Technology | Data Protection | Cyber Security News Letter 2020.12 – Technology – China – Mondaq News Alerts


REGULATIONS

NISSTC issued the Guidelines for Data Security of Online
Car-booking Services (Draft for Comment)

On November 10, 2020, the Secretariat of the National
Information Security Standardization Technical Committee
(“NISSTC”) issued the Information Security Technology –
Guidelines for Data Security of Online Car-booking Services (Draft
for Comment) (the “Draft”) for public comments by January
8, 2021.

The Draft specifies the types, scope, methods and conditions of
collection, storage, use, sharing, public disclosure and deletion
of data, as well as data security management requirements.

The requirements of data collection are as follows:

  • Before collecting the personal information of users, online
    car-booking service operators shall inform users and obtain the
    consent of users;
  • When users refuse to provide personal information other than
    the minimum necessary personal information, online car-booking
    service operators shall not refuse to provide the online
    car-booking service; and
  • When users refuse to provide the minimum necessary personal
    information corresponding to the optional business function of
    online car-booking service, online car-booking service operators
    can refuse to provide the corresponding optional business function
    service but should not refuse to provide online car-booking
    service.

The requirements of data transmission and storage are as
follows:

  • When online car-booking service operators transmit personal
    information through the , they should adopt security
    measures such as ;
  • Online car-booking service operators shall store the personal
    identification information, facial recognition features and audio
    and video trip recordings data of passengers and drivers
    separately;
  • Online car-booking service operators should not store travel
    track and audio and video trip recording data on office terminals,
    but on servers protected by security measures.

The Draft also stipulates that online car-booking service
operators should not abuse analysis or other technical means to set
unfair trading conditions based on users’ consumption records and
consumption preferences, thereby infringing on users’ legitimate
rights and interests.

https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20201110160208&norm_id=20201030200001&recode_id=40116

NISSTC issued the Guidelines on the Code of Ethics for
Artificial Intelligence (Draft for Comment)

On November 9, 2020, the Secretariat of the National Information
Security Standardization Technical Committee (the “NISSTC”) issued the Practice Guide to Cybersecurity
Standards – Guidelines on the Code of Ethics for Artificial
Intelligence (Draft for Comment) (the “Draft”) for public
comments by November 23, 2020.

The Draft gives safety risk warnings regarding potential ethical
issues associated with artificial intelligence (“AI”),
and provides guidelines for AI research and development, design and
manufacturing, deployment and application, consumer use and other
related activities.

On deployment and application, the Draft stipulates that the
deployer should explain the functions, limitations, risks and
impacts of systems, products or services related to AI to users in
a timely, accurate, complete, clear and unambiguous manner, and
explain the relevant application process and application results.
The deployer should also provide users with a clear and
easy-to-operate mechanism to refuse or stop using systems, products
or services related to AI. After users refuse or stop using such
systems, products or services, the deployer should provide users
with alternative non-AI options as far as possible.

https://www.tc260.org.cn/front/postDetail.html?id=20201109163419

RCEP: To protect the personal information of electronic
commerce users

On November 15, 2020, the Regional Comprehensive Economic
Partnership Agreement (“RCEP”) was concluded. The RCEP
consists of 20 chapters, covering comprehensive market access
commitments on goods, services, investment and other areas.

The “Electronic Commerce” chapter of the RCEP stipulates
that each party to the RCEP is:

  • encouraged to improve trade management and procedures through
    electronic means;
  • required to create a favorable environment for electronic
    commerce, to protect the personal information of electronic
    commerce users, provide protection for online consumers, and
    strengthen supervision and cooperation on unsolicited commercial
    electronic information.

On cross-border transfer of information by electronic means,
the RCEP also provides that a party shall not prevent cross-border
transfer of information by electronic means where such activity is
for the conduct of the business of a covered person.

http://fta.mofcom.gov.cn/rcep/rceppdf/d12z_en.pdf

Announcement on 35 Apps for non-compliance in collecting and
using personal information

On November 13, 2020, the Task Force on Apps for Illegal Collection
and Use of Personal Information (the “Force”) found that
there are problems in the collection and use of personal
information by 35 Apps. The relevant App operators are advised to
rectify the existing problems in time and report the rectification
status to the Force within 30 days. After the 30 days, the Force
will verify the rectification status, submit the review results to
the relevant departments, and handle those that cannot be
effectively rectified according to law.

https://mp.weixin.qq.com/s/KGFSSM9yuIxs9Wrv2tR24w

Live streaming platforms shall establish a mechanism for
personal information protection

On November 13, 2020, the Cyberspace Administration of China
(“CAC”) issued the Administrative Provisions on Live
Streaming Marketing Information Content Services (Draft for
Comment) (the “Draft”) to solicit public comments by
November 28, 2020.

The Draft stipulates that live streaming platforms shall
establish a sound mechanism for registration and cancellation of
accounts and live streaming marketing business, information
security management, codes of conduct for marketing, minors’
protection, users’ rights protection, personal information
protection, credit evaluation and data security. At the same time,
the Draft provides that live streaming platforms shall strengthen
the service management of live streaming information on the
Internet. If illegal or harmful information is found, the platform
shall immediately take measures to deal with it, keep relevant
records and report to the relevant competent authorities. Live
streaming platforms shall prevent and stop illegal advertising,
price-related and other violations of users’ rights and interests,
and shall warn users in a prominent way of the risks of private
transactions outside the platform.

http://www.cac.gov.cn/2020-11/13/c_1606832591123790.htm

PBOC issued the Testing and Evaluation Guidelines for
Classified Protection of Cybersecurity of Financial Industry and
the Implementation Guidelines for Classified Protection of
Cybersecurity of Financial Industry

On November 11, 2020, the People’s Bank of China
(“PBOC”) formally issued two financial industry standards,
namely the Testing and Evaluation Guidelines for Classified
Protection of Cybersecurity of Financial Industry (the “Testing
and Evaluation Guidelines”) and the Implementation Guidelines
for Classified Protection of Cybersecurity of Financial Industry
(the “Implementation Guidelines”).

The Testing and Evaluation Guidelines stipulate the general
requirements and extended requirements of security evaluation for
Level-2, Level-3 and Level-4 protected objects in the financial
industry. The Testing and Evaluation Guidelines are intended to
guide financial institutions, evaluation institutions and the
competent departments for cybersecurity classified protection in
the financial industry in conducting security evaluations of the
security status of classified protection objects.

The Implementation Guidelines include six parts, which
regulate:

  • the cybersecurity of the financial industry and the
    security requirements corresponding to different security
    levels,
  • the basic framework and terminology definition of the
    cybersecurity level protection work in the financial industry,
  • the cybersecurity post setting requirements of financial
    institutions,
  • the cybersecurity post ability requirements,
  • the cybersecurity personnel ability evaluation
    requirements,
  • the cybersecurity training related requirements, and
  • the financial institutions cybersecurity level protection audit
    implementation requirements, etc.

The Implementation Guidelines are intended to guide financial
institutions, evaluation institutions and the competent departments
of the financial industry in implementing classified cybersecurity
protection.

https://www.cfstc.org/bzgk/gk/view/bzxq.jsp?i_id=1891

https://www.cfstc.org/bzgk/gk/view/bzxq.jsp?i_id=1885

NISSTC issued the Practice Guide to Cybersecurity Standards –
Security Guidelines for Using Software Development Kit (SDK) for
Mobile Internet Applications

On November 27, 2020, the Secretariat of the National
Information Security Standardization Technical Committee
(“NISSTC”) issued the Practice Guide to Cybersecurity
Standards – Security Guidelines for Using Software Development Kit
(SDK) for Mobile Internet Applications
(“Guidelines”).

The Guidelines set out the responsibilities of the parties
involved in the use of SDKs and the common security issues, as
well as the security principles and measures for App providers and
SDK providers to address common problems. The Guidelines apply to
preventing SDK security and compliance risks when App providers use
SDKs, and also provide a reference for SDK providers in protecting
SDK security and users’ personal information.

According to the Guidelines, App providers should take adequate
security measures to ensure that there is no security risk when
using SDKs, such as conducting security assessments of an SDK
before integrating it, conducting continuous dynamic monitoring
or regular security assessments of the integrated SDK, and signing
a cooperation agreement with SDK providers or further improving the
existing cooperation agreement with them.

In addition, SDK providers should collect personal information at
the lowest frequency necessary to realize their own business
functions, and enhance their own security by means of code audit
and code obfuscation.

https://www.tc260.org.cn/upload/2020-11-27/1606438309423027911.pdf

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Source: https://www.mondaq.com/china/new-technology/1015972/technology-data-protection-cyber-security-news-letter-202012
