Overview: In June 2023, significant regulatory developments occurred in the TMT sector, most notably the new regulations and guidelines rolled out by various authorities. The CAC issued regulations on short-range self-organizing network services and published the first record list for deep synthesis service algorithms in China. The MIIT expanded the scope of and procedures for administrative penalties. The SCA issued security evaluation measures for commercial cryptography. The SAMR issued antitrust guidelines for mergers and acquisitions and compliance rules for the blind box business. The SPC, SPP, and MPS jointly unveiled guidelines to address cyber violence. The NISSTC established standards for classifying cybersecurity incidents. Enforcement highlights included a joint report by the CSAC and CNCERT/CC on data collection by video streaming apps and a data breach case under the Data Security Law that resulted in significant penalties. These updates underscore the intensified regulatory focus on data security, network service management, antitrust compliance, and cybercrime, signaling the need for enhanced compliance measures across the TMT sector.
Part I – Regulations, Policies & Judiciary Interpretations
1. The CAC Issues New Regulations to Regulate Short-range Self-organizing Network Information Services
Recently, the Cyberspace Administration of China (“CAC”) announced the Administrative Regulations on Short-range Self-organizing Network Information Service (Draft for Comments) (“CAC Regulations”). The CAC Regulations regulates services that use technologies such as Bluetooth and Wi-Fi to quickly establish networks between nearby devices for the purpose of information exchange. In particular, it explicitly details the obligations of both providers and users of these short-range self-organizing network services.
According to the CAC Regulations, providers of short-range self-organizing network information services must assume specific security management responsibilities. These responsibilities include:
* formulating security protocols and emergency response plans for cybersecurity incidents;
* implementing necessary security management systems and technical measures to enhance their ability to prevent risks;
* carrying out security assessments of new technologies that potentially shape public opinion or drive societal mobilization;
* reporting any unlawful or harmful information to relevant regulatory departments promptly.
Furthermore, the CAC Regulations indicates that users of these short-range self-organizing network information services must not misuse such services to generate, replicate, distribute, or forward illegal or harmful information. It also prohibits users from engaging in unlawful activities such as network intrusion or data theft using these services. In instances where users receive illicit content, they have the right to report such information to supervisory authorities.
2. The MIIT Issues New Provisions on the Procedures for Administrative Penalties
Recently, the Ministry of Industry and Information Technology (“MIIT”) issued the Regulations on Administrative Penalty Procedures for Industry and Information Technology (“Administrative Penalties Regulations”), which revises the current Regulations on Telecommunication Administrative Penalty Procedures (“2001 Regulations”) and is set to take effect from September 1, 2023. Compared to the 2001 Regulations, the Administrative Penalties Regulations updates several requirements:
* The scope of application has been broadened from telecommunications alone to the entire industry and information technology sector.
* General provisions for administrative penalty procedures have been added, reflecting the requirements of the Administrative Penalty Law of the People’s Republic of China.
* The MIIT’s jurisdiction has been clarified. The places of unlawful acts now unequivocally include the offender’s place of residence, place of illegal operation, network access location, and the location where the offender’s telecommunication and internet information services are licensed or recorded.
* The general procedures have been adjusted and fine-tuned, with improvements made to the case filing standards and deadlines. The Administrative Penalties Regulations also details the requirements for evidence collection during law enforcement.
* The procedures for law enforcement and case closure have been refined, offering clear directives for compulsory enforcement by people’s courts and establishing specific requirements for case closure.
3. The SCA Issues New Administrative Measures on the Security of Commercial Cryptography
Recently, the State Cryptography Administration (“SCA”) promulgated the Administrative Measures for Commercial Cryptographic Testing Institutions (Draft for Comment) and the Administrative Measures for the Security Assessment of Commercial Cryptographic Applications (Draft for Comment) (collectively, “Security Assessment Administrative Measures”). The Security Assessment Administrative Measures is designed to strengthen the oversight of commercial cryptographic testing institutions and to standardize commercial cryptographic testing activities as well as the security assessment of commercial cryptographic applications.
The requirements for security assessment of commercial cryptographic applications are as follows:
* “Important networks and information systems” refer to those networks and systems which are legally required to be protected via commercial cryptography.
* Prior to deploying any important networks and information systems, an operator is obligated to conduct a security assessment of commercial cryptographic applications, either independently or with the help of a licensed commercial cryptographic testing institution.
* After the deployment, the operator of the important networks and information systems is required to undertake a security assessment of commercial cryptographic applications at least once per year.
* All original records and assessment reports from the security assessment of commercial cryptographic applications must be archived and preserved in a manner that ensures traceability, with a minimum retention period of six years.
* Within 30 days following the completion of an assessment report, the operator is required to submit the report, along with other materials, to the SCA or the competent local cryptography administration where the network and information system are located, for record-keeping purposes.
4. The SAMR Issues New Antitrust Compliance Guidelines on M&A
Recently, the State Administration for Market Regulation (“SAMR”) issued the Antitrust Compliance Guidelines on Mergers and Acquisitions (Draft for Comments) (“Antitrust Guidelines”). The Antitrust Guidelines consists of general provisions, core principles of the M&A review system, identification and management of compliance risks, safeguards for compliance management, and supplementary provisions. The Antitrust Guidelines specifies six principal categories of M&As for which antitrust declarations should be made:
* a merger with an enterprise that generated a turnover exceeding RMB 400 million within China during the preceding fiscal year;
* acquisition of equity or assets from an enterprise with a turnover exceeding RMB 400 million in China during the preceding fiscal year;
* joint acquisition of equity or assets from an enterprise that generated a turnover exceeding RMB 400 million in China during the preceding fiscal year;
* control of or capacity to exert significant influence over an enterprise with a turnover exceeding RMB 400 million in China during the preceding fiscal year through contractual arrangements or other methods;
* formation of a new joint venture with an enterprise that generated a turnover exceeding RMB 400 million in China during the preceding fiscal year;
* an M&A whose transaction value is considerable, or which may substantially influence the market and has elicited considerable industry attention.
5. The SAMR Issues New Compliance Guidelines for Blind Box Business
Recently, the SAMR promulgated the Compliance Guidelines on Blind Box Operation (for Trial Implementation) (“SAMR Guidelines”), which came into effect on June 8, 2023. The SAMR Guidelines sets forth clear compliance obligations for entities operating a blind box business and for online trading platforms conducting blind box transactions. These obligations include clearly disclosing prices, the probability of drawing each product, product style variations and the range of product values, and establishing a corporate quality assurance system.
Compared to the draft for public comments issued on August 16, 2022, the SAMR Guidelines has introduced the following amendments:
* Lists of products that may not be sold in blind boxes are introduced, restricting the sale of certain cosmetics, food products and other items in blind box packaging.
* A ‘factory probability sampling’ mechanism is in place to aid administrative bodies in ensuring the consistency between the promised probability of getting the desired products through blind box selection and the actual outcomes.
* Companies intending not to be bound by seven-day post-sale refund requirements must fully disclose such intention to the consumers and obtain their consent before completing the transactions.
* The sale of blind boxes to minors under eight years old is prohibited. Where blind boxes are sold to minors aged eight and above, sellers must clearly notify their guardians and obtain their consent.
6. The SPC, the SPP, and the MPS Solicit Public Opinions on the Guiding Opinions on Disciplining Cyber Violence Crime
Recently, the Supreme People’s Court (“SPC”), the Supreme People’s Procuratorate (“SPP”), and the Ministry of Public Security (“MPS”) have collectively issued the Guiding Opinions on Disciplining Cyber Violence Crime (Draft for Comments) (“Guiding Opinions”). The Guiding Opinions clarifies that if, for the purpose of hype creation or clout-chasing, a network service provider refuses to fulfill its information network security management obligations against cyber violence, it will be penalized for the offense of failing to fulfill information network security management obligations.
Additionally, the Guiding Opinions highlights that stricter penalties should be levied on cyber violence crimes that fit any of the following descriptions:
* crimes specifically targeting minors or individuals with disabilities;
* organizing “internet trolling” or creating fictitious “sex-related” topics that infringe upon the dignity of others;
* employing “deepfake” technology to disseminate illicit or inappropriate information that contravenes public decency, ethics, or morals;
* crimes that are initiated or organized by network service providers themselves.
Part II - Sectorial Standards & Practice Guidance
1. The CAC Announces the Record Information on Deep Synthesis Algorithms
On June 20, 2023, the CAC issued a list regarding the record information for deep synthesis service algorithms. First of its kind for deep synthesis service algorithms in China issued by the CAC, the list contains 41 distinct deep synthesis algorithms from 26 companies.
As indicated by the record list, deep synthesis technology is applied across a broad range of scenarios. These include, but are not limited to, AI customer service, image generation, dialogue generation, video production, audio synthesis, real-time communication, multi-modal content generation, text composition, speech-to-text conversion, video conferencing, and facial image/video editing.
2. The NISSTC Issues Guidelines on Classification of Cybersecurity Incidents
Recently, the National Information Security Standardization Technical Committee (“NISSTC”) officially released the Guidelines for the Classification and Grading of Cybersecurity Incidents (“NISSTC Guidelines”). The NISSTC Guidelines sets out ways to categorize cybersecurity incidents into different types and tiers.
* Cybersecurity Incident Categories: Considering factors such as the origin of the cybersecurity incident, the associated threat, the method of cyberattack, and the consequences of the damage, incidents are divided into ten categories, namely incidents related to malicious software, cyberattacks, data security, information content security, equipment and infrastructure failures, regulatory violations, security endangerment, anomalous behavior, force majeure circumstances, and other miscellaneous incidents.
* Cybersecurity Incident Levels: Based on three key factors (the significance of the affected entities, the extent of commercial loss, and the magnitude of societal harm), cybersecurity incidents are classified into four tiers. From highest to lowest, these tiers are particularly significant incidents (Level One Incidents), major incidents (Level Two Incidents), considerable incidents (Level Three Incidents), and general incidents (Level Four Incidents).
Part III - Enforcement Highlights
1. The CSAC and the CNCERT/CC Publish a Report on the Collection of Personal Information in Online Video Apps
Recently, an evaluative study was conducted jointly by the Cyber Security Association of China (“CSAC”) and the National Computer Network Emergency Response Technical Team/Coordination Center of China (“CNCERT/CC”), scrutinizing the practices of personal data collection by a range of popular “Online Audio and Video” applications. A report revealing the findings of this assessment was issued on June 12, 2023.
The study covered a detailed examination of eight “Online Audio and Video” applications, each with more than 100 million downloads across 19 application platforms, along three dimensions: invocation of system permissions, uploading of personal data, and network upload traffic.
The results highlighted in the report demonstrate that the majority of the applications overstep the boundaries of the principles of data minimization and necessity, in relation to their fundamental business functions. These “Online Audio and Video” applications are primarily designed to enable users to search and play music and films, which inherently does not necessitate the collection of personal information.
Nonetheless, the investigation found that all the examined applications collected personal data during music and video searches. The collected data included details such as the users’ locations and unique device identifiers. Such data collection was determined to be non-compliant with the regulations stipulating that only the minimal personal information necessary for basic application functions may be collected.
Part IV - Court Judgments
1. Uploading Data to the Public Cloud without Sufficient Protection Measures May Lead to Legal Consequences
Recently, a local public security bureau in a city in Zhejiang Province disclosed a case concerning a significant data breach. The incident occurred during the development of an information management system for a government department: without securing the necessary approval from the government agency, the contracted company transferred the agency’s sensitive operational data to a public cloud server that the company had rented from a third party.
Despite the sensitive nature of the data, the company did not take any security measures throughout the process, thereby causing a significant data leak. The public security bureau determined that the company failed to institute a comprehensive data security management mechanism or implement essential technical measures to ensure data protection.
The local public security bureau ultimately found the company in violation of the Data Security Law and levied administrative penalties accordingly. The company was fined RMB 1 million, the project director received a fine of RMB 80,000, and another individual directly responsible was fined RMB 60,000.