn/zhengce/2021-07/06/content_5622763.htm
4. Shanghai Municipal Commission of Economy and Information Technology, Shanghai Administrative Measures for Road Test and Demonstration Application of Intelligent Connected Vehicles (Draft for Comment)
On July 16, 2021, the Shanghai Municipal Commission of Economy and Information Technology issued the "Administrative Measures for the Road Test and Demonstration Application of Intelligent Connected Vehicles in Shanghai (Draft for Comment)" and solicited comments until July 23, 2021.
This revision adds a chapter on "Network and data security", which sets out access and management requirements for the network security and data security of intelligent connected vehicles that applicants under the Measures must meet. The Measures also improve the management mechanism by combining enterprise commitments, third-party testing, expert review, big-data monitoring, random inspection, regular reporting, and the handling of violations and accidents, so as to ensure the safe and orderly development of intelligent connected vehicle testing and demonstration.
Link to the original text of the Measures:
http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=897AC202AE5F385D28F15CEAEB75E609
5. National Cyberspace Administration and other three ministries and commissions, "Regulations on the Management of Network Product Security Vulnerabilities"
On July 13, 2021, the Ministry of Industry and Information Technology, the National Cyberspace Administration, and the Ministry of Public Security issued the "Regulations on the Management of Network Product Security Vulnerabilities", which will be implemented from September 1, 2021.
The Regulations provide that no organization or individual may use network product security vulnerabilities to engage in activities that endanger network security, or illegally collect, sell or publish information about network product security vulnerabilities. Anyone who knows that others are using network product security vulnerabilities to engage in activities endangering network security may not provide them with technical support, advertising or promotion, or payment and settlement assistance.
Link to the original Provisions:
http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm
6. People's Bank of China, "Management Measures for Reporting Major Events of Non-bank Payment Institutions"
On July 23, 2021, the People's Bank of China issued the "Management Measures for Reporting Major Events of Non-bank Payment Institutions", which will be officially implemented on September 1, 2021.
The Measures set out the classification and handling requirements for customer information leakage incidents, including leakage of personal information. Information security incidents such as leakage of customers' personal information that involve more than 5,000 customer information records or more than 500 customers at one time fall into the first category; those that involve no more than 5,000 customer information records and no more than 500 customers at one time fall into the second category.
Link to the original text of the Measures:
https://www.mpaypass.com.cn/news/202107/23180018.html
Industry dynamics
1. Seven ministries and commissions, including the Cyberspace Administration of China, conducted a network security review of Didi
On July 2, 2021, the Cyberspace Administration of China (CAC) announced that, in order to prevent national data security risks, safeguard national security and protect the public interest, the Cybersecurity Review Office had launched a cybersecurity review of "Didi Chuxing" in accordance with the "Cybersecurity Review Measures", pursuant to the National Security Law and the Cybersecurity Law. Didi Chuxing stopped registering new users during the review period.
On July 16, 2021, the CAC, together with the Ministry of Public Security, the Ministry of State Security and other departments, seven ministries and commissions in total, jointly dispatched staff to Didi Chuxing Technology Co., Ltd. to carry out the cybersecurity review on site.
2. The Ministry of Industry and Information Technology removed 48 apps and notified 145 apps that violated users' rights and interests
On July 12, 2021, the Ministry of Industry and Information Technology notified 48 apps that infringed users' rights and interests (the fifth batch in 2021 and the 14th batch overall). Apps that failed to complete rectification as required by the Ministry of Industry and Information Technology or the local communications administration bureau will be organized for removal.
On July 19, 2021, the Ministry of Industry and Information Technology notified 145 apps that infringed users' rights and interests and had not completed rectification as required by the Ministry of Industry and Information Technology and the local communications administration bureaus. These apps span several categories, including medical and health, e-commerce, utility tools, and video and audio. The Ministry of Industry and Information Technology required them to complete rectification by July 26, 2021; apps that fail to rectify by the deadline will be dealt with in accordance with the law.
3. The CAC removed 25 apps, including Didi Enterprise Edition
On July 9, 2021, the National Cyberspace Administration announced that, based on reports and testing verification, 25 apps including Didi Enterprise Edition (among them Didi Enterprise Edition, Didi Car Owner, Didi Hitch, Uber China, etc.) had seriously violated laws and regulations in collecting and using personal information. The CAC ordered the removal of the 25 apps and required the relevant operators to strictly comply with legal requirements, refer to the relevant national standards, and rectify the problems in earnest so as to effectively protect the security of users' personal information.
At the same time, the CAC also asked websites and platforms not to provide access to and download services for the above 25 apps.
4. The Ministry of Industry and Information Technology launched a special rectification action for the Internet industry
On July 26, 2021, the Ministry of Industry and Information Technology announced that it would carry out a six-month special Internet rectification action.
The rectification action covers eight types of problems in four areas, namely threatening data security, infringing on users' rights and interests, disrupting market order, and violating resource and qualification management, spanning 22 scenarios.
With regard to threats to data security, the Ministry of Industry and Information Technology will focus on operators that fail to take the necessary management and technical measures in data collection, transmission, storage and external provision, including specific scenarios such as failing to encrypt sensitive information during transmission and failing to obtain user consent before providing data to third parties.
With regard to infringement of users' rights and interests, the Ministry of Industry and Information Technology will focus on problems such as applications forcing personalized services on users, including scenarios such as pop-up screens with deceptive skip links and fake close buttons on targeted push content.
5. New York's Biometric Privacy Act goes into effect
On July 9, 2021, New York City Council Bill 1170-2018 went into effect.
The bill requires businesses to inform consumers about their use of biometric technology and, where a consumer's biometric information is collected, to post a sign that clearly tells consumers that their biometric information is being collected. The bill also prohibits the sale of biometric information.
In addition, the bill gives data subjects the right to sue companies over the collection and use of their biometric information.
6. Russia investigates data localization programmes of international companies
This month, Russia's data protection authority sent inquiries to foreign companies doing business in Russia about their compliance with the personal data localization requirements and asked the companies concerned to respond within 30 days. Companies that do not respond by the deadline may face fines, blocking of access and other measures.
The purpose of the inquiry is to check whether the companies comply with the personal data localization requirements of the Russian Personal Data Act and to learn which specific programs the companies have adopted.
7. TikTok fined €750,000 by the Dutch Data Protection Authority for violating children's privacy
On July 22, the Dutch Data Protection Authority announced that TikTok had been fined 750,000 euros for violating children's privacy. When users in the Netherlands, many of whom are children, installed and used TikTok, the app presented its privacy statement in English rather than in Dutch, which was incomprehensible to them; as a result, TikTok failed to adequately explain how it collects, processes and uses personal data. TikTok has disputed the fine, stating that it has offered a shorter and more understandable Dutch-language version of its privacy policy for children since July 2020 and that the Data Protection Authority had accepted this solution.
Hot case
1. Former employee convicted of illegally obtaining computer information system data for profit after leaving the company
Defendant Zhao joined a company in June 2015 and was responsible for the iOS development of one of the company's apps. In May 2017, Zhao resigned from the company.
Between January and December 2019, Zhao used information learned during his employment to create a counterfeit "ad-free" version of the app, which accessed the company's resources stored on its server by means of crawler technology. Zhao listed the counterfeit app on an app store as a paid download at 68 yuan per purchase and made a total profit of 190,000 yuan. The company claimed that Zhao's conduct caused it significant losses; Zhao argued that only part of the company's resources were protected against crawlers and that the resources he used were all unprotected.
After the trial, the court held that Zhao's behavior constituted the crime of illegally obtaining computer information system data, and sentenced Zhao to 4 years and 6 months in prison and fined 50,000 yuan.
2. 58 people detained for infiltrating parents' groups to collect personal information and selling it to nearly 100 educational institutions
Recently, the Zhejiang Provincial Market Supervision Bureau announced that Suichang County had investigated a case of infringement of consumers' personal information.
In this case, Bi, Zhong and Zhang set up seven companies in Lishui City, including Yashang Information Technology Co., Ltd., and organized employees to join parents' WeChat groups by posing as educational institutions, training teachers, students' parents and others. In the name of offering trial classes or one-to-one course consulting, they collected the personal information of more than 9 million students and parents. The data was aggregated and uploaded to a unified platform, screened, and then illegally sold to online education and training institutions. The case involved more than 9 million pieces of personal information, with a total amount involved of about 150 million.
At present, the case has been transferred to the public security department. Criminal coercive measures have been taken against 58 people, of whom 3 have been formally arrested and 55 released on bail pending trial.
3. Big-data price discrimination against a loyal customer: Ctrip ordered to refund the price and pay triple compensation
In this case, the plaintiff, Ms. Hu, is a Ctrip diamond VIP customer entitled to a 15% discount on the Ctrip platform. In July 2020, Ms. Hu booked a hotel room through the Ctrip app and paid 2,889 yuan. When she checked out, Ms. Hu found that the hotel's actual listed price was only 1,377.63 yuan.
After Ms. Hu raised the matter with Ctrip, Ctrip refunded part of the price difference. Ms. Hu then sued in the Shaoxing Keqiao District People's Court, asking Ctrip to refund the price and pay three times the amount in compensation, and to add an option allowing her to continue using the app without agreeing to the "Service Agreement" and "Privacy Policy", so as to prevent the defendant from collecting her personal information and controlling her data.
After trial, the Keqiao District Court supported Ms. Hu's claim for a refund and triple compensation. As to Ms. Hu's request to keep using the app without agreeing to the user agreement and privacy policy, the court found that the "Service Agreement" and "Privacy Policy" of the Ctrip app require users to authorize Ctrip, its affiliates and its business partners to share users' personal information, and allow Ctrip, its affiliates and its business partners to analyze user information and make further commercial use of the results. The "Privacy Policy" also requires users to authorize Ctrip to automatically collect personal information including log information, device information, software information and location information; to allow that information to be used for marketing activities and personalized recommendations; and to agree that Ctrip may analyze users' order data to build user profiles so that it can understand user preferences.
The court held that this information goes beyond what is essential for forming an order and amounts to the collection and use of non-essential information. In particular, sharing user information for further commercial use with affiliates and business partners that the defendant could define at will was not necessary and greatly increased the risk of misuse of users' personal information. The court also held that, after a fresh download of the Ctrip app, users must click to agree to Ctrip's "Service Agreement" and "Privacy Policy" in order to use it, and are taken straight out of the app if they do not agree, which amounts to refusing to provide services to users.