Buying a distributor does not mean you can use its client data. Points of attention when you are conducting your due diligence. Or structuring your relationship with a distributor in China…
Written under the supervision of Bruno Grangier, Managing Partner at Leaf (b.grangier@leaf-legal.com)
Many European businesses that are looking to get a foothold in China start by partnering with a distributor or a local company. When they finally decide to expand and set up their own subsidiary in China, either directly or through an acquisition, they need their customers’ data transferred from the partner’s database into their own CRM.
This move always raises the question of feasibility and conditions for data transfer in China, where most consumers are linked to WeChat, and personal data handling is subject to close scrutiny by authorities. Below, Bruno GRANGIER, a corporate lawyer and partner of Leaf based in Shanghai in collaboration with Maxime OLIVA, the founder of the data risks & security advisory firm called TEKID, outline the main issues to be considered when planning for such a transfer to ensure compliance with Chinese data privacy laws.
Legal Framework for Data Transfer in China
There are three main pieces of legislation regulating the handling of data and personal information in China: the Personal Information Protection Law, the Cybersecurity Law and the Data Security Law. In addition, the privacy and protection of personal information are regulated by the Civil Code of the People’s Republic of China, effective January 01, 2021, which introduced a unified legal framework for civil law in China for the first time.
The Personal Information Protection Law (PIPL), which came into effect on November 01, 2021, applies to the handling of personal information of natural persons in China. It provides protection of personal data and standardizes its handling by individuals and organizations.
The Cybersecurity Law (CSL), effective June 01, 2017, includes additional requirements for the protection of personal information and applies to organizations operating computer network systems. In turn, the Data Security Law (DSL) sets policies for data security, data classification, security reviews and contingency responses.
Feasibility Study
When companies expand their presence in China and seek to transfer the personal data of their customers from the partner’s CRM into their internal database, they need to start with a feasibility study. This step involves determining the nature of the data in question, its storage, the stakeholders and defining exact processes for data transfer.
Verifying the Nature of the Data
When building a plan for data transfer in China, it is essential to classify the data to determine whether it is personal information, sensitive personal information or another type of data. This first step makes it possible to determine the regulations applicable to such data and to outline proper handling methods. This stage includes a data inventory, identifying all possible data points (for example, phone number, date of birth and other details), and a legal qualification of how the data in question are regulated.
Understanding the Stakeholders
The next stage of the feasibility study includes locating where the data is collected and stored and identifying the stakeholders and their roles. Where the GDPR in Europe sets specific duties for data controllers and data processors, the PIPL defines the roles of personal information handlers and of their entrusted parties, which process personal information on behalf of the PI handler.
During data mapping, it is essential to identify the sources of the data, whether they are held in the distributor’s CRM, on a professional e-commerce platform like Tmall Partner, or by other entities. Knowing each of the stakeholders is essential for understanding the governance applied by the platform and for answering questions about the legality of the data.
Transfer Conditions
When defining the transfer conditions, it is important to distinguish between the data collection phase and the data re-engagement phase. These stages can occur at the same moment or at different moments, depending on the user environment and the availability of user consent. The collection of consent must be validated and its contents verified, including the consent for the transfer of data to a new personal information handler.
The PIPL is specific about the notification requirement in cases where personal information is transferred as a result of mergers, separations and “other such reasons.” The personal information handler should notify the individuals whose personal data is transferred of the name and contact details of the recipient. If the recipient changes the purpose of collecting personal information or the handling method, it should notify the affected individuals and obtain their consent.
The transfer should be preceded by drafting basic contractual documents covering the data handling methods laid out in the Privacy Policy. The terms of the transfer should also include guidelines for the deletion of the data by the distributor or the seller after the transfer and provide for other closing conditions. Last but not least, if the transfer is implemented by someone other than the recipient, it is essential to choose the right operators so as to exclude the risks for the former.
All these steps can be specified in the proper contractual documentation, and suitable experts should ensure the proper execution of such undertakings. These specific constraints may also be a point of attention when choosing between an asset deal and an equity deal to acquire the targeted distribution network. They may also determine the way you want to structure the distribution network with a distributor in China if you want to be able to take it back later on.
Personal Information Security Assessment
According to the PIPL, entrusting the handling of personal information to another handler as a result of a data transfer triggers an additional check referred to as a personal information protection impact assessment.
The scope of this stage includes the following checks:
- whether the purpose and the method of handling personal information are necessary and compliant,
- the level of risk involved and the impact on the rights and interests of the individuals whose personal data are processed,
- whether the measures taken to protect personal information are compliant, effective and proportionate to the level of risk.
When conducting a protection impact assessment, personal information handlers are required to keep the assessment report and the handling status records for not less than three years.
Penalties for Non-Compliance
The law defines specific consequences and penalties for violating obligations related to personal information, including its handling during a data transfer. The list of sanctions includes orders to correct the violation, confiscation of unlawful income, and suspension or termination of service provision.
If the party at fault refuses to correct the violation, it will additionally be liable to a fine amounting to 1 million RMB (approx. 136 thousand EUR), while the responsible persons will be subject to fines ranging from 10,000 RMB (1,363 EUR) up to 100,000 RMB (13,625 EUR).
For grave consequences, the fines are increased to 50 million RMB (approx. 6.8 million EUR) or 5% of annual revenue, while personal penalties can be as high as 100,000 or 1 million RMB. While the term ‘grave consequences’ is not defined by the law, the applicable penalties in this case can additionally include the cancellation of administrative or business licenses.
Learn More About Data Transfer in China with the lawyers from Leaf and the tech experts from TEKID
The above report is a general overview of the regulatory landscape applicable to data transfer in China in the context of an asset deal. The personal information framework in the PRC is continuing to evolve, so new rules, guidelines and standards are still to be developed. For more detailed information on the transfer of digital assets in China and on handling personal information during a data transfer, please don’t hesitate to contact Bruno GRANGIER from Leaf (b.grangier@leaf-legal.com) and Maxime OLIVA from TEKID (maxime.oliva@tek-id.com).
About Leaf
Leaf is a multi-award-winning corporate law firm specialized in cross-border M&A transactions in Asia.
Leaf advises international corporations and mid-cap enterprises on safely completing their cross-border operations and their joint ventures with state-owned and private partners. We also assist our clients in their strategic operations across Asia and in structuring investments in Asian-based start-ups.
The team is composed of international corporate lawyers based in China and in France.
About TEKID
TEKID is a digital risks and security firm focused on protecting the interests of its customers operating in cyberspace.
TEKID provides advisory, consulting and engineering services for multinational companies as well as medium-sized enterprises. Its uniqueness lies in its combined expertise in legal, security and operations, which only a lean, cross-trained, imaginative and adaptable team can provide, together with personal attention and hands-on executive involvement.
TEKID is composed of an international team and operates in France, China, Vietnam, and Hong Kong.