Recently, in the field of data governance, the "Regulations on Network Data Security" were officially introduced; they focus on prominent issues such as personal information, important data, and cross-border data flows, and address them by refining the existing system design. To promote the flow of data elements, the National Data Bureau has proposed several guiding opinions and drafts and, for the first time at the national level, has formulated and released the "Interim Implementation Standards for Authorized Operation of Public Data Resources" (Draft for Public Comment). In key industry regulation, the National Security Department has issued a special warning through cases, highlighting the threat to national security posed by illegal cooperation between foreign organizations and domestic enterprises in collecting original surveying and mapping data, which has drawn widespread attention to domestic and foreign cooperation on surveying and mapping data. Overseas, the EDPB has sought public comments on guidelines for the legal basis of personal data processing based on legitimate interests; the US Department of Commerce has proposed rules to restrict the supply of smart connected vehicle hardware and software from countries such as China; and California has passed several AI-related bills, strengthening AI governance in areas such as transparency and training data.
HOTSPOT
The State Council Announces the "Regulations on Network Data Security"
On September 30, 2024, the "Regulations on Network Data Security" were officially announced and will come into effect on January 1, 2025. Together with the "Cybersecurity Law," "Data Security Law," "Personal Information Protection Law," "Regulations on the Security Protection of Critical Information Infrastructure," and the "Cybersecurity Level Protection Regulations (Draft for Comment)," they form the framework of "three laws and three regulations" in the field of network security and data protection in China.
Compared with the draft for comments released in 2021, the "Regulations on Network Data Security" add the legislative purpose of "promoting the legal, reasonable, and effective use of network data" and relax many obligations to reduce the burden on enterprises and promote the effective use of data. For example, going public in Hong Kong has been removed from the scenarios that trigger a cybersecurity review, and the threshold for personal information processors to fulfill the obligations of important data processors has been raised to 10 million. At the same time, the "Regulations on Network Data Security" still apply strict supervision to some high-risk regulatory items to ensure network data security, such as the new requirement that risks involving national security, public interest, safety defects, vulnerabilities, etc., should be reported within 24 hours.
The Zhong Lun Data Team has prepared compliance materials such as the "To Do List for the Compliance Implementation of the Regulations on Network Data Security," "Compliance Obligation List of the Regulations on Network Data Security," and "Key Change Overview Table of the Regulations on Network Data Security." Corporate legal and compliance personnel who wish to obtain the aforementioned compliance materials can apply by emailing zhangli2@zhonglun.com.
Information source: State Council
https://www.gov.cn/zhengce/zhengceku/202409/content_6977767.htm
National Data Bureau Seeks Public Comments on the "Interim Implementation Standards for Authorized Operation of Public Data Resources (Open for Public Comment)"
On October 12, 2024, the National Data Bureau released the "Interim Implementation Standards for Authorized Operation of Public Data Resources" (Open for Public Comment, hereinafter referred to as the "Standards") and sought opinions from all sectors of society. As the first document at the national level to regulate the authorized operation of public data, the "Standards" clarify that local people's governments at or above the county level and national industry authorities can include public data resources they legally hold within the scope of authorized operation, provided this does not endanger national security, public interest, commercial secrets, personal privacy, or personal information rights. The "Standards" also set out requirements covering the basic requirements, plan formulation, agreement signing, operation implementation, and management of authorized operation of public data. In addition, the development and utilization of public data held by public utilities such as water, gas, heating, electricity, and public transportation can also refer to the relevant procedural requirements of the "Standards".
Information source: National Development and Reform Commission
https://yyglxxbsgw.ndrc.gov.cn/htmls/article/wap-article.html?articleId=2c97d16b-9091ce05-0192-7ffe5fd4-0023#iframeHeight=817
EDPB Seeks Public Comments on Guidelines for Processing Personal Data Based on Legitimate Interests
On October 9, 2024, the European Data Protection Board (EDPB) sought public comments on the Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR (hereinafter referred to as the "Legitimate Interests Guidelines"). The "Legitimate Interests Guidelines" emphasize that "legitimate interests" should not be overused as a legal basis, and clarify that personal data processing activities based on "what is necessary for the legitimate interests pursued by the controller or a third party" must simultaneously meet three requirements:
(1) The interest pursued by the controller or a third party is a legitimate interest that is legal, clearly identified, and currently existing;
(2) The personal data processing activity is necessary to pursue the legitimate interest, i.e., the interest cannot be effectively achieved by other means;
(3) The interests or fundamental rights and freedoms of the data subject involved do not take precedence over the legitimate interests of the controller or a third party, and a balance test is required.
The "Legitimate Interests Guidelines" also provide detailed explanations on the application of legitimate interests in various scenarios, such as child data processing, fraud prevention, direct marketing, internal management of enterprises, and disclosure of data to regulatory authorities in third countries.
Information source: EDPB
https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf
NEWSLETTER
(Click on the source or copy the corresponding link to view the details)
LEGISLATION
The State Council announces the "Regulations on Network Data Security"
Source: The State Council
https://www.gov.cn/zhengce/zhengceku/202409/content_6977767.htm
The General Office of the CPC Central Committee and the State Council issue opinions on accelerating the development and utilization of public data resources
Source: The State Council
https://www.gov.cn/zhengce/202410/content_6978911.htm
The National Development and Reform Commission releases the "Interim Measures for the Registration Management of Public Data Resources" (Draft for Public Comment)
Source: The Development and Reform Commission
https://yyglxxbsgw.ndrc.gov.cn/htmls/article/wap-article.html?articleId=2c97d16b-9091ce05-0192-7ffe5fd4-0023#iframeHeight=817
The National Data Bureau seeks public comments on the "Interim Implementation Standards for Authorized Operation of Public Data Resources" (Draft for Public Comment)
Source: The National Data Bureau
The National Data Bureau seeks public comments on the "Guiding Opinions on Promoting High-Quality Development of the Data Industry" (Draft for Public Comment)
Source: The National Data Bureau
The National Data Bureau seeks public comments on the "Opinions on Promoting the Development and Utilization of Enterprise Data Resources" (Draft for Public Comment)
Source: The National Data Bureau
The National Development and Reform Commission and others issue the "National Data Standard System Construction Guide"
Source: The Development and Reform Commission
https://www.ndrc.gov.cn/xxgk/zcfb/tz/202410/t20241008_1393509_ext.html
The Cyberspace Administration of China seeks public comments on the "Regulations on the Management of Direct Satellite Services for Terminal Equipment" (Draft for Public Comment)
Source: The Cyberspace Administration of China
The National Information Security Standardization Technical Committee releases the "GB/T 44599-2024 Data Security Technology Internet Platform and Product Service Personal Information Processing Rules"
Source: The National Information Security Standardization Technical Committee
https://www.tc260.org.cn/front/postDetail.html?id=20241014160633
The National Information Security Standardization Technical Committee releases the "GB/T 44602-2024 Cybersecurity Technology Smart Lock Cybersecurity Technical Specifications" and other 9 national cybersecurity standards
Source: The National Information Security Standardization Technical Committee
https://www.tc260.org.cn/front/postDetail.html?id=20241009104335
The National Information Security Standardization Technical Committee seeks public comments on the "Cybersecurity Technology Anti-DDoS Attack Product Technical Specifications" and other 15 national standards (Draft for Public Comment)
Source: The National Information Security Standardization Technical Committee
The National Information Security Standardization Technical Committee seeks public comments on the "Cybersecurity Standard Practice Guide - Academic Technology Service Platform Data Security Requirements" (Draft for Public Comment)
Source: The National Information Security Standardization Technical Committee
https://www.tc260.org.cn/front/postDetail.html?id=20240930151230
The Ministry of Industry and Information Technology seeks public comments on the "Artificial Intelligence Office Large Model System Technical Requirements" and other 198 industry standards, 1 recommended national standard project (Draft for Public Comment)
Source: The Ministry of Industry and Information Technology
https://wap.miit.gov.cn/gzcy/yjzj/art/2024/art_6caf756fd2c64392a26b75d0b64aa48f.html
The China Internet Association seeks public comments on the "Industrial and Information Technology Field Data Security Compliance Guidelines" (Draft for Public Comment)
Source: The China Internet Association
https://www.isc.org.cn/article/22295344848957440.html
Guangdong seeks public comments on the "Guangdong Data Regulations" (Draft for Public Comment)
Source: The Guangdong Cyberspace Administration
Hunan releases the "Hunan Data Intellectual Property Registration Management Method (Trial)"
Source: The Hunan Market Supervision Administration
https://amr.hunan.gov.cn/ztx/zscqqsx/zszcfg/zscqzc/202409/t20240919_33457846.html
Zhejiang releases the "Zhejiang Network Live Marketing Behavior Standards"
Source: The Zhejiang Market Supervision Administration
https://zjamr.zj.gov.cn/art/2024/9/25/art_1229003052_59038690.html
Shenzhen Data Exchange releases the "Enterprise Data Assets on the Balance Sheet Concise Operation Guide"
Source: Shenzhen Data Exchange
INDUSTRY TRENDS
The National Security Department Issues Surveying and Mapping Safety Alerts
Source: National Security Department
China Cybersecurity Association: Recommends Initiating Cybersecurity Review of Intel Products to Investigate Risks
Source: China Cybersecurity Association
https://mp.weixin.qq.com/s/rgRmOfoPr7x1TZhyb-1ifg
Intel China Responds: Committed to Ensuring Product Safety and Quality, Will Clarify Related Doubts
Source: Intel China
The Ministry of Industry and Information Technology Releases the 8th Batch of APP (SDK) Notifications on Infringements of User Rights for 2024
Source: Ministry of Industry and Information Technology
https://wap.miit.gov.cn/jgsj/xgj/gzdt/art/2024/art_7471539a36f04791a88ee6a66536f17a.html
The National Computer Virus Emergency Response Center Finds 13 Mobile Apps with Non-compliant Privacy Practices
Source: Xinhua News Agency
https://h.xinhuaxmt.com/vh512/share/12206411?d=134da1d&channel=weixin
Shanghai Communications Administration Delists 12 Apps for Infringing User Rights
Source: Shanghai Municipal Communications Administration
https://shca.miit.gov.cn/zwgk/tzgg/art/2021/art_e37c5223ce33483781bff714a098782f.html
Zhejiang Communications Administration Reports 19 Apps for Infringing User Rights
Source: Zhejiang Cyberspace Administration
Guangdong Communications Administration Delists 3 Apps for Infringing User Rights
Source: Guangdong Cyberspace Administration
Anhui Communications Administration Releases the 7th Batch of Notifications on Apps Infringing User Rights for 2024
Source: Anhui Provincial Communications Administration
Guangdong Cyberspace Administration Announces Registration Information for Generative AI Services (September 25th)
Source: Guangdong Cyberspace Administration
Guangzhou Intellectual Property Court Releases Typical Cases of Judicial Protection of Data Rights and Intellectual Property
Source: Guangzhou Intellectual Property Court
Beijing Internet Court: Sharing Screenshots of Employment Lists May Infringe on Personal Information Rights
Source: Beijing Internet Court
Chongqing Police Announce 5 Typical Cases of Combating the Use of AI Tools to Fabricate Rumors
Source: Ministry of Public Security Cybersecurity Bureau
Shanghai Medical Technology Company Penalized by Cyberspace Administration for Failing to Fulfill Protection Obligations
Source: Shanghai Cyberspace Administration
Shanghai Cyberspace Administration Comprehensively Rectifies the Misuse of Facial Recognition Technology in Subway Station Vending Machines
Source: Shanghai Cyberspace Administration
Jiangxi Court Releases Typical Cases of Anti-Unfair Competition
Source: Jiangxi Court Website
http://jxgy.jxfy.gov.cn/article/detail/2024/09/id/8139090.shtml
OVERSEAS
European Union:
The European Council adopts the Cyber Resilience Act
Source: European Commission
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
The European Commission will soon launch a public consultation on new standard contractual clauses for the transfer of personal data to third countries
Source: European Commission
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14404-Standard-contractual-clauses-for-the-transfer-of-data-to-third-country-controllers-and-processors-subject-to-the-GDPR_en
The EDPB consults on guidelines for processing personal data based on legitimate interests
Source: EDPB
https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf
The European Commission announces the signing of the AI Pact
Source: European Commission
https://ec.europa.eu/commission/presscorner/detail/en/ip_24_4864
The European Commission releases a practical guide on the Data Governance Act
Source: European Commission
https://digital-strategy.ec.europa.eu/en/library/new-practical-guide-data-governance-act
The European Commission announces the adoption of implementing acts under the NIS 2 Directive for essential entities and cybersecurity
Source: European Commission
https://digital-strategy.ec.europa.eu/en/news/commission-seeks-feedback-draft-implementing-act-under-nis2-directive#:~:text=By%2017%20October,%20the%20Commission%20will%20adopt%20an,digital%20providers,%20and%20ICT%20service%20management%20(business-to-business)%20sectors.
The EDPB issues Guidelines 2/2023 on the technical scope of Article 5(3) of the ePrivacy Directive
Source: EDPB
https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22023-technical-scope-art-53-eprivacy-directive_en
The EDPB issues Opinion 22/2024 on certain obligations following from the reliance on processors and sub-processors
Source: EDPB
https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-222024-certain-obligations-following_en
The EPRS releases a proposal for an AI Liability Directive
Source: European Parliamentary Think Tank
https://www.europarl.europa.eu/thinktank/en/document/EPRS_STU(2024)762861
The European Commission seeks feedback on the DGA
Source: European Commission
https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/tender-details/5586778b-d4d2-4c31-a03e-ac5f28fa087e-CN?isExactMatch=true&order=DESC&pageNumber=1&pageSize=50&sortBy=startDate
The European Commission publishes the findings of the first review of the EU-U.S. Data Privacy Framework
Source: European Commission
https://commission.europa.eu/document/download/25695177-8073-4ce3-bf81-eb816dc6b468_en?filename=Report%20on%20the%20first%20periodic%20review%20of%20the%20functioning%20of%20the%20adequacy%20decision%20on%20the%20EU-US%20Data%20Privacy%20Framework.pdf
The European Commission declares that X does not meet the gatekeeper criteria
Source: European Commission
https://digital-markets-act.ec.europa.eu/commission-concludes-online-social-networking-service-x-should-not-be-designated-under-digital-2024-10-16_en
The European Court of Justice issues a ruling on the right to delete personal data from commercial registers
Source: European Court of Justice
https://curia.europa.eu/juris/document/document.jsf?text=&docid=290701&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4017440
The European Court of Justice issues a ruling on defining legitimate interests
Source: European Court of Justice
https://curia.europa.eu/juris/document/document.jsf?text=&docid=290688&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4017244
The European Court of Justice issues a ruling on GDPR and non-monetary damage compensation
Source: European Court of Justice
https://curia.europa.eu/juris/document/document.jsf?text=&docid=290709&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4017520
The European Court of Justice issues a ruling prohibiting the unbridled use of personal data for targeted advertising by online platforms
Source: European Court of Justice
https://curia.europa.eu/jcms/upload/docs/application/pdf/2024-10/cp240166en.pdf
The European Court of Justice issues a ruling defining health-related data
Source: European Court of Justice
https://curia.europa.eu/jcms/upload/docs/application/pdf/2024-10/cp240159en.pdf
United States:
The Department of Commerce announces a proposed rule to secure the supply chains of connected vehicles from foreign adversaries
Source: Bureau of Industry and Security, U.S. Department of Commerce
https://www.bis.gov/press-release/commerce-announces-proposed-rule-secure-connected-vehicle-supply-chains-foreign#:~:text=%E2%80%93%20Today,%20the%20U.S.%20Department%20of%20Commerce%E2%80%99s%20Bureau,the%20People%E2%80%99s%20Republic%20of%20China%20(PRC)%20or%20Russia.
Marriott Hotel pays 367 million yuan to settle with the FTC
Source: Privacy Guard Team
California:
① The governor signs multiple AI-related bills
1) AI Transparency Act
https://www.markey.senate.gov/news/press-releases/senator-markey-introduces-ai-civil-rights-act-to-eliminate-ai-bias-enact-guardrails-on-use-of-algorithms-in-decisions-impacting-peoples-rights-civil-liberties-livelihoods
2) GenAI Training Data Transparency Act
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB2013
3) GenAI Accountability Act
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB896
4) AI Definitions Act
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB2885
5) Healthcare Services and AI Act
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB3030
Source: California Legislature
② The governor signs bills related to CCPA revisions
1) Revision of the definition of sensitive personal information
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB1223
2) Revision concerning publicly available data
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB1008
Source: California Legislature
United Kingdom: The ICO launches a new data protection audit framework
Source: ICO
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/10/new-data-protection-audit-framework-launched/
France:
CNIL releases privacy recommendations for mobile apps
Source: CNIL
https://www.cnil.fr/fr/applications-mobiles-la-cnil-publie-ses-recommandations-pour-mieux-proteger-la-vie-privee
CNIL provides an opinion on the online age verification framework
Source: CNIL
https://www.cnil.fr/fr/verification-de-lage-en-ligne-la-cnil-rend-son-avis-sur-le-referentiel-de-larcom
Netherlands: The AP publishes a position paper on AI regulation
Source: AP
https://autoriteitpersoonsgegevens.nl/documenten/position-paper-ap-rondetafelgesprek-toezicht-en-normuitleg-ai
Hungary: The government adopts a decree implementing the EU AI Act
Source: Hungarian Government
https://magyarkozlony.hu/hivatalos-lapok/s4F1eOsmRcDlSD3MOzBA66f1afaad3338/dokumentumok/0023a3c60cb4033ef9f687dd413894c4c157267e/letoltes
Singapore: The CSA releases the Safe App Standard 2.0
Source: CSA
https://www.csa.gov.sg/News-Events/Press-Releases/2024/csa-publishes-safe-app-standard-version-2.0
South Korea:
The PIPC announces an administrative notice on the draft for personal information transfer
Source: PIPC
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS061&mCode=C010010000&nttId=10656
The PIPC releases standards for the protection of personal image information used in the development of autonomous driving AI
Source: PIPC
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=10678
The PIPC publishes guidelines on data subject rights regarding automated decision-making
Source: PIPC
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=10611#LINK
Japan:
The PPC releases a document on the reasonable disposal of personal data breaches in the medical field
Source: PPC
https://www.ppc.go.jp/news/careful_information/240925_alert_hospitals_clinics_pharmacies/
The PPC releases a provisional Japanese translation of the EDPB PbD guidelines
Source: PPC
https://www.ppc.go.jp/files/pdf/data_protection_guideline_42019.pdf
Hong Kong, China: LinkedIn states it will no longer use Hong Kong personal data to train Gen AI
Source: PCPD
https://www.pcpd.org.hk/sc_chi/news_events/media_statements/press_20241015.html
India: The DSCI releases a white paper on cross-border transfers
Source: DSCI
https://www.dsci.in/resource/content/privacy-across-borders
Israel: The PPA releases guidelines on record-keeping under the Data Security Regulation
Source: PPA
https://www.gov.il/he/pages/takana10d
Czech Republic: The NÚKIB announces a consultation on the EUCC implementing regulation
Source: NÚKIB
https://nukib.gov.cz/cs/infoservis/aktuality/2166-poskytnete-zpetnou-vazbu-na-provadeci-narizeni-v-oblasti-evropskych-certifikaci-kyberneticke-bezpecnosti/
Brazil: The ANPD issues a resolution to establish a National Data Protection and Privacy Committee
Source: ANPD
https://www.in.gov.br/en/web/dou/-/resolucao-cnpd-n-2-de-26-de-setembro-de-2024-587271488
Sri Lanka:
The Data Protection Authority releases a draft regulation on the appointment of DPOs
https://www.dpa.gov.lk/newsregulation.php
The Data Protection Authority releases a draft regulation on personal information protection impact assessments
https://dpa.gov.lk/newsn1.php
The Data Protection Authority releases draft rules on personal data breach notifications
https://dpa.gov.lk/newsbench.php
The Data Protection Authority releases draft regulations on data subject rights and appeals
https://www.dpa.gov.lk/newsappeals.php
The Data Protection Authority releases draft regulations on fees applicable to the exercise of data subject rights
https://www.dpa.gov.lk/newsfee.php
Source: Sri Lanka Data Protection Authority
Note
This article was translated by an AIGC service and is for reference only.
Editors of this issue: 陈瑊 陈煜烺 马辰 林婉琪 陈瑞庭 张丽