Our Observations: In the TMT sector, the Measures for Standard Contract for Cross-Border Transfer of Personal Information (the “SCC Measures") and its annexes (the “Standard Contract"), promulgated in February 2023, is one of the most significant pieces of legislation for cross-border data transfer, as it complements the Security Assessment and the Cross-Border Data Transfer Certification to form China’s current legal landscape of cross-border data transfer. Corporations may apply the Standard Contract for cross-border data transfer only if certain criteria are met.[i] Besides the Standard Contract, enhancing the innovative capability of AI technology and rectifying the mobile applications’ non-compliant functionality are still the core issues keenly followed by relevant supervisory authorities during the last month.

Part I – Regulations, Policies & Judiciary Interpretations

1. CAC Issued the Measures for Standard Contract for Cross-border Transfer of Personal Information

On February 24, CAC issued the SCC Measures and the Standard Contract, aiming to implement certain aspects of the Personal Information Protection Law, protect the rights and interests of personal information subjects and regulate cross-border transfer of personal information.

The Standard Contract referred to by the SCC Measures contains 13 articles and provides for the scope of application of the Standard Contract, conditions to meet before entering into the Standard Contract, record-filing requirements and the superseding effect of the Standard Contract clauses over other supplemental clauses, so as to provide specific guidelines for cross-border transfer of personal information. The SCC Measures will be implemented from June 1, 2023, and corporations plan to apply the Standard Contract shall rectify any non-compliant practices and finish the record-filling before December 1, 2023.

2. The Central Committee of the CPC and the State Council Issued the Outline for Building a Great Power of Quality

On February 6, 2023, the Central Committee of CPC and the State Council issued the Outline for Promoting High-Quality Development (the “Outline"), proposing that the key to promoting development is to improve quality and efficiency, and to cultivate new advantages of economic development in technology, standards, brands, quality, services and other core areas.

The Outline specifies six development goals by 2025 as follows:

(1) improving the quality and efficiency of economic development;

(2) enhancing the competitiveness of industries’ quality;

(3) improving the quality of products projects, and services;

(4) making greater progress in building up brands;

(5) making the quality infrastructure more modern and efficient; and

(6) improving the quality governance system.

In addition to the principal goals, the Outline also stipulates that the PRC aims to:

(1) accelerate the thorough application of big data, networks, artificial intelligence and other new technologies to promote the integration of modern service industries, advanced manufacturing industries and modern agriculture industries;

(2)  improve the quality and safety of agricultural products, food and drug;

(3) promote the standardized and orderly development of new models such as online shopping and mobile payment, encourage the diversification and integrated development of supermarkets, e-commerce platforms and other retail formats; and

(4) strengthen the quality supervision of goods sold through online platforms, improve cross-regional and cross-industrial supervision and coordination mechanisms and promote the integration of online and offline supervision.

3. The General Office of the State Council Issued the Guiding Opinions on Further Promoting Integrated Supervision across Departments

On February 17, 2023, the General Office of the State Council issued the Guiding Opinions on Further Promoting Integrated Supervision Across Departments (the “Guiding Opinions"), aiming to further strengthen integrated supervision across departments, maintain a fair and orderly market environment and effectively reduce institutional transaction costs for market players.

The Guiding Opinions proposes the following measures:

(1) promoting the exchange and sharing of regulatory information, which means all local authorities and all departments shall strive to break down data barriers to support integrated supervision across departments through data exchange and sharing across departments, regions and levels;

(2) using the existing government data sharing and exchange platform to connect with the information databases of natural persons, legal persons, spatial geography, electronic certificates, public credit and regulatory practices;

(3) requiring that data of local governments shall be shared where their work entails cross-departmental collaboration and that rules on the returning and exchange of data shall be specified to ensure an orderly data collection and the secure and efficient use of data; and

(4) requiring that governmental departments should consider the needs arising from their work of cross-departmental integrated supervision of specific matters, such matters including risk monitoring and collaborative law enforcement, and in particular, they shall clarify the scope, method, procedures, time limits, frequency and confidentiality requirements for information sharing.

4. The Shanghai Municipal People’s Government Issued the Administrative Measures for the Information Infrastructure in Shanghai

On February 19, 2023, the Shanghai People’s Government issued the Administrative Measures for the Information Infrastructure in Shanghai (the “Administrative Measures"), which comes into effect on March 1, 2023. The Administrative Measures consists of 30 articles, which regulates activities relating to the planning, construction, maintenance, protection and supervision of information infrastructure, aiming to regulate and promote the construction and management and ensure the security of Shanghai’s information infrastructure and promote the comprehensive digitalization of economy, livelihood and governance. According to the Administrative Measures, information infrastructure includes equipment, lines and other supporting facilities that provide telecommunication services, radio and television services and information services such as data transfer, storage and computing to the public.

The Administrative Measures also includes special provisions for data centers, i.e., the city’s economic and information technology department shall, in conjunction with the city’s development and reform department, communications department and other departments, coordinate and promote the establishment, transformation and upgrading of data centers, guide the construction of edge computing resource pool nodes, substations and other facilities, improve energy efficiency and promote the formation of a new type of data centers which are green and low-carbon with reasonable layout, advanced technology and computing power commensurate with the growth of the digital economy.

5. The Hangzhou Data Resources Administration Bureau Issued the Implementation Plan for the Authorized Operation of Public Data in Hangzhou (Draft for Public Comments)

On February 17, 2023, the Hangzhou Data Resources Administration Bureau issued the Implementation Plan for the Authorized Operation of Public Data Operation in Hangzhou (Draft for Public Comment) (the “Draft"). The Draft stipulates four aspects, which are:

(1) general requirements;

(2) scope of the data;

(3) main tasks; and

(4) mechanisms to ensure proper implementation.

The Draft is the first detailed implementation plan for the procedures of authorized operation of public data within Zhejiang Province, which marks a significant milestone for exploring and enhancing the value of public data resources and promoting the circulation of data elements. The closing date for public comments is March 18, 2023.

6. The Development and Reform Commission of Shenzhen Municipality Issued the Interim Measures for the Management of Data Property Rights Registration in Shenzhen (Draft for Public Comments)

On February 20, 2023, the Development and Reform Commission of Shenzhen Municipality issued the Interim Measures for the Management of Data Property Rights Registration in Shenzhen for public comments (Draft for Public Comments) (the “Interim Measures"). The Interim Measures aims to regulate the registration of data property rights, protect the legitimate rights and interests of data elements market participants and promote the unconstrained flow, development and utilization of data as factors of production.

The Interim Measures specifies that the registry shall use blockchain and other relevant technologies to store the registered information and properly preserve the original documents and other documents and materials of the registration. The retention period shall not be less than 30 years. The registry and its staff are legally obliged to keep confidential the data, documents and materials related to the data property registration. The Interim Measures also mentions that the regulatory authorities should strengthen the collection and sharing of registered data and implement new regulatory methods such as off-site regulation, credit regulation and risk warning, so as to step up the regulation.

Part II - Practice Guidance & Enforcement Highlights

1. MIIT Announced 46 Apps (SDKs) that Infringe Users’ Rights and Interests

On February 8, 2023, the Ministry of Industry and Information Technology (the “MIIT") organized third-party inspection agencies to inspect mobile applications (apps) in the category of services for daily life and third-party software development kit (SDK) according to the Personal Information Protection Law, the Cybersecurity Law, the Telecommunications Regulations, the Provisions on the Protection of Personal Information of Telecommunications and Internet Users and other laws and regulations. Infringing behaviors by 46 apps (SDKs) have been flagged, including:

(1) illegal collection of personal information;

(2) illegal use of personal information;

(3) collection of personal information beyond the scope of necessity;

(4) forced collection of unnecessary personal information;

(5) insufficient disclosure and notification of personal information collection;

(6) insufficient disclosure and notification of app information on the application distribution platform;

(7) illegal Internet pop-up information push service;

(8) deceiving, misleading and forcing users;

(9) forced, frequent, excessive requests for access by apps; and

(10) illegal use of third-party services.

2. MIIT Issued the Notice on Several Reform Measures for the Network Access Licensing System for Telecommunications Equipment

On February 6, 2023, MIIT issued the Notice on Several Reform Measures for the Network Access Licensing System for Telecommunications Equipment (the “MITT Notice"), and the relevant measures have been implemented since March 1 this year. The MIIT Notice includes five reform measures, including:

(1) adjusting supervision methods for some telecommunications equipment;

(2) streamlining and optimizing network access license testing items;

(3) announcing the time limit for network access license approval commitments;

(4) extending the valid period of network access trial approvals; and

(5) implementing family management of telecommunications equipment products.

3. SAMR Exposed Ten Cases regarding Illegal Advertising：

On February 3, 2023, the State Administration for Market Regulation (SAMR) announced the results of the special rectification actions carried out since 2022 for commercial marketing hype piggybacking on the 20th National Congress of the CPC and other illegal advertising that undermines national dignity, hinders social stability, obstructs public order and violates good morals of the society, singling out ten typical cases to publish where:

(1) the name of the 20th National Congress of the CPC, the centenary celebrations of the CPC and special dates were used for illegal promotion and hype;

(2) the name or image of any state government agencies or staff thereof were used for marketing and publicity without authorization;

(3) the marketing activities were gimmicks;

(4) national dignity was undermined; and/or

(5) good morals of the society were violated.

4. Guangdong Communications Administration Plans to Carry Out Inspection of Network Data Security and Application Compliance for 2023

On February 13, 2023, Guangdong Communications Administration released the Notice on Carrying out 2023 Administrative Inspection on Network Data Security and Application Compliance in the Telecommunication and Internet Industries (the “Inspection Notice"). Guangdong has become the first province in China to carry out province-wide inspections of network data security and application compliance in 2023. The 2023 National Work Conference for Industry and Information Technology emphasizes that the industry and information technology authorities shall continue the whole-process governance of apps, personal information protection and the protection of users’ rights and interests across entire industry chains as one of the key tasks in 2023.

Compared with its 2022 inspection requirements, Guangdong Province’s regulatory inspection for 2023 will be furthered to the extent that:

(1) the range of objects and the contents for the inspection will become wider;

(2) the relevant enterprises will not be given a period for self-inspection and self-rectification; and

(3) the inspection by the regulatory authorities will be carried out at irregular intervals.

To rise up to such intensified regulation, enterprises shall constantly conduct effective self-inspection and compliance rectification, in order to perform the obligations of cybersecurity protection and data compliance.

5. MIIT Issued the List of Administrative Law Enforcement Matters of MIIT (2022 Edition)

On February 16, 2023, MIIT issued the List of Administrative Law Enforcement Matters of MIIT (2022 Edition) (the “List"), taking into account the revision of relevant laws and regulations and the administrative law enforcement activities according to the requirements of the Interim Implementation Plan for MIIT to Fully Implement the Administrative Law Enforcement Publicity System, the Record System of the Whole Process of Law Enforcement, and the Legal Review System for Significant Law Enforcement Decisions.

It should be noted that MIIT has added a total of 15 items (Articles 247-261) to the list of administrative law enforcement matters related to data security in combination with the provisions of the Data Security Law and the Security Assessment Measures for Outbound Data Transfers. The inclusion of such law enforcement matters reflects the implementation of MIIT’s security supervision responsibilities as a competent department in the field of industry and information technology.

[Note] 

[1]  Corporations shall meet all the following criteria before applying the Standard: (1) the Corporations do not qualify as CIIO; (2) the Corporations do not transfer important data or core data; (3) the Corporations do not exceed the threshold of transferring 100,000 individuals’ personal information; and (4) the Corporations do not exceed the threshold of transferring 10,000 individuals’ sensitive personal information.