Observations and Reflections on Enhanced Legal Due Diligence for Data Compliance

In recent years, technologies such as the Internet, big data, cloud computing, blockchain and artificial intelligence have accelerated innovation and been continuously integrated into every process and field of economic and social development. The enormous commercial value of data is increasingly being explored and verified by the market, and data has become a factor resource comparable to land, labor, capital and technology. The digital economy, which takes data resources as a key production factor, modern information networks as an important carrier, and the effective use of information and communication technology as an important driver of efficiency improvement and economic structure optimization, has also become a national strategy.

Accompanying this rapid development is the intensive introduction of laws, regulations and policy systems, together with continuously strengthened law enforcement and supervision. On the one hand, the data supervision and regulatory system is becoming more and more complete. Since the Cybersecurity Law took effect on June 1, 2017, a series of laws, regulations and rules have been issued successively, including the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Critical Information Infrastructure, and the Cybersecurity Review Measures. On the other hand, data supervision and enforcement have been continuously strengthened. For example, the Ministry of Industry and Information Technology launched a special rectification campaign against apps infringing on users’ rights and interests in October 2019, and the “Didi Chuxing” app was removed from app stores in July 2021 for seriously violating laws and regulations on the collection and use of personal information, a case that also touched on national security and aroused strong public concern.

Against the background of increasingly strengthened supervision, enterprises face ever stricter data compliance requirements, and the risk of non-compliance and resulting legal liability cannot be ignored. Identifying data compliance risks through enhanced due diligence is a key link in data compliance governance.


1. Application scenarios of enhanced legal due diligence for data compliance


(1) New content in enhanced legal due diligence for investment and M&A projects


In investment and M&A projects, enhanced legal due diligence is usually carried out on the target company or assets. The routine scope of investigation mainly covers historical evolution, main business, qualifications and licenses, main assets, creditor’s rights and debts, litigation and arbitration, administrative penalties, and so on. However, when the target company or assets involve data, and especially when the data has a major impact on the target company’s operations or accounts for a high proportion of the total value of the target assets, enhanced due diligence on the data compliance of the target company or assets becomes particularly important, because the existence or absence of data compliance issues is likely to affect the transaction structure, progress and valuation, and even whether the transaction can proceed at all.

Therefore, when carrying out enhanced legal due diligence for investment and M&A projects, data compliance has become an important part of the scope of investigation that cannot be ignored.


(2) Key steps for data compliance rectification before listing


Enterprises applying for listing on domestic and overseas capital markets must meet compliance requirements, that is, there must be no matters that constitute a substantial legal obstacle to the listing application. In the era of the digital economy, the importance of data compliance in the listing process has become prominent. Data compliance issues will undoubtedly have an adverse impact on a listing and may even constitute a substantial legal obstacle.

As far as A-shares are concerned, securities regulators are paying more and more attention to data compliance issues in corporate listing reviews. On the one hand, the cases in which feedback and inquiries involve data compliance issues are not limited to artificial intelligence and other technology companies, but also extend to e-commerce companies. For example, in its feedback inquiry to Shenzhen Sanstate E-Commerce Co., Ltd., the Shenzhen Stock Exchange asked it to “explain the links and main contents of the acquisition and processing of customer information and third-party information in the business process, whether the relevant data sources used need to be authorized, and whether there is a risk of data non-compliance”. On the other hand, feedback inquiries involving data compliance issues are characterized by their wide scope and strong technical nature. For example, in its feedback inquiry to Shanghai Hehe Information Technology Co., Ltd., the Shanghai Stock Exchange required it to explain “what data are acquired, stored and used by each business and R&D activity, the corresponding data sources, data ownership, whether there are sales data… how the legality of the source of enterprise data obtained by automated access is ensured, the specific method and effectiveness of investigating suppliers and the legality of the data source… the formulation time, main content and implementation of the relevant systems and specifications on the acquisition, storage and use of data, and whether they can effectively ensure data security and the legal compliance of the business… the impact of legislation such as data security and personal information protection in recent years on research and development, procurement, sales, etc., and whether business development complies with these laws and regulations.” As far as Hong Kong stocks are concerned, when Keep submitted an IPO application to the Hong Kong Stock Exchange in February 2022, it directly engaged a dedicated PRC lawyer for data compliance.

In order to cope effectively with the data compliance challenges of the listing process, companies planning to go public need to complete data compliance rectification in advance, and carrying out enhanced legal due diligence on data compliance to identify risks and determine a rectification plan is a key step in that rectification.


(3) An important prerequisite for establishing a data compliance system in the daily operation of an enterprise


In the course of enterprise development, business growth and compliance risk control are prone to conflict, especially for start-ups, emerging business formats and Internet products, where there is a temptation to gamble on testing the regulatory bottom line. Only operating in compliance can ensure long-term development, and building a data compliance system is the premise and foundation for ensuring an enterprise’s data compliance.

Through enhanced due diligence, one gains a comprehensive and in-depth understanding of the enterprise’s business model, business processes, the data types involved, data sources, external data cooperation, data protection status and so on, discovers and judges the data compliance risks and potential risks involved in the enterprise’s operations, and on this basis builds a targeted and operable data compliance system. It can be seen that enhanced due diligence is an important prerequisite for establishing a data compliance system in the daily operation of an enterprise.


(4) Effective ways to screen and supervise partners during external data cooperation


When an enterprise cooperates with external parties on data services, the data compliance risks of those partners (such as data suppliers and trustees entrusted to process data) directly affect the enterprise itself. Therefore, before the cooperation begins, enhanced due diligence on the data compliance of prospective partners helps to screen for compliant partners; during the cooperation, continuous and phased enhanced due diligence that supervises the partners’ data processing activities, ensuring that they process data in accordance with the law and the contract, is an effective way to prevent partners’ data compliance risks.


(5) Necessary measures for data export risk assessment


In the era of the digital economy, data is becoming a key force in reorganizing global factor resources, reshaping the global economic structure and changing the global competitive landscape. Active participation and integration into international cooperation in the digital economy will inevitably involve cross-border data flows. In order to safeguard national security, China implements strict supervision and review of data export. The Cybersecurity Law and the Personal Information Protection Law both require data export to be subject to security assessment, and the Measures for Data Export Security Assessment (Draft for Comment) require data processors to conduct a self-assessment of data export risks before providing data overseas. In view of this, enhanced due diligence should be carried out on the relevant matters in accordance with the requirements of data export risk assessment, so that data export security risks are prevented in advance and the data export can be completed legally and smoothly.

In addition to the scenarios above, enhanced legal due diligence for data compliance may also be applied in other scenarios with data compliance requirements, for example investigating the potential data compliance risks of a data processing business that an enterprise plans to launch, coordination and communication between data processors and regulatory authorities, criminal risk prevention, and data-related unfair competition. Moreover, as the digital economy develops further, the application space for data will broaden, and the application scenarios of enhanced legal due diligence for data compliance will expand accordingly.


2. Key contents of enhanced legal due diligence for data compliance


Data means any record of information in electronic or other form. As for the connotation of data compliance, combining the provisions of the Data Security Law, the Personal Information Protection Law, the Shenzhen Special Economic Zone Data Regulations and the Shanghai Data Regulations, it covers two aspects: data processing and data security. Data processing includes the collection, storage, use, processing, transmission, provision, disclosure, etc. of data; data security refers to taking the necessary measures to ensure that data is in a state of effective protection and lawful use, together with the ability to guarantee that this state of security continues.

Based on this, data compliance enhanced due diligence needs to focus on two aspects: data processing and data security:


(1) Data processing


The entire life cycle of data “from birth to death” consists of eight stages: collection, storage, use, processing, transmission, provision, disclosure and deletion. Whether data processing is compliant depends on whether it meets the compliance requirements of each of these eight stages.

Although data is not equivalent to personal information, the current key areas of data supervision are important data and personal information, and personal information is the more widely applicable of the two. This article therefore uses the compliance points of the entire personal information processing process to explain the key contents of enhanced due diligence on data processing.


1. Collection

The collection of personal information must generally comply with the principles of legality, legitimacy, minimum necessity, openness and transparency, and authorization and consent. The contents of enhanced due diligence at this stage include, but are not limited to: whether the type, quantity, method and channel of personal information collection are legal, legitimate and minimally necessary; whether the personal information subject is informed of the purpose, method and scope of the collection and use of personal information; whether the consent of the personal information subject has been obtained; whether separate consent has been obtained for sensitive personal information or the personal information of minors; whether a convenient way to withdraw consent is provided; and whether channels are provided for inquiring about, correcting, supplementing and deleting personal information, etc.


2. Storage

Personal information storage must meet the requirements of domestic storage, the shortest necessary retention period, and classified and encrypted storage. The contents of enhanced due diligence at this stage include, but are not limited to: the storage method and location of personal information; whether the storage period is the shortest time necessary to achieve the purpose of processing; whether a specific industry-specific storage period applies; and whether a storage security system has been established on the basis of classification and grading, including the storage carrier, whether storage is encrypted or access is authorized, whether data is de-identified or anonymized, whether data is stored separately, etc.


3. Use

The main points of supervision over the use of personal information are display restrictions, restrictions on the use of user profiles, restrictions on automated decision-making mechanisms, and the prohibition of “big data killing” (price discrimination against existing users). The contents of enhanced due diligence at this stage include, but are not limited to: whether a least-privilege access control policy has been established; whether measures such as de-identification are applied to the personal information to be displayed; whether the use exceeds the scope reasonably related to the stated purpose of collection; whether the specific uses and main rules of user profiles are expressly disclosed to personal information subjects; whether personal information subjects are provided with an effective and easily accessible way to reject user profiling; whether personalized products or services are recommended to minors; whether the descriptions of personal information subjects in user profiles include obscene content or content expressing discrimination against ethnic groups; whether personal information security impact assessments are carried out regularly; whether complaint channels are provided for the results of automated decision-making; whether data analysis is used to discriminate between counterparties with the same trading conditions; and whether the content of automated decision-making algorithms is disclosed to users in accordance with the latest Administrative Provisions on Algorithm Recommendations for Internet Information Services.


4. Processing and Transmission

For the processing and transmission of personal information, although there are currently no specific, targeted provisions, the basic principles of legality, legitimacy and necessity must still be observed.

In addition, a common application scenario for data processing is the use of basic data for in-depth data mining and analysis to form valuable data products that support business decisions; when data processing (big data analysis) is combined with artificial intelligence, it generates enormous imaginative space and commercial value. In this case, the key legal issues for enhanced due diligence include the legitimacy of the source of the basic data, whether the analysis results give rise to new legal rights (such as copyright or trade secrets), whether, if the company intends to protect its processed data products as trade secrets, it has taken the necessary confidentiality measures, and whether the use of the data processing results will infringe the rights and interests of others, especially competitors.

Data transmission is one of the key links at which risk incidents occur. Enhanced due diligence therefore needs to pay special attention to the form the data takes during transmission and whether security protection measures matching the data’s classification level have been taken.


5. Provision

The provision of personal information covers entrusted processing, sharing, transfer, and cross-border export of personal information.

For the entrusted processing of personal information, the following should be checked: whether the entrustment exceeds the scope of the personal information subject’s authorization and consent; the types of personal information involved in the entrusted processing; whether the terms agreed with the trustee cover the types of information, protection measures, and the rights and obligations of both parties, etc.; whether and how the trustee’s personal information processing activities are supervised; whether the trustee in turn entrusts others to process the personal information; whether a personal information security impact assessment has been conducted on the entrustment; and whether the entrusted processing is accurately recorded and preserved, etc.

For the sharing and transfer of personal information, the following should be checked: whether a personal information security impact assessment has been carried out in advance; whether sensitive personal information is involved; whether the personal information subject has been informed of the purpose of the sharing or transfer, the type of recipient and the possible consequences, and whether the subject’s authorization and consent have been obtained in advance; whether de-identification has been performed; whether the responsibilities and obligations of the recipient are stipulated by contract or other means; whether the sharing and transfer of personal information is accurately recorded and preserved, including the date, scale and purpose of the sharing or transfer and the basic information of the recipient; whether personal information is shared with or transferred to third parties through embedded third-party software development kits (“SDKs”), and whether the embedded SDKs are listed in the app; and whether technical testing is carried out on third-party SDKs to ensure that their collection and use of personal information meets the agreed requirements, etc.

For the cross-border export of personal information, the following should be checked: the type, quantity, method and channel of the personal information going abroad; whether it needs to pass, or has passed, the security assessment organized by the national cyberspace administration; whether personal information protection certification has been obtained; whether a contract has been concluded with the overseas recipient and what it contains; and the measures taken to ensure that the overseas recipient’s processing of the personal information meets the protection standards stipulated in the Personal Information Protection Law, etc.


6. Disclosure

Personal information is subject to the principle of non-disclosure, with disclosure as the exception. Regarding the public disclosure of personal information, enhanced due diligence should pay attention to: whether the disclosure is authorized by law or there are reasonable grounds for it; whether a personal information security impact assessment has been conducted in advance and effective measures taken to protect personal information subjects based on its results; whether the personal information subject has been informed of the purpose and type of the public disclosure and has given express consent in advance; whether sensitive personal information is involved; whether personal biometric information is involved; whether the results of analysis of sensitive personal data such as the race, ethnicity, political opinions or religious beliefs of Chinese citizens are involved; and whether the public disclosure of personal information is accurately recorded and preserved, including the date, scale, purpose and scope of disclosure.


7. Deletion

Deletion is an independent processing stage under the Personal Information Protection Law. Regarding the deletion of personal information, enhanced due diligence should pay attention to: whether a mechanism for deleting personal information has been established; whether personal information is proactively deleted in accordance with the law; and whether a mechanism has been established to respond to personal information subjects’ requests for deletion, etc.

It should be noted that when data processing involves data in special fields such as industry, telecommunications, transportation, finance, natural resources, health, education and technology, the investigation must also cover the sector-specific requirements in order to identify the corresponding compliance risks.


(2) Data security


Compared with data processing, data security is reflected more in the institutional and technical aspects of the enterprise, and improving the institutional framework and technical safeguards for data security is an important part of achieving data compliance.

Drawing on the Data Security Law’s requirements that data processors fulfil their data security protection obligations, enhanced due diligence on data security should focus on the following aspects:


1. Data security management system

Whether a data security management system covering the whole process of classification and grading, risk monitoring, security assessment and security education has been established and improved; whether the content of the system matches the organizational structure and staffing of the enterprise; how well the system is implemented; and whether security level certification has been obtained and whether it is still valid, etc.


2. Data classification and hierarchical protection

Whether the enterprise distinguishes the types of data it processes; whether core data and important data are involved; whether the personal information involved includes sensitive personal information; and whether corresponding protection measures are taken for the different data types.


3. Personnel management

Whether the responsible department and personnel are clearly defined; whether a full-time person in charge of personal information protection and a personal information protection organization have been set up; whether background checks are conducted on personnel in personal information processing positions and whether confidentiality agreements are signed with them; and whether corresponding reward and punishment systems have been established, etc.


4. Data security education and training

Whether professional training and assessment are carried out for personnel engaged in data processing on a regular basis or when necessary.


5. Risk monitoring, assessment and compliance audit

Whether risk monitoring is carried out and remedial measures are taken for the data security defects and vulnerabilities found; whether personal information protection impact assessments are carried out, and their results; whether compliance audits of the enterprise’s personal information handling against laws and administrative regulations are conducted regularly, and their results; and whether regular risk assessments are conducted and risk assessment reports submitted to the relevant competent authorities, etc.


6. Data Security Incidents

Whether an emergency plan for data security incidents has been formulated; whether data security incidents such as data leakage, damage, loss or tampering have occurred; whether such incidents have been reported to the relevant industry authorities; and whether relevant internal personnel are organized to conduct emergency response training and drills on a regular basis.


3. The main methods of enhanced legal due diligence for data compliance


Taking the particular nature of data into account, we believe the following methods can be used to carry out enhanced due diligence:


(1) Document inspection


The scope of document inspection includes, but is not limited to, all written documents and records related to the company’s business operations, personnel management, data cooperation and so on, such as business contracts, internal control systems, data security management systems and human resource systems, in order to gain a comprehensive and in-depth understanding of information related to the company’s business and data compliance, such as its business model, business processes, data processing flows and data compliance status.


(2) Questionnaire


Targeted questionnaires can be distributed to enterprise managers, business and technical personnel engaged in data processing, and external data partners, in order to understand the state of data compliance in all respects in a concise, clear and focused manner.


(3) Immersive experience


Through immersive experience, one can try the company’s products (such as apps and mini-programs) to understand the company’s data processing flows and their compliance; experience, under an anonymous identity, how the protection of individual user rights (the rights to access and copy, portability, deletion, etc.) is implemented in practice; and, by participating in security incident drills and investigations, observe the company’s technical capabilities, response speed and compliance measures in risk handling.


(4) Interviews and visits


Interviews can be conducted with the person in charge of the enterprise, business personnel, technical personnel and other staff engaged in data processing, and visits can be made to the relevant regulatory agencies and external data partners.


(5) Internet search


Through online search, one can learn about external evaluations of the company’s business and products, whether it is involved in litigation or administrative penalties, the data compliance of companies in the same industry, and the situation of external data partners.

Of course, beyond the methods above, the particular characteristics of the due diligence target and the latest practice in data compliance due diligence can be combined to continuously enrich the feasible methods of enhanced due diligence, such as working with professional technical personnel and simulating data leakage incidents.
