China Law Library

When do you need a Data Processing Agreement (DPA) in China?

Whether you need a Data Processing Agreement (DPA) for a particular software service used in China depends on whether your use case falls into one of three categories defined by law. The classic DPA use case is where a provider is processing data on behalf of another party; this triggers the monitoring and audit requirements of a data controller, and in that case a DPA is absolutely required. Otherwise, the activity is classified as either “sharing” or “joint processing,” in which case a DPA is not mandated but can be highly beneficial. Unlike every other jurisdiction in the world, China’s law focuses on whether the activity itself is a “behalf” relationship or a “sharing” relationship, and not on whether a party is a controller, processor, or associate. If the counterparty is processing data on your behalf, you need a typical DPA; if the activity is classified as data sharing, other requirements apply instead, such as disclosing the counterparty’s identity.

Businesses have been caught willfully misclassifying themselves to evade compliance requirements, because the legal requirements differ based on classification. For example, a “sharing” classification can be used to evade monitoring and audit requirements. However, the law and regulators base these classifications on the substance, not the form, of how personal information is being processed. This article explains whether you need a DPA at all in China or should instead be following other legal requirements.

Contents

Difference Between the Three Processing Classifications

Different Use Cases for Personal Information Processing

  1. Contracted Services
  2. HR Services
  3. Online Office Software
  4. Distribution Agreement
  5. Trade Show Contacts

Difference Between the Three Processing Classifications

In general, the China Personal Information Protection Act requires that a business have a lawful purpose for personal information collection, use, and transfer, and that it minimize such activities to the extent necessary to achieve that purpose. Any sale, transfer, or sharing of data with recipients requires the individuals’ consent, and unlawful provision of data creates liability. A Data Processing Agreement must prohibit the processor from using personal data for its own purposes, and the processor must delete the data or return it to the client once the project ends. Separate consent must be obtained to share personal information.

Data processing activity defined. Under the Act §§ 22-25, data processing activity involving another party is defined as processing on behalf of, providing to, transferring to, and publishing to another party; this is expanded to also include disclosing under the Information Security Technology – Personal Information Security Standards § 9. Thus, “providing” activity encompasses both sharing and assignment, with exceptions for mergers, spin-offs, dissolution, or bankruptcy. Moreover, “to provide” includes more than physical transfers: merely giving a recipient access to data constitutes providing. The recipient in a providing use case is well defined, whereas recipients in the publishing use case are not.

The processing “on behalf” relationship occurs when an organization lacks its own personal data processing purpose and acts entirely according to the directions of another business. The semantics can cause some confusion here, because Mandarin Chinese focuses on the nature of the activity, whereas US and European law focuses on whether the parties are classified as controllers, processors, or sub-processors. China lawyers with limited English skills who rely on dictionaries confusingly translate the Mandarin word weituo as “entrusts,” introducing the confusing terms “entrusted parties,” “entrusted processing,” and “re-entrust.” However, as the word is normally understood in English, whether you entrust data to another party does not put you in this category, since you are also entrusting data to the other party in ordinary sharing arrangements; the key factor is that the contractor is processing data on your behalf.

Mandarin Chinese does not have a single word for “processing”; rather, the word chuli can refer ambiguously to processing or controlling activities, so it is very common to refer to a data controller that has no data processing capabilities as a “processor.”

Post-Project Requirements. When performance of the data processing contract is completed, the contractor must either delete the data or return it to the controller. In the event of an infringement on personal data rights where the data controller is liable and the contracted processor’s performance was defective, the controller may demand indemnification from the contracted processor.

The activities that a contracted data processor can perform on behalf of the controller are anything defined as processing under the Act § 4, namely personal information:

  • Collection
  • Saving
  • Using
  • Improving
  • Transmitting
  • Providing
  • Publishing
  • Deleting

Personal information sharing implies that the recipient of the data is independently processing it for its own purposes and that there is no relationship of control between the parties; therefore an infringement on a data subject’s rights imposes liability solely on the party at fault.

Personal information assignment is contrasted with sharing under Chinese law in that the data controller stops processing or storing the personal data that has been sent to the recipient. A data assignment rarely occurs; usually it is limited to events where an entity has lost its qualification to do business, or where a successor entity in M&A, reorganization, or bankruptcy will continue providing services to the entity’s customers after having been assigned rights to the personal information.

Joint processing by joint controllers occurs where neither data processor is in sole control of the purpose or method of the data processing, and this status gives rise to joint and several liability for infringement of personal data rights by either joint processor. The following factors can help establish that a use case constitutes processing data on a controller’s behalf:

  • The contracted processor does not have its own personal information processing purpose.
  • The contracted processor does not interact with data subjects in its own name.
  • The data controller has the power to monitor and audit the contracted processor’s practices.
  • The data controller has the power to direct the contracted processor to return or delete all personal data once the project is complete.

Under China data regulation, does a Data Processing Agreement have to include an obligation to perform the duty to notify and obtain separate consent, even though there is no such inherent obligation for processing on “behalf” arrangements? Most experts agree that notice and consent obligations are not required in personal information Data Processing Agreements. “Providing” is defined similarly to sharing and assignment, and the Act requires notice and consent for providing, transferring, or publishing data, but it is silent as to whether processing on behalf requires notice and consent. This conclusion has also been reached by the courts, such as in the Internet civil infringement case Wang Qiang v. Guangzhou Youshun Information Technology LLC, reported as Guangzhou Internet Court Case No. 0192-cv-44778.

Different Use Cases for Personal Information Processing

1. Contracted Services

A commercial services contract may or may not involve processing data on behalf of another party in China. A classic example of this type of contract is paying a company to do market research surveys, wherein deliverables are produced and the business can terminate the contractual relationship at any time; whether it implicates processing on behalf depends on the service model.

The service does not constitute processing on behalf of the controller if the market research provider works under the name of its client, usually by putting its business logo on the surveys, and analyzes them to produce quantitative deliverables, but otherwise does not store the collected personal information and instead transfers everything to the client. The Act is also inapplicable if the report does customer profiling to identify buyer persona archetypes that do not contain specific personal information.

In one context, it could be classified as sharing. That is where the market research provider has a significant number of its own registered users, from whom it obtains consent and whom it surveys using a mobile app. The provider gives that personal information and the research deliverables to the client, who can then send promotions to potential customers. Several factors lead to the conclusion that the provider in this case is acting under its own processing purpose: the data subjects are the market research provider’s own customers; the provider is acting under its own name; and there is a transfer of personal information from one server to another.

The reason the provider’s users in China are willing to fill in market surveys is that they are given point rewards or free product samples. At the expiration of its contract, the market research provider cannot lawfully delete the personal information and survey records, because as an Internet business and personal information processor it must retain logs about user comments and transactional practices.

2. HR Services

A business contracts a third-party human resources service provider in China to manage employee compensation and benefits. There are several reasons why this use case falls under processing on behalf. The business could administer employee compensation and benefits without contracting a third party, and the provider is not handling employee personal data for its own processing purposes but instead provides a service under a contract, for example processing employee social security contributions under the name of its client. At the end of its contract, the human resources service provider will transfer all personal information to its client and then delete it. Since the provider does not interact with employees, any legal claims for harm to their interests must be raised against the client business.

3. Online Office Software (e.g. Microsoft Teams or ByteDance Feishu)

A business pays for office software that requires its employees to register an account that is part of the business’s organization. The software features include attendance tracking, approvals, clock-in, task lists, scheduling, group chat, and file sharing. The provider is processing data on behalf of the business for several reasons: the office software provider follows the client’s directions as to what happens with the data, takes no action for its own purposes, and will return or delete the data at the end of the contract. The client is liable for ensuring there is a lawful basis for the processing.

4. Distribution Agreement

An investment funds company enters into a distribution contract under which a Chinese bank will sell shares in public offerings. The individuals purchasing investment funds this way have active accounts at the bank and use its mobile app, and the bank will transfer investor personal information, including name, ID, and purchase quality, to the investment fund company. The overall relationship is a classic delegation of duties contract relationship in which the investment funds company pays the bank for fund product distribution services.

Nonetheless, this is classified as a data sharing relationship when it comes to the investors’ personal information. This is because the investment fund must evaluate the risk tolerance capacity of its investors and retain copies of such evaluations, but the personal data the bank uses to prepare the risk tolerance capacity evaluations, such as annual income and disposable income, will not be provided to the investment fund company. Therefore, the bank has its own processing purpose for the personal data, notwithstanding that it is contracted by the investment fund to provide distribution services.

Since banking regulations require banks to retain user transaction logs, the bank’s personal data processing related to investment fund sales will continue after the distribution contract ends. The bank provides personal information processing policy notices to investors, so the investment fund company has no direct investor interaction. Separate consent from investors is not required, because the bank shares personal information with the investment fund company as a necessary step for performing the investment fund purchase contract.

5. Trade Show Contacts

A business sponsors a trade show hosted in China and asks the event organizer for personal information about attendees so that it can be used in advertising, and the organizer accepts the offer to contract for the collection of attendee data. The business wants to classify this arrangement as data sharing so that it is not required to monitor or audit how the event organizer uses the data and whether it is deleted, and so that it can also avoid legal liability for unlawful use of personal information.

Here, the organizer is processing data on behalf of the business because of what substantively happens, even if their agreement takes the form of a sharing arrangement. The key difference between the classifications of processing on behalf of another party and data sharing is whether the data processor has its own processing purpose. Here, the processing purpose of collecting attendees’ personal information and whether impact has been minimized classifies this as sharing.

The situation would be different if the event organizer were collecting this data for event registration and security purposes and then shared it with the business. In that case the organizer would need to obtain separate consent from individuals before transferring attendee data to the business.

Conclusion

In Chinese data privacy law, outsourcing will not necessarily eliminate your duty to monitor and audit providers of push marketing, geolocation, cloud storage, and account security services. Data compliance obligations apply based on the substantive nature of the activity and not the form of the contract with the service provider, and where the classification is ambiguous the safest option is to adopt a comprehensive compliance strategy.

The current law is very murky as to the rights of different actors when processing personal data, because the law has emerged over a very short period of time and few judicial precedents have accumulated. This article has looked at data processing classifications from practitioner perspectives and considered which best practices that emerged in Europe and the United States are likely to also be adopted in China.