China Digital Economy - Monthly Policy Updates (September 2023)

The China-Britain Business Council will collaborate with LexisNexis as part of the working group programme to provide you with the latest updates on the digital economy, including case studies, insights, and analysis.
China Releases Draft Rules on Face Recognition Technology
On August 8, the Cyberspace Administration of China (CAC) released the Provisions on Security Management of the Application of Face Recognition Technology (for Trial Implementation) (Exposure Draft) for public consultation. These draft provisions have been prepared within the framework of the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China, and other laws and regulations to regulate the use of face recognition technology.
The draft provisions restrict the use of face recognition technology to scenarios where there is a specified purpose, sufficient necessity, and strict security measures in place.
Expert Comments
These draft provisions regulate those who utilize face recognition technology to process facial information or provide face recognition technology-based products or services within the territory of the People's Republic of China (PRC), which mainly involve users of face recognition technology and face recognition technology-based service and product providers.
The main content of the draft provisions covers the following: imposing a range of obligations on the above-mentioned entities, including, for the first time, a filing obligation; highlighting the security of facial information; emphasizing access requirements for equipment; refining the necessity principle; reaffirming specific consent; enhancing PIA obligations; requiring regular risk monitoring and assessments; defining behavioral boundaries; mandating cooperation with inspections and correction orders; and outlining special compliance requirements for various scenarios.
It is recommended that organizations identify their internal application scenarios for face recognition technology, as well as their role in the processing of facial information under the data laws. They should evaluate the potential impact of these provisions on their business or products, and conduct compliance self-checks against the list of obligations to identify any compliance gaps and develop a suitable rectification plan. Entities subject to the filing requirement under these provisions should review their methods of internal use, as well as the collection and storage volume of facial information, to prepare for the filing process.
Draft National Standard – "Information Security Technology – Data Security Risk Assessment Method" Released
[2023-08-21]
On August 21, the National Information Security Standardization Technical Committee (NISSTC) released the National Standard – "Information Security Technology – Data Security Risk Assessment Method" (Exposure Draft) for public consultation.
The Standard establishes the basic definitions, relationships between various factors, analysis principles, implementation process, and content of data security risk assessment, and clarifies the focus and approaches at each stage of the assessment. The Standard includes the following main content: relationships between various assessment factors, risk analysis principles, applicable scenarios, assessment implementation process, assessment content framework, assessment methods, assessment preparations, identification of data and data processing activities, data security risk identification, data security risk analysis and evaluation, assessment conclusions, and a data security risk assessment report template.
Draft National Standard – "Information Security Technology – Security Requirements for Processing of Key Data" Released
[2023-08-25]
On August 25, the National Information Security Standardization Technical Committee (NISSTC) released the National Standard – "Information Security Technology – Security Requirements for Processing of Key Data" (Exposure Draft) for public consultation. This Standard has been drafted to prevent the leakage, corruption, tampering, and abuse of key data.
The Standard outlines the security requirements for data processors in the processing of key data. It can also serve as a reference for relevant bodies when implementing security oversight or security assessment of data processing activities involving key data. The Standard includes the following main content: security requirements for the information systems and cloud platforms carrying key data, security requirements to be met at each stage of the processing within the entire data lifecycle, and security requirements for operation and management. It provides technical infrastructure support for data security protection in China, in particular the management of key data security protection.
Expert Comments
This Standard details the compliance obligations of processors of key data and sets forth multiple compliance requirements for the lifecycle management of key data and the related security organizational structure. For instance, regarding the collection of key data, the Standard mandates legality and compliance for data sources, and requires processors of key data to establish systems for classifying and grading data, as well as for identifying key data, and to prepare a list and catalog of key data. Regarding data transmission, provision, and trading, it requires the parties to execute legal documents specifying the data recipient's obligations in terms of data processing, and mandates evaluation and review before providing data to outside parties. The adoption of technical safeguards and cybersecurity measures during the data transmission process is also required to ensure the security of key data. When trading key data, it requires the recipient to be verified, the entire process audited, and measures such as blockchain employed to ensure traceability of the entire process.
In general, the release of this Standard offers more specific and detailed guidance for organizations in the field of data security. The requirements outlined in chapters such as "Organization and Personnel", "Data Governance Facilities", "Supply Chain Management", and "Emergency Response" provide clearer guidelines and directions for organizations when establishing a comprehensive data security system. This not only ensures the security of key data and enhances data security and orderly data flows, but also establishes a solid foundation for the sustainable development of organizations in the digital era.
Specially invited review experts in this issue:
Mr. Wang Yi, Partner and Head of Compliance Department of Zhide Law Firm
Practice areas: data compliance (including finance, medical, automobile, public utilities, government data, etc.), financial compliance, dispute resolution
Email: yi.wang@meritsandtree.com