The emergence of the new retail model—“online + offline + logistics” —has changed the retail industry, reshaped consumer habits, and increased the online conversion rate. While these changes have brought more vitality to the retail sector, they have also raised consumers' concerns about privacy. Protecting personal information under this model has also become a huge challenge for retailers. Through examining the following 9 scenarios, this article seeks to provide suggestions to transnational retail business operators on compliance issues in the fields of internet safety and data protection.
In order to collect and use users’ personal information, multinational corporations (MNCs) usually display their privacy policies on their official websites, apps, and even Tmall flagship stores to facilitate the registration and management of their membership.
In reality, many MNCs simply translate their global privacy policy formulated based on the General Data Protection Regulation (“GDPR”) into Chinese or slightly revise it for Chinese users. It is important to note that due to the differences in data protection rules inside and outside China, a simple translation or revision of a global privacy policy may fail to satisfy domestic legal requirements.
According to the Information Security Technology-Personal Information Security Specification (“PISS”), the Self-Assessment Guide on the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations and the Measures for the Determination of Illicit Collection and Use of Personal Information by Apps jointly released by the four competent ministries recently, we suggest that MNCs should pay attention to at least the following points when drafting privacy policy in China:
For the IT infrastructure of MNCs, the official website (including self-built online store) and the intranet are usually operated and managed by its overseas headquarters, while the subsidiaries in China merely use these sites to offer products or after-sales service to customers. Thus, many MNCs set up their servers overseas.
Since the Cybersecurity Law came into force, its Article 37[1] has imposed data localization and cross-border data transfer security assessment obligations on operators of critical information infrastructure (“CII”), which brings risks and uncertainties to MNCs’ network operations. As a result, the following issues have become key concerns for MNCs: (1) whether MNCs should maintain a server in mainland China or store personal information collected in the course of operations in China there, (2) whether MNCs should conduct security assessments, and (3) how such assessments should be done before personal information is transferred across borders.
Regarding the data localization obligations, under the existing laws and regulations and judging from an industry-based perspective, retail companies are unlikely to be considered CII operators. Moreover, the current approach is for the authorities to proactively identify and notify a business if they consider that it falls into the CII operator category, and priority is largely placed on network systems that have completed Level 3 filing under the Classified Protection 2.0 system.
However, it is worth noting that the Measures for the Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) released by the Cyberspace Administration of China (“CAC”) on 13 June 2019 expand the data localization obligation from CII operators to all network operators. Though only a draft, this signals that the obligation may come to apply to retailers.
Regarding the cross-border data transfer security assessment obligations, the Measures for the Security Assessment for Personal Information and Important Data (Draft for Comment) released by the CAC on 11 April 2017 establish a security assessment approach combining self-assessment and government assessment. The Measures for the Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) released by the CAC on 13 June 2019, however, require all personal information to undergo government assessment before cross-border transfer takes place. Since the latter requirement met significant resistance from companies in various industries during public consultation, how to conduct the security assessment before transferring personal information across borders remains uncertain for retailers in the short run.
At the present stage, our suggestions for MNCs intending to transfer data overseas are as follows:
For the purpose of product design, advertising, or after-sales service, it is not uncommon for MNCs to gather customers’ preferences and demographic data from third parties, or to entrust data analytics companies with processing customer information. In these scenarios, customer information is transmitted multiple times along the supply chain. Such transmission may create the risk of administrative sanctions[2] or even criminal prosecution[3] if MNCs fail to fulfil the relevant obligations.
Based on the current laws and regulations, the special enforcement campaigns conducted and the guidelines released by law enforcement agencies, we recommend that, to mitigate these risks, MNCs pay attention to the following obligations:
As data recipients, MNCs should review the personal information received to verify the legality of its source, that users have properly authorized it, and that the intended use falls within the scope of that authorization. MNCs may also require data providers to confirm the legality of sharing the data by means of contracts or written commitments.
As data providers, MNCs should:
The Cybersecurity Law requires network operators to fulfill duties specified by the cybersecurity classified protection system. Otherwise, network operators may be subject to administrative penalties such as warnings and fines, or may incur criminal liabilities.
The cybersecurity classified protection regime (“Classified Protection 2.0”, the upgraded version of Classified Protection 1.0, formerly the “information security classified protection regime” in China) and the ISO/IEC 27000 series are currently the two major information security standards in China. ISO/IEC 27001, the certifiable standard in that series and the most widely recognized information security management standard in the world, is more commonly adopted by MNCs. It should be noted, however, that the two sets of standards differ markedly in their specific security requirements: ISO/IEC 27001 certification does not equate to compliance with classified protection.
In fact, Classified Protection 1.0 under the Measures for Management of Information System Security Classified Protection existed long before the promulgation of the Cybersecurity Law. On 13 May 2019, the release of a set of core national standards on cybersecurity classified protection marked the start of Classified Protection 2.0. Specifically, it expands the applicable scope from basic information networks and information systems to cloud computing, mobile Internet, the Internet of Things, industrial control systems and so on, covering everything except personal and home-built networks. Taking cloud computing as an example, Classified Protection 2.0 requires both the cloud computing infrastructure and the customer data stored on it to be located in mainland China.
Therefore, we recommend that MNCs which have not yet completed the Classified Protection 2.0 work, namely grading, filing, evaluation and rectification, initiate compliance projects as soon as possible, especially retailers operating large membership or business systems. Companies that have completed Classified Protection 1.0 also need to upgrade to the requirements of Classified Protection 2.0.
Due to business needs or connections with overseas parent companies or affiliates, many multinational retailers use VPNs for global networking. However, since the release of the Notice on Cleaning up and Regulating the Internet Network Access Service Market by the Ministry of Industry and Information Technology (“MIIT”) in January 2017, control over illegal VPNs has become increasingly strict. Illegal operation or set-up of VPNs, and even the use of unapproved VPNs, may incur administrative and criminal penalties. In June 2019, a foreign trade company in Zhejiang received administrative sanctions for using an illegal VPN to access websites abroad.
According to the Interim Provisions on the Management of International Networking of Computer Information Networks, those using self-built channels or other channels not provided by the national public telecommunication network of the Ministry of Posts and Telecommunications to access international networks may be ordered by the public security organs to stop networking, be issued a warning, and/or be fined up to 15,000 yuan, with any illegal income confiscated. Although the fine is small, an order to stop networking may cause substantial disruption and losses to a company. At the same time, refusing to rectify may incur criminal liability for “refusal to fulfil obligations of information network security management” under the Interpretations on Several Issues concerning the Application of Laws in Handling Criminal Cases involving Crimes of Illegal Use of Information Networks or Aiding Criminal Activities regarding Information Networks, jointly issued by the Supreme People's Court and the Supreme People's Procuratorate in October 2019. The crime could lead to a sentence of up to three years for the responsible persons.
Based on the above analysis, we recommend MNCs to:
Unlike traditional retail services, the new retail model is no longer limited by time or geography. Mining data about customers and reaching them have become essential for seizing market share and exploring business opportunities. Against this backdrop, companies need to feel the pulse of the new retail market, the core of which is big data analysis and precision marketing. However, personalized services require analyzing and targeting customers on the basis of large amounts of personal information and behavioral data, which means MNCs need to ensure compliance with the relevant data protection regulations.
In terms of big data analysis, MNCs may collect personal information through apps, mini-programs, official websites, online stores, road shows, Wi-Fi probes and the like, analyze such information themselves or through third parties, or obtain anonymized or de-identified data from third parties. Users then receive push advertisements sent by the retailers themselves or by third parties. Given the complexity of collecting, receiving, providing and processing personal information, and of engaging third parties to do so, we recommend that MNCs:
As one of the important assets in M&A deals, data may directly affect the valuation of the target company. MNCs have to fully consider the legal aspects of personal information protection when they invest in big data analytics companies or in other sectors that may involve large amounts of personal information. Data protection due diligence is therefore indispensable for reducing data compliance risks such as the transaction being aborted, a decline in the value of the target company, and even hefty fines or class actions caused by a data breach at the target company.
Because the process of data collection, use, storage, and sharing often involves multiple departments of the target company, MNCs need to focus on the following points during data protection due diligence, subject to the actual operation of the target company and the communication with the heads of the relevant departments:
In addition to due diligence, in practice we suggest introducing clauses into the transaction documents to allocate data security risks, such as:
Data breaches, whether caused by external attackers, leaks by employees, or improper operations by employees or outsourced data processing companies, regularly make headlines. No set of measures can prevent them entirely.
Many MNCs already establish both ex ante security protection mechanisms and ex post response mechanisms for the purpose of GDPR compliance. This includes building up data security capabilities, formulating emergency plans for cybersecurity incidents, periodically rehearsing those plans and training employees, and keeping records of security incidents.
Building on GDPR compliance, we suggest MNCs to consider the following for cybersecurity compliance:
Under the GDPR, data controllers must notify the supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms, and must notify the affected individuals without undue delay where the breach is likely to result in a high risk to them. In China, according to the Cybersecurity Law, MNCs must immediately activate the emergency plan, take remedial measures, prevent the spread of harm, inform users, and report to the relevant authorities, including the CAC and sector-specific supervisory authorities;
Organize the records relating to data security incidents, update emergency plans, and, if investigated, actively cooperate with the enforcement agencies and present evidence of data security capabilities, such as documents proving fulfilment of the Classified Protection 2.0 obligations.
To promote new products or services, it is common to reach consumers by phone or email. The pressure of sales KPIs may even drive salespersons to purchase personal information. For example, in the criminal case involving infringement of citizens’ personal information by Nestlé employees, six employees bought more than 120,000 records of personal information of pregnant women, including names and phone numbers, from hospitals in Lanzhou in order to promote formula milk. In the final ruling, the court fully recognized Nestlé’s data protection policies, such as its Employee Code of Conduct, and held that the employees’ misconduct should not be imputed to Nestlé.
So how can MNCs avoid the imputation of unwanted corporate liability? In our view, establishing and implementing a personal information protection compliance system is of great practical value in avoiding and reducing the risk of corporate crime. We recommend that MNCs formulate and implement such a system in several steps:
With the rapid development of the Internet and information technology, data has become strategically critical for every entity. At the same time, with the promulgation of the Cybersecurity Law and its implementing measures, the anticipated enactment of the Personal Information Protection Law and the Data Security Law, and increasingly regular enforcement of personal information protection and cybersecurity rules, the significance of data compliance is becoming ever more prominent. We therefore recommend that multinational retail companies prioritize data compliance on their agendas. We believe that putting in place appropriate means of collecting and using personal information, and of protecting cybersecurity, can help companies establish a firm position throughout the evolution of this new “online + offline + logistics” retail model.
[3] “Whoever sells or provides to any other person any citizen's personal information obtained in the course of performing their duties or providing services in violation of any relevant provisions of the state shall be given a heavier penalty in accordance with the preceding paragraph.”
“Whoever obtains any citizen's personal information by stealing or other illegal methods shall be punished in accordance with paragraph 1.”
“Where an entity commits any crime as provided in the preceding three paragraphs, the entity shall be fined, and the person in charge and other directly liable persons shall be punished according to the applicable paragraphs.”