China Newsletter | Spring 2020/Issue No. 46
Measures for Reporting of Information on Foreign Investment Released
China’s new Foreign Investment Law formally took effect on Jan. 1, 2020. Prior to the Foreign Investment Law’s effective date, several related regulations were issued to coincide with it, including the Measures for Reporting of Information on Foreign Investment (the Measures), jointly issued by the Ministry of Commerce and the State Administration of Market Regulation. Like the Foreign Investment Law, the Measures became effective Jan. 1, 2020, and seek to clarify certain issues with respect to the foreign investment reporting system, which replaces the previous filing and annual report system for foreign invested enterprises.
Key provisions of the Measures:
The Measures are an important component of the new regulatory regime on foreign investment established under the Foreign Investment Law. They simplify the foreign investment entry management process and may reduce the burden on foreign invested enterprises.
SAMR Invites Public Opinion on the Draft Amendment to the Anti-Monopoly Law
On Jan. 2, 2020, the State Administration of Market Regulation (SAMR) published the draft amendment to the anti-monopoly law (Draft) for public opinion. This is the first time the government proposed major changes to the current Chinese Anti-Monopoly Law (AML), which has been in effect since 2008.
There are notable changes under the Draft:
Adding a definition of “control” in merger reviews. The concept of control is a core issue in merger review but is not clearly defined in the current AML. In practice, SAMR has published guidelines setting out the elements of “control” to help companies determine whether a transaction requires SAMR’s approval. Under the Draft, “control” refers to the right or actual ability of an operator, directly or indirectly, alone or jointly, to have or possibly have a decisive influence on the production and operation activities or other major decisions of other operators. The concept of “major decision” under the Draft remains broad and may cause confusion in practice.
Adjustment to notification thresholds in merger control. The current notification threshold, published by the State Council in 2008, is too low, with the result that even small and medium-sized deals by large companies require approval from SAMR. Under the current AML, the notification thresholds must be set by the State Council. The Draft proposes to grant SAMR the right to adjust the thresholds in a timely manner as the economy develops.
Prohibition on companies aiding or abetting other companies to engage in a monopoly agreement. The Draft introduces a new article which prohibits operators from aiding and abetting other operators in forming a monopoly agreement. The newly added article is intended to make up for those complex monopoly arrangements where certain companies may escape from penalty due to a lack of clear rules. A typical example is in the automobile business, where a manufacturer may attempt to organize its distributors to have meetings and encourage them to reach a monopoly agreement to control the resale price.
Special considerations for internet industry in determining market dominance. The Draft adds an article saying that for determining whether an internet business operator holds market dominance, elements including network effects, economies of scale, lock-in effects, and the ability to master and process relevant data should be considered. This article is in response to the recent cases of internet giants, and it is expected that the authority will give detailed guidelines in this regard in the future.
Significant increases in maximum fines for antitrust violations. The current AML has low statutory maximums for monetary penalties for antitrust violations. For example, for monopoly agreement and merger control violations, the current maximum fine is RMB 500,000, while in the Draft, the fine for monopoly agreement can be up to RMB 5 million, and for merger control, the fine can be up to 10% of the company’s revenue in the previous year.
SAMR Solicits Comments on Interim Provisions on Merger Review
To further improve the anti-monopoly legal system and standardize the process of merger review, the SAMR released the draft Interim Provisions on Merger Review (the Draft) on Jan. 7, 2020, for public comment.
The Draft mainly consolidates several rules and notices in relation to merger control previously issued by SAMR and does not propose any substantial changes to the merger review process. However, the Draft encourages companies to apply to SAMR for consultation on issues related to the relevant deal before the formal notification and to proactively provide relevant documents and materials that facilitate the review process. The Draft may be further elaborated following implementation of the amendment to the Anti-Monopoly Law.
Amended Personal Information Security Specification Officially Released
On Mar. 6, 2020, the National Information Security Standardization Technical Committee released an updated version of the recommended national standard Personal Information Security Specification (GB/T 35273-2020) (the New Specification), the most basic and important national standard on personal information protection. The New Specification will take effect and replace the existing specification on Oct. 1, 2020, and imposes higher requirements on enterprises’ personal information protection mechanisms.
The highlights of the New Specification are as follows:
Strengthens the protection of personal biometric information. The New Specification imposes stricter requirements on the collection, storage, sharing and disclosure, etc. of personal biometric information (e.g., facial identification features, iris, fingerprints). Pursuant to the New Specification, (i) before collecting biometric information, a controller shall independently inform the information owner of the purpose, method and scope, etc., of collecting and using biometric information, and obtain the express consent of the information owner; (ii) regarding storage, a controller shall adopt encryption and other security measures to separately store biometric information and personal information, and in principle, shall not store the original biometric information; (iii) in terms of sharing/transfer, the biometric information shall, in principle, not be shared or transferred; if sharing and transfer are necessary due to business needs, the controller shall still separately inform the information owner of the purpose, information type, and other content, and obtain the express consent of the information owner; and (iv) biometric information shall not be disclosed publicly.
Provides data subjects with more control. The New Specification adds provisions prohibiting the controller of personal information from bundling multiple business functions in order to force the data subject to give a one-time consent to the collection of his or her personal information. A business function is defined as a service that meets a specific need of the data subject (such as navigation, car hailing, instant messaging, online shopping and payments). Correspondingly, the controller must solicit consent for each collection function separately, and may only collect personal information directly related to the specific function authorized by the subject.
Clarifies procedures for account deactivation. According to the New Specification, the controller shall provide its users with a simple and convenient way to deactivate their accounts. In particular, the controller must avoid setting up unreasonable conditions or procedures during account deactivation or collecting unnecessary personal information for the purpose of verifying users’ identities. Controllers shall delete or anonymize users’ personal information after the account deactivation. Even if certain personal information must be retained pursuant to laws and regulations, such personal information should not be used in daily business activities.
Regulates use of user portraits/profiles and personalized displays. The New Specification regulates the use of user portraits/profiles and the commercialization of data used for personalized displays, including but not limited to the following requirements: (i) the use of user portraits/profiles shall not infringe the rights and interests of citizens, legal persons and other organizations, or damage national security, honor and interests; (ii) the direct use of user portraits/profiles shall be avoided to the extent possible in the course of business operations or cooperation with third parties; and (iii) users shall be given the option to opt out of personalized presentation.
Collection and Use of Personal Information by Mobile Internet Applications: Public Opinion Sought on Guiding Documents
On Jan. 15, 2020, the China Information Security Standardization Technical Committee (CISSTC) issued the Information Security Technology - Basic Specifications for Collecting Personal Information in Mobile Internet Applications (Draft for comments) (the Specifications), seeking public opinion. The public comment period ended on Mar. 20, 2020. The Specifications provide compliance guidelines for the collection and use of personal information by mobile internet applications (Apps).
The Specifications make clear that when an App operator uses third-party code or plug-ins to provide a specific function, and the third-party code or plug-in collects personal information in a way that the owner of the personal information cannot refuse, the App operator should ensure that the third-party code or plug-in fulfills its obligation to protect the personal information and should prevent the third-party code or plug-in from collecting irrelevant personal information.
The Specifications further clarify that App operators should pay attention to program compliance during collection, use, storage, etc. For instance, during the storage and use of personal information, the App operator shall give priority to storing and using the collected personal information in the “user’s terminal” and shall send the personal information to the “back-end server” at the lowest reasonable frequency necessary to realize the service.
Based on the Specifications, in Mar. 2020 the secretariat of CISSTC further issued the Practical Guide to Cyber Security Standards: Guide to Self-evaluation of Collection and Use of Personal Information by Mobile Internet Applications (App) (Draft for Comment) (the Self-evaluation Guidelines) and the Practical Guide to Cyber Security Standards: Guidelines for the Safety Protection of Personal Information on Mobile Internet Applications (App) (Draft for Comment) (the Safety Guidelines). The public comment period ended on Apr. 2, 2020. The Self-evaluation Guidelines provide self-assessment standards for Apps in six respects, for example whether the rules for collecting and using personal information are disclosed, and whether the purpose, method and scope of collecting and using personal information are explicitly stated. The Safety Guidelines identify specific noncompliance issues of Apps, such as overbroad collection of personal information and failure to provide deactivation channels, and their corresponding prevention strategies.
People’s Bank of China Releases Personal Financial Information Protection Technical Specification
On Feb. 13, 2020, the People’s Bank of China (China’s Central Bank) released the Personal Financial Information Protection Technical Specification (the Specification), which took immediate effect. Although the Specification is not mandatory, it constitutes a recommended industry standard and sets out best practices for handling personal information in the financial industry. The Specification applies to financial institutions that provide financial products and services (including their vendors or suppliers that assist in processing personal financial information) (collectively defined as “Financial Industry Entities”), and also serves as a reference for safety evaluation institutions to conduct safety inspection and evaluation work.
The Specification defines personal financial information (PFI) as personal information collected, processed or stored by financial institutions via provision of financial products or services or through other channels. The Specification generally classifies PFI into three categories (C3, C2 and C1) based on the degree of sensitivity.
The three categories are as follows, listed in decreasing order of sensitivity:

| Category | Scope of PFI and example |
|---|---|
| C3 | Generally includes user authentication information, such as bank card magnetic strip data, card verification codes, password and expiration date of credit card, log-in passwords and payment codes for bank accounts, insurance accounts and securities accounts, and biometric information such as financial services customer fingerprints. |
| C2 | Generally includes user identification information, financial status, and other key information used for financial products and services, such as payment account number, ID, cellphone number, account user names, information to assist in authentication (e.g., SMS authentication, security questions), transactional information (e.g., account balance, insurance claims and loan amounts), and photos, audio and video collected for know-your-customer purposes. |
| C1 | Generally includes information for internal use by Financial Industry Entities, such as when an account was opened, the account opening bank, and the customer’s payment token. It also includes any PFI that is neither C3 nor C2. |
a) For data collection, the Specification requires the use of technical measures (such as pop-up windows and explicit URL links), enabling the data subject to review privacy notices and give express consent.
b) For data processing and usage, protection measures (such as screen protection, de-identification or anonymization) should be taken when PFI is displayed to customers, to ensure PFI is not made public; PFI must also be processed within the stated purpose for which it was collected; otherwise, further consent should be sought from the data subject.
c) For data storage, encryption must be deployed for C3 information, and PFI collected and produced domestically in China (during the provision of financial products and services) should be stored, processed and analyzed domestically in China as well. If third-party vendors are involved, C2 and C3 information should not be stored by such external vendors. In addition, the database storing PFI should not be operated or maintained by external vendors.
d) For data transfer, where it is necessary for business reasons to provide PFI to foreign institutions (including affiliates such as a parent company, head office, branch office or subsidiary), express consent from the data subject is required for such cross-border transfer, and the data subject must be notified of his or her rights. De-identification of PFI should be completed before such cross-border transfer. Before a third-party vendor is engaged to process PFI, the data controller must conduct a security assessment (e.g., on-site verification) and sign a data security agreement with the vendor to ensure that the obligations regarding PFI confidentiality, deletion and investigation assistance (if any) can be effectively fulfilled.
e) For data deletion, when a data subject requests removal of PFI, financial institutions should, in accordance with related laws and regulations and any agreements reached with the data subject, process the deletion and adopt appropriate technical measures to ensure the deleted PFI is no longer searchable, retrievable or readable.
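The tier table and the storage and transfer rules in items (c) and (d) above, turned into a policy-as-code check in Python. This is an added example, not text from the Specification or code from any financial institution; the field names, the `Handling` attributes and the assumption that every field was collected domestically are constructed for illustration.

```python
from dataclasses import dataclass

# Tier assignments follow the Specification's table summarised above; C3 is most sensitive.
PFI_TIER = {
    "card_magnetic_stripe": "C3", "card_verification_code": "C3", "login_password": "C3",
    "payment_code": "C3", "fingerprint": "C3",
    "payment_account_no": "C2", "id_number": "C2", "phone_number": "C2",
    "sms_auth_code": "C2", "account_balance": "C2", "kyc_photo": "C2",
    "account_open_date": "C1", "account_open_bank": "C1", "payment_token": "C1",
}

def tier_of(name):
    """Any PFI not listed as C3 or C2 falls into C1, per the table."""
    return PFI_TIER.get(name, "C1")

@dataclass
class Handling:
    """How one PFI field is stored and moved (assumed attributes, constructed for this example)."""
    name: str
    encrypted_at_rest: bool = False
    at_external_vendor: bool = False
    stored_in_china: bool = True      # assumes the field was collected domestically
    cross_border: bool = False
    deidentified: bool = False
    express_consent: bool = False

def audit(h):
    """Return the rule (c)/(d) violations for one field; an empty list means compliant."""
    t = tier_of(h.name)
    issues = []
    if t == "C3" and not h.encrypted_at_rest:
        issues.append(f"{h.name} [{t}]: must be encrypted at rest")
    if t in ("C2", "C3") and h.at_external_vendor:
        issues.append(f"{h.name} [{t}]: must not be stored by an external vendor")
    if not h.stored_in_china:
        issues.append(f"{h.name} [{t}]: domestically collected PFI must be stored in China")
    if h.cross_border and not h.express_consent:
        issues.append(f"{h.name} [{t}]: cross-border transfer needs express consent")
    if h.cross_border and not h.deidentified:
        issues.append(f"{h.name} [{t}]: de-identify before cross-border transfer")
    return issues

if __name__ == "__main__":  # constructed handling plans
    for h in (Handling("card_verification_code"), Handling("phone_number", at_external_vendor=True)):
        print(h.name, audit(h) or "OK")
```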
The Specification provides comprehensive requirements for the entire life cycle of PFI handling. Although the Specification is not mandatory, financial institutions and third-party vendors (such as FinTech companies) are advised to bring their operations in line with its stipulations, for risk management and closer alignment with best practice.