Market trends and digitalization
The retail sector in China is undergoing transformation. The twin pillars of technology and data are redefining the ways retailers reach and interact with customers to deliver products and services. One notable development in China’s market is the integration of online and offline retail and the use of an omni-channel strategy to meet the personalized needs of each customer, with the noteworthy feature that smartphones are used in the buying process at a much higher rate than in the rest of the world. Against this backdrop, retailers are more motivated than ever to leverage technology and data to know their customers better and to stimulate growth under a customer-centric business model.
In the meantime, changes in the legislative and regulatory landscape and in customer expectations make it not just legally required but also strategically desirable to address key privacy concerns in the retail sector. In addition, the increasing privacy awareness of Chinese consumers suggests that privacy has gradually become part of brand reputation and customer experience, even in Chinese society, where privacy was perceived as a rather alien concept in the culture.
The main challenge facing retailers in China is how to deal with the change from a relatively lax environment to more stringent regulations in an increasingly digitalized context.
In our view, the focal points differ between the near future and the middle and long term. In the short term, the key challenge that retailers in China’s market must take on is how to steer the business through the legislative and regulatory uncertainties surrounding data compliance and privacy protection. Such uncertainties are mainly caused by the prolonged wait for the implementing regulations that give effect to the broadly couched provisions of the China Cybersecurity Law (the “CSL”).
In the middle and long term, retailers will need to consider the additional issues covered by the law, such as customers’ rights with respect to their data, data breach notification, and contingency plans in response to investigations.
Salient features of the CSL
Before discussing how the new law will impact the retail sector, it will be helpful to highlight the salient features of the CSL, as we have observed that there are quite a number of misperceptions in various aspects.
On the surface, the CSL bears much resemblance to the data protection laws in other jurisdictions, and it is tempting to read those laws using a compare-and-contrast approach. However, despite their similarities in many aspects, the fundamental logic underpinning the enactment of the CSL is based on the wider notion of national security. The legislator holds the view that security in cyberspace is an integral part of national security and that effective governance of cyberspace is a prerequisite to pursuing other values. In other words, cybersecurity is an umbrella term covering a wide range of elements, which include cybersecurity requirements, personal data protection, provision of network products and services, and regulation of important data.
Further, the legislator uses a mixed approach to formulating the implementing regulations of the CSL. One can often find provisions dealing with one or more aspects of cybersecurity, personal data, and important data in the same regulation, so it is sometimes difficult to understand how those provisions interact with each other unless they are read through the wider notion of cyber sovereignty.
The CSL does not distinguish between data controller and data processor. Instead, it defines two fundamental concepts: (i) network operator and (ii) operator of critical information infrastructure (“CIIO”). A network operator is any entity that constructs, operates, maintains or uses a network in China. The definition is technologically neutral and covers businesses in all sectors of the economy except those whose activities do not involve any use of a network. Given its coverage, almost all entities controlled by foreign retailers operating in China will be caught by the definition of network operator and therefore be subject to the obligations under the CSL.
A CIIO is a subset of network operator subject to more onerous cybersecurity obligations. The main concern for foreign retailers operating in China is whether their subsidiaries and affiliates in China will be classified as CIIOs on the ground that they collect and use a huge volume of customer data. The answer remains uncertain as the specific rules for defining CIIOs are still pending, and the authorities are taking a restrictive and prudent approach during the transitional period.
Top five areas where privacy is a key concern
The regulatory landscape in China is evolving quickly and most of the important legislation is expected to be passed in 2020. The overarching principle underlying that legislation is how to strike a balance between the protection of personal data and the development of the digital economy in a secure cyber environment.
Retailers operating in China should take a holistic view to define an effective strategy addressing key privacy concerns and data-related issues arising from new technologies and business-model transformation in the following key aspects.
1. Omni-channel strategy and “private traffic” marketing
Omni-channel strategy and “private traffic” marketing (i.e. socialized customer relationship management) were the buzzwords in China’s retail market in 2019 and are expected to remain so in 2020. The competition for traffic among search engines, e-commerce platforms, marketplaces, and social media channels has been keener than ever, and various estimates all point to the conclusion that merely competing for the remaining internet traffic will not be sustainable. Consequently, customer acquisition costs via third-party platforms will rise accordingly, raising a similar sustainability concern among retailers.
From a legal point of view, “private traffic” marketing means that the retailers have to pool together and make use of customer data from multiple sources instead of relying on third-party platforms. A tightened grip on huge volumes of customer data comes with greater accountability on the retailers themselves. Under the CSL, implementing an omni-channel strategy will require the consideration of at least two kinds of principal obligations: (i) network security requirements and (ii) personal data protection.
1.1. Multi-level protection system (“MLPS 2.0”)
The legislator holds the view that data security is the bedrock of personal data protection, without which it will not be feasible to implement other relevant provisions of the law. The statutory obligation requires all network operators to fulfill their cybersecurity obligations in accordance with the respective levels of classification under the multi-level protection system (“MLPS 2.0”).
As mentioned above, almost all retailers operating in China will be caught by the definition of network operator and will be required to complete MLPS 2.0 filing at some point in the future.
MLPS 2.0 is a less familiar concept for foreign retailers. The laws in other countries usually provide that data controllers have to take appropriate organizational and technical measures to ensure data security, and it is industry standards that determine the detailed requirements for the IT system. MLPS 2.0 aims to take a holistic approach by incorporating those details as a set of mandatory requirements. In short, it can be understood as a tiered assessment system containing specific parameters to assess the security of the information systems and networks used by retailers. The systems and networks most commonly assessed are those for OA (office automation), payroll management, CRM (customer relationship management) and SCRM (socialized customer relationship management), databases, web pages and mobile applications, and third-party services.
Currently, classification and filing under MLPS 2.0 is being promoted nationwide, and there is still a sufficient time window for retailers to prepare for MLPS 2.0, given the relatively moderate enforcement actions to date.
1.2. Personal data protection
The terms “privacy protection” and “personal data protection” are often used interchangeably in a generic sense, but they carry different definitions under Chinese law. As a simple comparison, we may say that rights relating to personal data accord individuals wider protection than invoking the right to privacy. When it comes to personal data protection in the retail sector, legal basis and data subject rights remain the focus and priority.
Under the CSL, consent is the predominant legal basis and most likely a retailer will invoke consent for its data processing activities. There are some exceptions to consent, but they are of limited practical value in the commercial context.
The CSL does not give a precise definition of “consent”. In practice, the Personal Information Security Specifications (GB/T 35273-2017) (the “Specifications”) may serve as a good reference, and their guidelines largely follow the way the GDPR interprets consent. Retailers should pay attention to the gap between actual practice and what the law provides.
In addition, although the CSL’s provisions do not prohibit collecting general consent from customers, if customers’ personal data will be used for multiple subsequent purposes, a single general consent may be deemed invalid, which may lead to enforcement actions.
Moreover, retailers will also come across the difficult question of how valid consent can be obtained in the context of building a “private traffic pool” through mini-programs on a social media platform. This is because obtaining consent for just one definite purpose may seem easily manageable, but what constitutes a valid consent for subsequent uses and aggregation of data for profiling purposes is not yet crystal clear. Some put forward the view that consent is a necessary but not sufficient condition. What makes it more difficult is that a mini-program is often embedded in the user interface of the social media platform, and when users click on and open the mini-program, it is not yet clear how the platform and the retailer should be respectively held accountable for the data collection activities of the mini-program.
1.3. Data subject rights
Customers are entitled to certain rights in their capacity as data subjects, and retailers shall enable their customers to exercise such rights. Realization of data subject rights will require technical and organizational input, including collaboration among various functional departments.
There are two baselines for determining what kinds of data subject rights should be granted to customers, namely the CSL and the Specifications. Although the latter are frequently cited during discussions and sometimes heralded as best practice, their nature should not be confused: the Specifications are a set of recommended national standards without binding force, so retailers may, but are not obliged to, implement the Specifications in full.
The exact scope of data subject rights is currently a confusing aspect in the implementation of the law. This is mainly because the guidelines issued by the enforcement agencies have strong persuasive force and some enforcement actions are taken as per the guidelines. Based on this, we suggest that the retailers should keep pace with law enforcement priorities in dealing with data subject rights.
The question on data subject rights is expected to be made clearer in the upcoming Personal Data Protection Law, which has been included in the legislative agenda in 2020.
2. Use of artificial intelligence
Retailers have been increasingly using artificial intelligence (AI) as a key element in the digitalization process to interact with their customers. One example is installing cameras enabled with facial recognition in a brick-and-mortar store to identify member customers and match their identity with their past purchase records to better understand the customers’ preferences.
PRC law generally takes a neutral stance on the existence of a technology and determines how it should be regulated in each scenario. The latest news reveals that regulation of AI and blockchain technology is also on the legislative agenda, but not as urgent as the Personal Data Protection Law and the Data Security Law.
The use of AI will have both regulatory and ethical implications. If retailers are planning to install AI-enabled equipment in their brick-and-mortar stores, extra care should be taken as the privacy awareness of Chinese consumers has increased remarkably. A privacy-by-design approach is strongly encouraged to assess how customers might react to the use of such technologies, and merely fulfilling the minimum statutory requirements is unlikely to be sufficient. One recommended practice is to always give customers a choice as to the ultimate control over their personal data before conducting AI-powered processing activities.
3. Exposure to third-party tools
Leveraging data analytics is crucial for the success of the omni-channel strategy, and it is common for a retailer to use third-party tools for analytical purposes. One example is incorporating a third-party SDK (software development kit) in its own mobile app to monitor the customer’s preferences.
One important question is under what circumstances the retailer will be held liable for the acts of a third-party SDK.
The law does not provide a clear answer, but the liability attribution principles under the CSL could be interpreted to impose some obligations on the retailer under certain circumstances. How to regulate third-party tools is already under the regulatory spotlight. It is anticipated that the upcoming regulations will not take a one-size-fits-all stance. What is more likely is a requirement that the retailer perform limited due diligence, the purpose of which is to better understand how the SDKs will collect and process personal data. Inadvertent exposure to risks associated with third-party tools could be effectively reduced by carrying out basic due diligence on the SDK vendor and inserting tailored clauses in the service agreement. Further, some cybersecurity firms have already rolled out automated technical auditing products focusing on mobile apps and third-party SDKs.
4. Localization and cross-border data transfer
Data localization and cross-border data transfer is another hot topic that concerns most foreign retailers operating in China, as it will have a significant impact on their global IT configurations and server locations.
It is necessary to demystify some misconceptions from the outset: the CSL does not provide any absolute data localization rules or any general prohibition on cross-border transfer of data.
Whether or not a retailer operating in China will be subject to data localization rules depends upon (i) whether the retailer is classified as a network operator or an operator of critical information infrastructure, and (ii) the types of data to be transferred abroad, i.e. personal data, financial data or important data.
More specifically, the rules of cross-border transfer will also affect foreign retailers in the following aspects:
- transfer of their employees’ data abroad for HR and payroll purposes;
- transfer of customers’ personal data to the overseas affiliates;
- transfer of important data abroad (the ambit of important data is yet to be clarified in the upcoming regulations).
Specific regulations on the procedure for cross-border transfer of data are in the pipeline, and the authority has recently envisaged a method combining security assessment and filing before transferring data out of China.
The overall regulatory attitude is to encourage free flow of data provided that the regulatory authorities are able to exercise effective supervisory powers. The recent consultation drafts also demonstrate that the regulators are prudent in assessing whether the proposed regulations would disproportionately impede cross-border data transfer.
Therefore, the genuine concern for foreign retailers is less about a mandatory data localization rule and more about how to design a cost-effective data transfer mechanism. We have observed different IT configurations adopted in response to the changing regulatory framework. One approach is to keep the current global IT configuration unchanged and prepare to deal with the security assessment and filing requirements when the proposed regulations on cross-border data transfer take effect. Another approach is to localize part of the data storage servers for the subsidiaries in China. Though some upfront investment is needed, it may reduce the cumbersome process of assessment and filing at a later stage.
The possibilities of different structures suggest that the issue is by no means a mere yes or no question. Foreign retailers still have considerable leeway in achieving data sharing between the parent company and its subsidiaries in China.
It is worth noting that China’s Ministry of Commerce recently issued two documents on promoting innovation in service trade, which propose certain pilot schemes for implementing cross-border data transfer arrangements in 28 provinces and cities in China. It remains to be seen what particulars will be put forward for discussion and implementation at a later stage.
5. Direct selling and franchise models in the digital age
PRC law provides separate regulations for direct selling and franchise selling respectively, but the convergence of offline and online sales blurs the operational boundaries between these sales models and the conventional retail model.
Personal data protection related to direct selling and franchise selling will be subject to additional regulatory rules, in particular with respect to the retention period and cross-border transfer of personal data. One of the challenges we foresee is that businesses engaging in the direct-selling and franchise selling sectors will need to reconsider what kinds of personal data they should collect and how long they should keep such data in their bonus/royalty systems. On the other hand, they should be prepared to respond to newly emerging questions raised by members of the sales team, for example, whether a request to access a fuller picture of the bonus system constitutes a valid request, or whether they have any legal ground to access more information on individuals either above or below them in the line. These interesting yet thorny questions are yet to be discussed and resolved.
It is also helpful to point out that compliance in the direct-selling and franchise selling sectors always has two dimensions: sector regulatory compliance and data compliance. The former is well established, while the latter is a new regulatory framework still taking shape. Businesses in the direct-selling and franchise selling sectors are strongly advised to revisit their current policies and practices under both regimes in light of the strengthened regulations.
Compliance programs: global vs local
It is quite common for foreign retailers to adapt their global compliance standards for compliance programs in China to address, amongst other issues, the privacy concerns discussed above. This approach is understandable as it ensures a harmonized global compliance baseline for the various affiliates within the group and avoids building a compliance program from scratch in each jurisdiction where the business operates. When adapting their global policies, notices, and procedures to operations in China, certain localization efforts are needed to reflect the special requirements under Chinese law.
During the localization and adaptation of global policies and practices, we observe some common but avoidable pitfalls. One of them is that the domestic compliance program tends to focus on the policies and procedures of the corporate vehicles, while little or no attention is given to potential individual liability in the case of a violation.
As mentioned above, the accountability principle under the CSL is a rather flexible mechanism, which hinges upon two key concepts, namely “persons directly in charge” and “other directly liable persons”. As readers may have noticed, how to interpret “persons directly in charge” and “other directly liable persons” will largely depend upon the circumstances, the organizational structure of the business, and the roles of the different people in a data incident.
By way of example, if a business fails to put in place appropriate policy documents and staff training during its operation and a data incident occurs due to an employee’s intentional action, the compliance officer and the employees involved would probably be caught as “persons directly in charge” and “other directly liable persons” respectively. However, if the business has a sound compliance regime, the corporate vehicle and the compliance officer may be absolved from potential liability. Therefore, foreign retailers should pay special attention to the potential individual liability (administrative and criminal) that employees in various positions might face.