GC shares experiences in adapting to China’s new personal data law

China’s regulatory scrutiny on platform companies and data has engaged legal departments across the country and beyond to the task of swift compliance. As the new Personal Information Protection Law completes the domestic legislative regime, Chen Yan, general counsel and head of Group Legal Centre at KE Holdings, makes some international comparisons and shares his own company’s experience in adapting and evolving

In the past three years, there has been a noticeable trend toward the strengthening of data legislation and law enforcement in major countries and regions around the world.

Looking at legislation, major jurisdictions have been busy issuing data and personal information-related legislation in the past three years. For example, the EU issued the General Data Protection Regulation (GDPR) in May 2018; in the US, the California Consumer Privacy Act (CCPA) was issued in June 2018; Brazil issued the Lei Geral de Proteção de Dados (General Data Protection Law) in August 2018; and in December 2019, the Personal Data Protection Bill was tabled in India.

In China, the Data Security Law was adopted by the Standing Committee of the National People’s Congress in June 2021, and implemented on 1 September 2021; and the Personal Information Protection Law (PIPL) was also adopted by the standing committee in August 2021, and implemented on 1 November 2021. In addition, countries such as Japan, Canada and South Africa have rolled out relevant legislation in recent years.

Looking at law enforcement, major countries around the world are currently completing the transition from “provision to practice”. Domestically, starting with the joint issuance of the Notice on Launching the Dedicated Approach to Handling the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations – by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation – in January 2019, China officially raised the curtain on the era of comprehensive law enforcement relating to personal information.

In November 2019, the Ministry of Industry and Information Technology issued the Notice of the Ministry of Industry and Information Technology on Launching the Dedicated Rectification Work Relating to the Infringement of User Rights and Interests by Apps, and launched actions that led to the reporting of more than 10 apps that were in violation of regulations.

In the same year, a number of authorities jointly launched sweeping campaigns, such as Qinglang and Wangjian. In July 2020, the Office of the Central Cyberspace Affairs Commission and 13 other ministerial-level authorities jointly established the App Governance Working Group. And in the first half of this year, the Ministry of Public Security, in conjunction with relevant authorities, took down in excess of 1,100 apps that collected and/or used personal information in violation of laws and regulations, and the Ministry of Industry and Information Technology reported a total of 10 batches of apps that infringed users’ rights and interests.

Internationally, the EU is at the vanguard in enforcement of personal data law globally. Since the assessment by France of the first fine of EUR50 million (USD57.8 million) in respect of Google’s personalised ads under the GDPR in January 2019, large enterprises like H&M, British Airways and Marriott have been hit by large fines in the tens of millions of euros.

This year is a big year in the enforcement of personal data law internationally. In July, Amazon faced a EUR746 million fine assessed by the Commission Nationale pour la Protection des Données, Luxembourg’s data protection authority, for violation of the GDPR. And in September, the Irish Data Protection Commission announced a EUR225 million penalty against Facebook’s WhatsApp for not adequately informing about the collection of personal information, and launched an investigation into the processing of the personal data of children and the sending of such data abroad by TikTok.

Trend toward convergence in personal data legislation in major countries and regions, but with differences. Looking at the three major jurisdictions of China, the EU and the US, each country’s personal data legislation on the whole accords strict protection for data and information that can identify specific individuals, while paying due attention to the right of individuals to give informed consent in the course of the collection and processing of their data. But their legislations also take noticeably different stances and have different regional characteristics, for example:

• In terms of leniency, China’s PIPL and the EU’s GDPR provide more stringent protection for personal data, whereas California’s CCPA is more relaxed.
• In terms of scope of application, China and the EU both emphasise the extraterritorial application of personal data protection, whereas in the US the application is mainly domestic.
• In terms of the types of personal data rights protected, China and the EU place more emphasis on the rights of individuals to know, access, delete and take with them their personal information; in contrast, the US places more restrictions on the exercise of such rights.
• In terms of the mode of notification of consent, both China and the EU have adopted the “opt-in” model, while the US has on the whole preferred the “opt-out” model.
• In terms of enterprises’ data security compliance obligations, China and the EU have set out more detailed and stringent compliance requirements in respect of data storage periods, data security incident reporting obligations, personal data protection impact assessments, data encryption and other such security measures, while US compliance requirements are more relaxed and superficial. Furthermore, China’s PIPL also draws on the EU’s legislative efforts by imposing gatekeeper obligations on large internet platform enterprises.
• In terms of regulating the sending abroad of data, China has the most stringent regulation, setting out strict provisions on such things as security assessments to send data abroad, and for the domestic storage of data, whereas the EU sets out regulations for the sending abroad of data that are more in the nature of principles, while additionally enumerating exceptions to the regulation of sending data abroad. Although the US CCPA does not set restrictions on sending data abroad, it actually implements restrictions under specific scenarios, such as critical technologies and information, by way of such legal documents as the Foreign Investment Risk Review Modernisation Act of 2018, and the Export Control Reform Act of 2018.

Personal data legal risks that should be on enterprises’ radars. Under the current legal environment, in addition to comprehensively reviewing the personal data compliance work involved in their own businesses, Chinese enterprises need to focus on the key scenarios that are concerns of legislation and law enforcement. These are the high-risk scenarios that enterprises face, and they specifically include:

• Scenarios involving the sending of data abroad. In the current context of a holistic national security approach, oversight of the sending abroad of data has become increasingly stringent, with cyberspace authorities having conducted cybersecurity reviews of four platforms recently. More specifically, enterprises need to strictly comply with relevant provisions of the Data Security Law and the PIPL, and evaluate, certify and report on their sending of data abroad. Additionally, they must strengthen their compliance assessment work on their own collection and processing of data that may be sent abroad, track and study domestic and international legislative and regulatory developments, establish internal compliance mechanisms, and actively heed the professional opinions of internal data compliance personnel and external experts.
• Large data breaches. Large-scale data breaches are particularly likely to attract the close attention of public opinion and the regulators, and the long-term negative impact that this can have on enterprises is difficult to assess. In November 2018, Marriott’s database was hacked and the data of more than 500 million of its customers were leaked, resulting in a huge fine of GBP18.4 million (USD25 million) imposed by UK law enforcement authorities. In 2017, the Yahoo information breach, the largest of its kind in history, compromised the data of more than a billion users and left Yahoo reeling from the dozens of regulatory actions and legal actions that ensued.
• Algorithms and automated decision-making scenarios. Algorithmic compliance is an emerging topic in the field of personal data protection and will be a key target of regulation and law enforcement in the future. This year, the cyberspace authorities launched the “Clear – Algorithm Abuse Governance” campaign and began to solicit public comment on the Regulations for the Administration of the Algorithmic Recommendations of Online Information Services. The PIPL further sets out specific provisions to regulate automated decision-making. The combination of algorithms and numerous other hot topics of discussion, such as anti-monopoly, unfair competition, protection of workers’ rights and interests, etc., should be accorded close attention by enterprises.
• Facial, genetic and other sensitive personal information technology application scenarios. Articles 28-32 of the PIPL specifically set out rules for the processing of sensitive personal information, expressly including biometric information as sensitive personal information. In China, close attention has been directed at the application of facial recognition, gene editing and other such sensitive personal information technologies. In July 2021, the Supreme People’s Court issued the Regulations on Several Issues Concerning the Application of the Law in the Trial of Civil Cases Involving the Use of Facial Recognition Technology in Processing Personal Information. To date, a number of enterprises have been assessed penalties by the market regulation authorities for unlawfully collecting consumers’ facial recognition information. Facial recognition and other such sensitive personal information utilisation scenarios not only involve personal data rights, but may also involve national security and social stability. Internationally, there is likewise high-level attention focused on the misuse of facial recognition and other such technologies. In February 2021, TikTok was compelled to reach a USD92 million settlement agreement with users in the US for misusing facial recognition technology on mobile phones. Google also incurred a painful price of USD650 million for a similar offence.
• Protection of minors. Minors have always been a key subject of concern and protection by the state. Since the seventh census, the protection of minors has become a key task in maintaining the long-term stability of the state, with rectification of the education and training fields, and the upgrading of the anti-addiction specifications in the game industry, being necessary means in that pursuit recently. Within the PIPL, minors’ information is expressly enumerated as sensitive personal information, is subject to special regulation, and a specific provision addressing the processing of minors’ information is included. Internationally, in 2019 the US Federal Trade Commission assessed a USD170 million fine for YouTube and a USD5.7 million fine for TikTok based on the Children’s Online Privacy Protection Act.

China’s framework

With extensive technology innovation and the digital transformation of enterprises, rapid changes in the external legal environment have profoundly affected enterprises’ judgment of development strategies, and their operational and management upgrading. China’s data security and personal information protection legal regime is anchored by the Civil Code and the Cybersecurity Law, supported by the Data Security Law, the PIPL, complementary administrative statutes, ministerial-level rules and regulations and national standards in the fields of network security and data governance, and supplemented by provisions on the protection of data rights and interests scattered in such laws and regulations as the Law Against Unfair Competition, the E-Commerce Law, the Law on the Protection of the Rights and Interests of Consumers, etc. This regime has given rise to a comparatively independent and sound data protection and privacy protection legal sector.

Of the above-mentioned, the PIPL is the code that sets out the principles for protecting the data privacy of natural persons. It requires corporate entities, in their business operations and internal management, to perform the security obligations of data processors, and ensure the data rights and interests of such natural person subjects as service providers, consumers, etc., and manage legal risks throughout the life cycle of personal data in accordance with the law by such means as privacy compliance design and technical implementation measures under different scenarios.

Additionally, the PIPL establishes a relatively comprehensive system for regulating the sending abroad of personal information, requiring multinational corporations and any corporate entities involved in scenarios where data need to be sent abroad to actively address the oversight of cross-border data flows by category, and ensure the security of cross-border transmission of data.

In contrast, the Data Security Law is founded on the oversight of data security. It establishes the principle of strong state oversight of key data, with a system of administration of this data by type and level, and an exit control and cross-border flow oversight system for key data that is sent abroad, raising data security to the level of national security.

In light of the trend of regulators’ increasingly strict enforcement of the law in respect of the performance by network operators of their cybersecurity protection obligations – and frequent data security incidents in recent years – corporate entities’ compliance tasks of comprehensive implementation of their cybersecurity protection obligations, and taking strict precautions against data security incidents, are of utmost urgency. Improving data disaster recovery mechanisms and protecting data security have become top priorities in enterprise data compliance.

Under the existing regulatory framework, there are also a number of detailed rules for the application of laws and data security industry standards that have a bearing on cybersecurity, protection of personal information by applications, cloud services, machine learning algorithm recommendations and other such emerging technology modules, as well as such finely defined sectors as e-commerce, social media, and alternate energy vehicles.

These rules have begun to give shape to an internet industry data security standards regime, providing data compliance specifications and standards for a significant number of finely divided sectors. “Data anti-monopoly” in the Anti-monopoly Guidelines for the Platform Economy of the State Administration for Market Regulation involves the intersection of data law and anti-monopoly law enforcement, once again drawing a new boundary for the processing and application of data by internet platform enterprises.

Having seen these broad outlines, we expect that legal codes addressing the protection of rights and interests in data and data security will become increasingly detailed and extensive, the scope of oversight will gradually expand, and law enforcement efforts will be continually enhanced, thereby considerably increasing the difficulties faced by enterprises in their data compliance work.

Compliance for domestic enterprises

Realising legal risk control through precision compliance. As a technology-driven and digital infrastructure-based comprehensive platform enterprise resident on the internet, our business scenarios are complex. Our data flow, data processing and data application are multi-port, multi-dimensional and multi-level, which requires that our data compliance systems be consistent with our corporate organisational structure, main business, industry practice and strategic objectives of digitalisation and intelligent transformation. They should also be tailor-made to achieve precision compliance and comprehensive compliance, and reduce legal risks.

KE Holdings’ data security and compliant operation control system is tailored for the enterprise’s own operational characteristics and development strategy. It has become a key and indispensable part of the enterprise’s organisation, covering the flow of data across the platform, and integrated tightly into the various day-to-day business scenarios.

The system supports online products and various applications upwardly, ensures the lawfulness and compliance of hardware and data resource scheduling downwardly, ensures the compliance and security of technological innovation and industrial upgrading outwardly, supports the organisational operation and rational enterprise management inwardly, participates in the top-level design of various digital solutions, and establishes a data compliance firewall at the front end of the business to realise powerful ex ante legal risk control.

Seeking the optimal balance between compliance costs and compliance value in regulation and practice. In order to facilitate the release and growth of corporate value, and support corporate tech transformation and operational and management upgrading, exploring the shortest path to reaching our compliance goals is a key objectives of our data compliance work. It is only by thoroughly understanding regulatory objectives and logic, and continually exploring new compliance formulas in the course of data compliance practice, that a closed loop of data compliance system and compliance practices can take shape.

We sort out the product, business and organisation-based data compliance topology from three aspects of data compliance – namely strategy design, technical implementation and internal audit – and adapt data compliance systems and processes with different compliance focuses and implementation paths for different practical scenarios.

In terms of top-level design for data compliance, we construct a top-down data compliance governance structure. We set out the principles for internal resource allocation, and co-ordinate compliance costs with an in-depth examination of domestic and international data law legislation, anticipating regulatory priorities and methods, focusing attention on state strategy, industry development and the competitive environment in the global market, and closely matching our strategic positioning for the development of an internet platform enterprise.

At the level of technical implementation for data compliance, we have adopted a compliance strategy that emphasises ex ante risk control, with the legal department co-ordinating closely with the big data department, research and development department, product department and security department. We seamlessly embed data compliance tools in the integration of demand and technology, algorithms and scenarios, and deploy data compliance solutions on the basis of a comprehensive understanding of technology and business, seeking the optimal solution for data compliance.

At the level of data compliance audits, the legal department and the internal control and audit department regularly conduct inspections of the data compliance of front-end applications and back-end data processing for each product line. We regularly review the extent to which data compliance strategies are realised, and rationalise the compliance processes to give rise to a bottom-up data compliance audit mechanism that is updated and replaced in real-time, and that continually checks for and patches vulnerabilities based on internal self-examinations.

Creating an adaptive data compliance ecology comprised of regulation, business, data and organisation. Data law regulation is the major precondition for data compliance, and a company’s current business position and industry practice are the minor preconditions for data compliance. Data are an emerging key production factor, and organisation is the support for realising compliance value and enterprise value. We regard compliance, business, data and organisation as the four most important start and end points in KE Holdings’ data compliance.

Through internal collaboration, we have developed and applied a variety of automated data compliance tools – which start at product research and development, and the early stage of business proposal, and run through the whole life cycle of products and technologies – in an effort to build a data compliance ecosystem that is in keeping with the internet business ecology, and adaptive to the organisational structure and business flow.

In the new era of the intelligent industrial revolution, in which science and technology develop at warp speed, countless new products and services appear through data research and development of emerging technologies, and technological innovation and industrial upgrading continue to increase business.

Data law is a key cornerstone for the rule of law in the digital era, and data compliance is a key support for enterprise development. Walking together with enterprises, industries and markets on the road of exploring the future, it is only by taking the long-term perspective that we can appreciate the real value of data compliance, and do the hard but right thing. The road is bumpy and long, but with persistence, one eventually gets there.