Enterprise big data strategy and compliance

By Wu Weiming, AllBright Law Offices

Enterprises constantly need to access and use big data in product research and development, precision marketing, customer service, order processing and production management. Big data is one of the core strategies of modern enterprises. Implementing a big data strategy means that an enterprise must become a collector, processor and user of data, but information security and protection run in parallel to any big data strategy. Data collection, processing and application all raise compliance issues.


The Cybersecurity Law that entered into effect on 1 June 2017 and the subsequent complementary rules of such ministries/commissions as the Ministry of Industry and Information Technology and the Ministry of Public Security directly regulate the protection of personal information and clarify the principles and methods for, and the legal liability associated with, obtaining information. In fact, the protection of personal information is also provided for in the General Provisions of the Civil Code, the Criminal Law, relevant decisions of the National People’s Congress and judicial interpretations of the Supreme People’s Court.

Enterprise big data strategies and protection of personal information represent a clash of interests that needs to be balanced by the law and are factors that an enterprise must take into account in the course of creating its big data strategy.


Protection of personal information is the most important issue in a big data strategy and is also the fundamental task of compliance. If improperly handled, it can trigger a legal dispute aimed at the enterprise and, in the worst case, can result in criminal liability. In general, an understanding of the following principles is required:

(1) Users are to be expressly informed that their information will be collected and their consent needs to be secured. This is a basic principle stipulated in the Cybersecurity Law. In practice, however, the principle of expressly informing users is easily overlooked, or users are informed in an inappropriate way that leads them to ignore the notice. This type of situation is quite common in mobile apps. For example, certain apps are set by default to obtain the user's geographical information, and collection stops only after the user closes the app. Such apps use the user's geographical information as an important data source to analyse user preferences and improve the service experience. Commercially speaking, this is quite reasonable, but it presents problems because the personal information is collected without expressly informing the user or securing his or her consent.

(2) A third party may not be permitted to use such information without the user’s consent. A network operator may not divulge personal information that it has collected, and may not provide the same to a third party without the consent of the person whose information was collected. This rule is also a basic requirement of the law. However, this principle may sometimes be improperly understood inside large enterprise groups. The shared use of data and information within a group has become a legal risk that can easily be overlooked by an enterprise.

(3) Lawfulness of the data source. This is a basic requirement that the law makes in respect of information collectors. However, in actual operation, an enterprise often will, out of the need for big data credit reporting and risk control, opt to purchase personal information from a third party. If, in the course of providing personal information, the third party data provider failed to obtain users’ authorization or if the third party data itself was improperly obtained, obtained in bad faith or illegally bought, the way by which the third party obtained the information could present major legal and compliance risks.


The cross-border use of data is a management stratagem or business model commonly used in multinational corporations. However, under the rules and requirements of the Cybersecurity Law, this model faces legal and compliance risks.

Pursuant to the Cybersecurity Law and complementary rules, if a network operator needs to use personal information obtained in China across borders, it is required to undergo a specific security review procedure. In this respect, the Cybersecurity Law sets the rules for the cross-border use of data by, and security reviews of, "operators of key information infrastructure". The Measures for Security Assessments of the Outbound Transfer of Personal Information and Important Data (Draft for Comment) issued by the State Internet Information Office expands the scope of application of the rules on the outbound transfer of personal information to all network operators. The above-mentioned rules for the cross-border use of data will undoubtedly expose organizations that have cross-border business to new risks.


Based on the Cybersecurity Law and other laws, statutes, rules and regulations on the protection of personal information, enterprises need to pay attention to the following issues in the course of managing big data:

(1) Hierarchical management of data: different data have different value, and the harm that their leakage or shared use causes to users, the public interest and national security also differs. Before collecting user information, an enterprise needs to carry out a reasonable analysis of the dimensions of the data and set different levels of sensitivity for them. Once data have been classified by level, an enterprise can adopt more precisely targeted responses to different compliance requirements and compliance matters.

(2) Establishment of a data protection system and improvement of data protection rules: with respect to the protection of personal information, the Cybersecurity Law adopts the principle of public responsibility legislation. If an information leak or other such security-related incident occurs, the network operator will not only be liable in accordance with the law for civil damages to the individuals who were harmed but will also bear the attendant administrative penalties or criminal liability. Whether a network operator has established cybersecurity and personal information protection systems in accordance with laws, statutes, rules and regulations, and whether it has sound operating rules and sound internal departments, can on the one hand help prevent or reduce civil claims and, on the other hand, become one of the conditions that determine whether it can be exempted from, or bear reduced, administrative and criminal liability after a data security incident.

Wu Weiming is a senior partner at AllBright Law Offices




11/F and 12/F, Shanghai Tower

No. 501 Yincheng Middle Road

Pudong New Area, Shanghai 200120, China

Tel: +86 21 2051 1000

Fax: +86 21 2051 1999
