When China’s legislature, the National People’s Congress (“NPC”), enacted the Cybersecurity Law (“CSL”) in 2017, it set into motion a new era of data governance in China. Three years later, in 2020, the NPC followed up this landmark act with two other legislative milestones in this space: the draft Data Security Law (“DSL”) (see our blogpost here) and draft Personal Information Protection Law (“PIPL”) (see our client alert here). Both the PIPL and DSL will be finalized this year. Taken as a whole, these three laws form an over-arching framework that will govern data protection and cybersecurity in China for years to come.
While the DSL and PIPL have remained in draft form over the past year, the Chinese government has not stood idly by – instead, various Chinese regulators have continued to introduce data- and cyber-related rules in key sectors. Many of these sectoral rules do not appear to be primarily focused on data protection or cybersecurity, yet they may indirectly impact the collection, use and processing of personal information in specific sectors. The rollout of these new rules has not been fully coordinated, and the approaches taken in some cases deviate from the over-arching framework mentioned above. We expect this divergence to remain, even after the finalization of the PIPL and DSL. Consequently, China’s data and cyber regime will likely present a complex web of regulatory rules for organizations to navigate – both now and in the years ahead.
In this blog series, we examine several recently introduced data and cyber rules in the areas of e-commerce, finance, healthcare, and artificial intelligence – all of which are rapidly expanding sectors in China where the collection and use of massive amounts of personal information have given rise to a variety of regulatory concerns. In the last blogpost of this series, we will also explain China’s recent push to regulate how mobile applications can collect and process user data.
In our first blogpost of this series, we focus on recent developments in China’s e-commerce sector.
Introduction of New E-Commerce Requirements
In February and March 2021, China’s State Administration for Market Regulation (“SAMR”), the regulator that oversees market activities, and National Information Security Standardization Technical Committee (“TC260”), an organization responsible for drafting data- and cyber-related national standards, each issued rules for the e-commerce sector that include requirements for personal information protection. Namely, the SAMR released its Measures for the Supervision and Administration of Online Transactions (“Measures”) (available here) on March 15, 2021, while the TC260 published its draft Information Security Technology – Data Security Guidelines for Online Shopping (“Draft Standard”) (available here) on February 24, 2021.
Both the Measures and the Draft Standard apply to “e-commerce service providers,” which include:
- (i) e-commerce platforms;
- (ii) merchants operating on e-commerce platforms (“Merchants”); and
- (iii) entities that sell products or services through their own e-commerce websites or by other means.
Providers under (i) and (iii) are referred to collectively as “Platform Operators.”
Due to their broad scope, it appears that these new rules will affect most major players in the e-commerce sector. Below, we examine key aspects of these new rules in greater depth.
(1) Measures for the Supervision and Administration of Online Transactions
Personal Information Protection Requirements
The Measures impose a variety of personal information protection requirements on e-commerce service providers, consistent with the obligations set out in the draft PIPL and CSL. Among other things, the Measures generally require e-commerce service providers to inform customers about the purpose(s), method(s) and scope of their collection (and processing) of personal information, as well as to obtain valid, freely given, and specific consent from consumers. The Measures also require e-commerce service providers (both Platform Operators and Merchants) to keep personal information confidential and not disclose it to third parties without first obtaining consent.
Consumer Protection Requirements
In addition, the Measures prohibit e-commerce service providers from sending “business information” (i.e., marketing messages) to consumers without first obtaining their consent or an explicit request to do so.
(2) Information Security Technology: Data Security Guidelines for Online Shopping
The Draft Standard is ostensibly a voluntary framework, but it will likely serve as a regulatory point of reference for government agencies, as well as practical guidance for e-commerce service providers processing personal information.
The Draft Standard sets out detailed rules for the collection, use, sharing, transfer, storage and deletion of personal information; defines personal information rights for individuals; and includes specific requirements for self-service stores and location-based services. For instance, in terms of using personal information, the Draft Standard stipulates that – before profiling users or displaying personalized content – e-commerce service providers must explain any profiling mechanisms in their privacy notices and provide alternative ways to rank search results. For data retention, e-commerce service providers are required to retain information about transactions for products or services for no less than three years after the transaction is completed.
Notably, the cross-border data transfer requirements in the Draft Standard could diverge from the requirements under the draft PIPL. According to Article 9.2 of the Draft Standard, unless otherwise required (or permitted) under relevant laws and regulations, e-commerce service providers are allowed to transfer personal information overseas only when providing cross-border e-commerce services for certain limited purposes. In contrast, the draft PIPL could allow cross-border data transfers under additional scenarios as long as such transfers satisfy certain specified requirements.