China E-Commerce Proposed Law Includes Data Security

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Mark Melnicoe

China's imminent electronic commerce law imposes wide-ranging data-security requirements on merchants, third-party platforms and logistics companies to store and safeguard the personal information of hundreds of millions of people shopping online.

Companies operating outside China—but targeting consumers there—are subject to the new law. It will also cover foreign platforms that allow Chinese companies to trade on them. For example, if Amazon.com Inc. allows Chinese mainland companies to sell on its platform, it will be subject to the law.

“If a multinational company is engaged in cross-border e-commerce activities within China or in cross-border e-commerce activities that involve domestic enterprises which operate an e-commerce business or customers located in China, it's required to protect the personal information and business data in accordance with the law,” Manuel E. Maisog, a privacy partner at Hunton & Williams LLP in Beijing, told Bloomberg BNA.

A draft version of the nation's first comprehensive e-commerce law was issued by the National People's Congress (NPC) Dec. 27, 2016, and is open for public comment through Jan. 26. Domestic and foreign companies were invited to weigh in on the draft, which is 93 articles long and covers issues beyond data security, including anti-competitive practices and payment systems. The data security component of the law is of more concern than other e-commerce matters it covers, Jake Parker, chief representative of the U.S.-China Business Council in Shanghai, told Bloomberg BNA.

Requirements that companies share data with the government raise privacy concerns, he said.

Maisog said open-ended requirements for data to be handed to the government contrast with limited data sharing in the U.S., where the U.S. Cybersecurity Information Sharing Act “is driven more by information sharing among governmental and private sector actors than by compliance with mandatory rules.”

The draft law seeks to facilitate cross-border e-commerce, which is booming in China, as more of the nation's consumers can afford foreign products, which generally are seen as higher quality than their domestic counterparts. China's Ministry of Commerce projects that cross-border e-commerce reached 6.5 trillion yuan ($941 billion) in 2016 and that it will soon constitute 20 percent of China's foreign trade.

“Promoting e-commerce is conducive to China's opening-up strategic layout and the optimization and upgrading of its foreign trade,” Lyu Zushan, deputy director of the National People's Congress Financial and Economic Affairs Committee, told NPC legislators during introduction of the proposed law.

Data Localization

A requirement that companies store certain data for three years and within China is of particular concern, Parker said.

“It's onerous for companies to have to store that much back data,” he said. “Companies manage their data in a global framework,” with many using data-processing centers based in the U.S. or Canada to process data that comes from China, he said.

“Requirements that personally identifiable information be stored domestically can increase costs for foreign companies that must develop their own server or contract out to domestic suppliers to store within Chinese borders,” said Parker, whose organization represents more than 200 U.S. businesses operating in China.

The draft law is loaded with rules on handling data, much of it aimed at protecting consumers' private information, he said. That includes a requirement that companies anonymize personal data before it is shared. It would also give customers the right to control the use of their information, primarily by requiring companies to gain user consent.

The law would require that companies implement reasonable data security measures and sets maximum fines of 500,000 yuan ($72,710).

In case of a leak, loss or damage of data, “e-commerce business entities should take immediate remedial measures, promptly inform the user, and report to the relevant departments,” the draft law says.

Sharing Data With Government

The proposed law includes requirements that companies share data with the government.

“A potential privacy concern is the idea of being asked for data without limits and without a public process or court order to make sure the public info complies with the rule of law,” Parker told Bloomberg BNA. “It's unclear which agencies would be allowed to approach them and request this data. That's certainly a concern. We're recommending the law specify which authorities are authorized to collect data,” he said.

Article 5, for example, requires operators to “provide the relevant state departments with the information of e-commerce data in accordance with the provisions of laws and administrative regulations” without specifying what data and which departments. Article 71 provides that the state will establish mechanisms for the storage, exchange and protection of cross-border e-commerce transaction data.

Parker said his group will urge Chinese authorities to offer a “single-window platform for requesting that information.”

By Mark Melnicoe

To contact the reporter on this story: Mark Melnicoe in Shanghai, at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security