Technology, Data Protection, Cybersecurity (2020.09) – Technology – China

The Ministry of Commerce launches pilot program on security
management for cross border data transfer

On August 14, 2020, the Ministry of Commerce (“MOC”) issued the
Master Plan for Comprehensively Deepening the Pilot Program on
Innovative Development of Trade in Services (“Plan”), covering 28
provinces and municipalities directly under the Central Government
(regions), including Beijing, Tianjin and Shanghai. The pilot
program will run for three years.

The Plan proposes to:

  • establish dedicated Internet data channels in pilot areas where
    feasible; the Ministry of Industry and Information Technology
    (“MIIT”) shall formulate relevant policies;

  • explore a classification-based supervision model for
    cross-border data flow and carry out a pilot program for
    cross-border data transfer security management. The Office of the
    Central Cyberspace Affairs Commission shall formulate relevant
    policies, and pilot work on cross-border data transfer security
    management shall be implemented in pilot areas such as Beijing,
    Shanghai, Hainan and Xiong’an New Area;

  • develop cross-border services such as big data collection,
    storage, processing, analysis, mining and trading based on
    industrial Internet in pilot areas;

  • explore the rules and standards of data service collection,
    masking, application, trading, supervision, etc.;

  • promote the commercialization and securitization of data
    assets, and explore the formation of new models for trading of big
    data;

  • carry out security assessment on cross-border data flow in
    pilot areas; and

  • establish data security management mechanisms covering data
    protection capability certification, data circulation backup
    review, cross-border data flow and transaction risk assessment,
    etc.; encourage international cooperation on digital rules in
    pilot areas and strengthen the protection of data.

For more information, please refer to http://images.mofcom.gov.cn/fms/202008/20200814092010665.pdf

China proposes to tighten controls on import and export of
commercial cryptography products

On August 20, 2020, the State Cryptography Administration
released the Regulations for the Administration of Commercial
Cryptography (Draft for Comment) (“Draft Regulations”) to solicit
public opinions by September 19, 2020.

The Draft Regulations provide that import of commercial
cryptography on the “Commercial Encryption Import License List”
and export of commercial cryptography on the “Commercial
Encryption Export Control List” are subject to the import and
export license for dual-use items issued by the competent commerce
department of the State Council.

According to the Draft Regulations, operators of networks and
information systems such as unclassified critical information
infrastructure, network of Grade III or above (under the network
graded protection regime), and national government information
system shall:

  • use commercial cryptography for protection;

  • formulate a commercial cryptography application scheme;

  • have the necessary funds and professionals;

  • plan, construct and operate the commercial cryptography
    safeguard system synchronously with the system it protects; and

  • carry out a security assessment of the commercial cryptography
    application, either by themselves or through commercial
    cryptography testing institutions.

The above-mentioned network and information systems can be put
into operation only after the security assessment on commercial
cryptography application. After operation, the assessment shall be
conducted at least once a year, and the assessment results shall be
filed with the local municipal cryptography administrative
department.

The Draft Regulations provide that operators of networks and
information systems such as unclassified critical information
infrastructure, networks of Grade III or above, and national
government information systems should use commercial cryptography
products and services that have been tested or certified, and use
commercial cryptography technology listed in the Guidance Catalog
of Commercial Cryptography Technology.

The Draft Regulations stipulate that if operators of critical
information infrastructure purchase network products and services
involving commercial cryptography, which may affect national
security, they shall pass the national security examination
organized by the state cyberspace department, the state
cryptography department and other relevant departments according to
the law.

For more information, please refer to http://www.oscca.gov.cn/sca/hdjl/2020-08/20/content_1060779.shtml

China released the revised Catalogue of Technologies Prohibited
and Restricted from Export

On August 28, 2020, the Ministry of Commerce and the Ministry of
Science and Technology jointly released the revised Catalogue of
Technologies Prohibited and Restricted from Export (“Catalogue”).
The revisions removed 4 items of technologies prohibited from
export, removed 5 items of technologies restricted from export,
added 23 items of technologies restricted from export, and revised
the technical parameters of 21 items of technologies.

It is worth noting that, in the export restriction section, the
Catalogue adds “personalized information push service
technology based on data analysis” and “technology of
unmanned aerial vehicles”.

For more information, please refer to http://www.most.gov.cn/kjbgz/202008/t20200828_158546.htm

NISSTC seeks public opinions on the Information Security
Technology – Cyber-data Process Security
Specification

On August 31, 2020, the National Information Security
Standardization Technical Committee (“NISSTC”) issued the
Information Security Technology – Cyber-data Process Security
Specification (Draft for Comment) (“Draft Specification”) for
public comments by October 27, 2020.

Highlights of the Draft Specification include:

Provision of data to others: Before providing
data to others, network operators should conduct security impact
analysis and risk assessment. If national security, public
security, economic security, and social stability will be
endangered, they must not provide the data to others.

Responsible person for data security: When
network operators carry out business and service activities and
collect important data and personal sensitive information, they
should clarify the person responsible for data security and provide
them with necessary resources to ensure that they perform their
duties independently. The person in charge of data security should
have professional knowledge of data security and relevant
management work experience, participate in important decisions
related to data processing activities, and perform the following
duties:

  1. organizing and determining the data protection catalog,
    formulating a data security protection plan and supervising the
    implementation;

  2. organizing and carrying out data security impact analysis and
    risk assessment, and supervising the rectification of security
    risks;

  3. reporting data security protection and incident handling to the
    cyberspace administration and relevant departments as required;
    and

  4. organizing to accept and handle data security complaints and
    reports.

Transmission and storage: Network operators
should take security measures for data transmission and storage
activities, including:

  1. When transmitting important data and personal sensitive
    information, security measures such as encryption should be
    adopted;

  2. When storing important data and personal sensitive information,
    security measures such as encryption, secure storage, access
    control, and security audits should be adopted; and

  3. The storage of personal information should not exceed the
    storage period agreed with the personal information subject, unless
    otherwise provided by laws and regulations.

The Draft Specification also provides special rules for the
protection of personal information in public health emergencies.
For example, when face recognition is used as the authentication
method in the provision of information services, other
authentication methods should in principle be offered for users to
choose, and the original image from which face recognition
information can be extracted should in principle not be retained
when that information is used for identity verification.

For more information, please refer to https://www.tc260.org.cn/front/postDetail.html?id=20200830094619

MIIT: no user consent, no commercial SMS or calls

On August 31, 2020, the Ministry of Industry and Information
Technology (“MIIT”) issued the Administrative Regulations on Short
Messages and Voice Call Service (Draft for Comments) (“Draft
Regulations”) to seek public comments by September 30, 2020.

According to the Draft Regulations, no organization or individual
may send commercial short messages or make commercial telephone
calls to a user without his/her consent or request, or where
he/she has explicitly refused to receive such SMS/calls. Absent
explicit consent, the user shall be deemed to have refused. If a
user who previously agreed later explicitly refuses, the sending
of commercial short messages or the making of commercial telephone
calls shall cease. A short message service provider that sends
port-type commercial short messages shall ensure that the user has
agreed to or requested such messages and shall keep proof of the
user’s consent for at least five months. A voice call service
provider shall not make platform commercial calls, nor provide
communication resources, platform facilities or other conditions
to organizations or individuals making commercial calls in
violation of the Draft Regulations.

For more information, please refer to
http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057709/n3057717/c8067025/content.html

Ministry of Culture and Tourism: Big data analysis and other
technical means must not be abused to violate tourists’
rights

On August 31, 2020, the Ministry of Culture and Tourism issued
the Interim Provisions on Administration of Online Tourism
Business and Services (“Provisions”), which will take effect on
October 1, 2020.

According to the Provisions, online tourism operators should
implement the graded protection system for cyber security, take
management and technical measures for cyber security, formulate
cyber security contingency plans and organize regular training in
accordance with the PRC Cybersecurity Law and other relevant laws,
so as to ensure the normal development of online tourism business
and services.

Online tourism operators shall protect the tourists’ right
of comment and shall not arbitrarily shield or delete tourists’
comments on their products and services, nor shall they mislead,
induce, substitute or force tourists to make comments. Comments
made by tourists shall be saved and made public.

Online tourism operators should protect the security of
tourists’ personal information and other data, and clearly
indicate the purpose, method and scope of the collection of
tourists’ personal information in advance and obtain the
consent of the tourists.

Online tourism operators must not abuse technical means such as
big data analysis to set unfair trading conditions based on
tourists’ consumption records, travel preferences, etc., and
infringe on the legitimate rights and interests of tourists.

According to the Provisions, online tourism operators refer to
natural persons, legal persons and unincorporated organizations
engaged in online tourism business and services, including online
travel platform operators, operators on the platform, and operators
who provide travel services through self-built websites and other
network services.

For more information, please refer to http://zwgk.mct.gov.cn/auto255/202008/t20200831_874550.html?keywords=

Six government agencies call for recommendation of national
green data centers in 2020

On August 6, 2020, the Ministry of Industry and Information
Technology (“MIIT”) and five other government agencies issued the
Circular on Organizing and Implementing the Recommendation of
National Green Data Centers (2020) (the “Circular”).

According to the Circular, all regions shall recommend a batch
of well-managed and representative data centers featuring high
energy efficiency and advanced technology in major application
fields of data centers, such as manufacturing, telecommunications,
Internet, public institutions, energy, finance, and e-commerce, in
accordance with the Evaluation Indicator System for Green Data
Centers.

The Circular provides four basic conditions that a recommended
data center shall meet:

  1. The owner of the data center shall have independent legal
    person status. The data center shall have clear property rights and
    shall abide by relevant laws, regulations, policies and standards
    in the process of construction and operation. In the past 3 years
    (or since establishment, if less than 3 years), it has had no major
    safety incidents, environmental protection incidents or other
    incidents, and no other serious illegal or untrustworthy conduct
    determined by judicial or administrative agencies;

  2. The data center shall have a clear and complete physical
    boundary, an independent power supply and distribution system, and
    a cooling system that meets the requirements of the Action Plan for
    Green and Efficient Refrigeration, and shall have been officially
    operating for one or more consecutive years as of the application
    date;

  3. The construction and layout shall meet the requirements of the
    Guiding Opinions on the Construction Layout of Data Centers, as
    well as the requirements of local construction planning and other
    local laws and regulations; and

  4. It is not included in the list of Special Supervision and
    Rectification for the Energy Efficiency of the Industrial Energy
    Conservation Supervision Data Center in 2019.

For more information, please refer to http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757016/c8045053/content.html

China issues the Guide to the Building of National Standard
Framework for New Generation Artificial Intelligence

On August 7, 2020, the Standardization Administration and four
other government departments issued the Guide to the Building of
National Standard Framework for New Generation Artificial
Intelligence (“Guide”).

According to the Guide, the framework of standards for
artificial intelligence covers eight aspects, namely basic
generality, supporting technology and products, basic software and
hardware platforms, key general technologies, technologies in key
fields, products and services, industry application, and
safety/ethics.

The Guide requires that the top-level design of artificial
intelligence standardization be clarified by 2021, by which time
more than 20 key standards in key general technologies,
technologies in key fields, ethics, etc. should have been
preliminarily researched. By 2023, an artificial intelligence
standard system should have been initially established, focusing
on the development of key and urgently needed standards such as
those for data, algorithms and system services, and taking the lead
in manufacturing, transportation, finance, security, home
furnishing, elderly care, environmental protection, education,
healthcare, justice and other key industries and fields.

For more information, please refer to http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057497/n3057502/c8048365/content.html

NISSTC seeks public opinions on its proposed national standards
to identify the boundaries for Critical Information
Infrastructure

On August 10, 2020, the National Information Security
Standardization Technical Committee (“NISSTC”) released the
Information Security Technology – Method of Boundary Identification
for Critical Information Infrastructure (Draft for Comment)
(“Draft Method”) to seek public opinions.

The Draft Method provides that boundary identification for
critical information infrastructure (“CII”) is the further
analysis and sorting carried out after the competent authority has
identified the critical business: the CII operator identifies the
network facilities and information systems that are indispensable
for the continuous and stable operation of the critical business,
so as to provide a basis for protection, review and emergency
response.

The Draft Method provides six factors that should be considered
in identifying the boundaries of CII: critical business, network
facilities, information system, critical business information,
critical business information flow, and basic operation
environment.

  • Critical business is the core element and the basis for
    boundary identification of CII;

  • Critical business information is an indispensable information
    resource for the normal operation of critical business, and also a
    bridge and link for network facilities and information system to
    support the informatization for critical business;

  • Network facilities and information system design, collect,
    integrate, process, present, apply, store and destroy critical
    business information according to business operation logic and
    functions to support the automated, intelligent and efficient
    operation of critical business;

  • Critical business information flow is the flow process in the
    whole life cycle of critical business information. By sorting out
    the critical business information flow, network facilities and
    information systems supporting informatization for critical
    business can be obtained;

  • Basic operation environment refers to the safety equipment,
    safety measures, rules and regulations, machinery, plant, water,
    electricity, etc. supporting basic operation for critical
    business.

For more information, please refer to
https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20200810142946595318&norm_id=20200112070029&recode_id=39652

NISSTC seeks public opinions on the Method for Evaluating
Security Protection Capabilities of Critical Information
Infrastructure

On August 10, 2020, the National Information Security
Standardization Technical Committee (“NISSTC”) issued the
Information Security Technology – Method for Evaluating the
Security Protection Capabilities of Critical Information
Infrastructure (Draft for Comment) (“Draft Method”) for public
comments by October 9, 2020.

The Draft Method provides that the evaluation of the security
protection capabilities of critical information infrastructure
(“CII”) consists of three parts: capability domain level
evaluation, graded protection evaluation, and cryptography
evaluation. Before its security protection capability is evaluated,
the CII should first pass the corresponding graded protection
evaluation and related cryptography evaluation. The organization
then carries out the evaluation according to the evaluation content
and evaluation operation method, gives the judgment result and
grade for each evaluation index, determines the level of each
capability domain, and finally derives the security protection
capability level of the CII from the results of the capability
domain level evaluation and the graded protection evaluation.

For more information, please refer to https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20200810142946548146&norm_id=20200112070019&recode_id=39650

MIIT seeks public opinions on Guidelines on the Construction of
Data Security Standard System in Telecom and Internet
Industries

On August 11, 2020, the Ministry of Industry and Information
Technology (“MIIT”) issued the Guidelines on the Construction of
Data Security Standard System in Telecom and Internet Industries
(“Draft Guidelines”) to seek public opinions.

According to the Draft Guidelines, the data security standard
system of telecom and Internet industries includes four categories
of standards, namely the standards for basic generality, critical
technologies, security management and critical fields:

  • the standards for basic generality include definitions of
    terms, data security framework, and data category and
    classification;

  • the standards for critical technologies deal with data security
    technology from the dimensions of the entire life cycle, including
    data collection, transmission, storage, processing, exchange, and
    destruction;

  • the standards for security management include data security
    specifications, data security assessment, monitoring and early
    warning and handling, emergency response and disaster backup, and
    security capability certification; and

  • the standards for critical fields mainly include 5G, mobile
    Internet, connected-car, Internet of Things, Internet of Industry,
    cloud computing, big data, artificial intelligence, blockchain and
    other critical fields.

For more information, please refer to http://www.miit.gov.cn/n1278117/n1648113/c8050746/content.html

The Ministry of Justice: To strengthen protection of trade
secrets and confidential business information in administrative
licensing

On August 14, 2020, the Ministry of Justice (“MOJ”) issued the
Guiding Opinions on Strengthening the Protection of Trade Secrets
and Confidential Business Information in Administrative Licensing
(Draft for Comment) (the “Draft Opinions”) for public comments by
September 30, 2020.

The Draft Opinions provide that, when applying for an
administrative license, applicants shall expressly indicate their
trade secrets under the Anti-Unfair Competition Law or other laws
or regulations, as well as any business information that needs to
be kept confidential, and shall correctly identify the scope of
confidentiality.

When applicants submit application materials to the
administrative authorities, they must clearly indicate the key
points of confidentiality rather than treating all materials as
trade secrets and confidential business information. The
confidential information and the key points of confidentiality
should be clearly marked on the first page of the paper-based or
electronic materials submitted.

For more information, please refer to http://www.moj.gov.cn/government_public/content/2020-08/14/657_3254208.html

Shandong Province releases classification management rules on
health care big data

On August 25, 2020, the People’s Government of Shandong
Province issued the Measures for the Management of Health Care
Big Data in Shandong Province (the “Measures”), which will take
effect on October 1, 2020.

According to the Measures, health care big data falls into three
categories:

  • health care data involving trade secrets, personal privacy or
    other types of data which are not allowed to be accessed according
    to laws and regulations shall be categorized as inaccessible
    data;

  • health care data with higher requirements for data security,
    processing capacity, and timeliness or that needs to be acquired
    continuously shall be categorized as conditional accessible data;
    and

  • health care data other than the above two categories shall be
    categorized as unconditional accessible data.

The Measures also stipulate that:

  • for unconditional accessible data, citizens, legal persons and
    other organizations can access it through the health care big data
    platform.

  • for conditional accessible data, health care big data
    management institutions and data using organizations should sign
    data using agreements to access the data. The agreement shall
    specify the scope, conditions, data products, confidentiality
    responsibilities and security measures, etc. of the data.

  • for inaccessible data, it can be accessed after the consent of
    the relevant obligees or after the desensitization and
    declassification, unless otherwise provided by laws and
    regulations.

For more information, please refer to http://www.shandong.gov.cn/art/2020/8/25/art_107851_108458.html

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
