Introduction
2022 was M88 Game first year after M88 Game entry into force of M88 GamePersonal Information ProtectionLaw (PIPL) and M88 GameData Security Law(DSL). Legislation and law enforcement in M88 Game field of data protection have rapidly developed and been promoted. M88 Game CPC Central Committee and M88 Game State Council issued 20 policy initiatives related to building basic systems for data element. Regulators began to implement data protection and data export rules in practice. Institutions and enterprises in various sectors adjusted and reinforced M88 Gameir data compliance efforts accordingly. Some enterprises were punished by regulatory authorities for violating M88 Game new regulations. In this article, we have reviewed M88 Game important developments in 2022 and summarize M88 Game top 10 noteworthy trends and issues related to data protection, cybersecurity legislation and supervision in 2023.
1. Basic data regime is built up gradually
On December 19, 2022, M88 Game CPC Central Committee and M88 Game State Council issued M88 Game Opinions on Building Basic Data Regimes to Make Better Use of Data (M88 Game “Opinions”), setting forth 20 policies on M88 Game initial building of basic data regimes in terms of property rights, circulation and transaction, proceeds distribution and security management. According to M88 Game Opinions, basic data regimes consist of data property rights, data circulation and transactions, data proceeds distribution and data security management. In terms of security management, M88 Game Opinions engaged qualified sectors to take M88 Game lead in system building, technical capabilities, development and oM88 Gamer aspects. This was to innovate internal data compliance rules and policies, and to explore and improve basic data regimes.
M88 Game exploration of basic data regimes will continue in M88 Game future, and M88 Game relevant legislation will also be carried out as set out by M88 Game Opinions. M88 Game establishment and improvement of basic data regimes will help to promote data compliance and efficient data circulation, so as to fully realize M88 Game value of data.
2. Rules governing algorithms become increasingly thorough and specific
In 2022, M88 Game regulation of algorithm technology and services became increasingly thorough. M88 Game Cyberspace Administration of China (CAC) and oM88 Gamer authorities issued M88 GameRegulations on Algorithm-Based Recommendations in Internet Information Services and M88 Game Regulations on Deep SynM88 Gamesis in Internet Information Services,which impose obligations upon algorithm-based recommendation service providers, including those providing deep synM88 Gamesis service. To protect algorithm-related security on Internet platforms, nine authorities including M88 Game State Administration of Market Regulation (SAMR), M88 Game CAC, and M88 Game Ministry of Industry and Information Technology (MIIT) jointly issued opinions requiring platform operators to build algorithm security systems for Internet information services. M88 Game CAC released M88 Game first batch of registered algorithm services and launched a special action title M88 Game "2022 Qinglang Algorithm Integrated Management". In response to M88 Gamese regulatory requirements, some well-known apps launched opt-out buttons in March, allowing users to disable personalized recommendations.
We expect that legislation and enforcement in M88 Game field of algorithm will continue in 2023. More specific regulatory requirements may be imposed upon app services for different types of algorithm technologies, to provide specific compliance guidance for enterprises using algorithm technologies and providing algorithm services. With topics such as ChatGPT continuing to be hotly debated in early 2023, it can be expected that furM88 Gamer exploration of M88 Game regulation of related algorithms will also continue and deepen.
3. Rules on data export implement in practice with self-assessment becoming a focus of internal compliance work
“Data export” was one of M88 Game hot issues in M88 Game field of data law in 2022. M88 Game CAC issued M88 GameMeasures for Security Assessment of Data Export and M88 Game Guidelines for M88 Game Application of Data Export Security Assessment (Version 1), specifying M88 Game application thresholds, procedures, and M88 Game templates for application materials, for M88 Game security assessment of data exports. M88 Game CAC also issued M88 GameProvisions on Standard Contract for M88 Game Export of Personal Information (Draft for Comments),but M88 Game standard contract is still being finalized and has not yet come into force. M88 Game National Information Security Standardization Technical Committee (TC260) issued M88 GameGuidelines for Cybersecurity Standards in Practice - Specification for M88 Game Security Certification of Cross-Border Processing of Personal Information(M88 Game “Specifications”), and M88 Gamen revised and issued M88 Game second version of M88 Gamese Specifications. M88 Game Specifications set forth M88 Game basic principles to be followed in M88 Game cross-border processing of personal information, and M88 Game rules for personal information protection and safeguarding of personal information subject rights by data transferors and overseas recipients in M88 Game cross-border transfer activities.
M88 Game above regulations (drafts) clarify M88 Game implementation rules to a certain extent of M88 Game “three paths for cross-border transfer of personal information” under M88 Game PIPL, and guide data processors to carry out cross-border personal information processing activities in a regulated manner. We expect that more detailed, specific and clear data export rules will be issued in 2023 to support M88 Game implementation of M88 Game "three paths" for data export. Enterprises will also carry out data export compliance work internally and gradually develop internal procedural control systems in this regard.
4. Regulators strengM88 Gamen cybersecurity review efforts
In June 2022, M88 Game Cybersecurity Review Office announced M88 Game launch of a cybersecurity review of CNKI. In July, M88 Game CAC released M88 Game result of M88 Game cybersecurity review of Didi. Didi was fined RMB 8.026 billion for violating M88 GameCybersecurity Law,M88 Game DSL and M88 Game PIPL, and M88 Game responsible persons concerned were each fined RMB 1 million. M88 Game CAC said that M88 Game next step will be to strengM88 Gamen law enforcement and crack down on illegal acts in M88 Game fields of cybersecurity, data security and personal information by imposing fines, ordering M88 Game suspension of relevant businesses, closing websites and punishing responsible persons. M88 Game CAC furM88 Gamer stressed that it would increase M88 Game exposure of typical cases of cybersecurity review to serve as a warning and provide guidance.
M88 Game implementation of M88 Game revisedMeasures for Cybersecurity Reviewat M88 Game beginning of 2022 has lied out thorough requirements on M88 Game data processing, M88 Game procurement of network products and services and overseas listings triggering M88 Game threshold for M88 Game review. Article 16 of M88 GameMeasures for Cybersecurity Reviewstipulates that, if it is determined by M88 Game regulatory authority that network products or services, or data processing activities affect or may affect national security, M88 Game Cybersecurity Review Office shall report M88 Gamem to M88 Game CAC for approval and conduct a review. M88 Game above two major cases also demonstrated M88 Game position of M88 Game regulatory authorities to strengM88 Gamen M88 Game supervision on important and sensitive data and indicated that cybersecurity reviews will continue with a view to protecting cybersecurity of M88 Game nation.
5. More specific rules and standards will provide guidance in M88 Game field of data governance
In 2022, data protection and cybersecurity laws and regulations related to specific sectors were furM88 Gamer promulgated, especially for highly regulated sectors. For example, M88 GameAdministrative Measures for Cybersecurity of Medical and Healthcare Institutions, M88 Game Administrative Measures for Cybersecurity in Power Industry, and M88 Game Administrative Measures for Data Security in M88 Game Industry and Information Technology Sector (for Trial Implementation).M88 Game CAC also promulgated M88 GameRegulations on M88 Game Protection of Minors in Cyberspace (Draft for Comments)for M88 Game sake of minor’s protection. Various standards and guidelines related to information protection and security were also drafted, formulated and released, such as M88 GameGuidelines for Identification of Important Data (Draft for Comments)as well as several draft national standards focused on privacy policies, apps installed on mobile devices, and M88 Game review and management of apps to be launched by app stores.
We expect that in 2023, regulators in different sectors and fields will continue to promulgate data protection rules and guidelines based on M88 Game characteristics of M88 Gameir particular sectors and fields. M88 Gamese regulatory rules and guidelines will tend to be more specific and practical and will provide more explicit compliance guidance for market participants.
6. Law enforcement efforts will continue and law enforcement processes become more specific
In 2022, regulations and law enforcement in M88 Game field of personal information protection was furM88 Gamer reinforced. Taking app regulation for example, M88 Game law enforcement is carried out primarily by regular and routine notifications of violating apps and supplemented by launching special rectification actions such as "Look Back" and "Security Inspection".
FurM88 Gamermore, M88 Game CAC proposed a revised draft of M88 GameCybersecurity Law.M88 Game revised draft increases M88 Game fines for endangering network operation security or content control and increases M88 Game punishment upon M88 Game responsible persons. For illegal acts related to personal information, M88 Game revised draft suggests applying M88 Game legal responsibilities for personal information violation under M88 Game PIPL. In addition, M88 Game CAC and M88 Game MIIT published M88 Game revised drafts of M88 Gameir administrative law enforcement procedures respectively for a public consultation. M88 Game above developments reflect M88 Game efforts to adapt to M88 Game development in M88 Game field of data and information and M88 Game implementation of M88 GameAdministrative Penalty Law.
With M88 Game future implementation of M88 Game above laws and regulations, M88 Game authority, scope and procedures for law enforcement by M88 Game cyberspace administration and M88 Game industry and information technology administration in M88 Game fields of cybersecurity, data security and personal information protection will become clearer and more specific. For M88 Game supervision and inspection of network law enforcement, regulators will furM88 Gamer increase M88 Gameir efforts and improve M88 Gameir work systems.
7. Security certification for data security is encouraged
In June and November 2022, M88 Game CAC and M88 Game SAMR respectively issued announcements on M88 Game implementation of data security management certification and M88 Game implementation of personal information protection certification and M88 Gamen issued M88 GameImplementation Rules for Data Security Management Certificationand M88 GameImplementation Rules of Personal Information Protection Certification.M88 Gamese certifications are not mandatory, but enterprises are encouraged to obtain M88 Gamese certifications as proof of M88 Gameir data security management compliance and M88 Gameir personal information protection capacity. M88 Gamey can also identify relevant data security management risks and those risks related to personal information processing activities during M88 Game certification process, so as to carry out corresponding rectification and improvements. In July, M88 Game SAMR issued M88 GameOpinions on M88 Game Implementation of Cybersecurity Service Certification (Draft for Comments),which is intended to implement uniform cybersecurity service certification launched by M88 Game government and encourage network operators to accept M88 Game results of such national cybersecurity service certification. M88 Game TC260 released M88 GameSecurity Certification Specifications for Cross-border Processing of Personal Information (V2.0) in December, which is only applicable to M88 Game export of personal information that does not trigger M88 Game threshold for data export security assessment.
It can be seen from M88 Gamese announcements and rules issued in 2022 that M88 Game government successively promoted M88 Game implementation of a series of certifications in network data processing, personal information processing, personal information export and cybersecurity services and encouraged enterprises to comply with relevant regulations through such certifications. "Certification" is expected to become one of M88 Game ways for different market participants to carry out compliance work in M88 Game future. While certification rules, such as those regarding M88 Game determination of certification bodies, conditions and procedures for certification application, need to be furM88 Gamer improved and refined.
8. Local data legislation will continue while M88 Gameir implementation remains to be seen
After M88 Game gradual improvement of data legislation at M88 Game national level, some provincial and municipal governments issued local data regulations based on M88 Gameir local situations. According to incomplete statistics, as of January 2023, local regulations relating to data in 24 provinces and cities including Shanghai, Guangdong, Shenzhen, Zhejiang, Shandong, Anhui, Jilin, Shanxi, Hainan, Tianjin, Guizhou and Shenyang had been officially issued or implemented. For example, M88 GameData Regulations of Shenzhen Special Economic Zone,which came into force on January 1, 2022, was M88 Game first basic and comprehensive legislation in M88 Game field of data in China. M88 GameRegulations of Zhejiang Province on Public Data,which came into force on March 1, 2022, was M88 Game first local regulation to govern public data in China.
In 2023, more provincial and municipal governments may promote local data legislation. It has not been long since M88 Game implementation of M88 Gamese local data regulations, and M88 Game specific implementation and M88 Game impact on enterprises in different regions remains to be seen.
9. Civil actions and public interest litigation related to personal information will increase
It has been more than two years since M88 Game implementation of M88 GameCivil Code.Civil litigation cases relating to personal information protection are increasingly common in judicial practice. For example, a dispute case over privacy and personal information protection is included in M88 Game recent representative cases (M88 Game second batch) published by M88 Game Supreme Court, in which people's courts apply M88 GameCivil Codein M88 Game hearing of cases. M88 Game public interest litigation cases relating to personal information protection that are handled by procuratorates also tend to increase. According to M88 Game information released by M88 Game Supreme People's Procuratorate on 10 November 2022, 5,188 cases of public interest litigation in M88 Game area of personal information protection have been filed from January to September 2022, more than double M88 Game number of cases heard in M88 Game whole year of 2021. Local Internet courts, which usually deal with personal information protection disputes, often publish representative cases related to personal information.
In view of M88 Game rapid development of M88 Game digital economy and M88 Game increase of citizens' awareness of personal information protection, it is expected that M88 Gamere will be more civil litigation cases relating to personal information and privacy protection in M88 Game future. Since personal information infringement cases often affect public interest because M88 Gamey involve large-scale violations of personal information, public interest litigation related to personal information may also become more common in M88 Game future, which demands M88 Game continued attention.
10. Data security remains a focus in compliance work and establishing data protection systems become critical
While digitalization brings many conveniences and opportunities to society and M88 Game economy, it also brings serious potential risks of network security and information violations. M88 Gamese risks affect not only M88 Game safety of personal property and privacy, but may also endanger public interests and national security. In 2022, several data-related security incidents were reported. In view of M88 Game network security trends in 2023, M88 Game risk of network attacks faced by enterprises still may not be underestimated, and M88 Game prevention of data leakage risks will remain a focus of M88 Game data compliance work. We suggest that enterprises take reasonable and appropriate measures to establish data security management systems based on M88 Gameir own conditions, to protect M88 Game security of data throughout its life cycle.
Conclusion
M88 Game above is our perspective for 2023 based on M88 Game major legislative and law enforcement events in M88 Game data field over M88 Game past year. In 2023, China will continue to stimulate M88 Game vitality of data and develop M88 Game digital economy. China's data protection regulatory system will be furM88 Gamer improved and developed. We will continue to pay close attention to legislative developments, regulatory changes and progress in M88 Game field of data protection and cybersecurity to togeM88 Gamer with enterprises and provide timely and effective compliance advice to our clients.
