Data Privacy under the PRC Network Security Law and the Draft PRC E-Commerce Law

First, here are some slides for quick reference if you are lazy and don’t want to read.

Capture6

Capture7
Capture8

The PRC Network Security Law (“NS Law”) has come into force on June 1, 2017. This law provides certain provisions in relation to the data privacy. Some of them appear to be beneficial to the individual data owners, whilst some others may be counter-productive to the protection of data privacy.

In parallel, the legislative branch of the Chinese government has published a draft PRC E-Commerce Law (“Draft EC Law”) for public consultation in December 2016.  This draft law has not yet to be passed by the PRC National People’s Congress (NPC) to become effective. However, its provisions have reflected some basic attitudes of the Chinese authority towards the protection of data privacy.

This essay sets out and provides my comments on the key provisions with respect the data privacy under the NS Law and the Draft EC Law.  In order to make readers digesting these laws easily, I will apply Daniel J. Solove’s theory of categorization of the data privacy issues.

1. Data Collection and Aggregation

“Aggregation” means the gathering of a person’s data from different sources and then combining them to form a clearer image of the person.

  • Art. 22.3 of the NS Law: ISP cannot collect its users’ personal information without the expressive consent. Art. 41 of the NS Law: ISP shall publish the rules, purpose, method, and scope of collection of personal information. No collection without users’ consent.[Comments: (i) These provisions do not distinguish “collection” and “aggregation”.  (ii) As a result, although these provisions have clearly required an operator to obtain consent before collecting its users’ information, they did not address the issue whether a third party can search and aggregate personal information (either from the public domain or from the first-hand data collectors.)]

2. Surveillance

Surveillance means the act or system enabling the government or a company to monitor user’s activities (“Big brother is watching you”).

  • Art. 51 of the Draft EC Law obliges E-commerce business operators to provide data to government authority (although it also said that the government authority should adopt “necessary measures” to protect data security).
    [Comments: (i) This provision legitimized (rather than prohibited) the surveillance practice.]
  • Art. 21.3 of the NS Law: ISPs are obliged to monitor and record user’s activities and should keep records for no less than 6 months.
    [Comments: (i) this could be counter-productive to protecting privacy from the individual data owner’s perspective; (ii) the 6 months storage obligation is not new in China, but the NS Law makes the compliance to be a necessity (at least on paper). ]

3. Identification

Identification means to identify a particular person or a particular group of persons by data analysis.

  • Art. 42.1 of the NS Law: No sharing of identifiable personal data without consent. Art. 50 of the Draft EC Law: an E-commerce business entity is obliged to take protection measures to ensure anonymity before it shares the e-commerce data with another E-commerce business entity.[Comments: Article 42 of the NS Law first prohibits business operators from divulging personal information to a third party. Then it says that if the data cannot identify a particular person, then it is fine to transfer without the data owner’s consent. Article 50 of the Draft EC Law has generally kept consistency with the NS Law on this regard. ]
  • Art. 45 of the Draft EC Law confirms that the buyers have autonomy over their personal data; it also defines the personal data with a detailed list, such as name, ID certificates number, address, contact details, information of geographical location, bank card info, transaction records, payment records and records of accepting logistic services.[Comments: The Draft EC Law did not distinguish the “private personal data” and the “business personal data”.  In some countries, use and aggregation of the business contacts (e.g. office telephone numbers, office email address and other info shown on a business card) may enjoy certain exemptions.]
  • Art. 46 of the Draft EC Law first provides that collection of personal data requires user consent; then it prohibits the denial of service due to the user’s refusal of providing personal data.

4. Disclosure and Insecurity

Disclosure means the data holder’s own act of disclosing the private facts. Insecurity means the situation that the data is attacked and stolen.

  • Art. 21. 2 and 21.4 of the NS Law request ISP to take technical measures to protect its system from attack; ISP also needs to classify, backup and encrypt data.
  • Art. 22.1 and 22.2 of the NS Law request ISP to take remedial actions when its system is in risk; provide security maintenance during the term of service. These provisions also generally requested the producer of network security products or services to report the authority about the data breach.
  • Art. 27 of the NS Law generally prohibits hacking acts. It also prohibits the assistance of hacking practice, such as tech support, advertising, and settlement of payment.
    [Comments: The provision did not clarify if the “assistance” means knowingly assistance. It also did not clarify if “constructive knowledge” also applies to this provision.]
  • Art. 42.2 of the NS Law requests ISP to take technical measures to protect data from disclosure, damages or loss. It also mentioned that the data holder shall report the data breach to the relevant authority.
  • Art. 49 of the Draft EC Law provides that e-commerce business entities must establish rules and technologies to prevent disclosure of data. It also provides if there is a data breach, the e-commerce business entity is obliged to (i) take remedial measures, (ii) notify the users and (iii) report to government authorities.

5. Exclusion 

Exclusion means the act/rule disabling/excluding a user from maintenance and deletion of his personal data from the system. The reason for deletion can be either those data are objectively outdated or the data owner simply changed its mind of disclosing the data.

  • Art. 43 of the NS Law: User has right to request deletion if the service provider’s collection or use of personal information in breach of the law/agreement; or there are mistakes in the personal information.[Comments: According to this provision, if there is no mistake in the personal information and the service provider does not breach the contract, then the data owner will not have right to remove the data he/she has provided to the service provider. It is not clear whether “mistake” herein includes “outdated”.  However, it seems clear that data owner would have lost an absolute right of deletion.]
  • Art. 47 of the Draft EC Law: provides that when a user requests correction or supplement of his/her personal information, the E-commerce business entity should correct or supplement the information accordingly.
  • Art. 48(3) of the Draft EC Law: provides that a user has right to delete its personal information. However, such right of deletion only arises (and is only mentioned) upon lapse of agreed / statutory term of preservation of personal data.

6. Increased Accessibility

Increased accessibility means, without the consent of the personal data owner, making the information that is already available to the public EASIER for a wider scope of the audience to access.

E.g., a buyer’s review of a particular product is usually made available to the public.  However, the buyer might not want his friends or colleagues to know that he purchased such product.

Neither the Draft EC Law nor the NS Law has provision preventing increased accessibility of data.

7. Blackmail, which means using a person’s personal data to blackmail him/her.

In e-commerce scenarios, it is possible that an e-commerce vendor may blackmail a buyer with the buyer’s personal records when the vendor gives a negative review of the vendor’s product. The Draft EC Law has no provision preventing such blackmails.

8. Distortion

Distortion: means disseminating false and misleading information to manipulate the way a person is perceived and judged by others.

  • Art. 42.1 of the NS Law provides that service providers cannot distort personal information. But this appears to be too general.
  • Art. 52 of the Draft EC Law stipulates that the state should promote all e-commerce business entities to ensure that information is accurate and reliable etc.

9. Second Use

Second use means the use of data for purposes unrelated to the purposes for which the data was initially collected without the data subject’s consent.

  • Art. 52 of the Draft EC Law provides that the State shall establish public data sharing mechanism. Such mechanism necessarily involves the second use of data. However, no guidance or rules are provided in relation to second use except to the extent that the State should ensure e-commerce business entities shall protect the liability, security, and authenticity of aggregated data.

 

Draft PRC E-Commerce Law: Compliance Check

Below are a few slides reflecting the result of a compliance check of the leading e-commerce service providers’ user terms or privacy policies (sorry I will not disclose their names).  The survey was conducted under the assumption that the provisions in Draft PRC E-Commerce Law (as published for public comments on December 27, 2016) will be effective.

Capture1

Capture2

Capture3

Capture4 Capture5

How to request Taobao / Alibaba disclosing seller’s info

天猫阿里怎么披露卖家信息
http://blog.sina.com.cn/s/blog_cf8a85980102w3ii.html 

如何取得涉嫌侵权的淘宝卖家信息
http://www.wangjinglvshi.com/archives/222.html

平台治理假货的法律义务和责任
http://mt.sohu.com/20160520/n450588557.shtml

双边市场和第三方电子商务平台商标侵权的替代责任
http://pkulaw.cn/fulltext_form.aspx?Db=qikan&Gid=1510138009

面对侵权投诉ISP如何履行信息披露义务
http://wap.chinaxwcb.com/2013/0801/6095.html

从淘宝侵权看网络交易平台商的法律地位
http://www.xzbu.com/2/view-5475664.htm

侵犯商业秘密行政查处流程及需提交的材料说明
http://www.wuji8.com/meta/886544282.html

原告郭东林与被告王洁琼因商标权侵权纠纷一审民事判决书
http://ipr.court.gov.cn/jx/sbq/201410/t20141029_3712081.html

浅析电商在知识产权纠纷中的侵权责任承担——《关于审理电子商务侵害知识产权纠纷案件若干问题的解答》解读
http://www.debund.com/info/f3554e4507da4e04934b1545ceb61e2d

北京高院出台关于电子商务侵害知识产权纠纷案件若干问题的解答
http://www.wanhuida.com/tabid/142/ArticleID/1625/Default.aspx

北京高院关于审理电子商务侵害知识产权纠纷案件若干问题的解答
http://www.jianfazhiku.com/ReadNewsAll.asp?newsid=16255

田方舟与浙江淘宝网络有限公司侵权责任纠纷一审民事判决书
http://www.qiduowei.com/court-MDAwMDEyMzA42NDIy

Book Chapter – Taxation Issues in the E-commerce

DONG Hao, “Taxation Issues in the E-commerce”, in LI Zuming (ed.), E-commerce Law, Beijing: University of International Business and Economics Press (2009), 19,000 words;

Introduction:

The E-commerce should not escape itself from the taxation. However, the troditional tax law and taxation policies would not cope with the new challenges including the identification of the taxpayer, the jurisdiction issues, the "new" objects of taxation, etc. This chapter firstly analyzed the impacts of the online commerce to the traditional tax law. Then it introduced the achievements either in the academia or in the legislations in various countries. China’s relevant taxation policies and the future development are discussed in the third section of this chapter. To make this book more practical,  although the structure of the chapter can be divided to the above three parts, the whole chapter always focuses on the possible dilemma as well as the solution in the context of Chinese taxation system.


书章:电子商务中的税收问题

DONG Hao, “Taxation Issues in the E-commerce”, in LI Zuming (ed.), E-commerce Law, Beijing: University of International Business and Economics Press (2009), 19,000 words;

Introduction:

The E-commerce should not escape itself from the taxation. However, the troditional tax law and taxation policies would not cope with the new challenges including the identification of the taxpayer, the jurisdiction issues, the "new" objects of taxation, etc. This chapter firstly analyzed the impacts of the online commerce to the traditional tax law. Then it introduced the achievements either in the academia or in the legislations in various countries. China’s relevant taxation policies and the future development are discussed in the third section of this chapter. To make this book more practical,  although the structure of the chapter can be divided to the above three parts, the whole chapter always focuses on the possible dilemma as well as the solution in the context of Chinese taxation system.


书章:电子商务中的税收问题

董皓

 

本章内容全文载:李祖明主编:《电子商务法教程》(高等院校法学专业规划教材)第十章,对外经济贸易大学出版社,2009年9月。如需引用,请查阅正式出版的书 本以获取准确页码。本作品不适用本站所通常采用的创作共用 (Creative Commons)条款。未经许可,任何网站不得转载本作品

 

  电子商务作为一种营利性的活动,自然要与税收征管发生关系。税收作为财政收入的主要来源,不仅是政府履行职能的物质基础,也是国家宏观调控的重要方式。而电子商务的出现和发展,在为经济提供新的增长点、为国家提供新的税源的同时,也给税收征管带来新的挑战。如何确定纳税主体、征税对象、税收管辖权等等问题,都需要在不断实践中予以总结。因此,和与电子商务相关的许多其它法律问题类似,本章中的许多内容,无论是在理论层面还是实践中,都还处于不断摸索和探讨中。

本章首先从税收基本要素的角度,分析了电子商务对传统税法的影响,然后介绍了国际社会和国内学界对相关问题的探索性成果,最后介绍了我国目前与电子商务有关的税收政策及未来的发展方向。在叙述这些内容的过程中,本章始终以中国税法环境下的具体问题为核心。力求让读者既掌握对实际工作有价值的税法知识,又认识到电子商务税收问题的复杂性、探索性,在应用和理论层面都有一定的知识储备,为今后的工作打下基础。

 

点击此下载PDF版本阅读