Overview: In June 2023, significant developments in the TMT legal sector included new regulations and guidelines issued by various authorities. The CAC issued regulations on short-range self-organizing network services and published the first record list for deep synthesis service algorithms in China. The MIIT expanded the scope and procedures for administrative penalties. The SCA issued security evaluation measures for commercial cryptography. The SAMR issued antitrust guidelines for mergers and acquisitions and compliance rules for blind box operations. The SPC, SPP, and MPS jointly issued guidelines to address cyber violence. The NISSTC established standards for classifying cybersecurity incidents. Enforcement highlights included a joint report by the CSAC and CNCERT/CC on data collection by online video apps, and a data breach case under the Data Security Law that resulted in significant penalties. These updates underscore the growing regulatory focus on data security, network service management, antitrust compliance, and cybercrime, signaling the need for enhanced compliance measures across the TMT sector.

Part I – Regulations, Policies & Judiciary Interpretations

  1. The CAC Issues New Regulations to Regulate Short-Range Self-Organizing Network Information Services.

Recently, the Cyberspace Administration of China (CAC) announced the Administrative Regulations on Short-Range Self-Organizing Network Information Service (Draft for Comments) ("CAC Regulations"). The CAC Regulations regulates services that use information technologies like Bluetooth and Wi-Fi to quickly establish networks within proximity for the purpose of information exchange. Moreover, the CAC Regulations explicitly details the obligations of both providers and users of these short-range self-organizing network services.

According to the CAC Regulations, providers of short-range self-organizing network information services must assume specific security management responsibilities. These include:

  • Formulating security protocols and emergency response plans for cybersecurity incidents.
  • Implementing necessary security management systems and technical measures to enhance their ability to prevent risks.
  • Carrying out security assessments of new technologies that potentially shape public opinion or drive societal mobilization.
  • Reporting any unlawful or harmful information to the relevant regulatory departments promptly.

Furthermore, the CAC Regulations indicates that users of these short-range self-organizing network information services must not misuse such services to generate, replicate, distribute, or forward illegal or harmful information. It also prohibits users from engaging in unlawful activities such as network intrusion or data theft using these services. In instances where users receive illicit content, they have the right to report such information to the supervisory authorities.

  2. The MIIT Issues New Provisions on the Procedure for Administrative Penalties.

Recently, the Ministry of Industry and Information Technology (MIIT) issued the Regulations on Administrative Penalty Procedures for Industry and Information Technology ("Administrative Penalties Regulations"), which revise the current Regulations on Telecommunication Administrative Penalty Procedures ("2001 Regulations") and take effect on September 1, 2023. Compared to the 2001 Regulations, the Administrative Penalties Regulations introduce several updated requirements:

  • The scope of application has been broadened from telecommunications only to encompassing the entire sector of industry and information technology.
  • General provisions for administrative penalty procedures have been added, reflecting the requirements of the Administrative Penalty Law of the People's Republic of China.
  • The MIIT's jurisdiction has been clarified. The places of unlawful acts now unequivocally include the offender's place of residence, place of illegal operation, network access location, and the location where the offender's telecommunication and internet information services are licensed or recorded.
  • The general procedures have been adjusted and fine-tuned, with improvements made to the case filing standards and deadlines. The Administrative Penalties Regulations also details the requirements for evidence collection during law enforcement.
  • The procedures for law enforcement and case closure have been refined, offering clear directives for compulsory enforcement by the People's Court and establishing specific requirements for case closure.

  3. The SCA Issues New Administrative Measures on the Security of Commercial Cryptography

Recently, the State Cryptography Administration (SCA) promulgated the Administrative Measures for Commercial Cryptographic Testing Institutions (Draft for Comment) and the Administrative Measures for the Security Assessment of Commercial Cryptographic Applications (Draft for Comment) (collectively, "Security Assessment Administrative Measures"). The Security Assessment Administrative Measures are intended to strengthen oversight of commercial cryptographic testing institutions and to standardize commercial cryptographic testing activities as well as security assessments of commercial cryptographic applications.

The requirements for security assessment of commercial cryptographic applications are as follows:

  • "Important networks and information systems" refer to those networks and systems which are legally required to implement protection via commercial cryptography.
  • Prior to deploying important networks and information systems, operators are obligated to conduct a security assessment of commercial cryptographic applications, either independently or by commissioning a licensed commercial cryptographic testing institution.
  • After the deployment, operators of important networks and information systems are required to undertake a security assessment of commercial cryptographic applications at least once per year.
  • All original records and assessment reports from the security assessment of commercial cryptographic applications must be archived and preserved in a manner that ensures traceability, with a minimum retention period of six years.
  • Within 30 days following the completion of the assessment reports, the operator is required to submit the reports, among other materials, to the SCA or the respective local cryptography administrative department where the network and information system is located, for record-keeping purposes.

  4. The SAMR Issues New Antitrust Compliance Guidelines on M&A

Recently, the State Administration for Market Regulation (SAMR) issued the Antitrust Compliance Guidelines on Mergers and Acquisitions (Draft for Comments) ("Antitrust Guidelines"). The Antitrust Guidelines consist of general provisions, core principles of the M&A review system, identification and management of compliance risks, safeguards for compliance management, and supplementary provisions. The Antitrust Guidelines specify six principal categories of M&As that should be declared for antitrust review:

  • A merger with an enterprise that generated a turnover exceeding 400 million RMB within China during the prior fiscal year.
  • Acquisition of equity or assets from an enterprise with a turnover exceeding 400 million RMB in China during the preceding fiscal year.
  • Joint acquisition of equity or assets from an enterprise that generated a turnover exceeding 400 million RMB in China during the preceding fiscal year.
  • Gaining control of, or the capacity to exert significant influence over, an enterprise with a turnover exceeding 400 million RMB in China during the preceding fiscal year, through contractual arrangements or other methods.
  • Formation of a new joint venture with an enterprise that generated a turnover exceeding 400 million RMB in China during the preceding fiscal year.
  • M&As involving enterprises where the transaction value is considerable, or which may substantially influence the market, and that have attracted considerable industry attention.

  5. The SAMR Issues New Compliance Guidelines for Blind Box Operations

Recently, the State Administration for Market Regulation promulgated the Compliance Guidelines on Blind Box Operation (for Trial Implementation) ("SAMR Guidelines"), which came into effect on June 8, 2023. The SAMR Guidelines set forth clear compliance obligations for entities operating blind box businesses and for online trading platforms conducting blind box transactions. These obligations cover clear disclosure of prices, the probability of drawing each blind box item, product style variations and the range of product values, as well as the establishment of a corporate quality assurance system.

Compared to the draft for public comments issued on August 16, 2022, the SAMR Guidelines have introduced the following amendments:

  • The sale of certain cosmetics and food products has been restricted through the prohibitive lists for blind box sales.
  • The introduction of a 'factory probability sampling' mechanism to aid administrative bodies in verifying the consistency between the predetermined probability of blind box selection and the actual draw outcomes.
  • The requirement that companies wishing to decline consumer returns within seven days post-sale must first fully disclose this condition to the consumer and obtain their consent before completing the transaction.
  • The prohibition of blind box sales to minors under eight years old. In instances where blind boxes are sold to minors aged eight and above, companies must clearly notify the relevant guardians and obtain their consent.

  6. The SPC, the SPP, and the MPS Solicit Public Opinions on the Guiding Opinions on Disciplining Cyber Violence Crime.

Recently, the Supreme People's Court, the Supreme People's Procuratorate, and the Ministry of Public Security jointly issued the Guiding Opinions on Disciplining Cyber Violence Crime (Draft for Comments) ("Guiding Opinions"). The Guiding Opinions clarify that network service providers who refuse to fulfill their information network security management obligations against cyber violence for the purpose of hype creation or clout-chasing will be penalized under the offense of failing to fulfill information network security management obligations.

Additionally, the Guiding Opinions highlights that stricter penalties should be levied on cyber violence crimes that meet any of the following criteria:

  • Crimes specifically targeting minors or individuals with disabilities;
  • Organizing "internet trolls" or creating fictitious "sex-related" topics that infringe upon the dignity of others;
  • Employing "deepfake" technology to disseminate illicit or inappropriate information that contravenes public decency, ethics, or morals;
  • Crimes that are initiated or organized by network service providers themselves.

Part II - Sectorial Standards & Practice Guidance

  1. The CAC Announces the Record Information on Deep Synthesis Algorithms

On June 20, 2023, the Cyberspace Administration of China (CAC) issued a circular regarding the record information for deep synthesis service algorithms. It is the first record list for deep synthesis service algorithms in China issued by the CAC. The list contains 41 distinct deep synthesis algorithms from 26 companies.

As indicated by the record list, deep synthesis technology is applied across a broad range of scenarios. These include, but are not limited to, AI customer service, image generation, dialogue generation, video production, audio synthesis, real-time communication, multi-modal content generation, text composition, speech-to-text conversion, video conferencing, and facial image/video editing.

  2. The NISSTC Issues Guidelines on Classification of Cybersecurity Incidents

Recently, the National Information Security Standardization Technical Committee (NISSTC) officially released the Guidelines for the Classification and Grading of Cybersecurity Incidents ("NISSTC Guidelines"). The NISSTC Guidelines set out the methodology for categorizing cybersecurity incidents and assigning them to tiers, defining both the types and the gradations of such incidents.

  • Cybersecurity Incident Categories: Taking into account factors such as the origin of the incident, the associated threat, the method of attack, and the consequences of the damage, incidents are divided into ten categories: malicious software, cyberattacks, data security, information content security, equipment and infrastructure failures, regulatory violations, security endangerment, anomalous behavior, force majeure circumstances, and other miscellaneous incidents.
  • Cybersecurity Incident Levels: Based on three grading factors, namely the significance of the affected entities, the extent of business loss, and the magnitude of societal harm, cybersecurity incidents are classified into four tiers. From highest to lowest, these are particularly significant incidents (Level One), major incidents (Level Two), considerable incidents (Level Three), and general incidents (Level Four).

Part III - Enforcement Highlights

  1. The CSAC and the CNCERT/CC Publish a Report on the Collection of Personal Information in Online Video

Recently, the Cyber Security Association of China (CSAC) and the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) jointly conducted an evaluation of personal data collection practices in a range of heavily used "Online Audio and Video" applications. A report presenting the findings of this assessment was issued on June 12, 2023.

The study examined eight "Online Audio and Video" applications, each with more than 100 million downloads across 19 application platforms. The assessment focused on three core dimensions: invocation of system permissions, uploading of personal data, and network upload traffic.

The report finds that the majority of the applications overstep the principles of data minimization and necessity in relation to their fundamental business functions. These "Online Audio and Video" applications are primarily designed to let users search for and play music and films, functions that do not inherently require the collection of personal information.

Nonetheless, the investigation found that all the examined applications collected personal data during music and video searches, including details such as the users' location and unique device identifiers. Such data collection was determined to be non-compliant with the rules stipulating that only the minimum personal information necessary for an application's basic functions may be collected.

Part IV - Court Judgments

  1. Uploading Data to the Public Cloud without Sufficient Protection Measures May Lead to Legal Consequences.

Recently, a local public security bureau in a city in Zhejiang province disclosed a case concerning a significant data breach. The incident occurred during the development of an information management system for a government department: a company, without securing the necessary approval from the department concerned, transferred the department's sensitive operational data to a public cloud server that the company had rented from a third party.

Despite the sensitive nature of the data, the company did not undertake any security measures throughout the process, thereby causing a significant data leak. The public security bureau determined that the company failed to institute a comprehensive data security management mechanism or implement the essential technical measures to ensure data protection.

In conclusion, the local public security bureau found the company in violation of the Data Security Law and proceeded to levy administrative penalties accordingly. The company was fined RMB 1 million, the project director received a fine of RMB 80,000, and the individual directly responsible was penalized with a fine of RMB 60,000.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.