In recent years, especially in response to the COVID-19 pandemic, economies around the world have undergone accelerated digital transformations. The platform economy, a subset of the digital economy, has also grown rapidly and given rise to a number of data protection issues, which China is looking to tackle through a series of policy measures.
Currently, many service providers in China require their users to share irrelevant personal information or face the likelihood of being denied access to mobile apps. In May, the Cyberspace Administration of China said 33 mobile apps, including Sougou Pinyin, iFlytek, Baidu Input, Gaode Map and Baidu Map, collected excessive personal data without the consent of users, and gave their developers 10 days to rectify any unauthorized data collection.
This is just one of the ways that regulators have been looking to address the challenges to data protection. Another example: In late March, four regulators jointly released the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications. The provisions stipulate that mobile app developers must not deny users basic services if they refuse to share unnecessary personal data, which further refines the requirements for mobile app developers on collecting personal information from users.
In April, the second draft of the Personal Information Protection Law was promulgated, and further stipulated that personal information must not be collected through coercion. The collection and handling of personal information must be limited to the minimum scope necessary to achieve the goals of handling the information and must be carried out in a way that minimizes the impact on the rights and interests of individuals. Developers must also disclose the rules for handling personal information; clarify any goals, methods and scope of the handling; and ensure the quality of personal information to avoid causing negative impact on individuals' rights and interests from inaccurate or incomplete information.
A series of regulatory moves targeting the platform economy has sent a strong signal that regulators are tightening scrutiny over the sector.
Ramon Huang, senior partner at Hui Ye Law Firm, tells ALB that the protection of personal information will help raise awareness of fair competition among platform operators. Companies are not allowed to abuse data or illegally collect and use personal information, which disrupts market competition and harms the rights and interests of consumers. These measures strengthen the corporate accountability of app distribution platforms, including app stores, and require distribution platforms to strengthen pre-launch inspection and post-launch supervision.
“They stipulate that large platforms that span across sectors such as auto-driving, vehicle networking and artificial intelligence should be responsible for data localization,” he says.
But lawyers feel companies should make the first move by ensuring they themselves are compliant. “Given the current regulatory trend, platform companies should conduct systematic compliance audits of their core business model and rectify any compliance violations,” says Chen Jihong, equity partner at Zhong Lun Law Firm.
Based on the recent new rules, Internet platforms are expected to face stricter compliance regulations than other data companies and fulfil special obligations when their business, service, or number of users meet certain thresholds, points out Kevin Huang, partner at Commerce & Finance Law Offices.
He explains that these obligations include “establishing an independent body that is mainly made of external members to supervise the platform’s handling of data; publishing social responsibility reports on personal information protection on a regular basis; and governing and supervising third-party data processors on the platform.”
Platform services that depend heavily on data, such as personalized display and smart risk controls, may be impeded as companies have to fulfil the special obligations required by the new rules, Kevin Huang says. Massive data resources and the data analytic technologies supported by these resources are important levers for platform companies to provide these services. Fulfilling these special obligations will enhance the companies’ compliance in data processing but also restrict their freedom in using data and technologies, which will undermine their competitive advantage enabled by data.
Furthermore, fulfilling these obligations will increase the cost of data compliance. Kevin Huang explains that companies need to invest more resources in rectifying their business and institutional flaws related to data processing to answer to the independent supervisory body and to avoid disclosing these flaws in their social responsibility reports. On the other hand, if companies fulfil the obligation to govern third-party data processing on the platform, they need to impose more rules on data governance and more technical measures, such as modifying the platform rules, restricting system authorizations and staying committed to monitoring the technologies used.
Ramon Huang also believes that the intensified legislation and law enforcement efforts may increase the cost of compliance for the platform economy sector in the short term and impact current business models. But in the long run, these efforts will keep competition healthy, cultivate digital literacy and prompt companies to keep a compliance regime in place and undergo digital transformation, which will promote the sustainable development of the digital economy.
Overall, the promulgation and enforcement of data compliance rules can contribute to the development of “digital China” in the long term. The move indicates regulators’ intention to balance the protection of personal information and the flow of data as the industry grows. It also shows that regulators prioritize issues that gravely concern society and industry, such as sensitive personal information processing and the illegal behavior associated with apps and software development kits, while easing regulation on other less urgent issues.
Kevin Huang believes that under the new rules, platform companies will share part of the responsibilities of data regulation and serve as “gatekeepers.”
Supervising a large number of data processors has been challenging for regulators since data processing activities are embedded in everyday life. As a result, the legislature offloads part of the regulatory responsibilities to platform companies, such as operators of application distribution platforms, operating systems and large-scale apps. These platform operators control the technical resources and operating environment that data processors on the platform depend on in order to provide products and services, which gives them the resources and capability to supervise third-party processors.
Meanwhile, Chen suggests that “companies should pay close attention to the laws for the platform economy and regulatory updates, and keep inspecting their operations to avoid compliance risks.”
Kevin Huang has another suggestion. “Platform operators should assess if they are subject to the new regulations based on their business, services and number of users. If this is the case, they should formulate rules and impose technical measures to supervise data processing by third parties. They should also improve compliance of their own data processing,” he says.
OPPORTUNITIES AND CHALLENGES
Speaking of how law firms should provide compliance services to companies under the new rules, Kevin Huang believes lawyers should assess if companies are engaged in the platform economy and what roles they play when providing legal services.
He explains that for platform operators, lawyers should identify and point out the special obligations that they may need to fulfill and advise them on how to do so. If the company is a third party on the platform, lawyers should help them understand the platform’s management rules and authority. They should also remind their clients to keep an eye on the rules and notices on data processing issued by the platform operator.
Sharing a similar view, Ramon Huang says, “Both companies and lawyers should pay close attention to the latest development of the country’s regulations and policy to predict new regulatory and law enforcement trends. They should understand the scope of regulations and law enforcement as well as industry best practices to refine the companies’ business models and technical measures to balance legal risks, the costs of compliance and technical feasibility.”
In Chen’s view, both companies and law firms face challenges and opportunities under the new compliance rules. He says law firms should help platform companies create a data compliance regime and conduct compliance audits of their digital products. They should also help companies conduct rectification, build a system for personal information impact assessment and constantly improve their operations.
“On one hand, lawyers should upskill themselves and seize the opportunities to win more business. On the other hand, they should study thoroughly every regulation to provide better services for their clients to implement compliance systematically,” Chen concludes.