News

China's evolving data protection legislation and its implications for the online retail business

01 December 2021
Image
Image

The promulgation of China's Personal Information Protection Law (PIPL), effective since November 1, 2021, is a crucial milestone in the development of Chinese data protection legislation.

This piece of legislation has profound implications for any type of business, particularly where a large amount of information (including personal information) and cross-border transfer of data many be involved. The e-commerce sector will be as such one of the business sectors that will be most affected by the PIPL.

Similar to the European General Data Protection Regulation (GDPR), the PIPL imposes restrictions on how personal data should be handled, and its extraterritorial effects extend to anyone providing goods and services to people in China or anyone analyzing the activities of people within China. But the PIPL also solidifies China’s unique perspective towards separate consent requirements, data localization and cross-data border transfers.

Companies engaging in online retail business in China (including online sellers and e-commerce platform operators) need to grapple with the implementation of the PIPL and should:

  • Have a clear understanding of the type of information necessary for online shopping; adopt a transparent privacy policy stipulating a clear and reasonable purpose for the collection of consumers data.
  • Have an appropriate consent mechanism embedded in websites/mobile applications (e.g. set up popup windows to obtain separate consent).
  • Comply with the stringent requirements for data exportation before transferring customer data to overseas affiliates.
  • Implement appropriate data protection and cybersecurity clauses in the agreements with service providers; disclose sufficient information of third party service providers in their privacy policies (e.g. information of the SDK service provider deployed on websites or mobile applications).
  • Establish an internal data protection compliance policy.

The PIPL is mostly drafted in general terms, and will have to be supplemented by detailed implementing rules. At present, it is therefore hard to assess how to fully achieve compliance with the new regime, in the absence of detailed implementing legislation and guidance from the Chinese authorities. It will be essential to watch out for any new developments in this area and seek proper guidance on the interpretation of these new rules.

 

Authored by Sherry Gong, Tong Zhu, Flora Feng.

Contacts

bio-image

Sherry Gong

Partner

location Beijing

View more

Related topics

Load more

Related countries

Related keywords

Load more

More like this

image_1
Insights and Analysis

2024 Annual Retail and Fashion Holiday Guide

18 December 2024
image_1
News

CES 2024: AI, Sustainability, Inclusivity and Living Technology

08 February 2024
image_1
News

2023 Annual Retail and Fashion Holiday Guide

19 December 2023
image_1
News

How to prepare for evolving global AI legislation

13 December 2023
image_1
News

Recap: Consumer Horizons webinar on Artificial Intelligence – Transforming consumer business and reshaping the law

30 June 2023
image_1
News

China’s new internet advertising measures to take effect on 1 May 2023

17 April 2023
image_1
News

Recent developments in African data protection laws – Outlook for 2023

24 February 2023
image_1
News

Consumer NFT Guide

15 February 2023
image_1
News

2022 Annual Retail and Fashion Holiday Guide

21 December 2022
left_arrow
right_arrow

Search

arrow
arrow

Register now to receive personalized content and more!

 

Register
close
See benefits
Register