Highlights in China's Recent TMT Law and Practices-May 2023
Our Observations: In May 2023, China’s TMT sector witnessed key legal developments that underscored a rigorous focus on cybersecurity, consumer protection, and personal information protection. Notably, the Cybersecurity Review Office’s declaration that Micron Technology’s products had not passed its cybersecurity review signaled increased vigilance in safeguarding China’s critical information infrastructure against significant cybersecurity risks. Furthermore, the introduction by the Cyberspace Administration of China (the “CAC”) of the Guidelines for the Record-Filing of Standard Contracts for the Outbound Transfer of Personal Information clarifies what relevant enterprises must prepare when drafting the Standard Contract and its supporting documents. Additionally, the issuance of GB/T 42574-2023 by the Standardization Administration of China (the “SAC”) signifies a proactive approach to regulating the notification-and-consent rule for personal information collection. Together, these regulatory developments convey an unequivocal message of China’s dedication to fortifying cybersecurity, endorsing personal information protection, and fostering fair commercial practices in its evolving TMT sector.
Part I – Regulations, Policies & Judiciary Interpretations
1. The State Council Issued the Regulations on the Commercial Passwords
On May 24, 2023, the State Council issued the Regulations on the Commercial Passwords (the “SC Regulations”), which will take effect on July 1, 2023. The SC Regulations primarily cover areas such as technological innovation and standardization, testing and certification, electronic certification, import and export, application promotion, and supervision and management.
The SC Regulations stipulate that network operators should, in line with the requirements of the national classified protection system for cybersecurity, employ commercial passwords to safeguard network security. The National Cryptography Administration is responsible for overseeing commercial password practices across the nation. The CAC, the Ministry of Commerce, the General Administration of Customs, and the State Administration for Market Regulation (the “SAMR”) are among the competent authorities responsible for managing commercial passwords within their respective jurisdictions.
The SC Regulations emphasize that critical information infrastructure operators should implement protection measures using commercial passwords, develop plans for the application of these passwords, allocate the necessary financial resources and professional staff to concurrently plan, construct, and operate a commercial password safeguard system, and conduct a security assessment of the commercial password application, either independently or with the help of cryptography inspection institutions. Such a system may only be launched after passing its evaluation and must undergo at least one review per year following its launch.
2. The CAC Issued the Announcement on the Matters Regarding Adjustment of the Security Administration of Specialized Cybersecurity Products
Recently, the CAC issued the Announcement on the Matters Regarding Adjustment of the Security Administration of Specialized Cybersecurity Products (the “CAC Announcement”). The Cybersecurity Law explicitly requires that network critical equipment and cybersecurity products comply with mandatory national standards and, in addition, pass the safety certification or safety inspection conducted by accredited institutions before they can be sold or provided. The specialized cybersecurity products enumerated in the Catalogues of Network Critical Equipment and Specialized Cybersecurity Products can be sold or provided only if one or more of the following conditions are met:
(1) The specialized cybersecurity products are in compliance with applicable mandatory national standards, such as the Information Security Technology - Security Technical Requirements for Cybersecurity Dedicated Products and have passed the safety certification or safety inspection conducted by qualified institutions.
(2) The specialized cybersecurity products have previously been granted the “Sale License for Computer Information System Security Specialized Products”, and such license remains valid.
The CAC Announcement further clarifies that starting from July 1, 2023, specialized cybersecurity products that pass the safety certification and those that pass the safety inspection will be equally eligible for market access, so manufacturers do not have to apply for both.
3. The MOT Issued the Administrative Measures for the Security Protection of Critical Information Infrastructure for Highways and Waterways
Recently, the Ministry of Transport (MOT) issued the Administrative Measures for the Security Protection of Critical Information Infrastructure for Highways and Waterways (the “MOT Measures”), which will come into effect on June 1, 2023. The MOT Measures clarifies the rules for the determination of critical information infrastructure concerning highways and waterways, the obligations of the operators, as well as the safeguarding and supervision requirements. The MOT Measures specifies that to determine whether a piece of infrastructure is critical information infrastructure, three factors should be considered:
(1) the importance of the infrastructure’s network facilities and information systems to the core businesses of highways and waterways;
(2) whether the network facilities and information systems store or process core national data, and the magnitude of harm that could be caused by damage to, loss of functionality, or data leakage of these network facilities and information systems; and
(3) relevance to other industries and fields.
Also noteworthy is that, compared with the previous draft for comments version, the official MOT Measures has removed the section on “determination of important data" and has reduced the supervisory duties of local authorities.
4. The SAMR and Ten Other Governmental Departments Jointly Issued the Guidance Opinions on Further Strengthening the Supervision of the Medical Aesthetics Industry
Recently, eleven departments, including the SAMR, the National Health Commission, the CAC, the National Administration of Traditional Chinese Medicine, and the National Medical Products Administration, jointly issued the Guidance Opinions on Further Strengthening the Supervision of the Medical Aesthetics Industry (the “Guidance Opinions”).
The Guidance Opinions clarifies that medical aesthetics services are classified as medical activities, and that future supervisory focus will be placed on strengthening the management of market entity registration and enhancing the qualification review of medical aesthetics institutions. When it comes to fields and industries associated with medical aesthetics, the Guidance Opinions highlights the tightened supervision of “guide-shopping” activities in the medical aesthetics industry, training activities in medical aesthetics, and the lifestyle beauty industry. The Guidance Opinions strictly prohibits personnel without appropriate medical qualifications or knowledge in medicine from engaging in medical aesthetics diagnosis and treatment consultation, medical guidance services, or publishing professional content related to the medical field either online or offline.
Part II - Sectoral Standards & Practice Guidance
1. The CAC Has Issued the Guidelines for the Record-Filing of Standard Contracts for the Outbound Transfer of Personal Information (First Edition)
To provide robust guidance to personal information processors for the systematic and structured record-filing of standard contracts for the outbound transfer of personal information, the CAC introduced the Guidelines for the Record-Filing of Standard Contracts for the Outbound Transfer of Personal Information (First Edition) (the “Record-Filing Guidelines”) on May 30, 2023. The Record-Filing Guidelines details the specific requirements for record-filing methods, procedures, and the materials relevant to such filing.
Personal information processors intending to transfer personal information to overseas recipients based on the Standard Contract should follow the Record-Filing Guidelines and the applicable provisions of the Measures for Standard Contract of the Outbound Transfer of Personal Information, and submit their record-filing to their local provincial-level Cyberspace Administration Office.
The Record-Filling Guidelines offers a comprehensive guide for businesses to prepare the outbound Personal Information Assessment (PIA) reports. The report comprises a self-assessment summary, an overview of proposed outbound activities, an impact assessment of such proposed outbound activities, and assessment conclusions. The content of the outbound PIA parallels the required self-assessment report for security assessment under the Guidelines for Self-Assessment of Outbound Data Transfer.
2. The SAMR and the SAC Have Jointly Issued the Information Security Technology - Implementation Guidelines for Notification and Consent in Personal Information Processing (GB/T 42574-2023).
On May 23, 2023, the SAMR and the SAC jointly issued the recommended national standard, i.e., the Information Security Technology - Implementation Guidelines for Notification and Consent in Personal Information Processing (the “GB/T 42574-2023”). The purpose of GB/T 42574-2023 is to address practical issues concerning notification and consent arising from personal information processing and to provide a clear path for implementation. GB/T 42574-2023 will come into effect on December 1, 2023.
GB/T 42574-2023 refines the path for implementing notification and consent by proposing specific principles, methods, and steps, which together form an essential compliance framework for personal information processors to follow. Furthermore, GB/T 42574-2023 recommends implementation methods for notification and consent in 13 specific scenarios, thereby providing easy-to-follow scenario-based guidance. GB/T 42574-2023 also categorizes notifications into general notification, enhanced notification, and prompt notice; personal information processors may choose one notification mode or a combination of modes based on the characteristics of their product or service functionalities.
3. The NISSTC Solicits Public Comments on the Cybersecurity Standards Practice Guide — Security Requirements for the Protection of Personal Information in Facial Recognition Payment Scenarios
Recently, the National Information Security Standardization Technical Committee (NISSTC) issued the Cybersecurity Standards Practice Guide — Security Requirements for the Protection of Personal Information in Facial Recognition Payment Scenarios (Draft for Public Comment) (the “Guide”).
The Guide is tailored for facial recognition payment scenarios, detailing specific personal information protection requirements for diverse stakeholders involved in such payment settings. The Guide underscores the strict prohibition against utilizing facial data for any purpose beyond the immediate transaction, the non-permissibility of facilitating the export of facial data, and the requisite ability to ascertain the security status of the operating environment.
Moreover, the Guide establishes clear boundaries for the commencement and conclusion of facial data collections:
(1) Commencement: The collection of data should begin only subsequent to a definitive user interaction, such as a manual click.
(2) Termination: The collection of data should cease either upon the completion of facial recognition or one minute after data collection has begun.
Part III - Enforcement Highlights
1. Micron Failed the Cybersecurity Review
On May 21, 2023, the Cybersecurity Review Office announced the results of its review, stating that products sold by Micron Technology in China failed to pass the cybersecurity review. The rejection was attributed to the discovery of significant cybersecurity issues within the products of Micron Technology, which pose a major security risk to the supply chain of the critical information infrastructure and threaten national security.
As a result, pursuant to laws and regulations such as the Cybersecurity Law, critical information infrastructure operators should cease procuring products from Micron Technology. The announcement contended that the cybersecurity review conducted on Micron’s products is a necessary measure aimed at mitigating cybersecurity risks to China’s critical information infrastructure, thereby maintaining national security. China remains committed to keeping a high level of openness to the world and welcomes businesses from across the globe, as well as platforms, products, and services of different kinds, to enter the Chinese market, provided they comply with China’s laws and regulations.
2. The CAC Conducted a Special Campaign to Regulate False News
Recently, the CAC conducted a Special Campaign to Cleanse Cyberspace (the “Campaign”) aiming to thoroughly eliminate information that disrupts the order of online communication, including the illicit editing and reproduction of online content and the generation of false news. The Campaign also targets the misuse of social media accounts, such as impersonating a news presenter. To date, this initiative has resulted in the cleansing of approximately 107,000 accounts disguised as news organizations and presenters, and the removal of around 835,000 pieces of fabricated news. In addition, the Campaign has made public typical non-compliant accounts and behaviors on various online platforms.
During the Campaign, the CAC has been guiding online platforms in their compliance efforts, and at the request of the CAC, the platforms issue special announcements, keep displaying misbehaving accounts, and maintain dedicated reporting sections. These measures are designed to persistently remind internet content producers to operate in accordance with laws and regulations, which prohibit the impersonation of news organizations and presenters and outlaw the publication of false news.
Part IV - Court Judgments
1. Next of Kin Do Not Have the Right to Directly Log into the Deceased’s Account(s) to Review or Duplicate Personal Information
The Beijing Internet Court recently released a decision concerning the protection of the deceased’s personal information. The ruling established that while next of kin do retain a right to access the deceased’s personal data, this does not extend to direct access to the deceased’s account(s). The rationale behind this decision lies in the understanding that the content within the deceased’s account could potentially involve private information the deceased would rather not have disclosed, or that pertains to third parties.
Therefore, to safeguard the rights of the deceased in relation to their personal information, next of kin are prohibited from directly logging into the deceased’s account for data review. The court further stated that in parallel to ensuring the protection of the deceased’s personal information, a personal information processor who handles the deceased’s account is obligated to offer reasonable alternative methods for next of kin to exercise their rights.