The Ministry of Commerce launches pilot program on security management for cross-border data transfer
On August 14, 2020, the Ministry of Commerce
(“MOC”) issued the Master Plan for
Comprehensively Deepening the Pilot Program on Innovative
Development of Trade in Services
(“Plan”), covering 28 provinces and
municipalities directly under the Central Government (regions),
including Beijing, Tianjin and Shanghai, and the period for the
pilot program will be three years.
The Plan proposes to:
- establish dedicated Internet data channels in pilot areas where feasible, with the Ministry of Industry and Information Technology (“MIIT”) to formulate the relevant policies;
- explore a classification and supervision model for cross-border data flow and carry out the pilot program for cross-border data transfer security management; the Office of the Central Cyberspace Affairs Commission shall formulate the relevant policies, and the pilot program work for cross-border data transfer security management shall be implemented in pilot areas such as Beijing, Shanghai, Hainan and Xiong’an New Area;
- develop cross-border services such as big data collection, storage, processing, analysis, mining and trading based on the industrial Internet in pilot areas;
- explore rules and standards for data service collection, masking, application, trading, supervision, etc.;
- promote the commercialization and securitization of data assets, and explore the formation of new models for trading big data;
- carry out security assessment of cross-border data flow in pilot areas; and
- establish data security management mechanisms for data protection capability certification, data circulation backup review, cross-border data flow and transaction risk assessment, etc.; encourage international cooperation on digital rules in pilot areas and strengthen the protection of data.
For more information, please refer to http://images.mofcom.gov.cn/fms/202008/20200814092010665.pdf
China proposes to tighten controls on import and export of commercial cryptography products
On August 20, 2020, the State Cryptography Administration
released the Regulations for the Administration of Commercial
Cryptography (Draft for Comment) (“Draft
Regulations”) to solicit public opinions by September
19, 2020.
The Draft Regulations provide that the import of commercial cryptography listed in the “Commercial Encryption Import License List” and the export of commercial cryptography listed in the “Commercial Encryption Export Control List” shall be subject to the import and export license for dual-use items issued by the competent commercial department of the State Council.
According to the Draft Regulations, operators of networks and information systems such as unclassified critical information infrastructure, networks of Grade III or above (under the network graded protection regime), and national government information systems shall:
- use commercial cryptography for protection;
- formulate a commercial cryptography application scheme;
- have the necessary funds and professionals;
- plan, construct and operate the commercial cryptography safeguard system synchronously; and
- carry out a security assessment of the commercial cryptography application, either by themselves or through commercial cryptography testing institutions.
The above-mentioned network and information systems can be put
into operation only after the security assessment on commercial
cryptography application. After operation, the assessment shall be
conducted at least once a year, and the assessment results shall be
filed with the local municipal cryptography administrative
department.
The Draft Regulations provide that operators of networks and
information systems such as unclassified critical information
infrastructure, network of Grade III or above, and national
government information system should use commercial cryptography
products and services that have been tested or certified, and use
commercial cryptography technology listed in the Guidance
Catalog of Commercial Cryptography Technology.
The Draft Regulations stipulate that if operators of critical
information infrastructure purchase network products and services
involving commercial cryptography, which may affect national
security, they shall pass the national security examination
organized by the state cyberspace department, the state
cryptography department and other relevant departments according to
the law.
For more information, please refer to http://www.oscca.gov.cn/sca/hdjl/2020-08/20/content_1060779.shtml
China releases the revised Catalogue of Technologies Prohibited and Restricted from Export
On August 28, 2020, the Ministry of Commerce and the Ministry of
Science and Technology jointly released the revised Catalogue
of Technologies Prohibited and Restricted from Export
(“Catalogue”). The revisions of the
Catalogue removed 4 items of technologies prohibited from export,
removed 5 items of technologies restricted from export, added 23
items of technologies restricted from export, and revised technical
parameters of 21 items of technologies.
It is worth noting that, in the export restriction section, the
Catalogue adds “personalized information push service
technology based on data analysis” and “technology of
unmanned aerial vehicles”.
For more information, please refer to http://www.most.gov.cn/kjbgz/202008/t20200828_158546.htm
NISSTC seeks public opinions on the Information Security Technology – Cyber-data Process Security Specification
On August 31, 2020, the National Information Security
Standardization Technical Committee
(“NISSTC”) issued the Information
Security Technology – Cyber-data Process Security
Specification (Draft for Comment) (“Draft
Specification”) for public comments by October 27,
2020.
Highlights of the Draft Specification include:
Provision of data to others: Before providing
data to others, network operators should conduct security impact
analysis and risk assessment. If national security, public
security, economic security, and social stability will be
endangered, they must not provide the data to others.
Responsible person for data security: When network operators carry out business and service activities and collect important data and personal sensitive information, they should designate the person responsible for data security and provide that person with the necessary resources to perform their duties independently. The person in charge of data security should have professional knowledge of data security and relevant management experience, participate in important decisions related to data processing activities, and perform the following duties:
- organizing and determining the data protection catalog, formulating a data security protection plan and supervising its implementation;
- organizing and carrying out data security impact analysis and risk assessment, and supervising the rectification of security risks;
- reporting data security protection and incident handling to the cyberspace administration and relevant departments as required; and
- organizing the acceptance and handling of data security complaints and reports.
Transmission and storage: Network operators should take security measures for data transmission and storage activities, including:
- when transmitting important data and personal sensitive information, security measures such as encryption should be adopted;
- when storing important data and personal sensitive information, security measures such as encryption, secure storage, access control and security audits should be adopted; and
- the storage of personal information should not exceed the storage period agreed with the personal information subject, unless otherwise provided by laws and regulations.
The Draft Specification also provides special rules for the
protection of personal information in public health emergencies.
For example, in the process of providing information services, when
face recognition is used as the authentication method, other
authentication methods should be provided for users to choose in
principle. The original image that can extract the face recognition
information shall not be retained in principle when using face
recognition information for identity verification.
For more information, please refer to https://www.tc260.org.cn/front/postDetail.html?id=20200830094619
MIIT: No user’s consent, No commercial SMS or calls
On August 31, 2020, the Ministry of Industry and Information
Technology (“MIIT”) issued the
Administrative Regulations on Short Messages and Voice Call
Service (Draft for Comments) (“Draft
Regulations”) to seek public comments by September
30, 2020.
According to the Draft Regulations, any organization or
individual shall not send commercial short messages or make
commercial telephone calls to the user without his/her consent or
request, or if he/she has explicitly refused to receive such
SMS/calls. If the user does not explicitly agree, this shall be
deemed a refusal. If the user previously agreed but later explicitly
refuses, the sending of commercial short messages or
making of commercial telephone calls shall be terminated. If a short
message service provider sends port type commercial short messages,
it shall ensure that the relevant user has agreed or requested to
receive these messages and keep the user’s consent proof for at
least five months. A voice call service provider shall not make
platform commercial calls, or provide communication resources,
platform facilities and other conditions for organizations and
individuals who make commercial calls in violation of the Draft
Regulations.
Ministry of Culture and Tourism: Big data analysis and other technical means must not be abused to violate tourists’ rights
On August 31, 2020, the Ministry of Culture and Tourism issued
the Interim Provisions on Administration of Online Tourism
Business and Services
(“Provisions”), which will take effect
on October 1, 2020.
According to the Provisions, online tourism operators should
implement the graded protection system for cyber security, take
management and technical measures for cyber security, formulate
contingency plans for cyber security and organize regular trainings
according to the PRC Cybersecurity Law and other relevant
laws to ensure the normal development of online tourism business
and services.
Online tourism operators shall protect the tourists’ right
of comment and shall not arbitrarily shield or delete tourists’
comments on their products and services, nor shall they mislead,
induce, substitute or force tourists to make comments. Comments
made by tourists shall be saved and made public.
Online tourism operators should protect the security of
tourists’ personal information and other data, and clearly
indicate the purpose, method and scope of the collection of
tourists’ personal information in advance and obtain the
consent of the tourists.
Online tourism operators must not abuse technical means such as
big data analysis to set unfair trading conditions based on
tourists’ consumption records, travel preferences, etc., and
infringe on the legitimate rights and interests of tourists.
According to the Provisions, online tourism operators refer to
natural persons, legal persons and unincorporated organizations
engaged in online tourism business and services, including online
travel platform operators, operators on the platform, and operators
who provide travel services through self-built websites and other
network services.
For more information, please refer to http://zwgk.mct.gov.cn/auto255/202008/t20200831_874550.html?keywords=
Six government agencies call for recommendation of national green data centers in 2020
On August 6, 2020, the Ministry of Industry and Information
Technology (“MIIT”) and five other
government agencies issued the Circular on Organizing and
Implementing the Recommendation of National Green Data Centers
(2020) (the “Circular”).
According to the Circular, all regions shall recommend a batch
of well-managed and representative data centers featuring high
energy efficiency and advanced technology in major application
fields of data centers, such as manufacturing, telecommunications,
Internet, public institutions, energy, finance, and e-commerce, in
accordance with the Evaluation Indicator System for Green Data
Centers.
The Circular provides four basic conditions that a recommended data center shall meet:
- The owner of the data center shall have independent legal person status. The data center shall have clear property rights and shall abide by relevant laws, regulations, policies and standards in the process of construction and operation. In the past 3 years (or since establishment, if established less than 3 years ago), it has had no major safety incidents, environmental protection incidents or other incidents, and no other serious illegal or untrustworthy conduct as determined by judicial or administrative agencies;
- The data center shall have a clear and complete physical boundary, an independent power supply and distribution system, and a cooling system that meets the requirements of the Action Plan for Green and Efficient Refrigeration, and shall have been officially operating for one or more consecutive years as of the application date;
- The construction and layout shall meet the requirements of the Guiding Opinions on the Construction Layout of Data Centers, as well as the requirements of local construction planning and other local laws and regulations; and
- It is not included in the list of Special Supervision and Rectification for the Energy Efficiency of the Industrial Energy Conservation Supervision Data Center in 2019.
For more information, please refer to http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757016/c8045053/content.html
China issues the Guide to the Building of National Standard Framework for New Generation Artificial Intelligence
On August 7, 2020, the Standardization Administration and other
four government departments issued the Guide to the Building of
National Standard Framework for New Generation Artificial
Intelligence (“Guide”).
According to the Guide, the framework of standards for
artificial intelligence covers eight aspects, namely basic
generality, supporting technology and products, basic software and
hardware platforms, key general technologies, technologies in key
fields, products and services, industry application, and
safety/ethics.
The Guide requires that, the top-level design of artificial
intelligence standardization should be clarified by 2021, when more
than 20 key standards in key general technologies, technologies in
key fields, ethics, etc. have been preliminarily researched. By
2023, an artificial intelligence standard system should have been
initially established, focusing on the development of key and
urgently needed standards such as data, algorithms, system
services, and taking the lead in manufacturing, transportation,
finance, security, home furnishing, elderly care, environmental
protection, education, healthcare, justice and other key industries
and fields.
For more information, please refer to http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057497/n3057502/c8048365/content.html
NISSTC seeks public opinions on its proposed national standard to identify the boundaries of Critical Information Infrastructure
On August 10, 2020, the National Information Security
Standardization Technical Committee (“NISSTC”) released
the Information Security Technology – Method of Boundary
Identification for Critical Information Infrastructure (Draft for
Comment) (“Draft Method”) to seek
public opinions.
The Draft Method provides that boundary identification for
critical information infrastructure (“CII”) is the further
analysis and sorting that follows the competent authority’s
identification of the critical business, in which the CII operator
identifies the network facilities and information systems that are
indispensable for the continuous and stable operation of the
critical business, so as to provide a basis for protection, review
and emergency response.
The Draft Method provides six factors that should be considered
in identifying the boundaries of CII: critical business, network
facilities, information system, critical business information,
critical business information flow, and basic operation
environment.
- Critical business is the core element and the basis for boundary identification of CII;
- Critical business information is an indispensable information resource for the normal operation of critical business, and also the bridge and link through which network facilities and information systems support the informatization of critical business;
- Network facilities and information systems design, collect, integrate, process, present, apply, store and destroy critical business information according to business operation logic and functions, to support the automated, intelligent and efficient operation of critical business;
- Critical business information flow is the flow process across the whole life cycle of critical business information. By sorting out the critical business information flow, the network facilities and information systems supporting the informatization of critical business can be identified;
- Basic operation environment refers to the safety equipment, safety measures, rules and regulations, machinery, plant, water, electricity, etc. supporting the basic operation of critical business.
NISSTC seeks public opinions on the Method for Evaluating Security Protection Capabilities of Critical Information Infrastructure
On August 10, 2020, the National Information Security
Standardization Technical Committee
(“NISSTC”) issued the Information
Security Technology – Method for Evaluating the Security Protection
Capabilities of Critical Information Infrastructure (Draft for
Comment) (“Draft Method”) for
public comments by October 9, 2020.
The Draft Method provides that the evaluation of security
protection capabilities of critical information infrastructure
(“CII”) includes three parts: capability
domain level evaluation, graded protection evaluation, and
cryptography evaluation. Before the evaluation of the security
protection capability of CII, the CII should first pass the
corresponding graded protection evaluation and related cryptography
evaluation. Then, the organization should carry out the evaluation
according to the evaluation content and evaluation operation
method, give the judgment result and grade of each evaluation
index, get each capability domain level, and finally obtain the
security protection capability level of critical information
infrastructure based on the evaluation results of capability domain
level and graded protection.
For more information, please refer to https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20200810142946548146&norm_id=20200112070019&recode_id=39650
MIIT seeks public opinions on Guidelines on the Construction of Data Security Standard System in Telecom and Internet Industries
On August 11, 2020, the Ministry of Industry and
Information Technology (“MIIT”) issued the Guidelines
on the Construction of Data Security Standard System in Telecom and
Internet Industries (“Draft
Guidelines”) to seek public opinions.
According to the Draft Guidelines, the data security standard system of the telecom and Internet industries includes four categories of standards, namely the standards for basic generality, critical technologies, security management and critical fields:
- the standards for basic generality include definitions of terms, the data security framework, and data category and classification;
- the standards for critical technologies deal with data security technology from the dimensions of the entire life cycle, including data collection, transmission, storage, processing, exchange and destruction;
- the standards for security management include data security specifications, data security assessment, monitoring, early warning and handling, emergency response and disaster backup, and security capability certification; and
- the standards for critical fields mainly include 5G, mobile Internet, connected cars, Internet of Things, industrial Internet, cloud computing, big data, artificial intelligence, blockchain and other critical fields.
For more information, please refer to http://www.miit.gov.cn/n1278117/n1648113/c8050746/content.html
The Ministry of Justice: To strengthen protection of trade secrets and confidential business information in administrative licensing
On August 14, 2020, the Ministry of Justice
(“MOJ”) issued the Guiding Opinions
on Strengthening the Protection of Trade Secrets and Confidential
Business Information in Administrative Licensing (Draft for
Comment) (the “Draft Opinions”) for
public comments by September 30, 2020.
The Draft Opinions provide that, when applying for an
administrative license from an administrative authority, applicants
shall expressly indicate their trade secrets as defined under the
Anti-Unfair Competition Law or other laws and regulations, as well
as any business information that needs to be kept confidential, and
shall correctly identify the scope of confidentiality.
When applicants submit application materials to the
administrative authorities, they must clearly indicate the key
points of confidentiality, and must not generally treat all
materials as trade secrets and confidential business information.
Both the existence of such information and the key points of
confidentiality should be clearly marked on the first page of the
paper-based or electronic materials submitted.
For more information, please refer to http://www.moj.gov.cn/government_public/content/2020-08/14/657_3254208.html
Shandong Province releases classification management rules on health care big data
On August 25, 2020, the People’s Government of Shandong
Province issued the Measures for the Management of Health Care
Big Data in Shandong Province (the
“Measures”), which will take effect on
October 1, 2020.
According to the Measures, health care big data falls into three categories:
- health care data involving trade secrets, personal privacy or other types of data that may not be accessed according to laws and regulations shall be categorized as inaccessible data;
- health care data with higher requirements for data security, processing capacity and timeliness, or that needs to be acquired continuously, shall be categorized as conditionally accessible data; and
- health care data other than the above two categories shall be categorized as unconditionally accessible data.
The Measures also stipulate that:
- unconditionally accessible data may be accessed by citizens, legal persons and other organizations through the health care big data platform;
- for conditionally accessible data, health care big data management institutions and data-using organizations should sign data use agreements in order to access the data. The agreement shall specify the scope, conditions, data products, confidentiality responsibilities and security measures, etc. for the data; and
- inaccessible data may be accessed only with the consent of the relevant obligees or after desensitization and declassification, unless otherwise provided by laws and regulations.
For more information, please refer to http://www.shandong.gov.cn/art/2020/8/25/art_107851_108458.html
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.