When China’s legislature, the National People’s Congress (“NPC”), enacted the Cybersecurity Law (“CSL”) in 2017, it set into motion a new era of data governance in China.  Three years later, in 2020, the NPC followed up this landmark act with two other legislative milestones in this space: the draft Data Security Law (“DSL”) (see our blogpost here) and draft Personal Information Protection Law (“PIPL”) (see our client alert here).  Both the PIPL and DSL will be finalized this year.  Taken as a whole, these three laws form an over-arching framework that will govern data protection and cybersecurity in China for years to come.

While the DSL and PIPL have remained in draft form over the past year, the Chinese government has not stood idly by – instead, various Chinese regulators have continued to introduce data- and cyber-related rules in key sectors.  Many of these sectoral rules do not appear to be primarily focused on data protection or cybersecurity, yet they may indirectly impact the collection, use and processing of personal information in specific sectors.  The rollout of these new rules has not been fully coordinated, and the approaches taken in some cases deviate from the over-arching framework mentioned above.  We expect this divergence to remain, even after the finalization of the PIPL and DSL.  Consequently, China’s data and cyber regime will likely present a complex web of regulatory rules for organizations to navigate – both now and in the years ahead.

In this blog series, we examine several recently-introduced data and cyber rules in the areas of e-commerce, finance, healthcare, and artificial intelligence – all of which are rapidly expanding sectors in China where the collection and use of massive amounts of personal information have given rise to a variety of regulatory concerns.  We will also explain, in the last blogpost of this series, China’s recent push to regulate how mobile applications can collect and process user data.

In our first blogpost of this series, we focus on recent developments in China’s e-commerce sector.

Introduction of New E-Commerce Requirements

In February and March 2021, China’s State Administration for Market Regulation (“SAMR”), the regulator that oversees market activities, and the National Information Security Standardization Technical Committee (“TC260”), an organization responsible for drafting data- and cyber-related national standards, each issued rules for the e-commerce sector that include requirements for personal information protection.  Namely, the SAMR released its Measures for the Supervision and Administration of Online Transactions (“Measures”) (available here) on March 15, 2021, while the TC260 published its draft Information Security Technology – Data Security Guidelines for Online Shopping (“Draft Standard”) (available here) on February 24, 2021.

Both the Measures and the Draft Standard apply to “e-commerce service providers,” which include:

  (i) e-commerce platforms;
  (ii) merchants operating on e-commerce platforms (“Merchants”); and
  (iii) entities that sell products or services through their own e-commerce websites or by other means (providers under (i) and (iii) are referred to collectively as “Platform Operators”).

Due to their broad scope, it appears that these new rules will affect most major players in the e-commerce sector.  Below, we examine key aspects of these new rules in greater depth.

(1) Measures for the Supervision and Administration of Online Transactions

Personal Information Protection Requirements

The Measures impose a variety of personal information protection requirements on e-commerce service providers, consistent with the obligations set out in the draft PIPL and CSL.  Among other things, the Measures generally require e-commerce service providers to inform customers about the purpose(s), method(s) and scope of their collection (and processing) of personal information, as well as to obtain valid, freely given, and specific consent from consumers.  The Measures also require e-commerce service providers (both Platform Operators and Merchants) to keep personal information confidential and not disclose it to third parties without first obtaining consent.

Consumer Protection Requirements

In the area of consumer protection, the Measures require e-commerce service providers to describe their products and services accurately, without using any fraudulent or misleading information.  Further, e-commerce service providers are prohibited from including any unfair provisions in their terms of use, notices, or other consumer-facing statements that describe their products and services.

Finally, the Measures prohibit e-commerce service providers from sending “business information” (i.e., marketing messages) without obtaining consumers’ prior consent or explicit request to do so.

(2) Information Security Technology: Data Security Guidelines for Online Shopping

The Draft Standard is ostensibly a voluntary framework, but it will likely serve as a regulatory point of reference for government agencies, as well as practical guidance for e-commerce service providers processing personal information.

The Draft Standard sets out detailed rules for the collection, use, sharing, transfer, storage and deletion of personal information; defines personal information rights for individuals; and includes specific requirements for self-service stores and location-based services.  For instance, in terms of using personal information, the Draft Standard stipulates that – before profiling users or displaying personalized content – e-commerce service providers must explain any profiling mechanisms in their privacy notices and provide alternative ways to rank search results.  For data retention, the e-commerce service providers are required to retain information about transactions for products or services for no less than three years after the transaction is completed.

Notably, the cross-border data transfer requirements in the Draft Standard could diverge from the requirements under the draft PIPL.  According to Article 9.2 of the Draft Standard, unless otherwise required (or permitted) under relevant laws and regulations, e-commerce service providers are allowed to transfer personal information overseas only when providing cross-border e-commerce services for certain limited purposes.  In contrast, the draft PIPL could allow cross-border data transfers under additional scenarios as long as such transfers satisfy certain specified requirements.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.