Going Global Think Tank Observation

Recently, the investigation of Didi has triggered heated discussions on the cross-border data compliance of listed companies. In the first half of this year, domestic Internet companies flocked to the U.S. stock market. However, a series of impacts caused by cross-border data security issues forced these companies to re-examine related compliance issues.

Jia Shen, special legal expert of the Going Global Think Tank (CGGT) and consultant of Zhong Lun Law Firm, believes that judging from recent regulatory trends, cross-border data transmission is a compliance point that new economy companies should pay special attention to when listing. . According to the "Cybersecurity Law" and "Data Security Law", operators of critical information infrastructure, including public communications, information services, finance and other important industries and fields, should collect and generate data during domestic operations. Personal information and important data are stored within the country. If they need to be transmitted overseas, security assessments should be conducted in accordance with relevant regulations.

How do (planned) listed companies in the new economy implement cross-border data compliance? Today, the Going Global Think Tank (CGGT) published articles by Jiang Huikang, Jia Shen, Li Menghan, Yu Jiayong, and Luo Yihan of Zhong Lun Law Firm for readers who are concerned about cross-border data compliance.

Key Points

CGGT, CHINA GOING GLOBAL THINKTANK

1. For companies listed overseas, the VIE structure is a common company structure. It is recommended that In the process of building a VIE structure and actually operating the business, the enterprise fully considers the business type and transaction structure, system, personnel, equipment settings, and capital and data flow, supplemented by complete internal regulations, agreements, information disclosure systems and authorization arrangements to ensure Fully comply with data compliance requirements.

2. Enterprises in the new economic field should also pay special attention to the intersection of data compliance and antitrust compliance. The "Platform Economy Guide" clearly mentions various behavioral patterns in which operators use data or algorithms to eliminate or restrict competition.

3. Industry regulatory policies change frequently, especially in important areas related to the national economy and people’s livelihood. Relevant departments have clearly signaled strong supervision. Taking the education and transportation industries as examples, platform companies in related fields should pay close attention to the compliance requirements under industry regulatory policies.

Text

CGGT, CHINA GOING GLOBAL THINKTANK

About the author

Lawyer Jiang Huikang

Partner, Beijing office

Business areas: Antitrust and competition law, cross-border investment and mergers and acquisitions, compliance and anti-corruption

Featured industry categories: Energy and natural resources, communications and technology, health and life sciences

Jia Shen

Beijing Office Consultant

Practice areas: Antitrust and competition law, trade compliance and relief, litigation and arbitration

Li Menghan

Compliance and Government Supervision Department, Beijing Office

Yu Jiayong

Compliance and Government Supervision Department, Beijing Office

Luo Yihan

Beijing Office Compliance and Government Supervision Department

On July 6, 2021, the General Office of the Central Committee of the Communist Party of China and the General Office of the State Council issued the "Regulations on Strictly Cracking Down on Illegal Securities Activities in accordance with the Law" Opinions" ("Opinions"), including "improving relevant laws and regulations on data security, cross-border data flow, confidential information management, etc." and "effectively taking measures to respond to risks and emergencies of Chinese concept stock companies" and other opinions , clearly indicates another important compliance direction in the current capital market, and fully reflects my country's determination and strength in the supervision of listed companies. Recently, the China Cybersecurity Review Office (“CAC”) has successively conducted cybersecurity reviews on several platform companies listed in the United States, and released the “Cybersecurity Review Measures (Revised Draft for Comments)” on July 10, 2021 )", triggered strong public and industry attention and extensive discussion on China's cross-border data security supervision and cross-border securities supervision policies for Chinese concept stocks. (Related interpretation: Activate the network security review system to build a strong data security firewall - Analysis of the "Cybersecurity Review Measures (Revised Draft for Comments)") On July 30, 2021, Gary Gensler, Chairman of the U.S. Securities and Exchange Commission (SEC) issued a statement Said that the SEC will amend the information disclosure rules involving Chinese companies’ overseas listings and add specific information disclosure requirements (including explaining the financial relationship between the VIE company and the issuer, whether the listing in the United States has obtained government approval, etc.) to better Protect the interests of investors.

In recent years, there have been an endless stream of judicial and administrative law enforcement cases involving domestic and foreign listed companies in various industries. The risk warning instructions and lists of government supervision in the listing prospectuses of relevant companies have become longer and longer. Compliance issues with Chinese concept stocks have also This has attracted great attention from Chinese and American regulators, and the importance of improving compliance levels and improving compliance systems has become increasingly prominent for (planning) listed companies. In this context, this article combines past experience and observations to analyze the cooperation of (to-be) listed companies in new economic fields such as Internet platforms from aspects such as network security and data compliance, antitrust, anti-unfair competition, and industry regulatory policies. Key points of regulations are provided in order to provide reference for the compliance construction and compliance response of relevant enterprises.

Compliance Point 1: Cybersecurity and Data Compliance

The composition of my country’s “Cybersecurity Law”, “Data Security Law” and the upcoming “Personal Information Protection Law” It has become the “Troika” in the field of network security and data security compliance. Listed companies and companies planning to be listed in the new economic field usually have a large amount of data of various dimensions, and should pay special attention to the relevant requirements of network security and data compliance.

Judging from recent regulatory trends, cross-border data transmission is a compliance point that companies should pay special attention to when going public.

According to the "Cybersecurity Law" and "Data Security Law", operators of critical information infrastructure, including public communications, information services, finance and other important industries and fields, should collect and generate data during domestic operations. Personal information and important data are stored within the country. If they need to be transmitted overseas, security assessments should be conducted in accordance with relevant regulations. However, there are currently no formal regulations or guidance on how to conduct such safety assessments. This may have an impact on Internet companies that have multiple data centers and may need to transfer certain personal data between different countries and regions. Relevant companies should pay close attention to legislative and law enforcement developments in this area. In addition, the "Data Security Law" has clearly proposed the establishment of a data hierarchical classification protection system and a national core data management system: on the one hand, national core data related to national security, the lifeline of the national economy, important people's livelihood, and major public interests shall be implemented A more stringent management system; on the other hand, relevant regions and departments will further formulate specific catalogs of important data in their regions, departments and related industries and fields, and focus on protecting the data included in the catalog. After a more detailed data classification system is introduced in the future, enterprises should do a good job in data classification in accordance with laws and regulations, and strictly adopt corresponding data management and protection measures.

In terms of personal information protection, regardless of whether the relevant company is listed overseas or domestically, data compliance issues are likely to attract great attention from the media and the public, and will also be subject to key inquiries from regulatory authorities, including the source of the data. Legal and compliance issues, data use legal and compliance issues, data-related business operation issues, etc.

For example, for Internet platform companies that master a large amount of user data, they should pay special attention to the compliance of data sources:

The source, acquisition method, and authorization method of obtaining user data information and agreement, whether the authorization is clear, legal and valid, and whether the scope and purpose of use of the collected information are clearly informed when collecting user information;

Whether there is a clear prompt for users to obtain personal data, and whether the collected data is limited to the necessary scope

Whether the collection of user information is only a general reminder, whether the data is used beyond the scope of user authorization, or whether there is any behavior of directly collecting data without authorization from other platforms;

Through the APP, use the "User Agreement", "Privacy" Policy" and other agreements stipulate that in the process of obtaining user authorization, whether to collect personal user information, push advertisements to individual users, etc., whether users are clearly informed of the purpose, method and scope of collecting and using information.

Compliance Point 2: Antitrust Compliance

Antitrust compliance is a hot area, and the importance of compliance construction for companies before and after listing is gradually becoming prominent. Since the beginning of this year, various antitrust penalty decisions or rumors about domestic Internet giants have had a certain impact on corporate stock prices and the market. For example, on April 10, 2021, the State Administration for Market Regulation (“SAMR”) made an administrative penalty decision on an e-commerce platform for abusing its market dominance in the “choose-one” monopoly behavior and imposed a fine of 2019 on domestic sales in China. The amount of fines totaling 18.228 billion yuan has become the largest fine issued by China's anti-monopoly law enforcement agencies so far. (Related interpretation: The importance of corporate antitrust compliance based on the highest fine in history) At the same time, the State Administration issued an administrative guidance letter to the platform and subsequently required 34 Internet platform companies to make a "Commitment to Legally Compliant Operations." A series of enforcement and administrative guidance measures reflect the importance of comprehensive compliance by enterprises in the antitrust field.

We recommend that platform companies in the new economy (including companies that adopt/plan to adopt a VIE structure to be listed overseas) should pay special attention to the compliance requirements for anti-monopoly declarations for concentration of undertakings.

Article 18 of the "Anti-Monopoly Guidelines for the Platform Economy" ("Platform Economy Guidelines") issued by the Anti-Monopoly Commission of the State Council stipulates that "concentrations of undertakings involving agreement control structures fall within the scope of anti-monopoly review of concentration of undertakings." , it is clarified that when enterprises with a VIE structure carry out a concentration of undertakings, if the turnover standard reaches the standard, the anti-monopoly declaration obligation shall be triggered. Since 2020, the General Administration has successively investigated and announced more than 40 administrative penalty cases involving VIE structures that failed to declare concentration of undertakings in accordance with the law. Many well-known domestic Internet companies have related cases. Of particular concern is the recent review of concentration of operators and failure to declare in accordance with the law in the platform economy, with decisions banning concentrated transactions and requiring operators to take necessary measures to restore market competition in response to reportable but unreported transactions:

On July 10, 2021, the State Administration issued an antitrust review decision prohibiting the merger of two game live broadcast platforms, and detailed the reasons for determining that this concentration has the effect of excluding and restricting competition. This case is the first case prohibiting the concentration of business operators in the platform economy in my country, and also the first case prohibiting the concentration of business operators involving only domestic enterprises.

On July 24, 2021, the General Administration made an administrative penalty decision on an Internet platform’s illegal implementation of operator concentration, requiring relevant operators to take necessary measures to restore market competition, including ordering the platform to take measures to lift exclusive copyrights and other measures to lower market entry barriers and reshape the competition order in relevant markets.

In addition, we suggest that companies in the new economy should also pay special attention to the intersection of data compliance and antitrust compliance. The "Platform Economy Guide" clearly mentions various behavioral patterns in which operators use data or algorithms to eliminate or restrict competition. (Related interpretation: Is it time for anti-monopoly in the platform economy? - Interpretation of highlights of relevant draft guidelines) For example:

Monopoly agreements and algorithm conspiracy: For example, operators use data, algorithms, platform rules or other Behavior that substantially achieves a coordinated approach;

Abuse of market dominance to restrict transactions: Operators restrict transactions by actually setting restrictions or obstacles in terms of platform rules, data, algorithms, technology, etc.;

Abusing market dominance to implement differential treatment: based on big data and algorithms, and based on the payment ability, consumption preferences, usage habits, etc. of the counterparty, implementing differential transaction prices or other transaction conditions;

In addition, the data held by platform operators is of great significance in determining the operator's market dominance. The "Platform Economic Guide" clearly mentions that comprehensive considerations need to be taken into consideration when determining whether the relevant platform constitutes a "necessary facility" for other operators to enter the relevant market. The circumstances under which the Platform takes possession of the data and other circumstances.

Under the current regulatory situation, the importance of antitrust compliance is needless to say. Relevant companies should continue to pay attention to regulatory developments in the antitrust field and continuously improve their own antitrust compliance levels.

Compliance point three: Anti-unfair competition compliance

Anti-unfair competition compliance is another compliance hotspot. In the Internet era, the high frequency of information dissemination has shortened the time difference. Reports from competitors, complaints from consumers, complaints from professional anti-counterfeiters, and strong supervision from relevant departments will all put considerable pressure on enterprises. If enterprises do not have proper Plans and risk management may not only face current operating difficulties, but also bring huge obstacles to future listings. Take the listing of a stranger dating app as an example. It originally planned to go public on June 24, but recently announced the suspension of the U.S. stock IPO process. The market generally believes that the emergency suspension of the IPO may be due to the fact that it was involved in an unfair relationship with a competing app. Competition cases are not irrelevant.

Unfair competition behaviors in the Internet field mainly include two categories: one is the extension of traditional unfair competition behaviors in the Internet field, such as using the Internet to implement unfair competition behaviors such as confusion and counterfeiting, false propaganda, and commercial slander. , and the other category belongs to the unfair competition behavior that is unique to the Internet field and implemented by using technical means. For example, the typical unfair competition behavior "false propaganda", the relevant provisions are scattered in the "Advertising Law", "Interim Measures for the Administration of Internet Advertising", "Anti-Unfair Competition Law" and related regulations and normative documents. In the process of daily operations and preparations for listing, companies often lack professional understanding of how to ensure the authenticity of publicity and avoid the possible scope of "false publicity". There are some incomplete quotations, one-sided publicity, and ambiguous language that have resulted in penalties. Condition. At this time, enterprises should use professional teams to estimate risks, and at the same time make predictions based on many factors such as the law enforcement bias of law enforcement personnel in different regions, release areas, and covered populations.

Since 2020, many Internet companies have been caught in anti-unfair competition investigations by regulatory authorities. On February 8, 2021, the General Administration issued an administrative penalty decision on a certain brand sales platform, determining that the platform disrupted the order of fair competition and imposed a fine of 3 million yuan. This case fully demonstrates that the iteration and development of Internet business models have given rise to more different types of unfair competition behaviors, and the diversification of data collection and application methods has also made competitive behaviors more hidden and complex. As law enforcement becomes increasingly strict, Internet industry operators should adopt reasonable and appropriate compliance ideas to build a compliance system.

Compliance point 4: Changes in industry regulatory policies and compliance

Since the beginning of this year, industry regulatory policies have changed frequently, especially in important areas related to the national economy and people’s livelihood. Relevant departments have A clear signal of strong supervision. Taking the education and transportation industries as examples, platform companies in related fields should pay close attention to the compliance requirements under industry regulatory policies.

Recently, companies in the transportation field have received close attention from regulatory authorities. On July 30, 2021, the Inter-Ministerial Joint Meeting on Collaborative Supervision of New Transportation Business Forms held its second plenary meeting in 2021 to review the "Opinions on Strengthening the Protection of the Rights and Interests of Employees in New Transportation Business Formats" and proposed to optimize the regulatory framework. Accelerate the realization of full-chain supervision before, during and after the event, especially strengthen anti-monopoly supervision and anti-unfair competition, and investigate and deal with illegal activities such as monopolization of online ride-hailing and freight platforms, elimination and restriction of competition, disruption of market order, and infringement of the legitimate rights and interests of drivers in accordance with the law. In addition, the aforementioned cyber security review initiated by the Cyberspace Administration of China on a travel service platform also fully demonstrates that transportation companies (especially Internet new economy platform companies) should pay special attention to the focus of industry regulatory policies. One of the particularities of the transportation industry is that relevant Internet platform companies will inevitably master a large amount of data related to freight, urban transportation, users and drivers during their operations, and should pay special attention to compliance requirements related to data security. For example, a large amount of data in the transportation industry may be included in the important data directory, and the "Data Security Law" has clearly stated a number of data security protection obligations for important data processing activities, including:

Processors of important data The person in charge of data security and the management organization should be clearly defined;

Processors of important data should conduct regular risk assessments of their data processing activities in accordance with regulations and submit risk assessment reports to the relevant competent authorities;

Conduct cybersecurity reviews of data processing activities that affect or may affect national security;

Operators of critical information infrastructure should comply with the outbound security management of important data collected and generated during operations within my country. stipulations of relevant laws and regulations.

Similarly, the education industry is also a key regulatory industry in the field of people's livelihood.

Since the beginning of this year, all major online education platforms have faced strong supervision from the General Administration, the Ministry of Education and other departments:

In early May, the General Administration organized local market supervision departments to form a task force to conduct inspections on 15 off-campus training institutions. After key inspections, it was found that they had committed false propaganda or price fraud violations, and they were each subject to a maximum fine, totaling more than 36 million yuan.

On June 15, the Ministry of Education announced the "Notice on the Establishment of the Off-Campus Education and Training Supervision Department", announcing the establishment of the Off-Campus Education and Training Supervision Department, which will be responsible for the management of off-campus education and training for primary and secondary school students (including kindergarten children) , Party building guidance and policy formulation.

Recently, the General Office of the Central Committee of the Communist Party of China and the General Office of the State Council issued the "Opinions on Further Reducing the Homework Burden and Off-Campus Training Burden of Students in Compulsory Education", which proposed more changes for Internet platform companies in the education industry. High compliance requirements.

Under the heavy pressure of the industry, online education platforms and off-campus training institutions should do a good job in business license filing, institutional filing review, compliance publicity, and fully implement the requirements in terms of teacher qualifications, information security, and fee supervision. Comply with relevant requirements of laws and regulations.

In addition, Article 18 of the "Administrative Measures for the Initial Public Offering and Listing of Stocks" (2020 Amendment) requires that the issuer shall not commit any major illegal acts during the reporting period. In principle, any behavior that is subject to an administrative penalty of a certain amount or more by relevant administrative agencies may be regarded as a major illegal act (i.e., "violation of industry and commerce, taxation, land, environmental protection, customs and other laws and administrative regulations within the last 36 months, Subject to administrative penalties, and the circumstances are serious"), unless the penalty enforcement agency determines that the behavior does not constitute a major illegal act and makes a reasonable explanation in accordance with the law. Therefore, enterprises and intermediaries should also carefully grasp the review scale of "major illegal acts". For example, for platform enterprises, major administrative penalties in network security and data compliance, anti-monopoly, anti-unfair competition, etc. are not Being completely excluded from the category of "major illegal acts" also suggests that relevant companies should pay full attention to all aspects of compliance construction and system improvement before launching listing plans.

As mentioned earlier, the "Opinions" particularly emphasize "adhering to zero tolerance requirements" for securities violations and crimes, which echoes the "Securities Law" revised in 2019 and the "Criminal Law Amendment" introduced in 2020 ( 11)", reflecting the trend of strong supervision under the comprehensive implementation of the registration system reform. Article 20 of the "Opinions" also emphasizes strengthening the supervision of Chinese concept stocks, requiring effective measures to be taken to respond to risks and emergencies of Chinese concept stocks companies, and to promote the construction of relevant regulatory systems. Relevant companies should pay attention to the dynamic changes in regulatory policies. Whether listed domestically or overseas, companies (to be) listed in new economic fields such as Internet platforms should strengthen compliance construction and prevention of violation risks to create value through compliance.

Notes:

[1] See: The General Office of the Central Committee of the Communist Party of China and the General Office of the State Council issued the "Opinions on Strictly Cracking Down on Illegal Securities Activities in accordance with the Law", access address: /zdgz /202107/t20210706_523196.shtml.

[2] See: "Announcement of the Cybersecurity Review Office on Launching a Cybersecurity Review of "Didi Chuxing"", access address: /2021-07/02/c_1626811521011934.htm; "Network Security Review Office’s Announcement on Launching a Cyber ??Security Review of “Yunmanman”, “Wagon Gang” and “BOSS Direct Recruitment”, access address: /2021-07/05/c_1627071328950274.htm

[3] See: Statement on Investor Protection Related to Recent Developments in China, accessed at: /xw/zj/202104/t20210410_327702.html.

[7] See: "The State Administration for Market Regulation prohibits the merger of Company A and Company B in accordance with the law", access address: /xw/zj/202107/t20210710_332525.html.

[8] See: "The State Administration for Market Regulation ordered a holding company to lift the exclusive copyright of online music and other penalties in accordance with the law", access address: /xw/zj/202107/t20210724_333016.html.

[9] According to information on the official website of the Shanghai Higher People’s Court, Company U sued Company S for other unfair competition disputes and was filed on April 21, 2021. Company U demanded compensation of 26.93 million yuan and applied to the court. property preservation. On May 11, Company S submitted a prospectus to the U.S. Securities and Exchange Commission and applied for listing on Nasdaq. On May 21, the court froze Company S’s 26.93 million yuan, and at the end of the month, the court date for the case was set as June 29.

[10] The "Anti-Unfair Competition Law" adds a new "Internet Special Article" (Article 12), which requires operators not to use technical means to affect user choice or other means to implement the following Behaviors that hinder or disrupt the normal operation of network products or services legally provided by other operators: (1) Inserting links and forcing target jumps in network products or services legally provided by other operators without their consent; (2) ) Mislead, deceive, or force users to modify, close, or uninstall network products or services legally provided by other operators; (3) Maliciously implement incompatibility with network products or services legally provided by other operators; (4) Other obstruction or damage to other The normal operation of network products or services legally provided by operators.

[11] See: The State Administration for Market Regulation issued an administrative penalty decision on an unfair competition case against a certain brand sale company, access address: /nsjg/jjjzj/202102/t20210210_326097.html. Its unfair competition behaviors include: developing and using inspection systems to obtain information about brand operators that are sold on the shelves of our company and other companies at the same time, and using technical means provided by supplier platform systems, intelligent networking engines, and operation middle platforms. , by affecting user choices, limiting current flows, blocking, and removing products from shelves, it reduces the consumer attention, traffic and transaction opportunities of brand operators, restricts the sales channels of brand operators, and hinders and destroys brand operators and other operators. Legally provided network products and services operate normally.

[12] See: "Inter-ministerial Joint Conference on Collaborative Supervision of New Transportation Business Forms Held the Second Plenary Meeting in 2021", access address: /jiaotongyaowen/202107/t20210730_3613683.html.

[13] See: "The State Administration for Market Regulation holds a special press conference on strengthening market supervision of off-campus training institutions", access address: /xw/xwfbt/202106/t20210601_330032.html.

[14] See: "Notice of the General Office of the Ministry of Education on the Establishment of the Off-Campus Education and Training Supervision Department", access address: /srcsite/A04/s7051/202106/t20210615_538134.html.

[15] See: The General Office of the Central Committee of the Communist Party of China and the General Office of the State Council issued the "Opinions on Further Reducing the Homework Burden and Off-Campus Training Burden of Students in Compulsory Education", access address: /jyb_xxgk/moe_1777/moe_1778 /202107/t20210724_546576.html.

Source: Zhonglun Vision