Latest Draft of China E-Commerce Law Adds Cybersecurity Mandate


By John Butcher

Online companies doing business in China would be required to follow the country’s new cybersecurity law restrictions on storing and transferring personal data under the latest draft of e-commerce legislation.

China’s proposed e-commerce law would set online transaction standards and intellectual property protection requirements. The second draft of the bill dropped provisions that appeared in the first draft that defined personal information of e-commerce users, and established requirements for collecting and using that data.

The second draft instead states that e-commerce operators must comply with the country’s cybersecurity law, which took effect June 1. That means Inc. and other e-commerce companies would have to abide by the law’s requirements to store personal data on servers inside China, restrict exporting data overseas, and set personal information security standards.

“It is not that the cyber law has expanded. It’s rather now it has been made clear in the e-commerce law that the rules of the cyber law could apply,” James Gong, a cybersecurity, data protection, and privacy senior associate at Herbert Smith Freehills LLP, in Beijing, told Bloomberg Law.

The cybersecurity law is aimed at critical infrastructure protection. Draft guidance defining critical infrastructure has already swept in companies engaged in the energy, finance, transportation, water conservation, health-care, education, social insurance, environmental protection, telecommunications, media, cloud computing, big data, information network services, science and technology for national defense, large equipment manufacturing, chemical, food, and drug sectors.

Cross-Border Transfers

“If a U.S. company is operating an e-commerce platform in China, then they are bound to collect a large amount of personal information about the users of the platform,” Gong said.

Because the cybersecurity law considers any company selling goods or services to Chinese consumers as being a covered domestic operation, companies beyond China may be liable for security screening of any data collected from users in China.

“If they are going to export this outside China to a U.S. headquarters, then it will have to be assessed for security. That will be a self-assessment and then if it reaches a certain threshold, it will have to be sent to the regulator for assessment,” Gong said.

Data Localization

The requirement that personal data be stored within China presents challenges for foreign e-commerce companies that process transaction and other data abroad, and for companies that use cloud services to store data.

“This can be costly and does not lead to an increase in security of data. In fact, we continue to push the Chinese government for more clarity on the Cybersecurity law especially on its data localization requirements,” Kenneth Jarrett, president of the American Chamber of Commerce in Shanghai, told Bloomberg Law.

The second draft of the e-commerce bill, released Nov. 7, won’t likely be the final version, as the government opened it to public comments through Nov. 26. Concerns over the latest draft bill won’t be allayed soon, as a third draft is likely, according to Martyn Huckerby, an international corporate practice partner in the Shanghai office of King & Wood Mallesons.

The general rule in China is that “a legislative bill shall be put to vote after deliberations at three meetings of the Standing Committee,” he told Bloomberg BNA. “New elements may be introduced in the third version.”

Intellectual Property

The e-commerce bill would classify e-commerce operators into three categories: those doing business on their own websites, e-commerce platform operators, and stores on e-commerce platforms.

It would require that e-commerce platform operators protect intellectual property rights by blocking businesses engaged in the sale and distribution of goods or services as soon as they become aware of a violation. A platform operator could be held jointly liable, under the bill, with a seller for IP rights offenses it should have known about.

The e-commerce bill would also more strictly control e-commerce, through provisions to hold companies liable for false advertisements, fabricated transaction information or user comments, or failure to deliver purchased goods and services.

The focus on IP rights is the main benefit to U.S. companies of the proposed e-commerce law, the U.S.-China Business Council (USCBC) said in an analysis report provided to Bloomberg Law.

“In the previous draft of the law, suspected IP violators could simply issue declarations of non-infringement and platform operators would be required to promptly terminate any measures taken against the alleged IP violators. The second draft improves this process by requiring accused IP violators to submit evidence with non-infringement declarations before platforms lift punitive measures,” according to the USCBC analysis report.

To contact the reporter on this story: John Butcher in Beijing at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at

For More Information

The second draft of the e-commerce bill is available, in Chinese, at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
