Hello privacy pros. Greetings from Beijing, China. I hope you have enjoyed the summer and taken some time off for relaxation.

This August in China appears to be a busy and eventful month, as multiple key data regulations were issued or adopted.

The beginning of August witnessed the release of the draft Administrative Measures for Personal Information Protection Compliance Audits. The regime of personal information audit was initially introduced by the Personal Information Protection Law, without implementation details. The draft measures add a lot more guidance and clarity on PI audits. Under the draft measures, companies that handle personal information exceeding 1 million individuals must conduct at least one PI audit each year, and business organizations below that threshold are required to undergo at least one PI audit every two years. Data controllers are subject to penalties ranging from orders for rectification, administrative fines, and business suspension if they do not comply with the PI audit requirements. The Cyberspace Administration of China will collect comments from the general public until 2 Sept.

China is the largest mobile app market in the world. In the past two years, the CAC, Ministry of Industry and Information Technology and other regulators conducted numerous rounds of investigations to crack down on illegal collection and processing of personal information by mobile app developers and operators. On 8 Aug., MIIT issued an official circular imposing a new internet content provider filing requirement on app operators. This circular applies widely to mobile apps which are available in the app stores located in China, as well as mobile apps which are hosted in app stores outside China but target and can be downloaded by Chinese users. According to the Circular, app operators are required to complete an ICP filing with the competent MIIT authorities by 31 March 2024. Failing to comply with the ICP filing requirement will lead to removal of the app from app stores. The circular provides that the MIIT authorities will start compliance investigations in April 2024.

On the heel of the MIIT circular, WeChat, one of China's most popular social media platforms, issued a notice requiring all existing WeChat mini-program operators to complete ICP filing by the end of March 2024. In addition, starting from 1 Sept., WeChat will not accept the launch of any new mini-programs unless the operators have secured the ICP filing.

Also, 8 Aug., CAC released a draft regulation on security and management of facial recognition technology to seek public comments. This draft regulation imposes enhanced compliance requirements on the deployment of facial recognition technology. A data protection impact assessment must be conducted before collecting and processing facial recognition information. If facial recognition technology is used in public places or for a scenario involving personal data of more than 10,000 individuals, a filing with local CAC is a must-have procedure. In addition, data controllers providing facial recognition technology services to the public must meet the cybersecurity requirements applicable to multilayer protection scheme Level 3 or above.

Other recent notable developments are related to enforcement actions taken under the Data Security Law. In one recent data incident, a major Chinese university suffered a data breach due to its failure to take proper technical measures for data protection and set up data security policy and protocol. More than 30,000 teachers and students were affected, the CAC imposed a fine of RMB800,000 on this university and a personal liability on the person in charge.

Digital economy ranks as a high priority for China's economic development and this is again confirmed in the new guidelines issued by the State Council (China's cabinet) last Sunday. The new 24-point guidelines aim to further improve the business environment for international investors and their business operations in China. The guidelines lay down specific provisions to address some data compliance challenges facing multinational companies. The State Council vowed to create a green channel for qualified foreign-invested companies and improve the efficiency of security assessment for outward transfer of important data and personal data. In addition, Beijing, Tianjin, Shanghai and Guangdong/HK/Macau GBA are specifically identified where the State Council will help to devise a "white list" of general data that can be freely transferred out of China. This is undoubtedly excellent news for MNCs. Upon implementation, it will significantly expedite the cross-border data transfer process and provide better efficiency for business operations in the world's second largest economy!

Hope you have enjoyed this Digest. Until next time!