Periodic Briefing on Cybersecurity and Data Compliance (December 2020)
Legislative developments
1. Ministry of Industry and Information Technology, Guidelines for Building the Data Security Standard System for the Telecommunications and Internet Industries
To let standards play their regulating and safeguarding role in data security for the telecommunications and Internet industries, and to accelerate the building of a strong manufacturing and network nation, the General Office of the Ministry of Industry and Information Technology issued the Guidelines for Building the Data Security Standard System for the Telecommunications and Internet Industries on December 17, 2020 (hereinafter the Guidelines).
The Guidelines state that the data security standard system for the telecommunications and Internet industries comprises four groups of standards: basic common standards, key technology standards, security management standards and key area standards. Basic common standards cover terms and definitions, the data security framework, data classification and grading, and similar foundations on which the other standards rest. Key technology standards regulate the key data security technologies across the whole data life cycle: collection, transmission, storage, processing, exchange and destruction. Security management standards cover data security specifications, data security assessment, monitoring, early warning and handling, emergency response and disaster backup, and security capability certification. Key area standards combine the actual conditions and specific requirements of particular fields to guide the industry in carrying out data security protection in those areas effectively.
The Guidelines set construction targets for the standard system. By 2021, more than 20 data security industry standards are to be developed, the standard system is to be initially established, data security management requirements are to be effectively implemented, the industry's data security protection needs are to be basically met, and the application of standards in key areas is to be promoted. By 2023, more than 50 data security industry standards are to be developed, the standard system is to be improved, and the technical level, application effect and internationalization of the standards are to be significantly raised, strongly supporting the improvement of data security protection capabilities in the industry.
2. National Information Security Standardization Technical Committee, Security Guidelines for Mobile Internet Applications (Apps) Using Software Development Kits (SDKs)
On November 27, 2020, the Secretariat of the National Information Security Standardization Technical Committee organized the preparation of the Network Security Standards Practice Guide: Security Guidelines for Mobile Internet Applications (Apps) Using Software Development Kits (SDKs) (hereinafter the Practice Guide).
The Practice Guide is intended to help App providers guard against the security and compliance risks that SDKs introduce, and to help SDK providers secure their SDKs and protect users' personal information. It sets out the common security risks of SDKs: vulnerabilities in the SDK itself, malicious behaviour by the SDK, and unlawful collection of App users' personal information by the SDK while the App is using it. Drawing on the current state of mobile Internet technology and applications, it gives practical guidance for both App providers and SDK providers on dealing with these problems.
3. Cyberspace Administration of China, Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (Apps)
On December 1, the official website of the Cyberspace Administration of China reported that, to implement the principle in the Cybersecurity Law of the People's Republic of China that the collection of personal information must be lawful, legitimate and necessary, to regulate the collection of personal information by Apps, and to safeguard the security of citizens' personal information, the Cyberspace Administration of China had drafted the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (Apps) (Draft for Comment) and opened it for public comment. The document specifies the scope of necessary personal information for 38 common types of App, including map navigation, online ride-hailing and instant messaging. Necessary personal information is the personal information required for the normal operation of an App's basic functions, without which the App cannot provide those basic services. As long as the user consents to the collection of the necessary personal information, the App may not refuse to let the user install and use it.
4. State Administration for Market Regulation and Standardization Administration, Information Security Technology: Guidance for Personal Information Security Impact Assessment
On November 19, 2020, the State Administration for Market Regulation and the Standardization Administration issued Announcement No. 26 of 2020 on National Standards of the People's Republic of China. The national standard GB/T 39335-2020, Information Security Technology: Guidance for Personal Information Security Impact Assessment, administered by the National Information Security Standardization Technical Committee, was formally released and will take effect on June 1, 2021.
The standard (hereinafter the Assessment Guidelines) describes personal information security impact assessment as a process for testing how far personal information processing activities comply with the law, determining the risk of harm to the legitimate rights and interests of personal information subjects, and evaluating the effectiveness of the measures used to protect them. The Assessment Guidelines aim to identify, handle and continuously monitor risks that may adversely affect the legitimate rights and interests of personal information subjects during processing, strengthen the protection of those rights and interests, help organizations demonstrate their efforts to protect personal information security, enhance transparency, and build the trust of personal information subjects.
The Assessment Guidelines have five main parts (Scope, Normative References, Terms and Definitions, Assessment Principles, and Assessment Implementation Process) and four appendices (Examples of Assessment Compliance and Assessment Points, Examples of High-Risk Personal Information Processing Activities, Common Worksheets for Personal Information Security Assessment, and Reference Methods for Personal Information Security Impact Assessment). Their introduction will strongly support the implementation of the future Personal Information Protection Law.
5. Ministry of Commerce, State Cryptography Administration and General Administration of Customs, Announcement No. 63 of 2020 on import licensing and export control of commercial cryptography products
The main contents are:
1. Items and technologies within the scope of the Commercial Cryptography Import Licence List (including cryptographic telephones, cryptographic fax machines, cryptographic machines (cryptographic cards) and cryptographic VPN equipment) require an import licence for dual-use items and technologies from the Ministry of Commerce;
2. Items and technologies within the scope of the Commercial Cryptography Export Control List (including security chips, cryptographic machines (cryptographic cards), cryptographic VPN equipment, key management products, special cryptographic equipment, quantum cryptography equipment, cryptanalysis equipment, cryptographic development and production equipment, cryptographic testing and verification equipment, and related software and technologies) require an export licence for dual-use items and technologies from the Ministry of Commerce;
3. The main procedure for commercial cryptography import and export licences is as follows; other specific procedures and special cases are handled with reference to the Administrative Measures for Import and Export Licences for Dual-Use Items and Technologies (Ministry of Commerce and General Administration of Customs Order No. 29 of 2005):
① The operator applies to the Ministry of Commerce through the provincial competent department of commerce;
② After receiving the application documents, the Ministry of Commerce reviews them together with the State Cryptography Administration and other relevant departments and makes a decision within the statutory time limit. The import or export licence for dual-use items and technologies is issued by the Ministry of Commerce.
6. State Administration of Radio and Television, Guidelines for Grading under Network Security Classified Protection
On December 9, the State Administration of Radio and Television approved the release of the recommended industry standard for radio, television and online audiovisual services, Guidelines for Grading of Radio and Television Network Security Classified Protection, making radio and television the second domestic industry, after finance, to issue a Classified Protection 2.0 standard. In light of the actual situation of the radio and television industry, the Guidelines classify protection objects according to the basic characteristics of the object being graded, taking into account the responsible unit, the business type and the importance of the business, grouping objects by organization type and by the type of business carried, and give a recommended security protection level for each group.
7. National Health Commission, National Standards and Norms for Public Health Informatization Construction (Trial)
The National Health Commission and the State Administration of Traditional Chinese Medicine jointly formulated the National Standards and Norms for Public Health Informatization Construction (Trial). The Standards encourage medical and health institutions at all levels, according to their own conditions, to integrate emerging information technologies such as big data, artificial intelligence and cloud computing with public health applications, explore innovative development models, and play a stronger supporting role in epidemic surveillance and analysis, virus tracing, prevention and treatment, and resource allocation.
8. Tianjin municipal legislation prohibits market credit information providers from collecting biometric information such as facial features
On December 1, the 24th session of the Standing Committee of the 17th Tianjin Municipal People's Congress passed the Tianjin Social Credit Regulations (hereinafter the Regulations). The Regulations govern the collection of sensitive personal information, including biometric information, diseases and medical history. Chapter 4, Protection of the Rights and Interests of Credit Subjects, covers the collection, aggregation and use of social credit information, much of which concerns personal information protection. For example, the Regulations state that, except as otherwise provided by laws and regulations, no organization or individual may unlawfully collect, aggregate, use, process or transmit social credit information, or unlawfully trade, provide or disclose it. Without the written authorization of the credit subject, no organization or individual may query that subject's non-public social credit information.
9. The European Union publishes draft Digital Markets Act and Digital Services Act
The European Commission has proposed two new pieces of legislation, the Digital Markets Act and the Digital Services Act. If both pass, the EU will be able to require big technology companies to remove harmful content and open up to competition, on pain of hefty fines.
The first draft is the Digital Services Act. It requires all digital service platforms to take measures against illegal online content; companies that fail to limit its spread will face heavy fines, and in the most serious cases the European Commission can fine a service provider up to 6% of its global turnover.
The second draft is the Digital Markets Act. It requires "gatekeeper" companies to avoid "unfair practices", such as preventing users from uninstalling pre-installed software or applications. For gatekeepers that do not follow the rules, the EU has proposed fines of up to 10% of global turnover.
10. The EU publishes a new cybersecurity strategy and related legislative proposals
The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy have presented a new EU Cybersecurity Strategy for the Digital Decade.
The strategy contains proposals on regulation, investment and policy tools to address three areas of EU action:
(1) Resilience, technological sovereignty and leadership;
(2) Building operational capacity to prevent, deter and respond;
(3) Advancing a global and open cyberspace.
In addition, the European Commission has adopted a proposal to revise the Directive on Security of Network and Information Systems (the NIS 2 Directive) and a proposal for a Directive on the Resilience of Critical Entities.
11. European Commission launches new EU-US agenda
The European Commission has issued a joint communication to the European Parliament, the European Council and the Council of the European Union on a new EU-US agenda for global change. The move is seen as an overture to President-elect Joe Biden and his incoming administration. The agenda covers technology and digital issues, including: working together as a technology alliance to drive technology development and use and to shape the regulatory environment; extensive cooperation on digital supply chain security, including securing global 5G infrastructure and dialogue on 6G; cooperation on cybersecurity capacity building, situational awareness, information sharing and responding to third-country threats; promoting free data flows and regulatory convergence; and a strong commitment to reaching timely global solutions on fair taxation in the digital economy, including within the OECD and G20 frameworks.
Industry developments
1. The Ministry of Industry and Information Technology convened the national App personal information protection supervision meeting
On November 27, the Ministry of Industry and Information Technology convened a national App personal information protection supervision meeting.
Xie Yi, Secretary General of the Telecommunication Terminal Industry Association, released ten standards under the App User Rights Protection Assessment Standard and eight under the App Collection and Use of Personal Information Minimum Necessary Assessment Standard, covering facial, address book, location, picture, installed software list, device and video information, among others. These standards give enterprises clear normative requirements for compliant operation and provide a basis and support for governance work.
Eleven Internet companies, including Suning, Ant, iQiyi, 360, Xiaomi, Sina, Kuaishou, Bilibili, Didi, Alibaba and Baidu, made a public and solemn commitment to society to strengthen App personal information protection, strictly carry out the rectification of Apps that infringe users' rights and interests, and protect users' legitimate rights and interests.
2. The Ministry of Industry and Information Technology announced the seventh batch of Apps infringing users' rights and interests
In accordance with the Cybersecurity Law, the Telecommunications Regulations, the Provisions on Protecting the Personal Information of Telecommunications and Internet Users and other laws and regulations, the Ministry of Industry and Information Technology recently organized third-party testing agencies to inspect mobile applications, urged the enterprises with problems to rectify them, and announced the seventh batch of Apps that had not been rectified.
Testing found Apps collecting MAC address information without user consent, and many problems with sending users' personal information to third-party SDKs. Apps from some leading enterprises still showed problems and had not completed rectification within the time limit the Ministry required. Some app stores and mobile application distribution platforms fell short in monitoring, detecting and dealing with enterprises that deliberately evade the Ministry's supervision through technical countermeasures and by releasing re-packaged clones (so-called "vest" Apps). The Ministry will next take measures against enterprises with outstanding problems, those that violate the rules in defiance of its orders, and those whose rectification is incomplete, including blanket removal from stores, suspension of network access, administrative penalties, and inclusion in the list of bad telecommunications business conduct or the list of dishonest entities, and will deal with them severely according to law.
3. CSRC Science and Technology Supervision Bureau: it is necessary for the government to levy a digital services tax on platform enterprises
Yao Qian, Director of the Science and Technology Supervision Bureau of the China Securities Regulatory Commission, said that enterprises can use big data analysis to gain insight into users' characteristics, habits, needs and preferences, sense market changes and adjust their competitive strategies. Third-party platform companies hold large amounts of user data, much like valuable mineral resources. Since the value of a platform comes from its users, users should share in the revenue it generates; yet as the source of that value, users do not really enjoy the platform's benefits. Based on this idea that "users create value", it is therefore necessary for the government, as the public's representative, to levy a digital services tax on platform enterprises in the same way as a natural resource tax.
4. The US Department of Commerce adds dozens of Chinese companies, including SMIC and DJI, to its Entity List
The US Commerce Department added dozens of Chinese companies, including chip maker Semiconductor Manufacturing International Corp (SMIC) and drone maker Shenzhen DJI Technology Co Ltd, to its Entity List, further escalating tensions with China.
The Commerce Department said the action against SMIC stemmed from Beijing's use of civilian technology for military purposes and that there was evidence of activity between SMIC and Chinese military-industrial companies. It also listed DJI, Wuxi AGCU Scientech, China Scientific Equipment Corporation and Shenzhen Kuang-Chi Group for contributing to "massive human rights violations".
5. French President Emmanuel Macron proposes "digital sovereignty" for Europe to reduce dependence on US tech giants
French President Emmanuel Macron said Europe must assert its "digital sovereignty" and outlined a series of measures aimed at reducing its reliance on US technology giants. Macron argued that while US digital platforms have contributed to "big changes" in society since the coronavirus outbreak, "European solutions and European sovereignty" must be considered when it comes to technology. He outlined three steps towards a European digital sovereignty strategy:
First, the EU needs to be more involved in issues such as start-up financing.
Second, Europe needs to develop a "digital single market" that values both personal privacy and technological innovation.
Third, Europe should build a European cloud and develop the related data solutions to reduce dependence on US companies. In parallel, the European Commission, Germany and France are drawing up an initiative, the project known as Gaia-X, aimed at reducing dependence on US cloud giants and creating a new framework for Europe's digital infrastructure.
6. The EU plans tighter rules on online political advertising
European Union lawmakers will propose new rules on online political advertising in the third quarter of 2021 to improve its transparency. The rules will target the sponsors of paid content and the production and distribution channels, including online platforms, advertisers and political consultants, requiring them to clarify their responsibilities, disclose the sponsor, cost and purpose of paid political content, and provide evidence of compliance. They will determine which actors and which sponsored content fall within the scope of the enhanced transparency requirements, and will guide the enforcement and monitoring of the relevant rules. The rules are part of the wider European Democracy Action Plan, a package of measures to support free and fair elections, strengthen media pluralism and improve media literacy over the Commission's term of office.
7. Apple introduces a new privacy feature requiring Apps to state the purpose of data collection in the App Store
Apple recently launched a new privacy feature with the release of iOS 14.3, requiring developers to describe the types of user data their App collects and uses and the purposes, in particular whether the data is used for advertising "tracking". Apple announced the feature in June 2020, aiming to give Apps a privacy disclosure that users can readily understand, and says it will keep adjusting it as users' needs evolve.
In the App Store, the data an App must disclose falls into three groups: data used to track the user, data linked to the user, and data not linked to the user. The data categories include contact information (name, address and the like), financial information (payment and credit information), location, contacts, browsing history, usage data (such as advertising data), diagnostic data (such as crash data) and device identifiers.
"Data linked to the user" is data tied to a user's identity (for example, a user ID or device identifier). Apple stresses that if an App declares that collected data is not linked to the user, it must apply privacy protection measures before collection, such as removing direct identifiers like user IDs, and must avoid re-linking the data to the user's identity afterwards.
Apple also allows developers to omit disclosure of certain data that users submit directly through the App's interface and explicitly choose to provide each time it is collected.
Beyond the App's own collection, third-party plug-ins or code embedded in the App also collect user data. One of the most common uses of this data is "tracking": linking it with third-party data for purposes such as targeted advertising or advertising measurement.
In China, as App governance has deepened, supervision of whether third-party plug-ins and code handle user data compliantly has gradually become a key direction of governance.
Apple's new privacy feature also requires that, if an App integrates third-party partners' plug-ins or code, such as analytics tools, advertising networks and third-party SDKs, the developer must also describe the types of data those components collect and use, whether the third-party partners will use the collected data for "tracking", and whether the data will be linked to the user's identity (such as an account or device identifier).
From December 8, 2020, developers submitting new or updated Apps to the App Store must provide information on their collection and use of user data. Apple has a dedicated team that reviews the submissions through a combination of automated and manual checks, and also conducts random spot checks. If an App does not follow the rules or does not fill in the declaration truthfully, Apple will first contact the developer to help them correct it; if there is no improvement after that, Apple will remove the App and, in serious cases, terminate the developer account.
From next year, Apple will require explicit user consent from any App that wants to track users, or it will remove the App from the App Store.
Notable cases
1. China's first face recognition case decided: face recognition must be reasonable and lawful
Guo Bing, the holder of an annual pass to Hangzhou Wildlife World, sued the park for breach of contract after it required him to "swipe his face" to enter and negotiations failed. On November 20, the Fuyang District People's Court in Hangzhou, Zhejiang Province, gave its first-instance judgment in this service contract dispute involving the collection of citizens' biometric information. The court ordered Hangzhou Wildlife World to compensate Guo Bing 1,038 yuan for loss of contractual interest and transportation expenses, and to delete the facial feature information, including the photos, that he had submitted when applying for the fingerprint-based annual pass; Guo Bing's other claims were dismissed.
2. Nanjing is the first to say no to face recognition in real estate sales, and sales offices dismantle the systems
Discussion of whether face recognition systems in sales offices violate customers' privacy, triggered by a video of a house-hunter wearing a helmet to a sales office, has continued to spread and has drawn the attention of some local government departments.
A few days ago, the Nanjing Housing Security and Real Estate Bureau issued an urgent notice requiring real estate sales offices not to photograph visitors' faces without their consent. The notice states that, to strengthen the protection of home-buyers' rights and personal information and to standardize and clean up the real estate market in Nanjing, the identification of buyers and the collection and use of their personal information must follow the principles of legality, legitimacy and necessity, and the use of face recognition systems at commercial housing sales sites is prohibited.
3. Three people detained for leaking information on more than 6,000 people involved in an epidemic response
The city of Qingdao announced that Jiaozhou Central Hospital in Qingdao had found a confirmed case of COVID-19 and required close contacts to register immediately with their residential communities. Soon afterwards, a list of more than 6,000 close contacts circulated online, containing the names, addresses, contact details, ID numbers and other personal identification information of the people on it. After the incident drew public attention, the public security organs investigated and found that a person surnamed Ye had received the list of people to be followed up for work purposes and forwarded it to a company WeChat group, and that two others had then sent it to family members, causing the leak. Local police placed the three under administrative detention.
4. House transferred away after a mere face scan: more than a dozen owners defrauded of over 10 million yuan
The real estate registration centre in Nanning launched an online service platform called Yongedeng, on which citizens can transfer property by scanning their faces. Mr. Li, a Nanning resident, was selling his house through a real estate agent. After he received a deposit of 30,000 yuan, the agent asked to meet him on the pretext of a property inspection and had him scan his face with a mobile phone. Before the sale had been completed, the house had already been transferred. The agent is now in police custody. From June to October 2020 the agent used the same method to transfer the properties of a dozen owners, involving more than 10 million yuan. In every case the owner was asked by the agent to complete a face verification; the house was transferred out the same day and immediately mortgaged by the buyer to a third party.
5. Controversy over face-scanning toilet paper dispensers in Dongguan; the company responds that facial features are deleted after short-term storage
Dongguan installed face recognition dispensers for toilet paper as part of building star-rated public toilets. A user stands in front of the dispenser for three seconds and the machine's automatic face-scanning function issues a set amount of paper. Because the quantity and frequency of dispensing are fixed, the system also prevents the waste caused by the same person repeatedly taking paper within a short time.
The dispensers are made by a technology company in Tianjin. According to the company's website, its fifth-generation face recognition toilet paper dispenser is "designed to make it easier for citizens to use paper and to save businesses the cost of purchasing paper". Company staff told the media that the equipment had passed testing by the Security and Police Electronic Product Quality Testing Center of the Ministry of Public Security, and that the test report shows the item "automatic deletion of face recognition information function test" as "meets the requirements".
In response, the Dongguan Urban Management Bureau said in a Weibo notice that the original intention was to prevent waste, that the face-scanning device has no network module and only limits how many times the same person can take paper within a set period, and that each photo taken of a user is deleted within a specified time. Use of the devices has been discontinued, and free toilet paper is now provided in the conventional way.
6. 2 yuan for a bundle of 70 celebrities' bare-face photos: Beijing Health Kit exposes a personal information security flaw
Recently, the suspected leak of celebrities' photos from Beijing's "Health Kit" (Jiankangbao) attracted wide attention. Some netizens reported that by entering a celebrity's name and ID number, without passing face recognition, they could look up the celebrity's verification photo in Beijing Health Kit; more than 30 such photos were suspected to have been circulated and sold.
Health Kit photos suspected to belong to Wang Yuan, Wang Junkai, Yi Yangqianxi, Liu Haoran, Yang Mi, Deng Lun, Cai Xukun and more than 50 other celebrities spread online, involving nucleic acid testing institutions in Beijing, Xiamen, Shanghai and elsewhere, and the information was even sold in related chat groups.
The "Health Kit" here is Beijing Health Kit, a mini program launched by the Beijing Big Data Center, based on Beijing's epidemic prevention and control data and the national government service platform for COVID-19 prevention and control, and developed by the Beijing Municipal Bureau of Economy and Information Technology.
According to incomplete statistics, screenshots of the nucleic acid test records of more than 70 celebrities have circulated online. The screenshots include the celebrity's face photo, initials, the first and second digits of the ID number, the nucleic acid testing institution and the exact test time.