US Federal Trade Commission Updates Safeguards Rule for Consumer Financial Information

The US Federal Trade Commission (the FTC) released the text of a Final Rule (the Final Rule) on October 27, 2021, amending the Standards for Safeguarding Consumer Information (the Safeguards Rule). Since 2003, the Safeguards Rule has set the data security standards applicable to certain non-banking financial institutions, as defined under the Gramm-Leach-Bliley Act of 1999 (GLBA). Non-banking financial institutions include, for example, creditors, debt collectors, mortgage companies, and mortgage brokers, but not banks, savings and loan institutions, or federal credit unions. The Safeguards Rule governs the protection of the security and confidentiality of the “nonpublic personal information” (NPI) of customers of covered entities. See 16 C.F.R. Part 314. The Final Rule represents the product of several years’ work, since the FTC first issued a Notice of Proposed Rulemaking and request for public comment in April 2019, followed by a public workshop on the proposed changes in July 2020.

Key takeaways from the Final Rule include the following:

  • Institutions subject to the Safeguards Rule should be aware that the Final Rule, which was adopted in a divided, 3-2 vote by the FTC, appears to signal a broader shift by the FTC to imposing “more specific criteria” with respect to data security under the GLBA. See FTC, Press Release (October 27, 2021). The FTC notes that, in response to the 2019 Notice of Proposed Rulemaking, industry groups criticized the FTC’s proposed approach as “too prescriptive [and] lack[ing] flexibility.” See, e.g., Final Rule at 27-28. Moreover, the two dissenting Commissioners issued a joint statement suggesting that, as drafted, the Final Rule adopts a “check-the-box” and more “intrusive” approach to data security. See, e.g., Joint Statement at 2, 9. The dissenting Commissioners state that the Final Rule departs from the FTC’s historically more “flexible,” “principle-based approach” to oversight in this area.
  • Some of the areas where the Final Rule imposes “more specific criteria” include the mandate that covered entities appoint a single “Qualified Individual” to oversee the entity’s information security program, see § 314.4(a); a range of additional testing and monitoring requirements, see §§ 314.4(b), (d), (g); a mandate that all covered entities implement certain specific safeguards, see §§ 314.4(c)(1)-(8); additional training and educational requirements for security staff, see § 314.4(e); periodic assessments of service providers for compliance with the security program, see § 314.4(f)(3); the requirement that covered entities implement a written incident response plan with seven mandatory components, see § 314.4(h); and the requirement that the Qualified Individual make regular reports on data security to the entity’s board or other governing body, see § 314.4(i).
  • Some of the changes announced by the Final Rule are scheduled to take effect within 30 days of the formal publication of the Final Rule in the Federal Register, while others are scheduled to take effect within one year of publication (as indicated below). However, the Final Rule has not yet been published in the Federal Register, so the precise dates on which it will become binding on covered entities are not yet clear. Given the scope of the changes, companies would be well-served to review their compliance with the Final Rule as soon as possible.

We note that the FTC’s changes are broadly consistent with the more prescriptive approach to data security adopted in the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 N.Y.C.R.R. Part 500, as companies familiar with the Cybersecurity Regulation may be aware. Compare, for example, the NYDFS requirement that covered entities appoint a “Chief Information Security Officer” with the requirement in the Final Rule that covered entities appoint a “Qualified Individual” to oversee the information security program. The NYDFS Cybersecurity Regulation came into force in 2017.

Summary of certain changes taking effect within 30 days of publication in the Federal Register

The following is a summary of certain of the changes that will take effect within 30 days of publication of the Final Rule.

  • 314.1(b) – Expanded scope

Revised Section 314.1(b) specifically provides that “financial institutions” include institutions engaged in activities “incidental” to covered financial activities, as defined in Section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k).

  • 314.2 – Expanded definitions

The Final Rule generally harmonizes definitions under the Safeguards Rule with the Privacy Rule (see 16 C.F.R. Part 313) while adding a number of new definitions. For example, the Final Rule defines multi-factor authentication as including two of three enumerated types of authentication factors (knowledge factors, such as a password; possession factors, such as a token; and inherence factors, such as a biometric characteristic). Similarly, the term “financial institution” is expanded to bring the activity of “finding” within the scope of the Safeguards Rule, as defined in 12 C.F.R. § 225.86(d)(1), i.e., an activity that is incidental to covered financial activities under the Bank Holding Company Act. Finally, we note that while the encryption requirements are new, the FTC has not mandated any specific standard of encryption in the Final Rule.

  • 314.3 – Written information security program

Section 314.3 requires covered entities to “develop, implement, and maintain a comprehensive information security program that is written . . . and contains administrative, technical, and physical safeguards” that are appropriate to each individual company. Notably, this section provides that each company’s information security program “shall include the elements set forth in section 314.4 . . . .” While the mandate in Section 314.3 takes effect within 30 days, the elements of an information security program under Section 314.4 largely take effect within one year.

  • 314.4(b)(2), (d)(1) – Additional testing requirements

While most required elements of the mandated information security program (see § 314.4) must be implemented within one year of the publication of the Final Rule, Sections 314.4(b)(2) and 314.4(d)(1) must be implemented within 30 days of publication. Paragraph (b)(2) generally requires covered entities to “perform additional risk assessments” to identify any “reasonably foreseeable” internal and external risks to customer information held by the covered entity that could lead to unauthorized disclosure, misuse, alteration, or destruction of such information, and to “reassess the sufficiency” of safeguards that have been implemented. Paragraph (d)(1) in turn requires covered entities to “[r]egularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures,” including procedures to detect actual and attempted attacks or intrusions.

  • 314.4(g) – Adjustments to information security program

Paragraph (g) requires covered entities to “[e]valuate and adjust” their information security program based upon the testing and monitoring required under paragraph (d) and the risk assessments performed under paragraph (b)(2), in addition to any other “material changes” to the company’s operations or business arrangements or circumstances that a covered entity knows or has reason to know “may have a material impact” on the information security program.

Summary of certain changes taking effect within one year of publication in the Federal Register

The following is a summary of certain of the changes that will take effect within one year of publication of the Final Rule.

  • 314.4(a) – Appointment of a “Qualified Individual”

In order to promote “improve[d] accountability,” the Final Rule requires that a covered entity appoint a single “Qualified Individual” to oversee the entity’s information security program. The Qualified Individual may be employed by the covered entity, an affiliate, or a service provider. If employed by an affiliate or service provider, the covered entity must retain responsibility for compliance and perform oversight. Previously the Safeguards Rule required covered entities to appoint one or more employees to be responsible for the company’s information security program.

  • 314.4(c)(1)-(8) – Eight specific safeguards that must be implemented

Previous versions of the Safeguards Rule generally required covered entities to undertake a risk assessment and develop and implement safeguards to address identified risks. The Final Rule imposes more detailed, prescriptive requirements regarding what specific safeguards must be implemented, and how. See Final Rule at § 314.4(c)(1)-(8). These include (1) implementing and periodically reviewing access controls, (2) data inventory and classification requirements, (3) implementing encryption protocols, (4) adopting “secure development practices” for certain in-house developed applications, (5) generally implementing multi-factor authentication “for any individual accessing any information system,” (6) developing, implementing and maintaining procedures for secure information disposal no later than two years after the information is last used in connection with a product or service to the customer, with certain narrow exceptions, (7) adopting procedures for change management, and (8) implementing policies and procedures to monitor and log the activity of authorized users and detect unauthorized access.

  • 314.4(d)(2) – Annual penetration testing and vulnerability assessments

While the requirement regarding regular testing in paragraph (d)(1) must be implemented within 30 days of publication, the requirement in paragraph (d)(2) that covered entities perform “continuous monitoring or periodic penetration testing and vulnerability assessment” must be implemented within one year. If companies cannot implement “effective continuous monitoring,” they “shall conduct” both “[a]nnual penetration testing” and “[v]ulnerability assessments . . . at least every six months,” or whenever there are “material changes” to the company’s “operations or business arrangements” or when there are “circumstances that you know or have reason to know may have a material impact on your information security program.”

  • 314.4(e) – Training of information security personnel

The existing version of the Safeguards Rule requires that covered entities ensure employee training. However, as revised in the Final Rule, Section 314.4(e) now provides more detailed requirements on the subject of employee training. It requires covered entities to “ensure that personnel are able to enact [the] information security program” by reference to four covered actions, namely (1) providing “security awareness training,” (2) “[u]tilizing qualified information security personnel,” (3) ensuring that information security personnel have “security updates and training sufficient to address relevant security risks,” and (4) “[v]erifying” that the company’s key information security personnel “take steps” to remain aware of “changing information security threats and countermeasures.”

  • 314.4(f)(3) – Oversight of service providers

Paragraph (f) relates to a covered entity’s oversight over its service providers. Paragraphs (f)(1) and (f)(2) are effectively covered under the existing Safeguards Rule. However, paragraph (f)(3), which must be implemented within one year of the publication of the Final Rule, is new. It requires covered entities to “[p]eriodically assess[] your service providers based on the risk they present and the continued adequacy of their safeguards.”

  • 314.4(h) – Written incident response plan

Paragraph (h) introduces a requirement that covered entities must have a “written incident response plan” that “shall address” the seven elements enumerated in paragraph (h), including, but not limited to, “[t]he internal processes for responding to a security event.” However, the precise actions that are mandated by paragraph (h) are not entirely clear in every instance, e.g., the requirements for “[e]xternal and internal communications and information sharing,” and “[d]ocumentation and reporting regarding security events and related incident response activities” are not described with any further detail.

  • 314.4(i) – Regular reports by Qualified Individual

Paragraph (i) requires the Qualified Individual selected pursuant to § 314.4(a) to “report in writing, regularly and at least annually,” to the board or equivalent governing body of the covered entity. If no such body exists, the report must be made to the “senior officer responsible” for the covered entity’s information security program. Paragraph (i) specifies two items that “shall” be covered in the report, including (1) the “overall status” of the company’s information security program and compliance and (2) any “[m]aterial matters” that are related to the information security program, including “recommendations for changes” to the program.

In addition to the above changes, the Final Rule creates an exemption for financial institutions that collect NPI regarding fewer than 5,000 consumers (see § 314.6). Such institutions need not comply with the written risk assessment, penetration testing and vulnerability assessments, incident response plan, and annual reporting requirements (sections 314.4(b)(1), 314.4(d)(2), 314.4(h), and 314.4(i)).

* * *

We will continue to monitor developments in this area. Please reach out to your usual Herbert Smith Freehills contacts with any questions.

Joseph Falcone
Partner, New York
+1 917 542 7805
Christopher Boyd
Associate, New York
+1 917 542 7821

ASIA DATA PROTECTION UPDATE

New security assessment rules, which are applicable to the transfer of both important data and personal information outside of China, have been issued for public consultation.

The Cyberspace Administration of China (“CAC”) released a draft of the Measures for Security Assessment of Cross-border Transfer of Data (“Draft Measures”) for public consultation on 29 October 2021. The deadline for the public to submit comments on the Draft Measures is 28 November 2021.

China’s Personal Information Protection Law creates challenges for compliance

China’s Personal Information Protection Law (“PIPL”) was passed on 20 August 2021. PIPL presents certain challenges for compliance, which is required when it comes into force on 1 November 2021.

  1. Overview
  2. Lack of clarity over what constitutes consent
  3. Lack of clarity over “contract necessity” as a complete exception to consent
  4. Safeguards for transferring personal information outside China
  5. Restrictions in relation to automated individual decision-making
  6. Our China data and cyber law offering

Overview

PIPL is a generally applicable data protection law governing the processing of personal information being introduced in China.

Similar to the General Data Protection Regulation (“GDPR”), it also contains an express extra-territorial scope provision, provides data subjects with enhanced data subject rights, and the administrative fine for non-compliance is linked to a percentage of annual turnover.

However, despite these similarities, there are also notable differences which render compliance with PIPL challenging and burdensome, particularly in relation to consent and applying certain exceptions, stringent safeguards for transferring personal information outside China and restrictions on automated individual decision-making. See further below.

Lack of clarity over what constitutes consent

China already has a consent-based regime in relation to personal information, and PIPL is consistent in that regard.

Under PIPL, consent remains the only legal basis for processing personal information.

There are a number of exceptions to this under PIPL, which resemble the alternative legal bases under GDPR, e.g. processing being necessary for:

  • the conclusion or performance of a contract (namely the “contract necessity exception”);
  • performing legal obligations; or
  • protecting the life, health and property safety (i.e. vital interests) of individuals during emergencies.

However, PIPL does not have an equivalent to the controllers’ legitimate interests exception under GDPR.

The consent-based approach has also been adopted by the 2020 version of the Information Security Technology—Personal Information Security Specification (“Specification”), which remains relevant as the recommended best practice on processing of personal information in China. The terminology used in the Specification is more consistent with GDPR, e.g. “controller” is used in the Specification and GDPR, whereas “processor” is used in PIPL to refer to the concept of “controller” under GDPR. Another notable example is that “explicit consent” is used in the Specification and GDPR, whereas “consent” and “separate consent” are used in PIPL.

Under PIPL, various types of data processing activities require either “consent” or “separate consent” to be obtained. For example:

  • entrusting a third party to process personal information requires “consent” to be obtained; and
  • “separate consent” is required for (i) disclosure of personal information to other personal information processors, (ii) publicizing personal information, (iii) using personal images and identification information collected from CCTV for purposes other than maintaining public safety, (iv) processing sensitive personal information, or (v) transferring personal information outside China.

The terms “consent” and “separate consent” have not been defined in PIPL. In particular, PIPL does not contain any details of what constitutes “separate consent”.

Until further guidance is provided by the competent PRC authorities, it may make sense to equate “separate consent” with “explicit consent”, which is the higher standard of consent required for processing sensitive personal data under GDPR. Under GDPR, the term “explicit” refers to the way consent is expressed by the data subject.

Lack of clarity over “contract necessity” as a complete exception to consent

It is not entirely clear to what extent the contract necessity exception could trump requirements for “consent” or “separate consent” under PIPL.

For example, given that various data processing activities under PIPL specifically require “separate consent” to be given, if the contract necessity exception was interpreted narrowly then it may be that “separate consent” would still be required (or required to some extent) even in the case of contractual necessity.

Safeguards for transferring personal information outside China

Unlike the global approach for data privacy laws which only requires one of the appropriate safeguards to be in place before personal information can be transferred overseas, PIPL requires each of the following.

The data exporter must meet one of the three conditions linked to the Cyberspace Administration of China (“CAC”), namely it must:

  • pass the security review organised by the CAC;
  • conduct personal information protection certification via professional institutions in accordance with the regulations of the CAC; or
  • adopt the standard contract formulated by the CAC in its data transfer contract with the overseas data recipient to stipulate the rights and obligation of both parties.

There is a data localisation requirement imposed on Critical Information Infrastructure Operators (“CIIO”), or organisations which process large amounts of personal information (with the exact threshold to be stipulated by the CAC). The personal information collected and generated by them in China must be stored within China. If the personal information is required to be transferred overseas, a security assessment organised by the CAC must be passed (see the first condition above).

As regards the threshold for organisations to be regarded as a high-volume processor, while the threshold is still pending guidance from the CAC, our view (based on two draft Measures published for the Cybersecurity Law and the Data Security Law, and the Specification) is that the threshold is likely to fall between 500,000 and 1,000,000 for personal information, and the threshold for sensitive personal information is likely to be even lower.

The data exporter must inform the individual of the details of the overseas data recipient, and obtain the individual’s separate consent.

A personal information impact assessment must be conducted before personal information is transferred outside of China.

PIPL is unique globally because it requires several safeguards to be provided at the same time so compliance could be burdensome.

Please note that we have summarised the major Chinese laws which affect the transfer of data/personal information out of China in our previous article.

Restrictions in relation to automated individual decision-making

Not only does PIPL provide individuals with a right to object to their personal information being used in automated individual decision-making which would have a significant impact on their interests, PIPL also requires organisations to:

  • observe the transparency principle and keep individuals informed of such use of their personal information; and
  • ensure that the outcome of automated decision-making would be fair to individuals who are subject to such processing.

In addition:

  • preferential pricing based on automated individual decision-making is not allowed by PIPL; and
  • individuals must be provided with a convenient way to opt-out from online behavioural advertising or given other alternatives which are not generated by automated individual decision-making.

All of these new restrictions on the use of artificial intelligence in pricing/marketing would significantly impact the way online e-commerce platforms currently conduct businesses in China.

Businesses operating in China should review their online marketing strategy in light of these requirements.

Our China data and cyber law offering

We are an award-winning data and cybersecurity team globally and in China.

We have extensive experience assisting companies in complying with data and cybersecurity laws, and dealing with data and cybersecurity issues, in China and across Asia Pacific and the world.

We have been helping clients understand how the new laws in China impact their business, identify key risk areas and gaps, and make recommendations on their data strategy and action plans.

We are also partnering with clients in this evolving area to anticipate and support their needs.

One of a limited number of firms to do so, our Joint Operation, Herbert Smith Freehills Kewei, enables us to provide an end-to-end legal service integrating PRC law and international law and legal service standards.

It also gives us a deeper understanding of Chinese business methods and corporate culture, and an in-depth knowledge of China’s complex regulatory and political environment.

Nanda Lau
Partner, Shanghai
+86 21 23222117
Peggy Chow
Of Counsel, Singapore
+65 686 88054
Weili Zhong
Associate, Beijing
+86 10 65355105

China Cybersecurity and Data Protection: Monthly Update – July 2021 Issue

Key highlights – our comments on the cybersecurity probe into DiDi and the draft of the revised Measures on Cybersecurity Review

In early July, the Cyberspace Administration of China (CAC) announced that it had initiated cybersecurity reviews of three companies, namely DiDi, Boss Zhipin and Full Truck Alliance, and that during the review the three companies are not permitted to register new users in order to “prevent spreading of risks”. In addition, the CAC also ordered application stores to remove DiDi’s application due to “serious violations in collecting and using personal information”. Notably, all three companies were listed in the United States in June 2021.

There are very few details available to the public about the proposed cybersecurity review except for the fact that it has been initiated. The cybersecurity review is one of the measures contemplated under the Cybersecurity Law (CSL) in order to ensure supply chain security of critical information infrastructure (CII) through a review of the procurement of network products and services that may impact national security. One of the reasons why it had not been invoked until recently is that the scope of CII has not been identified. Although the CSL requires the State Council to publish regulations on the protection of CII, the CAC only released a draft regulation in July 2017. The guidance on identifying CII as contemplated in the draft regulation has never been published. Without knowing whether the information facilities are considered CII, it is almost impossible to put the security review and all the other relevant CII protection measures into practice. The State Council seems to have been aware of this, and has included the regulation on CII protection in its legislative agenda for 2019, 2020 and 2021. We hope this regulation will finally be published this year.

In the absence of CII identification guidance, the first question here is how DiDi is identified as an operator of CII. Although it might meet the criteria set out in the general definition of CII under the CSL, we expect that at least an identification procedure should be followed to justify the decision, and it is unclear whether DiDi was aware of the fact that it was considered a CII operator before the decision for cybersecurity review was made.

Another question is which network product or service procured by DiDi has impacted national security. There is no indication in the announcement by the CAC, and it remains to be seen how the CAC will interpret and assess the procurement on national security.

There are also questions on the enforcement measures. The regulation on cybersecurity review does not empower the CAC to take any enforcement measures alongside the initiation of the review. In terms of penalties, the CSL only permits the authority to order the CII operator to cease using the relevant network products or services, and to impose a fine of up to 10 times the purchase amount on the CII operator and a fine of up to RMB 100,000 on the persons responsible, if the CII operator uses unauthorised products or services. The CSL provision also allows the authorities to require network operators to take technical or other necessary measures to prevent or contain harm in the event of a cybersecurity incident. In this case, DiDi has been ordered to stop registering new users, and the CAC may rely on such provision to take the measures, although the announcement does not mention that a cybersecurity incident has occurred.

As the Data Security Law (DSL) is not enforceable yet, the CAC is not able to invoke any measures provided thereunder if there is any allegation concerning DiDi’s data (especially important data) processing activities. The national security review regime proposed under the DSL is even further from becoming enforceable. The CAC does not specify the data protection laws and regulations pursuant to which it ordered the removal of the DiDi application from application stores. Considering that the Personal Information Protection Law (PIPL) is yet to be enacted, it is likely that the decision is based on the CSL and the relevant regulations on processing of personal information by mobile applications.

As discussed, the factual basis for CAC’s decisions remains unclear. It is worth pointing out that at this point, there is still a very limited number of enforceable laws and regulations in cybersecurity and data protection that the authority can actually rely on for their enforcement actions. The CSL and the cybersecurity review regulation are the most readily available from an enforcement perspective at this point.

CAC seems to have realized the inadequacy of the current regulations. On 10 July 2021, the CAC released a draft of the revised Measures on Cybersecurity Review for public consultation. Notably, the revised draft has extended the scope of cybersecurity review to cover data processing activities of data processors that may impact national security. The extension is apparently intended to implement the national security review on data processing activities as contemplated under the DSL.

The revised draft has a special focus on the listing of companies outside China that process core data, important data and large amounts of personal information. Any operator that processes personal information of over 1 million users must apply to the CAC for cybersecurity review before the operator is listed outside China. The CAC will assess the risks of CII, core data, important data or personal data being “influenced, controlled or maliciously used” by foreign governments if an operator is listed outside of China. The revised draft also includes the China Securities Regulatory Commission (CSRC) as one of the ministries responsible for the review.

The revised draft is apparently targeted at companies, such as DiDi, which have launched or are going to launch their initial public offering outside China and at the same time process a large amount of personal information, important data or even core data within China. One critical question is, if the listing of a company is considered to have impacted national security after review, what actions the CAC and CSRC will take, e.g. whether the company will be ordered to delist. For companies that plan to be listed outside China, the cybersecurity review will bring great uncertainty to their listing process and could potentially affect their decision as to the place of listing.

An interesting point is whether a listing in Hong Kong will be subject to the cybersecurity review. The revised draft uses the term “listing outside China”, instead of the traditional expression “overseas listing” used in the context of securities laws, which usually includes Hong Kong listings. It is unclear whether this indicates that Hong Kong listings are excluded from the scope of review, and the CAC should clarify this point in its final draft.

Data processing and cybersecurity compliance are now under closer scrutiny by the government. Although there are still questions surrounding the decisions on DiDi, and the revised Measures on Cybersecurity Review are still in draft, no doubt companies, especially technology companies, should pay more attention to their compliance with data and cybersecurity laws, in anticipation of the upcoming DSL, PIPL and the implementing regulations. Companies that process important data or sizable amounts of personal information, or operate CII, should pay particular heed to the regulations and actions of the CAC.

Our views

If you would like to know more about the cybersecurity review, please follow the link below to read our previous article on the Measures on Cybersecurity Review published in June 2020.

New regulation strengthens cyber supply chain security in China

If you would like to know more about the newly-enacted Data Security Law, please follow the link below to read our comments.

What to know about China’s Data Security Law

Regulatory developments

1. Data Security Law promulgated, and will come into effect on 1 September

On 10 June 2021, the Standing Committee of the 13th National People’s Congress voted through the Data Security Law after a third reading, which will become enforceable from 1 September 2021. Compared with the second draft, key changes in the final version are: (i) the commission will establish a coordination mechanism for national data security (Mechanism), and the Mechanism will coordinate relevant ministries to draft the catalogue of important data and strengthen the acquisition, analysis, research and early warning of risk information; (ii) a new concept of “core data” of the state is introduced, which is defined as data relevant to national security, the national economic lifeblood, important livelihood of people and significant public interest, and core data will be subject to an even more rigorous protection regime; and (iii) personal information processing activities shall comply with the Data Security Law as well as relevant laws and regulations.

2. Notice on Strengthening the Network Security of Vehicle Networking was released for public consultation

On 22 June, the Ministry of Industry and Information Technology (“MIIT”) issued the Notice on Strengthening the Network Security of Vehicle Networking for public consultation. The Notice covers four aspects: strengthening the network security protection of vehicle networking, strengthening the security protection of platforms, ensuring data security, and strengthening security vulnerability management. It aims to guide basic telecommunications enterprises, intelligent connected vehicle operators and intelligent connected vehicle manufacturers to strengthen the network security management of vehicle networking (intelligent connected vehicles), accelerate improvements in their cybersecurity assurance capabilities, and promote the healthy development of the vehicle networking industry.

3. Notice on Strengthening the Management of Name Registration of Vehicle Networking Cards was released for public consultation

On 11 June, MIIT issued the Notice on Strengthening the Management of Name Registration of Vehicle Networking Cards for public consultation. According to the Notice, MIIT is responsible for the organisation, management and overall promotion of nationwide name registration of vehicle networking cards. Vehicle enterprises are responsible for the name registration of the vehicle networking cards in vehicles they produce and sell, in line with the requirements of the competent authorities. Vehicle enterprises shall establish strict management systems for the purchase, use and name registration of vehicle networking cards, build management platforms for name registration, and improve their user information protection systems. The Notice also provides that telecom enterprises should strengthen the management of the basic resources underlying vehicle networking cards.

4. Vehicles Networking Security Standard System Construction Guide was released for public consultation

On 21 June, MIIT issued the Vehicles Networking Security Standard System Construction Guide for public consultation. The Guide states that efforts should be made to build a cybersecurity standard system for vehicles networking, so as to support the safe and sustainable development of the vehicles networking industry. By the end of 2023, a basic network security standard system for vehicles networking shall be built, and by 2025 a relatively complete network security standard system for vehicles networking shall be in place. The Guide sets out the construction approach, construction contents and implementation plan for the network security standard system for vehicles networking.

5. “Internet Medical and Health Information Security Management Regulations (Draft for Comments)” was released for public consultation

On 4 June, the Statistics and Information Centre of the National Health Commission issued the “Internet Medical and Health Information Security Management Specification (Draft for Comments)”, an industry standard, for public consultation. It specifies the rules and security requirements for the overall framework of information security management in Internet-based medical and health services, covering the management of information security related parties, processes, data, technology and organisation. It applies to information security management in Internet-based medical and health activities carried out by organisations and individuals in China.

6. Basic Requirements for Multi-level Protection of Cybersecurity in Radio and Television was released

On 21 June, the Science and Technology Department of the National Radio and Television Administration released the Basic Requirements for Multi-level Protection of Cybersecurity in Radio and Television, which had been reviewed and approved by the National Radio, Film and Television Standardization Technical Committee. The Basic Requirements were drafted by the relevant entities organised by the National Radio and Television Administration, and stipulate the general requirements and extended requirements for the security of classified protection objects from the first to the fourth level in radio and television network security, together with the requirements for security expansion.

7. Ministries published Opinions on Several Issues Concerning the Application of Law in Handling Criminal Cases Such as Telecommunications and Network Fraud

On 17 June, the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security issued the Opinions on Several Issues Concerning the Application of Law in Handling Criminal Cases Such as Telecommunications and Network Fraud (“Opinions”). The Opinions clearly stipulate the determination of the crime location for telecommunications and network fraud, the circumstances in which cases are tried together, illegal possession of credit cards, the crime of fraud, the crime of infringing on citizens’ personal information, and the crime of forging identity documents. These provisions further clarify the legal standards and support the severe punishment of telecommunications and network fraud crimes in accordance with the law.

Enforcement developments

1. Cyberspace Administration of China reported that 129 apps collected and used personal information illegally

On 11 June, the Cyberspace Administration of China (“CAC”) reported on 129 widely used apps, including Keep, Joyrun, Xiaomi Sports, Jinri Toutiao, Tencent News, Nike, Zhenai.com and others, covering the fields of sports, news and information, webcasting, app stores and women’s health. These apps collected personal information unrelated to their services, in violation of the necessity principle and the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications; collected and used personal information without the users’ consent; and did not provide functions for deleting and correcting personal information or channels for filing complaints.

2. MIIT named apps that infringe users’ rights and interests

On 8 June, MIIT issued a notification of apps that violate users’ rights and interests (the fifth batch in 2021 and the 14th batch in total). MIIT had previously organised a third-party inspection agency to inspect mobile apps and required the relevant companies to make rectifications. As of 8 June, 291 apps had not completed rectification, and problems such as the illegal collection of personal information remained in these apps. These apps were required to complete rectification before 16 June. If rectification is not finished within the time limit, MIIT will take disposal measures in accordance with laws and regulations.

3. Four Beijing authorities jointly launch the 2021 special governance action on app cybersecurity

On 12 June, the Beijing branch of the CAC, the Beijing Public Security Bureau, the Beijing Market Supervision Bureau and the Beijing Communications Administration issued a notice launching the 2021 special governance action on app cybersecurity in Beijing. The authorities decided to carry out a special governance action on the illegal collection and use of personal information by apps in the city, running from the date of the notice until November. App operators are required to collect and use personal information in accordance with laws and regulations, to be responsible for the security of the personal information they collect, and to take effective measures to strengthen personal information protection. The special action is based on the Cyber Security Law, the Notice on Issuing the Methods for Identifying the Collection and Use of Personal Information in Violation of Laws and Regulations by Apps, the Notice on Issuing the Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Apps, and other instruments, and is intended to provide in-depth control of the illegal collection and use of personal information by app operators.

4. Four Zhejiang Province authorities jointly launch the 2021 special action against the illegal collection and use of personal information by apps

On 1 June, the Zhejiang Cyberspace Administration Office, the Zhejiang Public Security Department, the Zhejiang Market Supervision Bureau and the Zhejiang Communications Administration issued an announcement on the joint launch of a special action against the illegal collection and use of personal information by apps, running from June to December 2021. The special action focuses on apps that have a large number of users, are closely related to people’s daily lives, or are the subject of citizen complaints. The relevant departments will carry out targeted rectification of apps with hidden security hazards, such as the illegal collection and use of personal information or the leakage of personal information.

5. MIIT and the Ministry of Public Security issued a notice on the rectification of fraudulent phone cards, Internet of Things cards, and associated Internet accounts

On 2 June, MIIT and the Ministry of Public Security issued a notice on clearing and rectifying fraudulent phone cards, Internet of Things cards and associated Internet accounts. The notice requires persons who illegally handle, rent, sell, buy or hoard phone cards and Internet of Things cards, and the holders of associated Internet accounts, to stop such activities as of the date of the notice and to cancel the related phone cards, Internet of Things cards and Internet accounts before the end of June 2021. The relevant departments will take action in accordance with the law against the illegal handling, renting, selling, buying and hoarding of phone cards, Internet of Things cards and associated Internet accounts.

Industry developments

1. The pilot work for identity authentication and security trust in vehicles networking was launched

On 8 June, the General Office of MIIT issued a notice launching a pilot program for identity authentication and security trust in vehicles networking. The pilot covers four directions: vehicle-to-cloud secure communication, vehicle-to-vehicle secure communication, vehicle-to-road secure communication, and vehicle-to-device secure communication. Basic telecommunications companies, Internet companies, automobile manufacturers, electronic parts companies and other entities may apply for pilot projects in vehicles networking identity authentication and security trust, and MIIT will select qualifying projects to carry out the pilot work. Pilot entities should take primary responsibility for cybersecurity, improve their corporate cybersecurity management systems, and implement the cybersecurity protection requirements.

2. E-commerce platform enterprises undertake to strictly implement relevant requirements for spam message governance

On 11 June, the Information and Communications Administration Bureau of MIIT held an administrative guidance meeting at which MIIT warned e-commerce platform enterprises to standardise the sending of marketing short messages and to strengthen industry self-discipline. Alibaba, JD, PDD and other major e-commerce platform enterprises made a solemn commitment to strictly implement the relevant requirements on spam message control, conduct comprehensive self-inspection and self-correction, improve their management systems, optimise user services, ensure tangible results within a short time, and continuously enhance users’ sense of gain, happiness and security.

International developments

1. Biden Signed Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries

On 9 June, President Biden signed an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries, repealing and superseding three executive orders that had aimed to prohibit transactions with TikTok, WeChat and eight other communications and financial technology software applications. The decision mainly covers three aspects: enabling the United States to take strong measures to protect sensitive US data; developing standards for identifying software applications that may pose unacceptable risks; and further developing plans to protect sensitive personal data against potential threats posed by certain connected software applications.

2. EDPB and EDPS issued a Joint Opinion on EU AI Regulation

On 18 June, the EDPB and EDPS issued a Joint Opinion on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (the Artificial Intelligence Act). In the Joint Opinion, the EDPB and EDPS called for a total ban on the use of AI in public places to automatically recognise human features, covering not only faces but also other biological or behavioural signals such as gait, fingerprints, DNA and voice.

3. EDPB issues version 2.0 of its “Supplemental Measures” guide accompanying the standard contractual clauses

On 18 June, the EDPB updated its Supplemental Measures Guide, which accompanies the standard contractual clauses for the transfer of personal data to third countries under the Regulation published on 4 June, as a follow-up to the Schrems II decision of the European Court of Justice. The guide sets out a number of steps to be followed, potential sources of information, and examples of supplemental measures that could be implemented, to assist data exporters with the complex task of assessing third countries.

4. Recognition by the EU of the UK Data Protection Rules

On 28 June, the EU recognised that the UK’s privacy rules are commensurate with EU rules, a key step that will allow the flow of data between the EU and the UK to continue after Brexit. The EU also added a “sunset clause” limiting the decision to a four-year term. If, during this period, the UK’s data standards diverge significantly from those of the EU, the European Commission may intervene.

5. hiQ’s scraping of LinkedIn user information: US Supreme Court sends case back for review

On 14 June, the US Supreme Court asked the lower courts to review the case concerning hiQ’s scraping of LinkedIn user information. An earlier decision had held that LinkedIn could not prohibit its competitor hiQ Labs from collecting personal information that LinkedIn users had made public. LinkedIn argues that the use of “robots” for large-scale scraping of personal information poses a serious threat to user privacy. hiQ Labs counters that it does not sell user information and that LinkedIn’s lawsuit is aimed at monopolising public data, harming the openness and innovation of the Internet. Although hiQ Labs does not sell the user information it collects, the “user privacy risk” of data being harvested by various crawler tools is real for LinkedIn: in April, it was reported that an archive of data scraped from 500 million LinkedIn resumes was being sold on a hacker forum.

6. Google plans to remove third-party cookies by the end of 2023

On 25 June (Thursday, local US time), Google announced that its Chrome browser would stop supporting the user-tracking technology known as third-party cookies by the end of 2023, nearly two years later than its original target of early 2022. Under pressure from privacy regulators and advocates, Google had previously announced that it would remove these cookies, which many companies in the advertising industry use to track individuals and target ads. Google said the delay would give publishers, the advertising industry and regulators more time to familiarise themselves with the new technology it is developing and testing to continue targeting ads after third-party cookies are phased out.

Mark Robinson, Partner, Singapore, +65 6868 9808
Nanda Lau, Partner, Mainland China, +86 21 2322 2117
James Gong, Of Counsel, Mainland China, +86 10 6535 5106

China Cybersecurity and Data Protection: What you need to know about China’s draft Personal Information Protection Law

Mid-October marked the start of the formal legislative approval process for China’s proposed new law on personal information protection. The milestone draft Personal Information Protection Law (PIPL) underwent its first reading by the Standing Committee of the 13th National People’s Congress and was released for public consultation on 22 October 2020.

For further details on the draft PIPL please refer to our briefing by clicking here. In this briefing we highlight the key provisions of the draft law and set out our observations.

Overview

The draft PIPL expands the scope of personal information and sets out the key concepts and principles for processing personal information. It replaces the current consent-based protection regime with a new one allowing multiple legal bases for processing personal information, as well as setting out more detailed requirements for consent. The draft PIPL also lays down obligations on processors when sharing and transferring personal information to third parties. The safeguards on export of personal information and the requirements on data localisation are less stringent and more practical as compared to previous draft regulations. The GDPR-style extraterritorial effect extends the application of the PIPL to processors outside of China. Individuals may exercise a comprehensive set of rights against processors, and processors are required to take a range of measures to protect personal information.

The Cyberspace Administration of China is responsible for coordinating the ministries who are charged with regulating and supervising the protection of personal information, and the draft PIPL equips them with a wide range of powers to discharge their duties. It sets out the legal liabilities for those processing personal information and dramatically increases the economic penalties that may be imposed for breaches. Significantly, public interest litigation is introduced into the personal information protection regime for the first time. New technologies such as automated decision-making are also regulated by the draft PIPL.

Although there are a number of points still to be clarified by future drafts and guidelines, we can now see for the first time the future regulatory landscape of the personal information protection regime in China. Once the PIPL is enacted, it will have a far-reaching impact on protection of personal information as well as the business and compliance practices for companies.

For further details on China’s draft Personal Information Protection Law please refer to our briefing here.

James Gong, Of Counsel, Corporate, +86 10 6535 5106
Mark Robinson, Partner, Corporate, +65 6868 9808
Nanda Lau, Partner, Corporate, +86 21 2322 2117

Storming the Breaches: DCMS releases Cyber Security Breaches Survey 2019

Cyber-attacks are a continuous threat to both businesses and charities. The Cyber Security Breaches Survey 2019 (available here as a PDF) shows that fewer businesses are identifying breaches than in previous years, but those that do identify breaches are typically experiencing more of them. Approximately 32% of businesses and 22% of charities report having experienced cyber security breaches or attacks in the last 12 months. The most common types of cyber security breaches reported are:

UK’s cyber security breaches survey and Verizon’s data breach report suggest progress – but more to do

April 2017 welcomed two insightful publications on the current cyber security landscape. The UK Department for Culture, Media and Sport’s annual Cyber Security Breaches Survey (the “Survey”) and Verizon’s 2017 Data Breach Investigations Report (the “Report”) highlight the changing attitude of businesses toward cyber security, the specific threats facing organisations, and the opportunities for mitigating cyber crime. Whilst the results of these two publications suggest some advances in cyber security awareness, they also highlight a lack of preparedness that makes the extent of the recent “WannaCry” cyber attack in May 2017 (see above) somewhat unsurprising.