Cybersecurity and Data Compliance - Legal Updates and Information Highlights (June 2021)
Legislative dynamics
1. National People's Congress Standing Committee, Data Security Law of the People's Republic of China
On June 10, 2021, the Data Security Law of the People's Republic of China was passed at the 29th meeting of the Standing Committee of the 13th National People's Congress; it takes effect on September 1, 2021.
The Data Security Law applies to data collection, storage, use, processing, transmission, provision, disclosure and other data processing activities carried out within the territory of the People's Republic of China. Overseas organizations and individuals whose data activities harm China's national security, the public interest, or the legitimate rights and interests of Chinese citizens and organizations will also be held legally liable. Compared with earlier drafts, this final version adds penalties for violating the national core data management regime and for illegally providing important data to overseas parties.
2. Shenzhen Municipal People's Congress Standing Committee, "Shenzhen Special Economic Zone Data Regulations" (Draft)
On June 1, 2021, the Standing Committee of the Shenzhen Municipal People's Congress published the "Shenzhen Special Economic Zone Data Regulations (Draft for Comment)" and solicited public comments until June 15, 2021.
The draft, which will be submitted to the Standing Committee of the Shenzhen Municipal People's Congress for deliberation, sets out five basic principles, including: the collection of personal information must follow the principle of minimum necessity; data processors must provide a means of withdrawing consent; the establishment of a data trading system is to be explored; big data "killing" (algorithmic price discrimination against existing customers) is to be severely punished; and a public interest litigation system for data rights infringement is to be established.
3. National Health Commission, "Internet Medical Health Information Security Management Standards" (draft)
In order to standardize and promote network security for Internet medical and health applications, the Statistical Information Center of the National Health Commission organized the drafting of the industry standard "Internet Medical and Health Information Security Management Standard (Draft for Comment)", which was open for public comment from June 4 to June 17.
The draft for comment consists of 11 parts, including an introduction, scope, normative references, and terms and definitions. It sets out the overall framework for Internet medical and health information security management and the security requirements for six areas: management of information security related parties, information security process management, information security data management, information security technology management and information security organization management.
4. The Ministry of Industry and Information Technology, "Notice on Strengthening the Network Security of the Internet of Vehicles (Intelligent Connected Vehicles)" (draft)
On June 23, 2021, the Ministry of Industry and Information Technology issued the Notice on Strengthening the Network Security Work of the Internet of Vehicles (Intelligent Connected Vehicles) (Draft for Comment) and solicited public comments until July 2, 2021.
The draft for comment puts forward requirements in four areas, including strengthening vehicle network security protection and strengthening platform security protection. It requires enterprises to protect the security of Internet of Vehicles network facilities and systems, to fulfil their primary responsibility for network security, to establish management systems and operating procedures for Internet of Vehicles network security, to designate a person in charge of network security, to carry out compliance evaluations and risk assessments regularly, and to eliminate network security risks in a timely manner. On data, the draft makes clear that data security management should be strengthened: a data asset ledger should be established, data classification and grading should be implemented, and the protection of personal information and important data should be strengthened. The draft also calls for the development, utilization and sharing of data to be standardized, and for the security management of cross-border data transfers to be strengthened.
5. State Administration of Radio and Television, Basic Requirements for Network Security Level Protection of Radio and Television Networks (draft)
On June 21, 2021, the State Administration of Radio and Television issued the Basic Requirements for Network Security Level Protection of Radio and Television Networks (draft) and solicited public opinions until June 30, 2021.
The draft standard specifies how radio and television network objects are graded under security level protection, the security protection capabilities required at each level, the general security requirements and extension requirements, and the security management requirements. It also sets out the general security requirements for first- to fifth-level radio and television networks, the security extension requirements for cloud computing, and the security extension requirements for mobile Internet.
Industry dynamics
1. The Ministry of Industry and Information Technology publicly named 291 apps in five categories that infringe users' rights and interests
This month, the Ministry of Industry and Information Technology publicly notified a total of 291 apps in five categories, including practical tools, learning and education, life and travel, job hunting and recruitment, and sports and fitness, and ordered them to rectify the problems within a time limit. Apps that are not rectified by the deadline will be subject to disposal measures by the Ministry.
The Ministry said it will further step up rectification of prominent problems such as pop-ups that cannot be closed or that lack a clearly visible close button, splash-screen advertisements, and pop-ups that use text, pictures, videos and other means to deceive or mislead users into jumping to other pages, so as to fully protect users' right to know and right to choose.
2. CAC notified 129 apps for illegal collection and use of personal information
This month, the Cyberspace Administration of China (CAC) announced that a number of apps widely used by the public, in categories such as sports and fitness, news and information, online live streaming, app stores and women's health, had illegally collected and used users' personal information; 129 apps were involved. The CAC requires each notified app to complete rectification within 15 working days and to submit a rectification report to the CAC.
3. The European Commission adopts a new version of the Standard Contractual Clauses
The European Commission has adopted a new version of Standard Contractual Clauses (SCCs), consisting of two sets of texts, one for the transfer of personal data to third countries between controllers and processors and the other.
The new version reflects the requirements of the General Data Protection Regulation (GDPR) and takes into account the Court of Justice of the European Union's Schrems II judgment, in order to ensure a high level of protection for citizens' data. The new Standard Contractual Clauses will help European businesses, especially SMEs, meet the requirements for secure data transfers while allowing data to flow freely across borders without legal barriers.
4. The Court of Justice of the European Union has made it clear that the data protection authority of each Member State may initiate proceedings in its own country
On 15 June 2021, the Court of Justice of the European Union (CJEU) officially clarified that under the EU's General Data Protection Regulation (GDPR), and subject to the statutory conditions, each Member State's data protection authority (DPA) may initiate judicial proceedings in its national courts against a data controller, whether or not that DPA constitutes the "primary authority" for the controller under EU law.
In cross-border data cases it is common for a company's "main establishment" in the EU to be located in a different Member State from the one where proceedings are brought. The issue first arose in 2015 in a legal action initiated by the Belgian Data Protection Commission against Facebook, whose EU headquarters is in Ireland. The CJEU's clarification of this issue is of great significance for Member States seeking to strengthen their own data protection enforcement.
5. Notice of the Ministry of Industry and Information Technology on the pilot work of identity authentication and security trust in the Internet of Vehicles
In order to implement the "New Energy Vehicle Industry Development Plan (2021-2035)", the "Intelligent Vehicle Innovation and Development Strategy" and the task requirements of the fourth plenary meeting of the Special Committee for the Development of the Internet of Vehicles Industry, the Ministry of Industry and Information Technology recently issued a document launching pilot work on Internet of Vehicles identity authentication and security trust.
The pilot covers four areas: secure vehicle-to-cloud communication, secure vehicle-to-vehicle communication, secure vehicle-to-road communication, and secure vehicle-to-device communication. Units capable of managing and operating Internet of Vehicles identity authentication may submit joint applications together with relevant industry-chain entities.
6. The Ministry of Industry and Information Technology organized centralized rectification of camera network security
In accordance with the requirements of the Announcement on the Centralized Crackdown on Black-Market Activities such as Camera Voyeurism, the Network Security Administration of the Ministry of Industry and Information Technology recently organized a centralized rectification of camera network security.
From June to August, the Network Security Administration of the Ministry will organize local communications administrations, basic telecommunications enterprises, professional institutions, video surveillance cloud platforms, camera manufacturers and others to carry out a nationwide centralized rectification of camera network security. By stepping up the monitoring and handling of security threats to network cameras, conducting special inspections of the network and data security of video surveillance cloud platforms, and standardizing the security vulnerability management of camera manufacturers' products, the campaign aims to eliminate hidden camera network security risks, safeguard network security, and protect the legitimate rights and interests of citizens in cyberspace.
7. Ikea France fined 1 million euros for illegally obtaining sensitive employee and customer information
Ikea France has reportedly been fined 1 million euros for illegally spying on employees and customers, following an investigation by French prosecutors. IKEA France has also dismissed four senior executives and changed its internal policies.
It had previously been revealed that, between 2009 and 2012, IKEA France illegally obtained personal and sensitive information about employees and IKEA customers through access to internal police databases, the hiring of private investigators and other means, including information on trade union activists and on customers who had disputes with IKEA.
8. Biden to reverse Trump's ban on TikTok and WeChat while signing a new order to implement security reviews
The White House said that President Joe Biden would on Wednesday lift the Trump-era ban on TikTok and WeChat, while signing a new order directing the Commerce Department to conduct a fresh security review of these and other apps from "foreign adversaries."
The Trump administration's ban on the Chinese technology companies had been blocked in several US courts and was never implemented. Biden's new executive order replaces the Trump-era one. In addition to TikTok and WeChat, the new executive order also lifts a ban imposed in January on eight other communications and fintech apps.
On June 8, local time, the US Senate passed a bill aimed at improving the United States' ability to compete with China in technology, which includes "banning the download of the TikTok app on government devices." In its response on June 9, China said that how the United States develops and improves its own "competitiveness" is its own business, but that China firmly opposes the United States using China as a pretext and treating China as a "hypothetical enemy."
Hot cases
1. 1.18 billion pieces of user information were illegally stolen from Taobao, and two men were sentenced to more than three years in prison
In this case, the defendant Lu, using software he developed himself, accessed more than 1.18 billion pieces of Taobao customer information, including digital IDs, nicknames and mobile phone numbers, over a period of eight months starting in November 2019. Lu provided the data to Li, who used a bot to distribute Taobao coupons in his WeChat groups in order to earn rebates.
In the end, the Suiyang District People's Court of Shangqiu City, Henan Province, sentenced the defendant Li to three years and six months in prison and fined him 350,000 yuan. The defendant Lu was sentenced to three years and three months in prison and fined 100,000 yuan for infringing citizens' personal information.
2. The "Data Wizard" software threatened the security of WeChat information content, and its developer was ordered to pay 5 million yuan in compensation
The defendants in this case, Microsource Company and other companies, developed and operated the "Data Wizard" software. Used together with a specific version of WeChat supplied by the defendants, the software added thirteen special functions to the mobile client that the legitimate WeChat software never had, such as "targeted bulk friend-adding" (literally "violent fan-adding").
The plaintiffs, Tencent Technology Company and Tencent System Company, therefore sued Microsource Company and Business Circle Company, asking the court to order them to stop the unfair competition and to pay RMB 5 million in compensation for economic losses plus RMB 100,000 in reasonable rights-protection expenses.
After trial, the court held that the "Data Wizard" software forcibly altered and added functions, and that its high frequency, wide scope, automated sending, and interaction with unspecified groups of users could cause risks such as server overload and insecure information content. This had an adverse effect on information system and data security and constituted unfair competition. The two companies were ordered to stop the infringement and to pay 5 million yuan in compensation.
3. A class-action lawsuit stemming from a data breach in Canada was dismissed because it could not prove damages
The Superior Court of Alberta, Canada, in Setoguchi v Uber B.V., 2021 ABQB 18, dismissed an application for certification of a proposed class action resulting from a data breach on the basis that there was no evidence of damage or loss.
The class action stemmed from a hacking incident in which Uber users' names, phone numbers and email addresses were obtained from cloud storage; Uber did not initially disclose the breach to its members, regulators or police. In the three years since the incident, there has been no evidence of fraud, identity theft or any other financial loss. In considering the question of damage or loss, the Court took into account the nature of the personal information, noting that the applicable obligations and standard of care vary with the sensitivity of the information. Uber maintained that the information was already in the public domain.
4. The Supreme Court of the United States reheard the case of hiQ Corporation v. LinkedIn
On the 19th, the United States Supreme Court set aside the Ninth Circuit's decision in the LinkedIn case and remanded the case for reconsideration. Previously, in 2019, the Ninth Circuit Court of Appeals had barred LinkedIn from blocking hiQ while the lawsuit was in progress.
hiQ analyzes employee skills data in order to advise employers on which employees are likely to be looking for a new job. To expand its data sources, hiQ collects publicly available data from LinkedIn. LinkedIn contends that hiQ's collection of personal data from publicly available profiles threatens user privacy and constitutes unfair competition. hiQ argues that LinkedIn raised these allegations only after releasing features similar to hiQ's, and it filed suit in federal court accusing LinkedIn of anti-competitive conduct.