Data security and privacy protection practices are coming increasingly under the environmental, social, and governance (ESG) spotlight. On 8 September 2022, the China Cybersecurity Industry Alliance (CCIA) released the draft Guidance on Social Responsibility of Data Security and Personal Information Protection (Draft for Comments) (Draft Guidance) for public comments.
Unlike the comprehensive raft of all ESG factors discussed in the ESG disclosure standards released earlier this year, the Draft Guidance focuses on ESG commitments in data compliance efforts. It aims to help organisations fulfil social responsibilities in their day-to-day data compliance efforts, achieve higher social value and maximise their commitment to sustainable development. Once finalised, the Draft Guidance will be the first set of industry standards in China to explicitly connect data protection with social responsibility, further bolstering the growing awareness of the multitude of different ESG compliance obligations.
The “S” of ESG concerns
Although data protection can also fall under the “G” (i.e. governance) of ESG issues, the Draft Guidance focuses on the “S”, i.e., social responsibility commitments to data security and personal information protection. The proposed guidance on these commitments straddles the following five topics and 24 sub-topics:
- Organisational governance and management: organisational level guidance such as core values and development philosophy, social responsibility strategy and objectives of work; guidance relating to internal governance such as management commitment or statement, implementation and supporting resources, internal publicity and training, internal supervision and employee motivation.
- Compliance, innovation and value: compliance of products and services, innovation and advancement of technology, user value, social governance, digital inclusion and special protection.
- Fair operation, competition and cooperation: transparency of data processing rules, sharing of knowledge and technical achievements, construction of effective platform rules, joint formulation of supplier rules and relevant assistance, and construction of a fair competition environment.
- Consumer rights protection: protection of personal interests and property interests, handling of consumer complaints and disputes, accepting supervision from independent social organisations, consumer education and cultivation of awareness.
- Participation in public welfare and social development: charitable donations and public welfare undertakings, holding events and science popularisation, industry self-regulation and coordinated efforts, provision of jobs and industry investment.
The Draft Guidance helpfully clarifies that the recommendations on the above topics may not apply to all organisations. Specific content regarding each topic should be considered together with the specific conditions of the organisation, such as the level of regional development, the scale and nature of the organisation, the current stage of the organisation’s development generally, the characteristics of the industry, and the expectations of stakeholders.
Broader data compliance framework
Unsurprisingly, most of the topics align with the core data protection principles and requirements under the Personal Information Protection Law and the Data Security Law (DSL).
For instance, the sub-topic of “digital inclusion and special protection” requires organisations to consider the special needs of diverse user groups when providing digital products and services to them, including developing accessible products or programs that give users equal access to digital products and services, taking into consideration different regions, knowledge levels, languages and dialects, youth, people with disabilities, seniors, etc. This sub-topic appears to address one of the new clauses introduced in the final draft of the DSL, which explicitly calls out the protection of the elderly and the disabled from a data protection perspective, i.e. in developing and improving “intelligent/smart public services”, the needs of the elderly and the disabled should be fully considered to avoid creating obstacles to their daily life. In practice, for example, some app operators have published a special version of their mobile applications for the elderly, with larger fonts and simplified displays.
Evaluating ESG performance in data practices
The Draft Guidance also provides methods of evaluating an organisation’s performance when engaging in activities relating to data security and personal information protection. The performance of organisations is divided into three grades, with scores ranging from zero to 15 for each of the 24 sub-topics discussed in the Draft Guidance. The overall performance level of an organisation is determined as a composite of the scores obtained under each sub-topic and the total score obtained by the organisation.
In addition, the Draft Guidance identifies some key issues with higher risk which would negatively affect the evaluation result of an enterprise:
- Consumer rights protection: harming consumers and leaking consumers’ personal information and other private information;
- Fair operation, competition and cooperation: infringement of intellectual property rights, unfair competition, and illegal manager conduct; and
- Participation in public welfare affairs and social development: hindering community stability (such as endangering public safety).
Implications for businesses
Growing data privacy awareness and increasing concerns among institutional clients and individuals about data breaches and misuse are encouraging more companies to place data security and privacy protection at the forefront of their compliance strategies. More managers are beginning to understand this as an ESG issue too.
The Draft Guidance can be used by China-based enterprises as a point of reference for best practice when considering the social responsibility aspects of their activities involving protection of personal information and other data.
Although the Draft Guidance does not have the force of law, failure to comply with its commitments may correspond to non-compliance under China’s data protection laws and regulations. This may lead not only to sanctions, including a steep fine of up to RMB 50 million or 5% of an organisation’s annual turnover in the previous year, but also to reputational damage in the eyes of investors, financiers, business partners or other stakeholders.
It is time for businesses to embrace the push for enhanced data protection and consider utilising it as a tool which may help further their ESG goals and practices.