Information/Technology - 21. page

On October 29, the Cyber Administration of China (CAC), China’s Internet regulator, released a draft regulation on the security assessment for data “leaving the country,” aiming to further tighten controls on the cross-border flow of data.

The draft regulation proposes that data operators should conduct a risk assessment before sending data outside the country. The assessment should include the quantity, scope, type and sensitivity of the data, as well as the risk that the outflow of the data may bring to national security, public interests and the legitimate rights and interests of individuals or organizations.

After the Chinese ride-sharing giant Didi Chuxing went public in the U.S. in late June, the CAC launched an immediate probe into the company and suspended its new user registration, citing “safeguards against national data security risks.”

The state media later claimed that the IPO of companies such as Didi in the U.S. would inevitably involve data leaving the country. The Data Security Law passed by China’s National People’s Congress in June prohibited them from providing domestically stored information to foreign law enforcement agencies.

According to the authorities, the draft regulation is based on China’s Cybersecurity Law, its Data Security Law, and its Personal Information Protection Law.

China’s Cybersecurity Law, which came into effect in 2017, already stipulates that critical information infrastructure operators shall store important data within China and shall conduct security assessments if they really need to provide it outside of China. The Data Security Law, which came into effect in September this year, specifies penalty standards for operators who provide important data outside of China in violation of the aforementioned provisions. The Personal Information Protection Law, which came into effect on November 1, stipulates that critical information infrastructure operators and personal information processors that handle personal information up to the amount specified by the state cyber authorities shall store the relevant personal information within China, and if they really need to provide it outside China, they must pass the security assessment conducted by the state cyber authorities.

That means that, several years ago, the Chinese government had already begun to regulate the way information processors stored data. It has also placed a higher threshold on the security assessment of data leaving the country.

The draft regulation stipulates several situations in which data processors should make a declaration of a security assessment to cyber authorities when providing data outside the country. 1) Outgoing data contains important information; 2) Data provided by operators that process personal information on up to one million people; 3) Data that contains personal information on more than 100,000 people or sensitive personal information on more than 10,000 people. The cyber authorities should complete the security assessment within sixty working days.

Source: People’s Daily Online, October 29, 2021
http://finance.people.com.cn/n1/2021/1029/c1004-32268844.html

Well-known new Chinese news site The Paper recently reported that a simple static portrait photo can be transformed into a video after special software processing. Such a video can be used in the facial recognition processes. Since China now regulates the use of mobile phone SIM cards, all SIM cards must be associated with real names. To battle the illegal use of static facial pictures, communications companies now require video responses to certain commands (like blinking) for authentication. Due to the high demand for SIM cards, some criminals are seizing the opportunity to forge people’s facial videos based on static pictures to pass the registration authentication processes. These videos are sold online in large volume for a few U.S. cents per face, which is coupled with actual personal profile information. Current Chinese laws do not specifically stipulate who has the right to collect facial information. Many companies now collect people’s facial information with very weak security measures for privacy protection. This has caused a massive loss of Personal Identifiable Information (PII) to hackers.

Source: The Paper, October 23, 2021
http://m.thepaper.cn/rss_newsDetail_15036994

On October 15, China’s top media regulator, the National Press and Publication Administration, issued a draft interim provision on “Continuing Education for Professional Journalists and Technical Workers.” The provision requires journalists, editors and other news personnel to receive no less than 90 hours of continuing education each year.

The provision states that the continuing education of journalists should “closely focus on the Chinese Communist Party’s (CCP’s) mission for journalism and public opinion work, carry out in-depth education on Marxist journalism,  …  and guide professional journalists and technical workers in using the correct political direction, public opinion and value orientation.”

The contents of the study include policies, regulations, and professional knowledge, as well as new theories and technologies needed for keeping up with the industrial trend. It will become an important qualification for journalists to receive promotions and press credentials.

The provision also emphasizes that doing so is conducive to the building of a team of politically committed, professional, and ethical journalists with whom “the party and the people can have peace of mind.”

This year, the Chinese government has further escalated control over the media. Earlier this month, China’s Development and Reform Commission released a draft of the “Market Access Negative List (2021 Edition),” which requires that private capital shall not engage in the news gathering, editing or broadcasting business.

Source: National Press and Publication Administration, October 15, 2021
http://www.nppa.gov.cn/nppa/contents/279/99411.shtml