China Cybersecurity Review Technology and Certification Center (中国网络安全审查技术与认证中心, CCRC) recently released the first batch of enterprises it has approved for personal information security. The first batch includes Alipay (支付宝), Tencent Cloud, Baidu Cloud, and others. China’s IT giants BAT (Baidu, Alibaba, Tencent) are the industry’s models for protecting personal information.
On the list, Alipay, a crucial member of the Alibaba family, is the fintech company approved by CCRC, while the other fintech giants’ parent companies are approved for cloud services. According to several sources, CCRC chose 10 representative companies, in whose operations personal information plays a significant part, for testing the personal information system certification. CCRC granted certifications to those companies whose personal information security management systems comply with the national standard and privacy protection protocols.
Since the Law of Cybersecurity of the People’s Republic of China was published in 2016, the corresponding cybersecurity regulation systems have been approaching completion; the GB/T 35273-2017 Information Security Technology Personal Information Security Standards (信息安全技术个人信息安全规范, ISTPISS) was published in December 2017. Working within the structure of the Law of Cybersecurity of the PRC and incorporating universal international cybersecurity rules, CCRC adopts ISTPISS, which proposes seven principles: parity of right and responsibility, accurate purpose in the use of personal information, option to agree, minimum of use, open and transparent, security guaranteed, and subjective participation. All certified enterprises are strictly required to follow ISTPISS consistently in both technology and culture.
As revealed in Alibaba’s Q3 financial report, the AAU (annual active users) of Alipay and the companies attributed to it exceeded 1,000 million worldwide. A user base of this scale requires the most advanced level of protection, since Alipay’s business is deeply rooted in fintech and collects the most sensitive personal information, such as citizens’ ID numbers and bank accounts. Tencent and Baidu, one a social-network-based company and the other a search-engine-based one, also provide financial services and have strengths in fintech. Tencent’s WeChat Pay is Alipay’s biggest competitor in China, but it is not isolated from Tencent, whereas its competitor Alipay is owned not by Alibaba but by Ant Finance. The old Baidu Finance is now Du Xiaoman (度小满), which started to run independently in 2018, but its core tech is still heavily based on Baidu’s cloud service.
With years of accumulated data management and cybersecurity-related technology, it is no surprise that BAT obtained the CCRC Personal Information Security Management System certificates. As the IoT age approaches along with 5G technology, more developed networks and the threats that emerge from network activities will demand ongoing efforts in cybersecurity and personal data protection.