On 7 November 2017, the National People's Congress of China made public for comments the second draft of the E-commerce law (the "drafted E-commerce Law"). One step closer toward its final version, important modification was made to the drafted E-commerce law compared to the first draft of the E-commerce law (the "first draft"). In this article we will focus on the importance for E-commerce compliance with Chinese data protection and cybersecurity. In particular, the narrowing down of the drafted E-commerce law scope of application and its conformity to the Cybersecurity Law (CSL) for data protection and cybersecurity matters.
Narrowing down application to mainland China
The deletion of the second part of Article 2 and of Chapter V on Cross-border E-commerce has for effect to render the drafted E-commerce law fully domestic. As a result, the drafted E-commerce law will now solely cover E-commerce activities occurring within mainland China without considering cross-border E-commerce operation where domestic operators or consumes participate.
A narrower scope for Chinese E-commerce eliminates the issue of Chinese law extra-territoriality alongside the enforcement outside of the Chinese territory.
Furthermore, the deletion of Chapter V is appraising questions regarding the involvement of the government in the development of a Chinese cross-border E-commerce specific legal framework. Provisions meant at supporting such framework and economic sector including Article 68 to Article 70 were deleted without counterparts in the second draft. This also raise the issue of cross-border transfer of personal information without such legal framework.
Regarding the cross-border transfer of personal information, the deletion of Chapter V and its inclusion of Article 71 on cross-border personal information protection is to be considered. Now devoid of specific provisions, cross-border transfer of personal information will now be subject to the general data protection regime. This regime is currently being reformed by various draft standards issued by the TC260 and the drafted Administrative measures for cross-border transfer of personal information and important data, which was published for comments on 11 April 2017 by the Cyberspace Administration of China but yet to be finalized. If the drafted E-commerce Law was to be passed as such, without further evolution on the general cross-border transfer of personal information legal framework, the current rules for cross-border transfer of personal information would continue to apply.
Data protection for E-commerce relegated to the Cybersecurity Law
A major overhaul given to the drafted E-commerce Law is the subsidizing of its data protection and cybersecurity elements under the CSL. With the deletion of Chapter IV, Section 1 on E-commerce data information, relevant provisions on data protection and cybersecurity were taken from the drafted E-commerce law.
Similarly, relevant sanctions to the provisions of Chapter IV, Section 1 were taken away from Chapter VII of the drafted E-commerce Law on legal liability.
As replacement the drafted E-commerce Law is now relegating those issues to the CSL through Article 20. While this prevents any question regarding potential conflict of law between the drafted E-commerce law and the CSL, it has for effect to also greatly expand relevant sanctions for data protection and cybersecurity. Article 87 of the first draft regarding data protection is now replaced by the enforcement of Article 64 of the CSL in case of violation of personal information rights and obligations. This replacement has for consequence to have potential fines for the violation of personal information rights and obligation to jump from between CNY 30,000 to CNY 100,000, to the confiscation of illegal gains, or a fine of no less than one but no more than ten times the illegal gains or be subject to a combination thereof as the case may be; where there is no illegal gain, a fine of no more than CNY1 million shall be imposed;
For cases where the circumstances are serious, in addition to the possibility to order the entity to stop business for rectification or revoke the business license, the authority may close the infringing website if there is any.
The second version of the E-commerce Law is subject to comments until the 6 December 2017 on the website of the NPC, www.npc.gov.cn. Following the collection and examination of received comments, the law will further proceed toward another draft version or final version for publication. Based on the progression of this law, its adoption could happen within 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.