Hello privacy pros. Greetings from Beijing, China.

With the summer heat cooling off, Beijing is entering its best season of the year: golden autumn. For privacy pros who have been busy with Cyberspace Administration of China security assessments, documentation and filing on standard contractual clauses, and tracking China's data developments in the past months, the good news is that the Mid-Autumn Festival and the National Day holiday are just around the corner.

Having said that, China's data regime never takes a break and Chinese data regulators have kept themselves busy drafting new data rules and taking enforcement actions. On 31 Aug., central CAC issued guiding opinions to enhance and improve the whistle-blowing mechanism, with a focus on preventing online abuse and cracking down on illegal collection and processing of personal data, especially sensitive personal data such as home address, personal ID, health data, financial data and individuals' geo-locational information.

Multiple rounds of data security investigations have been carried out by data regulators in Beijing, Shanghai, Zhejiang, Jiangsu and other provinces with active digital economies. Regulators caught noncompliance practices across various industries, ranging from retail, food and beverage, financial, and real estate, to education and health care. On 8 Sept., a commercial bank based in Beijing was fined RMB200,000 for not notifying regulators of a data breach. According to the rules issued by the China Banking Regulatory Commission (now renamed China National Financial Regulatory Bureau), banking institutions are required to notify the banking regulator within 60 minutes of a data breach affecting its critical IT system, followed by a formal written report to be submitted within 12 hours of occurrence of the data breach. Since the beginning of this year, a considerable number of banks, including Chinese and international banks, have been fined by the banking regulator for failing to comply with the data breach reporting requirements.

On 1 Sept., central CAC imposed a significant penalty of RMB50 million on China National Knowledge Infrastructure, China's largest online academic and research database. CAC announced in its decision that CNKI and its three operating companies have illegally collected and processed personal data against China's Personal Information Protection Law and Data Security Law via 14 mobile apps, with multiple violations including:

  • Collection of personal data beyond necessity.
  • Collection of personal data without consent.
  • Failure to make public the privacy policy and use rules.
  • Failure to provide account cancellation functions.
  • Failure to delete users' personal data in a timely matter after the users have canceled their accounts.

Following CAC's decision, CNKI made an official statement that it fully accepts CAC's decision and will take remediation actions.

It is worth noting that in December 2022, CNKI also received a big-ticket fine of RMB87,600,000 from the State Administration of Market Regulation for its anti-competitive practices, including abusing its market dominant position by charging unfairly high price for its services, splitting various databases and increasing price in disguise, and excluding the business partners from entering into collaborations with its competitors.

The CNKI case is an interesting development that clearly shows the lines between privacy and anti-trust oversight and enforcement are increasingly blurred. With data becoming the most important and valuable assets in all industries, companies face compliance challenges from the intersection and interoperability of data privacy and anti-trust/competition laws. Business organizations should stay abreast of the regulatory developments and take necessary compliance actions.