Cybersecurity and Data Compliance - Legal Updates and Information Highlights (May 2021)
Legislative dynamics
1. Cyberspace Administration of China (CAC) Several Regulations on Automobile Data Security Management (Draft for Comment)
On May 12, the CAC issued Several Regulations on Vehicle Data Security Management for public comment until June 11, 2021.
The draft for comment contains 21 articles. It makes clear that the purpose for which an operator processes personal information or important data in the course of automobile production, manufacturing, sales and service should be legal, specific and clear, and directly related to the design, manufacturing and service of automobiles. Operators shall implement the network security level protection system, strengthen the protection of personal information and important data, and fulfill network security obligations in accordance with the law.
The draft also addresses, for the first time, situations where it is difficult in practice to obtain consent for personal information. It stipulates that where consent is difficult to obtain in practice (such as when audio and video information outside the car is collected through cameras) and it is necessary to provide the information, the information should be anonymized or desensitized, including by deleting images that can identify natural persons or by partially contouring the faces in those images.
Original link to the Draft for Comments:
http://www.gov.cn/hudong/2021-05/12/content_5606075.htm
2. Information Safety Standards Commission, "Information Security Technology Gene Identification Data Security Requirements" (draft for comment)
On May 11, the Information Safety Standards Commission issued the "Information Security Technology Gene Identification Data Security Requirements" (draft for comment).
According to the draft, genetic identification data is personal information. The data controller shall assess the necessity and rationality of using the genetic identification data and associated information to conduct business, clarify the impact on the data subject, and determine the relevant business process and data security protection needs according to the requirements of the standard, and obtain the relevant qualifications.
The main content of the draft for comments includes the basic security requirements, security processing requirements and security management requirements of genetic identification data, covering the collection, use, storage, sharing, transfer and destruction of genetic data and its associated information.
Original link to the draft for comment:
https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20210511175221&norm_id=20201104200041&recode_id=42563
3. Guangdong Provincial Government, "Guangdong Province Chief Data Officer System Pilot Work Plan"
On May 13, 2021, the General Office of the Guangdong Provincial Government issued the Pilot Work Plan of the Chief Data Officer System in Guangdong Province.
The "Plan" encourages pilot units to strengthen cross-departmental, cross-level and cross-field coordination mechanisms. It is reported that the responsibilities of the chief data officer are: to focus on overall data management and convergence innovation, and promote the sharing, development and utilization of public data; to lead the data work within the administrative region, make decisions on major issues in information construction and data development and protection, and coordinate and solve relevant major problems; and to organize the formulation of medium- and long-term development plans and relevant systems and norms for data governance work, and promote the deep integration of public data and social data and the innovation of application scenarios.
Link to the original version of the Plan:
http://zfsg.gd.gov.cn/zwgk/wjk/content/post_3283320.html
4. Information Safety Standards Commission, "Information Security Technology Network Connected Vehicle Data Collection Security Requirements" (draft)
On April 28, 2021, the Information Safety Standards Commission issued the "Security Requirements for Data Collection of Information Security Technology Connected Vehicles" (draft) for public comment until May 15, 2021.
The draft stipulates security requirements for data collected by connected vehicles at the transmission, storage and cross-border stages. It applies to the data processing activities of mass-production passenger vehicles with networking functions, and can also be used by relevant departments, third-party evaluation institutions and other organizations to supervise and evaluate connected vehicle data processing.
Link to the original Draft:
http://www.cac.gov.cn/2021-04/29/c_1621273432655484.htm
5. Internet Society of China, "Data Security Governance Capability Evaluation Method"
On April 27, 2021, the Internet Society of China issued the group standard "Data Security Capability Evaluation Method". The "Method" stipulates the basic points for telecom Internet enterprises across the whole life cycle of data (data collection, transmission, storage, use, sharing, destruction, etc.), including the capability requirements at each stage and specific evaluation indicators for strategic planning, personnel management, identification and access control, security incident emergency response and other aspects.
Link to the full text of the Method:
https://www.isc.org.cn/zxzx/xhdt/listinfo-39680.html
Industry dynamics
1. The CAC issued three notices naming 222 apps for illegal collection and use of personal information
On May 1, May 10, and May 21, the National Cyberspace Office issued three notices naming 222 apps that illegally collected and used personal information, including Sogou input method, Autonavi Map, Tencent mobile phone butler, Ping An consumer finance, Douyin, Baidu, and Linxin.
The above apps fall into 9 categories: input method, map navigation, instant messaging, security management, online lending, short video, browser, job recruitment and utility tools. Most of the problems involve violating the principle of necessity, collecting personal information unrelated to the type of service provided, and collecting and using personal information without the user's consent. The State Cyberspace Administration requires the offending apps to complete rectification within 15 working days; those that do not complete it within the deadline will be dealt with according to law.
2. The Ministry of Industry and Information Technology notified the removal of 90 apps
On May 13, 2021, the Ministry of Industry and Information Technology notified the removal of 90 apps that violated users' personal rights and interests. Among them, five apps such as Tianya, Damai, Tuniu, and VIP Spartan were removed due to repeated similar problems in different versions, and the remaining apps were removed due to failure to rectify in accordance with the requirements of the Ministry of Industry and Information Technology and the provincial communications Administration Bureau.
3. Tesla has built data centers in China to realize data localization storage
In the future, Tesla will add more local data centers.
Tesla also said that in the future, it will open the vehicle inquiry platform to owners.
4. Ele.me was fined 500,000 yuan for price fraud and failure to fulfill its online audit obligations
The Shanghai Market Supervision Administration recently fined Ele.me 500,000 yuan for two violations.
The Market Supervision Administration found that Ele.me carried out promotional activities between July 1 and August 31, 2020, and that the discount rate indicated on its promotional page differed from the discount rate actually displayed to consumers who entered the activity area. This behavior violated the Price Law, so Ele.me was fined 300,000 yuan.
The Market Supervision Administration also found that, from August 18, 2020 to February 28, 2021, Ele.me did not fulfill its online audit obligation for the qualifications of 62 enterprises on the platform and violated the relevant regulations for the second time, so it imposed a fine of 200,000 yuan on Ele.me.
Hot case
1. The Guangzhou Internet Court ruled that car condition information is not personal information
The defendant in the case, Beijing Coolcar Yimei Network Technology Co., Ltd. (hereinafter referred to as Coolcar Yimei Company), developed and operated the Doctor APP, which provides second-hand car history information inquiry, vehicle detection and other services.
In the case, Yu complained that in December 2020, while negotiating with a prospective customer, he learned that the other party had used the frame number on the motor vehicle driving license he had provided to run a paid query of the vehicle's historical condition information in the APP, and had obtained a "Historical Vehicle Condition Report" that recorded in detail the vehicle's driving data, maintenance data and other information.
The plaintiff Yu believes that the "Historical Vehicle Condition Report" comprehensively reflects his driving characteristics, maintenance whereabouts, consumption power, consumption habits, etc., which can indirectly identify him, and that it therefore belongs to his personal information and personal privacy. In his view, the defendant provided the above information to others without his consent and violated his personal information and privacy. Yu then asked the court to order Coolcar Yimei Company to immediately delete the car condition information in the Doctor APP and to compensate him for economic losses of 3,000 yuan.
After hearing the case, the Guangzhou Internet Court held that the car condition information involved in the case is neither personal information nor privacy, and rejected all litigation requests of the plaintiff. The key points of the judgment are as follows:
⚫ From the information content, the historical vehicle condition information does not contain any information that can directly identify a specific natural person, such as identity information, communication contact information, etc. The driving data and maintenance data do not show the location information of vehicle maintenance institutions and the specific year, month and date of maintenance, so the whereabouts and track of natural persons cannot be identified based on the information.
⚫ From the perspective of information characteristics, historical vehicle condition information can only reflect the use of the vehicle under investigation, and its content does not involve specific individuals, nor is it used to evaluate the behavior or status of specific individuals, and cannot be associated with specific natural persons such as the vehicle owner.
⚫ From the information source, according to daily experience of vehicle use, the subject of vehicle condition information can be not only the vehicle owner but also relatives and friends, maintenance personnel, insurance personnel, etc. It is impossible to accurately identify through the vehicle condition information whether the actual user of the vehicle is Yu himself.
⚫ From the perspective of the cost of recombining information to identify a specific natural person, the technical threshold, economic cost and time required to combine vehicle condition information with other information for identification are high. At the same time, each data provider applies desensitization technology to the data it holds before transmitting it to Coolcar Yimei Company, which collects and collates it and issues the relevant reports. This reduces, to a certain extent, the possibility of the general public combining vehicle condition information with third-party information to re-identify specific natural persons.
⚫ The historical vehicle condition information cannot identify a specific natural person, and therefore will not unduly interfere with the peace of the plaintiff's daily life, home or correspondence.
⚫ The driving data, maintenance data and other information in historical vehicle condition information are generated in open auto repair business places and are not in a secret state. Although events in public places can also become the object of privacy, defining as privacy any information that one does not want others to know would place an unnecessary burden on normal social communication.
⚫ In the vehicle trading scenario, directly incorporating historical vehicle condition information into the scope of privacy protection may increase the information asymmetry risk and transaction security risks in the second-hand car trading market.
2. Eight people from a Shanghai company were sentenced for developing "crawler" programs to collect personal information
Liu and 12 other people worked for a Shanghai company that developed a credit information website providing paid personal information inquiry services to customers. The company's personal information came mainly from two channels: purchase, and the company's self-developed "crawlers", which crawled various websites, social security, provident fund, mobile phone apps and other online personal data. The information obtained from both channels was integrated and stored on the company's servers for customers to query for a fee.
After investigation, it was found that the company had reached cooperation with more than 3,000 upstream and downstream companies by signing cooperation agreements and other means, and had used its self-developed "crawler" technology to crawl the Internet and obtain citizens' personal information of various types, including ID cards, social security, provident fund, travel, social networking, consumption power, communication records and e-commerce consumption records, totaling more than 3.08 million. By providing paid inquiry services, it earned illegal income totaling more than 17.5 million yuan.
The court sentenced eight defendants, including Liu Mou and Huang Mou, for infringing citizens' personal information, to prison terms ranging from three years, suspended for three years, to one year, suspended for one year, and to fines ranging from 30,000 yuan to 10,000 yuan. Dai and the other four are still on trial.
3. ByteDance was found liable for unfair competition for grabbing Weibo data and ordered to pay 21 million yuan in compensation
On May 28, 2021, Beijing Haidian District People's Court disclosed a civil judgment of first instance [(2017) Beijing 0108 Civil First Instance No. 24530] in the unfair competition dispute between Sina Weibo and ByteDance. ByteDance is required to compensate Sina Weibo for economic losses of 20 million yuan and reasonable expenses of 1.157 million yuan.
The main facts of the case are that, since October 2016, ByteDance used technical means to capture, or had its employees manually copy, content from Sina Weibo on a large scale, and subsequently published and displayed it in Toutiao and disseminated it to users. The main point of dispute between the two parties is "whether third-party platforms can directly copy and publish relevant content after users publish content on the platform". After hearing the case, the court held that the microblog content displayed and rebroadcast through the Sina Weibo platform was not simply generated by users, but was the final result formed after adding the operating resources and services invested by Sina Company, and was in essence a kind of competitive right and interest. Where the original platform has not given authorization, the relevant copying and publishing behavior constitutes unfair competition even if there is user authorization.
4. Irish court rejects Facebook's petition, uncertain future of cross-border data transfer between Europe and the United States
A court in Dublin, Ireland, recently dismissed a lawsuit brought by Facebook against the Irish Privacy Protection Commission's oversight process.
It is reported that European Union regulators investigated Facebook on the grounds that it is difficult to ensure the security of EU-market user data during cross-border data transfers, and asked Facebook to stop transferring EU users' data to the United States. Facebook filed a lawsuit and requested a judicial review of the investigation and order. Facebook's defeat means that data transfers between the EU and the US will become more difficult in the future.
In addition, since the Privacy Shield agreement was overturned in 2020, the European Union and the United States have been negotiating a new cross-border transmission agreement for nearly a year, and the court's decision could also add to the obstacles for the two sides to develop new rules.