The emergence of the new retail model ("online + offline + logistics") has changed the retail industry, reshaped consumer habits, and increased online conversion rates. While these changes have brought new vitality to the retail sector, they have also heightened consumers' concerns about privacy, and protecting personal information under this model has become a major challenge for retailers. By examining the following 9 scenarios, this article offers suggestions to multinational retail operators on compliance issues in the fields of cybersecurity and data protection.
To collect and use users' personal information, multinational corporations (MNCs) usually display their privacy policies on their official websites, apps, and even Tmall flagship stores to facilitate the registration and management of their members.
- Formal Aspects
- Do not obtain users' consent through implicit means such as the default settings;
- Ensure that users can easily access and rectify their personal information, delete it, cancel their accounts, and withdraw their consent.
- Substantive Aspects
- Clearly and specifically explain each business function, and specify individually the purpose, method and scope of the collection or use of personal information by apps (including entrusted third parties and embedded third-party code or plug-ins), websites, stores, etc.;
- Clearly specify the purpose of providing personal information to third parties, the types of personal information involved and the types or identities of the recipients, and obtain the users' explicit consent before providing their personal information to third parties;
- Ensure that the back end of websites, apps or mini programs responds promptly to user requests for access, rectification, deletion or cancellation of user information or accounts, and for withdrawal of consent;
- Establish user reporting or request mechanisms in China.
- Cross-border Data Transfer: Understanding Data Localization and Cross-border Data Transfer Security Assessment Obligations
For the IT infrastructure of MNCs, the official website (including any self-built online store) and the intranet are usually operated and managed by the overseas headquarters, while the subsidiaries in China merely use these sites to offer products or after-sales service to customers. Thus, many MNCs host their servers overseas.
Since the Cybersecurity Law came into force, its Article 37[1] has imposed data localization and cross-border data transfer security assessment obligations on operators of critical information infrastructure (“CII”), which brings risks and uncertainties to MNCs' network operations. As a result, the following issues have become key concerns for MNCs: (1) whether MNCs should maintain a server in mainland China or store personal information collected in the course of operations in China, (2) whether MNCs should conduct security assessments, and (3) how such assessments should be conducted before personal information is transferred across borders.
Regarding the data localization obligation, according to the existing laws and regulations, and judging from an industry-based perspective, it is unlikely that retail companies would be treated as CII operators. Moreover, the current approach is for the authorities to proactively identify and notify a business if they consider that it falls into the CII operator category, and priority is largely placed on network systems which have completed Level 3 filing under the Classified Protection 2.0 system.
However, it is worth noting that the Measures for the Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) released by the Cyberspace Administration of China (“CAC”) on 13 June 2019 expands the data localization obligation from CII operators to all network operators. Although still a draft, it signals that the obligation may be extended to retailers.
Regarding the cross-border data transfer security assessment obligation, the Measures for the Security Assessment for Personal Information and Important Data (Draft for Comment) released by the CAC on 11 April 2017 establish a security assessment approach that combines self-assessment and government assessment. By contrast, the Measures for the Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) released by the CAC on 13 June 2019 require all personal information to be subject to government assessment before cross-border transfers take place. Since the latter requirement met significant resistance from companies in various industries during the public consultation, how to conduct the security assessment before transferring personal information across borders remains uncertain for retailers in the short run.
At the present stage, our suggestions for MNCs intending to transfer data overseas are as follows:
- Cooperate with local cloud service providers to store personal information in China;
- If only a small amount of non-sensitive data is involved, specify the purpose of transfer, the scope and type of the transferred personal information, identity of the recipient (including the country or region in which the recipient is located), obtain the explicit consent of data subjects (including employees) before the cross-border transfer of their personal information, and keep the corresponding records;
- Consult the local CAC in a timely manner if a large amount of personal information (personal information of more than 500,000 individuals, or more than 1,000 GB of data) or sensitive data is involved;
- Before transferring personal information cross-borders, conduct self-assessments on aspects such as the amount, scope, type, and sensitivity of personal information, as well as the security capabilities of the receiver and the environment of the destination country; if there are national security or public interest concerns, the transfer should be halted.
- Establish records of cross-border transfer of personal information including the date and time of transfer, the identity of the recipients, the types, quantities and sensitivity level of the transferred information, and keep the records for at least five years.
- Supply Chain Management: Complying with Data Sharing Rules
For the purposes of product design, advertising, or after-sales service, it is not uncommon for MNCs to gather customers' preferences and demographic data from third parties, or to entrust data analytics companies with processing customer information. In these scenarios, customer information is transmitted multiple times along the supply chain. Such transmission may create a risk of administrative sanctions[2] or even result in criminal prosecution[3] if MNCs fail to fulfil the relevant obligations.
Based on the current laws and regulations, the special enforcement campaigns conducted by law enforcement agencies and the guidelines they have released, we recommend that MNCs pay attention to the following obligations in order to mitigate these risks:
- Duty of Examination as a Receiver.
As data receivers, MNCs should review the personal information received to ensure the legality of its source, that it was properly authorized by the users, and that its use is within the scope of that authorization. Meanwhile, MNCs may require data providers to confirm the legality of the sharing by means of contracts or written commitments.
- Duty of Supervision as a Provider.
As data providers, MNCs should:
- Clearly specify the purpose of providing personal information to third parties, the types of personal information involved and the types or identities of the recipients, and obtain the users' explicit consent before providing their personal information to third parties;
- Require downstream distributors to have adequate data security capabilities and to establish a comprehensive personal information protection system;
- When appointing data processing companies, set contractual constraints on their processing activities, or engage a qualified third party to audit them.
- Classified Protection 2.0: Is It Really Necessary?
The Cybersecurity Law requires network operators to fulfill duties specified by the cybersecurity classified protection system. Otherwise, network operators may be subject to administrative penalties such as warnings and fines, or may incur criminal liabilities.
The cybersecurity classified protection regime (or “Classified Protection 2.0”, the upgraded version of Classified Protection 1.0, formerly the “information security classified protection regime” in China) and the ISO/IEC 27000 series are currently the two major information security standards in China. However, the ISO/IEC 27000 series, as the most widely recognized information security management standard in the world, has been more widely adopted and followed by MNCs. It should be noted that there are obvious differences in the specific security requirements between the two sets of standards: ISO/IEC 27001 certification does not equate to compliance with classified protection.
In fact, Classified Protection 1.0 under the Measures for Management of Information System Security Classified Protection existed long before the promulgation of the Cybersecurity Law. On 13 May 2019, the release of a set of core national standards on cybersecurity classified protection marked the start of the Classified Protection 2.0 era. Specifically, it expands the applicable scope from basic information networks and information systems to cloud computing, mobile Internet, the Internet of Things, industrial control systems, etc., achieving full coverage except for personal and home-built networks. Taking cloud computing as an example, Classified Protection 2.0 requires both the cloud computing infrastructure and the storage of customer data to be located in mainland China.
Therefore, we recommend that MNCs which have not yet completed the grading, filing, evaluation and rectification work required by Classified Protection 2.0 initiate compliance projects as soon as possible, especially retailers with large membership systems or business systems. Companies which have completed Classified Protection 1.0 also need to upgrade to the requirements of Classified Protection 2.0.
- Use of VPNs: How to “Sneak” Lawfully?
Due to business needs or connections with overseas parent companies or affiliates, many multinational retailers use VPNs for global networking. However, since the release of the Notice on Cleaning up and Regulating the Internet Network Access Service Market by the Ministry of Industry and Information Technology (“MIIT”) in January 2017, control over illegal VPNs has become increasingly strict. Illegal operation or set-up of VPNs, and even the use of unapproved VPNs, may incur administrative and criminal penalties. In June 2019, a foreign trade company in Zhejiang received administrative sanctions for using an illegal VPN to access websites abroad.
According to the Interim Provisions on the Management of International Networking of Computer Information Networks, those using self-built channels, or other channels not provided by the national public telecommunication network of the Ministry of Posts and Telecommunications, to access international networks may be ordered by the public security organs to stop networking, be issued a warning, and/or be fined up to 15,000 yuan, with any illegal income confiscated. Although the fine is small, an order to stop networking may cause substantial disruption and losses to a company. At the same time, refusing to rectify may incur criminal liability for “refusal to fulfil obligations of information network security management” under the Interpretations on Several Issues concerning the Application of Laws in Handling Criminal Cases involving Crimes of Illegal Use of Information Networks or Aiding Criminal Activities regarding Information Networks, jointly issued by the Supreme People's Court and the Supreme People's Procuratorate in October 2019. The crime could lead to a sentence of up to three years for the responsible persons.
Based on the above analysis, we recommend MNCs to:
- Choose VPN service providers with relevant qualifications;
- Use a blacklist to block illegal and sensitive websites (such as those involving threats to national security, terrorism, superstition, gambling, obscenity, violence, etc.);
- Strengthen internal management by formulating relevant policies;
- Monitor and record internal network activities to ensure employees use VPN properly.
- Precision Marketing: How to Make Targeted Promotion?
Unlike traditional retail services, the new retail model is no longer limited by time or geography. Mining and reaching customers have become essential for seizing market share and exploring business opportunities. Against this backdrop, companies need to feel the pulse of the new retail market, the core of which is big data analysis and precision marketing. However, personalized services require analyzing and targeting customers based on large amounts of customers' personal information and behavioral data, which means MNCs need to ensure compliance with the relevant data protection regulations.
In terms of big data analysis, MNCs may collect personal information through apps, mini programs, official websites, online stores, road shows, Wi-Fi probes, etc., and analyze such information themselves or through third parties, or may obtain anonymized or de-identified data from third parties. After that, users receive push ads sent by the retailers themselves or by third parties. Given the complexity of collecting, receiving, providing and processing personal information, and of appointing third parties to do so, during this process, we recommend the following:
- When collecting data, ensure the data subjects know and agree that their personal information will be used for personalized services, and are given the right to opt out;
- When receiving personal information from a third party, review the information received to ensure the legality of its source, and require data providers to confirm its legality by means of contracts or written commitments;
- Monitor a third party's behavior closely (limited to the entrusted matters) when outsourcing the processing of personal information;
- Obtain the users' explicit consent and give the users a way to opt out when sending information on products or promotions by e-mail or SMS;
- Require third-party service providers to demonstrate their data protection capabilities when outsourcing precision marketing services.
- M&A: How to Conduct Data Protection Due Diligence?
As one of the important assets in M&A deals, data may directly affect the valuation of the target company. MNCs have to fully consider the legal aspects of personal information protection when they invest in big data analytics companies, or in other sectors that may involve large amounts of personal information. Thus, data protection due diligence is indispensable to reduce data compliance risks such as the transaction being aborted, a decline in the value of the target company, and even hefty fines or class actions caused by a data breach at the target company.
Because the process of data collection, use, storage and sharing often involves multiple departments of the target company, MNCs need to focus on the following points during data protection due diligence, subject to the actual operations of the target company and communication with the heads of the relevant departments:
- Fully understand the actual operation of the target company regarding the collection and use of personal information and important data;
- Check whether the target company has a comprehensive data compliance system.
In addition to due diligence, in practice we suggest introducing the following clauses into the transaction documents to allocate data security risks:
- Representation and warranty clauses, together with remedies for breach; for example, the buyer is entitled to adjust the price or withdraw from the deal if the seller violates such clauses;
- Conditions precedent requiring rectification of any major data compliance issues identified during the due diligence process before closing the transaction.
- Data Breach: How to Respond?
Data breaches, whether caused by attacks from external hackers, leaks by employees, or improper operations by employees or outsourced data processing companies, regularly make headlines. No matter what measures are taken, data breaches cannot be completely prevented.
Many MNCs establish both ex ante security protection mechanisms and ex post response mechanisms for the purpose of GDPR compliance. These include building up data security capabilities, formulating emergency plans for cybersecurity incidents, periodically rehearsing those plans and training employees, and keeping records of security incidents.
Building on GDPR compliance, we suggest MNCs to consider the following for cybersecurity compliance:
- Before Data Breach
- Perform the Classified Protection 2.0 obligations in accordance with the requirements of the Cybersecurity Law;
- Develop an emergency plan for cybersecurity incidents in order to respond promptly to security risks such as system vulnerabilities, computer viruses, network attacks and intrusions;
- Retain the relevant network logs for no less than six months;
- In the Course of Data Breach
Under the GDPR, data controllers must notify the supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms, and must communicate the breach to the affected individuals without undue delay where it is likely to result in a high risk to them. In China, according to the Cybersecurity Law, MNCs must immediately activate the emergency plan, take remedial measures, prevent the hazard from spreading, inform users, and report to the relevant authorities, including the CAC and sector-specific supervisory authorities;
- After Data Breach
Organize the materials relating to the data security incident, update the emergency plan, and, if investigated, actively cooperate with the enforcement agencies and provide evidence of data security capabilities, such as documents proving fulfilment of the Classified Protection 2.0 obligations.
- Criminal Risk: How to Construct a Firewall?
To promote new products or services, it is common to reach consumers by phone or email. The pressure of sales KPIs may even drive salespersons to purchase personal information. For example, in the criminal case involving infringement of citizens' personal information by Nestlé employees, six employees bought more than 120,000 records of personal information of pregnant women, including names and phone numbers, from hospitals in Lanzhou in order to promote formula milk. In the final ruling, the court fully recognized Nestlé's data protection policies, such as its Employee Code of Conduct, and held that the misconduct should not be imputed to Nestlé.
So how can MNCs avoid the imputation of unwanted corporate liability? We understand that establishing and implementing a personal information protection compliance system is of great practical value in avoiding and reducing the risk of corporate crime. We recommend that MNCs formulate and implement a personal information protection compliance system in several steps:
- Establish an internal policy that includes explicit prohibition of infringement of personal information;
- Include commitments on personal information protection in employment contracts and supervise employees' compliance;
- Carry out regular training for employees.
With the rapid development of the Internet and information technology, data has become strategically critical for every entity. At the same time, with the promulgation of the Cybersecurity Law and its implementing measures, the anticipated enactment of the Personal Information Protection Law and the Data Security Law, and increasingly regular law enforcement on personal information protection and cybersecurity, the significance of data compliance is becoming ever more prominent. Therefore, we recommend that multinational retail companies prioritize data compliance on their agendas. We believe that putting in place appropriate means of collecting and using personal information, as well as protecting cybersecurity, can help companies establish a firm position throughout the evolution of this new "online + offline + logistics" retail model.
- Article 37 of the Cybersecurity Law provides: “Personal information or important data that are collected or generated by an operator of critical information infrastructure during its operation within the territory of the People's Republic of China shall be stored within mainland China. Where due to business reasons it is truly necessary to be provided overseas, the security assessment shall be conducted in accordance with the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council. Where laws and administrative regulations provide otherwise, such rules shall be followed.”↩
- Article 64 of the Cybersecurity Law provides: “Where any network operator or any provider of network products or services, in violation of any provision of paragraph 3 of Article 22, or Articles 41 to 43 of this Law, infringes upon the right of personal information to be protected in accordance with the law, the competent department shall order it to take corrective action, and may, either separately or concurrently depending on the circumstances, issue a warning, confiscate its illegal income therefrom, impose a fine of not less than one time but not more than ten times the amount of illegal income, and if it has no illegal income therefrom, impose a fine of not more than one million yuan on the entity and a fine of not less than 10,000 yuan but not more than 100,000 yuan on the person in charge and other directly liable persons. If the circumstances are serious, the competent department may order it to suspend relevant business operation, cease business operation for rectification, or close down the website, or may revoke the relevant business permit or business license.”↩
- Article 253-1 of the Criminal Law provides: “Whoever sells or provides any citizen's personal information in violation of the relevant provisions of the state shall, if the circumstances are serious, be sentenced to imprisonment of not more than three years or criminal detention, and/or a fine; or, if the circumstances are particularly serious, be sentenced to imprisonment of not less than three years but not more than seven years and a fine.”
“Whoever sells or provides to any other person any citizen's personal information obtained in the course of performing their duties or providing services in violation of any relevant provisions of the state shall be given a heavier penalty in accordance with the preceding paragraph.”
“Whoever obtains any citizen's personal information by stealing or other illegal methods shall be punished in accordance with paragraph 1.”
“Where an entity commits any crime as provided in the preceding three paragraphs, the entity shall be imposed a fine, and the person in charge and other directly liable persons shall be punished according to the applicable paragraphs.”
Originally published 09 July, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.