Cybersecurity and Data Compliance - Legal Updates and Information Highlights (April 2021)

Author: 国瓴律师
Published on: 2021-05-11 00:00

Legislative dynamics

1. National People's Congress, "Personal Information Protection Law (Second Reading Draft)"

On April 29, 2021, the second review draft of the Personal Information Protection Law (the "second review draft") was released for public comment until May 28, 2021. Compared with the first review draft released earlier, the second review draft makes a number of important amendments, chiefly: 1) a new lawful basis allowing already-disclosed personal information to be processed within a reasonable scope without obtaining consent; 2) clarification of the relationship between consent and the other lawful bases, and of the effect of withdrawing consent; 3) refinement of the scenarios in which an entrusted processor must delete data, together with specific security obligations for the entrusted processor; 4) on cross-border transfers, confirmation that the cyberspace administration will issue a standard contract for cross-border transfers, and a strict restriction on providing personal information stored in China to overseas regulators without the approval of the competent domestic authorities; 5) heavier liability for personal information processors through a presumption of fault.

Link to the original Draft:

http://www.npc.gov.cn/flcaw/userIndex.html?lid=ff80818178f9100801791b35d78b4eb4

2. National People's Congress, Data Security Law (Second Reading Draft)

On April 29, 2021, the second review draft of the Data Security Law (the "second review draft") was released for public comment until May 28, 2021. Compared with the first review draft, the second review draft makes several changes, mainly: 1) refining the definitions of terms such as "data security"; 2) improving the data classification and grading system and the important data protection system; 3) enriching the provisions on security management of cross-border data transfers.

Link to the original Draft:

http://www.npc.gov.cn/flcaw/userIndex.html?lid=ff80818178f910080 1791b3c96374eef

3. Information and Safety Standards Commission, "Personal Information De-identification Effect Grading Evaluation Standards" (draft)

On April 12, 2021, the Information and Safety Standards Commission issued the "Personal Information De-identification Effect Grading Evaluation Specification" (draft) for public comment until June 11, 2021. The Specification proposes a method for grading and evaluating personal information identifiers. It classifies identifiers into four levels, from high to low, according to the risk of re-identification (the process of re-associating a de-identified data set with the original personal information subject). Level 1, for example, contains data carrying direct identifiers such as name, mobile phone number and ID number, which can directly identify the personal information subject in a given environment. Grading is intended to promote the sharing and use of data while protecting personal information security, and to allow security measures to be tailored to each level.

Link to the original Specification: https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20210412183118392628&norm_id=20201104200026&recode_id=41659

4. Information and Safety Standards Commission, "Mobile Internet Application (APP) Personal Information Security Assessment Standards" (draft)

On April 19, 2021, the Information and Safety Standards Commission released the "Mobile Internet Application (APP) Personal Information Security Assessment Standards" (draft), open for comment until June 18, 2021.

In view of the inconsistent standards and scales currently used for App personal information security assessments, the Specification takes the personal information security specification and related requirements into account and covers the collection, transmission, storage, processing, exchange, destruction and other stages of personal information handling that an App goes through in delivering its own business functions. It specifies the process for carrying out an App personal information security assessment and the assessment methods for each specific security requirement, providing guidance and reference for third-party assessment institutions and App providers.

Link to the original Specification:

http://www.szrd.gov.cn/szrd_zyfb/szrd_zyfb_tzgg/202103/t20210312_19409850.htm

5. Information and Safety Standards Commission, "Mobile Internet Application (APP) SDK Security Guidelines" (draft)

On April 19, 2021, the Information and Safety Standards Commission issued the "Mobile Internet Application (APP) SDK Security Guidelines" (draft) for public comment until June 18, 2021.

The Specification consists mainly of SDK security guidelines organized around four key areas: basic security, life cycle security, personal information security, and SDK-App linkage. It is intended to address the lack of systematic standards for secure SDK development and for the protection of personal information handled by SDKs, the unclear division of responsibilities between SDK providers and App providers, and the absence of unified communication channels between the two sides.

Link to the full text of the Specification: https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20210419163411486437&norm_id=20201104200005&recode_id=41707

6. Information and Safety Standards Commission "Face Recognition Security Requirements" (draft)

On April 23, 2021, the Information and Safety Standards Commission issued the "Face recognition Data Security Requirements" (draft) for public comment until June 22, 2021.

The Requirements first set out basic requirements for the security protection of face recognition data; they then specify processing requirements for each stage of the data life cycle, namely collection, storage, use, processing, sharing, transfer and public disclosure; finally, they regulate data management responsibilities, security remediation measures and related matters.

The Requirements divide face image processing into three types of scenario: a) face verification: face recognition data is collected and compared against the stored face recognition data of one specific natural person (1:1 comparison); b) face recognition: collected face recognition data is compared against stored face recognition data within a specified range (1:N comparison); c) face analysis: neither face verification nor face recognition is performed; face images are collected only for statistics, detection or feature analysis.

7. Four ministries, including the Ministry of Industry and Information Technology, Interim Provisions on the Protection and Management of Personal Information of Mobile Internet Applications (Draft)

On April 26, 2021, the Ministry of Industry and Information Technology issued the Interim Provisions on the Protection and Management of Personal Information of Mobile Internet Applications (Draft) jointly drafted by the Ministry of Industry and Information Technology, the Ministry of Public Security and the General Administration of Market Regulation under the guidance of the National Cyberspace Administration (CAC), for public comment until May 26, 2021.

The Provisions comprise twenty articles. They define the scope of application and the supervising authorities; establish the two key principles of "informed consent" and "minimum necessity"; detail the responsibilities and obligations of App developers and operators, distribution platforms, third-party service providers, terminal (device) manufacturers and network access service providers; and set out requirements in four further areas: complaint reporting, supervision and inspection, disposal measures, and risk warnings.

Link to the original Provisions:

http://www.gov.cn/xinwen/2021-04/26/content_5602780.htm


Industry dynamics

1. Supreme People's Procuratorate releases Typical Cases of Public Interest Litigation on Personal Information Protection of Inspection Authorities

On April 22, 2021, the Supreme People's Procuratorate issued 11 typical cases of public interest litigation on personal information protection brought by procuratorial authorities.

Among the 11 typical cases, the administrative public interest litigation cases involve personal information supervision and government information disclosure by administrative organs in fields such as education, market supervision, public security, cyberspace administration, and agriculture and rural affairs, and personal information leakage involving express delivery, medical institutions and off-campus training institutions. The civil public interest litigation cases involve Internet companies' illegal collection of personal information, as well as illegal acquisition of personal information combined with consumer fraud. The civil public interest litigation cases attached to criminal proceedings involve the illegal acquisition and trading of personal information by various means, including technical software and property management services. In addition to prosecuting the perpetrators' crimes of infringing citizens' personal information according to law, the procuratorial organs also required the network operators, as co-defendants, to bear liability for the harm to the public interest.

2. The Ministry of Industry and Information Technology notified a list of 138 problematic applications

On April 23, 2021, the Ministry of Industry and Information Technology notified the fourth batch of apps in 2021 that infringe users' rights and interests (93 apps), and the Guangdong Provincial Communications Administration reported 45 further apps found to have problems in its inspections. The problems involved include illegal collection of personal information; forced, frequent and excessive permission requests; deceiving and misleading users into downloading apps; forcing users to accept targeted push; and making account cancellation difficult.

The Ministry of Industry and Information Technology required the above apps to complete rectification by April 29. For apps not rectified within the time limit, the Ministry will organize disposal measures in accordance with laws and regulations.

3. The State Administration of Market Regulation filed an investigation into suspected monopolistic behavior of Meituan

On April 26, the website of the State Administration of Market Regulation announced that, acting on a report, it had recently opened an investigation in accordance with the law into Meituan for suspected monopolistic behavior, including imposing "choose one of two" (forced exclusivity) arrangements.

Meituan subsequently responded on its official WeChat public account, saying that the company would actively cooperate with the regulatory authorities' investigation, further improve its business compliance management, protect the legitimate rights and interests of users and all parties, promote the long-term healthy development of the industry, and fulfill its social responsibilities, and that its business was currently operating normally.

4. Guangdong High Court releases top 10 Anti-unfair competition and anti-monopoly cases in the Internet field

On April 20, the Guangdong High Court issued its first list of ten anti-unfair competition and anti-monopoly cases in the Internet field.

The ten selected cases involve online games, webcasting, search engines, e-commerce and other emerging Internet industries, and cover abuse of market dominance, paid search ranking, data scraping, commercial defamation, infringement of trade secrets, and protection of the commercialization rights in collective images.

The Guangdong High Court said that, going forward, Guangdong courts will continue to regulate the business conduct of Internet market participants in accordance with the law, use judicial adjudication to promote a fair, standardized and orderly competitive market in the Internet field, and provide stronger judicial services and safeguards for the development of the Internet economy.

5. The EU publishes draft legislation on AI regulation

On April 21, 2021, the European Union published a legal framework on the use of artificial intelligence.

The framework sorts artificial intelligence applications into four risk levels, from "minimal" to "unacceptable". The lowest-risk applications include AI-based video games and spam detection software. For limited-risk applications, the EU proposes that users must be told they are interacting with a machine and be able to decide whether to continue the interaction or opt out. High-risk scenarios are those that could seriously affect important aspects of people's lives, such as critical infrastructure (including transportation and autonomous driving software), criminal justice, border control, psychiatric hospitals and immigration management.

Hot case

1. Second-instance judgment in the "first face recognition case" additionally orders deletion of fingerprint recognition information

On April 9, the Hangzhou Intermediate People's Court of Zhejiang Province publicly pronounced its second-instance judgment in the service contract dispute between Guo Bing and Hangzhou Wild Animal World Co., Ltd. (hereinafter "Wild Animal World").

The Hangzhou Intermediate Court upheld the first-instance ruling ordering Wild Animal World to compensate Guo Bing 678 yuan for loss of contractual interests and 360 yuan for transportation costs. It held that Wild Animal World's intention to activate and process the photos it had collected as face recognition information went beyond the purpose for which they were originally collected and violated the principle of legitimacy, so Wild Animal World must delete the facial feature information, including the photos, that Guo Bing submitted when applying for his annual card.

The court further held that, since Wild Animal World had stopped using fingerprint recognition gates, the originally agreed method of entering the park could no longer be performed, and Guo Bing's fingerprint recognition information should therefore also be deleted. On that basis, the second-instance judgment added to the original judgment an order that Wild Animal World delete the fingerprint recognition information Guo Bing submitted when applying for the fingerprint annual card.

2. Beijing Internet Court accepts disputes concerning Douban APP privacy and personal information protection

On April 15, the official public account of the Beijing Internet Court announced that a Douban App user, who had not authorized the App to collect his location information, found that he still received advertisements pushed by the Douban App according to his geographic location, and sued in the Beijing Internet Court on the grounds that Douban had collected and used his geographic location information without his consent.

The plaintiff argues that geographic location information is sensitive personal information with privacy attributes, and that by obtaining it without permission and sending targeted advertisements based on it, the Douban App infringed his privacy and personal information rights. The plaintiff asks that the Douban App stop the infringement, apologize, provide an option to opt out of targeted push, and pay compensation of 1 yuan.

3. The Federal Court of Australia ruled that Google misled consumers about its location data collection

On April 16, the Federal Court of Australia ruled that Google had misled Android users about the collection of their personal location information.

Google's systems include a "Location History" setting that collects, stores and uses consumers' location data. A second setting, "Web & App Activity", also collects user information and is enabled by default. The court found that when a consumer sets up a new Android phone and creates a Google account, Google's settings screens and instructions lead the consumer to believe that "Location History" is the only setting that collects and uses personal location information. Google did not indicate that "Web & App Activity" remains on when "Location History" is turned off, nor did the "Web & App Activity" page mention that the setting involves the collection of location information.

Google said it "disagreed" with the court's decision and would consider an appeal.

4. Civil public interest lawsuits on minors' online protection were accepted and concluded nationwide

On March 11, the Yuhang District Procuratorate of Hangzhou, Zhejiang Province, filed a civil public interest lawsuit against a well-known domestic short video company (hereinafter "Company A") for infringing children's personal information; the case was concluded after the Hangzhou Internet Court issued a mediation statement. The procuratorate had demanded that Company A cease the infringement, apologize, eliminate the adverse effects and compensate for losses; Company A raised no objection and had already carried out comprehensive rectification of the problems identified.

It is understood that the case was handled under the direct guidance of the Supreme People's Procuratorate. A task force of prosecutors from the provincial, municipal and district procuratorates in Zhejiang comprehensively reviewed and analyzed the problems in Company A's app, and consulted the cyberspace administration, public security organs, courts, Internet law experts and technical experts.

Having fully solicited and absorbed the opinions of all parties, the procuratorate decided to use this case as a starting point to actively and prudently pursue civil public interest litigation, handling typical cases to push network operators and Internet enterprises to improve industry rules, assume social responsibility and genuinely strengthen the online protection of children's personal information.
