The first article in our series on Internet platform data compliance (《互联网平台数据合规体系建设和平台治理》) discussed how the Personal Information Protection Law (“PIPL”) identifies Gatekeepers among internet operators. This article provides further insight into the unique social responsibility role that PIPL Article 58 creates for Gatekeepers, and suggests how this obligation may actually add value to the organization.
Article 58 of the PIPL sets out the social responsibility obligations of Gatekeepers. It states:
“Any personal information processor that provides important Internet platform services with a large number of users and complicated business type shall perform the following obligations:
(I) establishing a sound compliance system for personal information protection in accordance with the provisions of the State and setting up an independent agency mainly composed of external members to supervise personal information protection;
(II) following the principles of openness, fairness, and impartiality, formulating platform rules specifying the standards for the processing of personal information by product or service providers on the platform and their obligations to protect personal information;
(III) ceasing to provide services to product or service providers on the platform that process personal information in serious violation of laws and administrative regulations; and
(IV) regularly releasing social responsibility reports on personal information protection for social supervision.”
Unlike the laws of most jurisdictions, Article 58(I) and (IV) of the PIPL introduce two new concepts to ensure that actions taken by Gatekeepers are in line with the expectations of society. In particular, they introduce the compulsory requirement for an independent supervisory agency mainly composed of external members (“Independent Agency”) and the further compulsory obligation on Gatekeepers to regularly release social responsibility reports on personal information protection (“Social Responsibility Report”) for social supervision.
How to Comply with the Social Responsibility Obligations Under Article 58 of PIPL?
1. Setting up of an Independent Agency
At the time of writing, the qualifications and criteria for selecting external members, the exact scope of their responsibilities, the reporting line for such Independent Agency, and the extent of their supervisory powers have not been clarified. Pending further clarification from the authorities, Gatekeepers should start by considering the benchmarks to be achieved for their data compliance programs, in particular the standards and certification levels to be achieved and the legal landscape that will apply to their organization’s use of data globally.
When considering the size and composition of the supervision committee, Gatekeepers should take into account the need to ensure that the majority of its members are external members (i.e., non-employees).
To help ensure that the Independent Agency can also operate in an open, fair, and impartial way, Gatekeepers should consider how the remuneration plan for external members and their reporting structure will ensure independence by avoiding conflicts of interest (i.e., members should not be placed in a situation where they need to supervise parties to whom they report or who determine their remuneration).
Gatekeepers can also ensure that there is accountability to such Independent Agency by allowing escalation to the organization’s board of directors. Where organizations have already set up data compliance committees, it will also be important to define their roles clearly so that there is no misunderstanding of their respective obligations and no duplication of roles.
To improve the effectiveness of this Independent Agency, platforms should ensure that the Independent Agency is integrated into their PDCA continuous improvement cycle or 360 performance reviews for management.
A further detail that is not specified under the PIPL is whether the Independent Agency members must operate on a full-time basis. Platforms should evaluate the level of engagement required from such Independent Agency against the risk levels presented by their data operations and the state of deployment of their data compliance program. This will help organizations consider the extent of engagement required and the frequency of reports to be submitted by the Independent Agency.
Gatekeepers can also improve the effectiveness of the Independent Agency in four ways. Firstly, by selecting members with a broad range of experience and skillsets going beyond legal backgrounds to include members with backgrounds in public relations, business, operations, HR, and IT security, so that the interests of key stakeholders can be represented. Secondly, by ensuring that the Independent Agency has adequate resources to fulfil its role. This includes access to compliance tools (for example, compliance dashboards, investigation reporting, request tracking tools, etc.), internal audit resources, and external experts if needed. Thirdly, by ensuring that the members are given access to essential data within the organization to allow them to adequately perform their supervisory roles. This may include timely updates and reports on measures such as training numbers, new policies and security systems, audit reports, data subjects’ requests or complaints, and information relating to data security incidents. Lastly, the members should be given the authority to call for audits or investigations.
2. Regular publication of Social Responsibility Reports
Approaching data protection as a core business strategy, rather than just a compliance or security issue, can set a company apart from competitors. As a result, rather than retrospectively responding to laws and consumer demands, platforms should choose to make data privacy rights a priority and a part of their social responsibility plans from the start.
While the PIPL does not specify how frequently such a report must be issued, the recent Regulations on the Protection of Minors on the Internet (Draft for Comments) (《未成年人网络保护条例(征求意见稿)》) specifies that important internet platform service providers with a large number of minor users and significant influence in the minor community should publish a special Social Responsibility Report on the online protection of minors annually. It is therefore likely that future laws or clarifications will consistently require Social Responsibility Reports to be issued on an annual basis.
It is further noted that the PIPL does not specify the content to be included in such a Social Responsibility Report. As discussed above, the Privacy Impact Assessment (“PIA”) is a risk assessment and a targeted explanation of the effectiveness of security protection measures for specific processing practices, and is mainly for internal consumption. The Social Responsibility Report, on the other hand, is meant for a broader group of stakeholders and focuses on providing:
(1) a macro-level overview of the platform’s fulfillment of the obligations mandated by law on personal information protection.
(2) information on other enhanced personal information protection measures taken by the platform in addition to its legal obligations.
(3) information on the platform’s use and development of personal information protection technology to improve its products and services.
(4) the platform’s contribution to raising awareness and protection of personal information in society, etc.
(5) tone from the top, by showing that your social responsibility programs are supported by your top-level executives.
(6) an introduction to your governance organization, structure, and their respective roles in support of social responsibility targets, reporting, monitoring, auditing, and remediation (e.g., board of directors, executive leadership, committees, sponsors, and compliance officers).
(7) an elaboration of the focus areas of your social responsibility program (e.g., privacy, digital safety, and wellbeing).
(8) success stories. For example, LEGO® showcases its Build & Talk series, which was introduced to help parents talk to their children about important digital safety and wellbeing topics in a playful and memorable way, through a range of activity packs that help parents start conversations about online privacy and safe sharing, screen time, and false information online.
(9) Key Performance Indicators. Measuring and making performance indicators public will promote accountability and build trust with all your stakeholders. Examples of indicators that can be tracked include training numbers for employees and partners, security risk assessments and impact assessments conducted, and compliance certifications obtained (e.g., ISO 37301:2021, etc.).
What Are the Underlying Benefits for Platforms to Comply with the Social Responsibility Obligations Under Article 58 of PIPL?
By establishing and integrating a professional data compliance Independent Agency within their organizations and holding themselves accountable for progress in social responsibility through public reports, platforms will not only avoid non-compliance and fines, but also improve their brand image by building long-term trust and engagement with current and future stakeholders and clients. A higher level of stakeholder trust and acceptance will lead to higher quality data collected by Gatekeepers and ultimately save time and resources for their business and research teams. Higher levels of trust will also lead to cooperation opportunities in the market with clients and partners who share the same principles and place importance on data compliance.
An effective social responsibility program may also help a platform establish credibility and market differentiation for investors (e.g., sustainable equity funds) and protect its supply chain and partner ecosystems.
To conclude, as Gatekeepers are responsible for immense volumes of personal information, Article 58 has taken the lead in raising the bar on traditionally reported data and recognizing the role and effectiveness of policing through social accountability. In other words, businesses should understand that the creation of financial value and differentiation is increasingly linked to their value to society, as consumers are progressively aware of and care about sustainable and fair business practices. Given that social responsibility reporting is still a new concept in China, businesses should seize this opportunity to set themselves apart from their competitors and lead by example.