Privacy & Information Security Law Blog

On March 22, 2016, the Ministry of Commerce of the People’s Republic of China published drafts of its proposed (1) Specifications for Business Services in Mobile E-commerce (“Mobile E-commerce Specifications”) and (2) Specifications for Business Services in Cross-border E-commerce (“Cross-border E-commerce Specifications”). A public comment period on these drafts is now open. Comments will be accepted until May 31, 2016.

The Mobile E-commerce Specifications contain several provisions that require service providers in the e-commerce sector to take measures to ensure the security of operational data and service platforms. According to the Mobile E-commerce Specifications, “service providers in the electronic commerce sector” refers to platform service providers who provide e-commerce transaction platforms that are accessed over mobile devices. The Mobile E-commerce Specifications apply whenever these platforms are accessed or used by online sellers, logistics services providers, payment service providers and purchasers via mobile devices.

Under the draft specifications, platform service providers would be responsible for the handling of transaction information and relevant personal information from online sellers. The authorization of the data subject would be required before collecting and processing personal information. The collection of transaction information would have to be authorized by the parties to the transaction.

In addition, personal and transaction information may not be directly used for commercial purposes unless it has been desensitized. Platform service providers could, with the consent of an online seller, transfer, copy, transmit or process desensitized data from the online seller. Personal information would have to be encrypted before being transferred online. Also, a record must be maintained of any disclosures of personal and transaction data to administrative authorities, enforcement authorities or the judiciary.

Platform service providers also would be responsible for the management of the platform’s data security. Personal data from online sellers should be isolated on the platform, and only the data owner should have access to the data. Modifications to original data stored on the platform should be authorized only by the data subject. Platform service providers would be responsible for protecting personal data from online sellers from loss.

The Cross-border E-commerce Specifications would impose similar requirements and obligations in a separate, but closely related, category and would apply the same obligations under the Mobile E-commerce Specifications to e-commerce service providers who provide e-commerce transaction platforms for the purchase and sale of cross-border goods. The Cross-border E-commerce Specifications apply whenever these platforms are accessed or used by online sellers, logistics providers, payment service providers and purchasers of cross-border goods.