Our Observations: for the past two months (December 2022 - January 2023), enhancing the re-use of data and facilitating data sharing has become THE TOPIC that draws the attention of policymakers and legislators. To maximize the role of data as a new factor of production, the 20 Data Measures creatively sets the tone that the data property system must be laid down. The super metropolis – Shanghai also issued implementation rules on the disclosure and re-use of public data at the provincial level. Among other things, the courts and supervisory bodies keenly follow AI compliance, protection of personal information, outbound data transfer, NFT compliance, online content purification, and sectorial cybersecurity standardization for the last two months.

Part I – Regulations, Policies & Judiciary Interpretations

1. The Central Committee of the CPC and the State Council Issued Opinions on Building Basic Systems for Data to Maximize the Role of Data Elements (Twenty Data Measures)

On December 19, 2022, the Central Committee of the CPC and the State Council issued the Opinions on Building Basic Systems for Data to Maximize the Role of Data Elements (the “20 Data Measures"). The 20 Data Measures notes that as a new factor of production and the basis for digitization, networking, and intelligence empowering, data has been rapidly integrated into various aspects of production, distribution, circulation, consumption, and social service management, profoundly changing the mode of production, lifestyle, and social governance.

The 20 Data Measures emphasizes four major systems and four safeguard measures to promote compliance and efficient circulation and use of data and empower the real economy. The four major systems mentioned in the 20 Data Measures include data property rights system, data element circulation and trading system, data element profit distribution system, and data element governance system. The four safeguard measures are: strengthening organizational leadership, increasing policy support, encouraging experimentation and exploration, and promoting institutional construction.

According to the 20 Data Measures, the National Development and Reform Commission (“NDRC") will enact relevant rules for data ownership identification and utilization.

2. The Supreme People’s Court Issued Opinions on Regulating and Strengthening the Judicial Application of Artificial Intelligence

On December 9, 2022, the Supreme People’s Court issued the Opinions on Regulating and Strengthening the Judicial Application of Artificial Intelligence (the “SPC Opinions"), aiming to:

(1) Further promote the deep integration of artificial intelligence with judicial work.

(2) Comprehensively reinforce the establishment of smart courts.

(3) Create a higher level of digital justice.

(4) Promote the development of smart rule of law to a higher level.

The SPC Opinions focuses on five basic principles that the judicial application of artificial intelligence should follow, including the principles of (1) security and legality; (2) fairness and impartiality; (3) auxiliary trial; (4) transparency; and (5) public order and good morals. In addition, the SPC Opinions also emphasizes the need to strengthen the classification and grading of judicial data and the protection of important data and sensitive information, improve the safe sharing and application model of judicial data, prevent and eliminate security risks arising in the process of artificial intelligence application through the judicial artificial intelligence ethics committee and other mechanisms by adopting ethics review, compliance review and security assessment.

3. MIIT Issued Measures for Data Security Management in Industry and Information Technology Sector (for Trial Implementation)

On December 8, 2022, the Ministry of Industry and Information Technology (MIIT) issued the Measures for Data Security Management in Industry and Information Technology Sector (for Trial Implementation) (the “MIIT Measures"), aiming to:

(1) Regulate data processing activities in the industry and information technology sector.

(2) Strengthen data security management.

(3) Protect data security.

(4) Promote data development and utilization.

(5) Protect the legitimate rights and interests of individuals and organizations, and national security.

The issuance of the MIIT Measures reflects that the issue of data security in the sector of industry and information technology is high on the MITT’s agenda, and it is also a timely response to the concerns raised by the public. The MIIT provides an institutional framework for the supervision of data security in the form of departmental rules.

The MIIT Measures consists of eight chapters and 42 articles, clarifying the compliance requirements for data security management for data processors in the industry and information technology sector and the supervision and review responsibilities of relevant regulators, as well as special requirements for the management of central enterprises, in terms of classified and graded management of data, data lifecycle security management, data security monitoring, early warning and emergency management, and management of data security testing, certification and evaluation.

4. NEA Issued Measures for Cybersecurity Management in the Power Industry

On December 12, 2022, the National Energy Administration issued the Measures for Cybersecurity Management in the Power Industry (the “NEA Measures"), which aims to strengthen the supervision and management of cybersecurity and regulate cybersecurity in the power industry.

The NEA Measures consists of five chapters and 35 articles, including the General Provisions, Supervision and Administration Responsibilities, Responsibilities and Obligations of Power Enterprises, Supervision and Inspection, and Supplementary Provisions. The NEA Measures specifies the responsibilities and obligations of power enterprises, including but not limited to establishing a sound cybersecurity responsibility system, designating the chief cybersecurity officer, strengthening cybersecurity protection, establishing cybersecurity risk assessment, developing contingency plans for cybersecurity incidents, establishing a sound disaster recovery backup system and a sound data security management system throughout the whole process and personal information protection system, conducting special summary reporting and submission of cybersecurity work and the security protection work for critical information infrastructure.

5. Shanghai Municipal Commission of Economy and Informatization and CAC, Shanghai Office Issued Implementation Rules on Access to Public Data in Shanghai

On December 31, 2022, the Shanghai Municipal Commission of Economy and Informatization and CAC, Shanghai Office issued Implementation Rules on Access to Public Data in Shanghai (the “Implementation Rules"), aiming to promote a deeper and higher level of access to public data to support the digital transformation of Shanghai. The Implementation Rules consists of seven chapters and 39 articles, including General Provisions, Data Disclosure, Data Access, Information Systems and Disclosure Platforms, Data Utilization, Security Measures, and Supplementary Provisions, which apply to the activities of public data disclosure, access, utilization, and security management in Shanghai.

The Implementation Rules specifies that public data refers to data collected and generated by state organs, institutions, organizations authorized by law to manage public affairs, and organizations providing public services such as water supply, electricity supply, gas supply, public transportation, etc., in the course of performing public service responsibilities. Public data disclosure refers to public services that public management and service institutions provide to society with original, machine-readable, and socially reusable data.

6. Standing Committee of Beijing Municipal People’s Congress Issued Regulations on the Promotion of the Digital Economy in Beijing

On January 1, 2023, the Regulations on the Promotion of Digital Economy in Beijing (the “Regulations") came into effect. The Regulations provides detailed rules on digital infrastructure, data resources, digital industrialization, industrial digitalization, smart city development, digital economy security, and safeguard measures. The Regulations points out that the digital economy refers to a new economic form that uses data resources as key elements, modern information networks as main carriers, and integrated application of information and communication technologies and digital transformation of all elements as important driving forces to promote fairness and efficiency.

Part II - Sectorial Standards & Practice Guidance

1. TC260 Issued Practice Guideline for Cybersecurity Standards – Safety Certification Specification for Cross-border Processing Activities of Personal Information V2.0

On December 16, 2022, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued the Practice Guideline for Cybersecurity Standards – Safety Certification Specification for Cross-border Processing Activities of Personal Information V2.0 (the “Guideline 2.0"), which aims to support the implementation of personal information protection certification and guide personal information processors to regulate their cross-border processing activities of personal information.

Compared to the Draft Guideline issued on November 8, the Guideline 2.0 has the following major amendments:

(1) Emphasizing the continuous supervision right of certification bodies on the cross-border processing activities of personal information.

(2) Clarifying the civil liability of personal information processors and overseas recipients regarding the rights and interests of personal information subjects.

(3) Requiring that the agreement signed by personal information processors and overseas recipients stipulate both parties’ legal liabilities.

(4) Encouraging personal information processors conducting cross-border personal information processing activities to apply for personal information protection certification voluntarily.

(5) Providing that the competent court before which the personal information subject brings a legal action can be the People’s Court at the location of the personal information subject’s habitual residence as well as the specific competent court as stipulated in the Civil Procedure Law.

2. TC260 Issued Practice Guideline for Cybersecurity Standards – Verification of the Effect of Local Contouring of Out-of-Automobile Screens (Draft) for Public Comments

On January 6, 2023, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued the Practice Guideline for Cybersecurity Standards – Verification of the Effect of Local Contouring of Out-of-Car Screens (Draft) (the “2023 Guideline") for public comments, which clarifies the process, method and verification criteria for the verification of the effect of local contouring of the face and license plate of out-of-automobile screens, in order to guide automobile data processors to standardize the out-of-automobile screen data collection and verify the effect of local contouring of the face and license plate of out-of-automobile screens.

The 2023 Guideline applies to the automobile data processor’s own verification of the effect of local contouring of the face and license plate of out-of-automobile screens. Also, it applies to the third-party agencies to verify the local contouring effect. “Local contouring" refers to the process of removing areas of video and images that contain information such as faces and license plates, or replacing these areas with other images that cannot be associated with the personal information subject and cannot be recovered. However, the 2023 Guideline does not explain the technical means to carry out local contouring.

3. TC260 Issued Cybersecurity of Industrial Internet Enterprises – Part 4: Data Protection Requirements for Public Comments

On December 1, 2022, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued the Cybersecurity of Industrial Internet Enterprises – Part 4: Data Protection Requirements (the “Draft") for public comments, clarifying that industrial internet data refers to industrial internet data generated and collected in various industries and fields under the industrial internet model, including any data collected and generated in the process of R&D design, manufacturing, operation and management, operation and maintenance, platform operation, and so forth.

The Draft clarifies the process and specific requirements of industrial internet data security protection. It sets level-by-level enhanced security protection requirements for general, important, and core data based on the idea of graded protection, including the classification and grading methods and requirements of industrial internet data, graded protection requirements of the entire lifecycle of industrial internet data, the classification and grading requirements of other data processing activities and the management requirements of industrial internet data.

4. MIIT and Other 16 Departments Jointly Issued Guiding Opinions on Promoting the Development of the Data Security Industry

On January 13, 2023, 16 Departments including the MIIT, the CAC, the National Development and Reform Commission jointly issued the Guiding Opinions on Promoting the Development of the Data Security Industry (the “Guiding Opinions"), which aims to:

(1) Promote the implementation of the Data Security Law and the work of the national data security coordination mechanism.

(2) Clarify the tasks of data security industry development.

(3) Create a sound ecosystem for data security industry development.

The Guiding Opinions focuses on the data security protection and the need for the development and utilization of data resources; specifically, it clarifies:

(1) The overall requirements for promoting the development of the data security industry, including guidelines and basic principles, and two stages of industry development goals by 2025 and 2035.

(2) The seven key tasks to promote the development of the data security industry.

(3) The need to strengthen organizational coordination and policy support and optimize the industry development environment to ensure the implementation of the Guiding Opinions and effectively promote the healthy development of the industry.

5. SAMR Issued Guidelines for Enforcement on Absolute Terms in Advertising (Draft) for Public Comments

On December 7, 2022, the State Administration for Market Regulations (SAMR) issued the Guidelines for Enforcement on Absolute Terms in Advertising for public comments (the “SAMR Guidelines"). The SAMR Guidelines aims to:

(1) Further strengthen and standardize the supervision over and enforcement against commercial advertising with absolute terms.

(2) Maintain the order of the advertising market.

(3) Protect the legitimate rights and interests of natural persons, legal persons and other organizations.

Based on the Advertising Law, the SAMR Guidelines provides more implementation details on the supervision over and enforcement against absolute terms in advertising, mainly in terms of exceptions to absolute terms.

6. CAC, Zhejiang Office Issued Guidelines for Declaration Materials of Security Assessment for Outbound Data Transfer

On January 6, 2023, the CAC, Zhejiang Office issued Guidelines for Declaration Materials of Security Assessment for Outbound Data Transfer (the “Zhejiang Guidelines"). The Zhejiang Guidelines is drafted on the basis of the Security Assessment Measures for Outbound Data Transfers and the Guide to Applications for Security Assessment of Outbound Data Transfers (First Edition). The Zhejiang Guidelines aims to guide and help data processors within Zhejiang Province to conduct the self-assessment of the risks of the outbound data transfer and improve the completeness, accuracy and consistency of their declaration materials.

Part III - Enforcement Highlights

1. CAC Kicked off the Nationwide Campaign of “Purifying the Online Environment – Rectification of Chaos in the Field of Mobile Internet Applications"

On December 12, 2022, the CAC kicked off the nationwide campaign of “Purifying the Online Environment – Rectification of Chaos in the Field of Mobile Internet Applications," aiming at:

(1) Regulating the management of mobile Internet application information services.

(2) Thoroughly addressing the chaos on platforms such as APP, WeChat mini programs and fast applications.

(3) Further clarifying the accountability of application distribution platforms.

In accordance with the requirements of the Administrative Provisions on Mobile Internet Applications Information Services, this campaign urges application distribution platforms to fulfill the responsibilities and rectify the problems in all links (including links of searching, downloading and installing, and operating and using).

2. The Primary People’s Court of Chongzhou City Issued China’s First Personal Safety Protection Order – “Protecting Women’s Privacy and Personal Information"

On January 1, 2023, the Primary People’s Court of Chongzhou City issued China’s first Personal Safety Protection Order – “Protecting Women’s Privacy and Personal Information" [(2023) Sichuan 0184 Civil Protection Order No. 1 Civil Ruling], prohibiting the respondent Li XX from continuing to disclose and disseminate the privacy and personal information of the applicant Chen. Article 29 of the Law of the People's Republic of China on the Protection of Rights and Interests of Women, which came into force on January 1, 2023, stipulated that it is prohibited to pester or harass women or to disclose or disseminate women’s privacy or personal information under the excuse of a romantic relationship or friendship or after the termination of a romantic relationship or divorce, and a woman suffering from the said infringement or facing the looming risk of the said infringement may apply to People’s Court for a Personal Safety Protection Order.

Part IV – Court Judgments

1. The Supreme People’s Court Released 4 Criminal Cases Involving the Protection of Personal Information

On December 26, 2022, the Supreme People’s Court issued the 35th batch of four guiding cases (No. 192 to No. 195), all of which are criminal cases involving infringement of citizens’ personal information. This is the first time that the Supreme People’s Court issued criminal guiding cases concerning personal information infringement. The types of personal information involved in the cases include facial information, ID card information, social media account information, and mobile phone verification code information. The defendants in the four cases all committed the crime of infringement of citizens’ personal information as stipulated in Article 253 of the Criminal Law, among which Case No. 192 and Case No. 195 were criminal cases with incidental civil public interest action.

2. Hangzhou Internet Court Adjudicated that NFT Digital Collections Should Be Protected by Laws as Network Virtual Property

On December 5, 2022, the Hangzhou Internet Court released a judgment regarding a dispute over the sale and purchase contract of information network in terms of the transaction of NFT digital collections. The plaintiff claimed more than 90,000 yuan for the defendant’s forced refund of the “NFT digital collection blind box" he purchased. The court dismissed the plaintiff’s claim because of a mistake in filling in his personal information. It is worth noting that the court held that the transaction object in the case was NFT digital collection, not NFT equity certificate, and NFT digital collections have the characteristics of property rights such as value, scarcity, controllability, and tradability. They also have the unique attributes of virtual network property, such as network virtuality. Therefore, they constitute virtual network property. The contract involved in the case does not violate the laws and regulations of China, nor does it violate the policy and regulatory guidelines of China that prevent economic and financial risks, and should be protected by the laws of China.

The case has certain guiding significance for the development of China’s digital collection industry, playing an important guiding role for enterprises to operate the platforms, control the risks and for the judiciary to define the assets of digital collections. This judgment fills the judicial precedents gap in China’s NFT digital collection industry and is a typical case with much reference value.