Interpretation and Analysis of the Chinese Version of the "Gatekeeper" Regulations in the Network Data Security Management Regulations

LABEL: Telecommunications, media, entertainment and high technology, Compliance business, Digital economy

Introduction

The network security and data compliance team of King & Wood Mallesons published a comprehensive interpretation of the "Regulations" in a timely manner (for details, see "New Fire Testing New Tea, Poetry Wine Seizing the Time" - Interpretation of the "Network Data Security Management Regulations" under the New Situation). The Regulations are rich in content and deserve more in-depth interpretation, so we will explore them further in a series of special topics. Interested companies are also welcome to contact us and raise concerns; we will write specialized interpretation articles to discuss compliance issues under the Regulations with various sectors. This issue mainly interprets the "gatekeeper" system that many companies are concerned about.

The Regulations define "large-scale online platforms" in their annex, which means that the Chinese version of the "gatekeeper" rule has entered the practical level for the first time. Once the Regulations officially take effect on January 1 next year, the rule will move into compliance implementation. So, which companies need to pay attention to the gatekeeper rules? What are the rules for gatekeepers? How should companies comply in practice? This article analyzes and interprets these questions one by one.

1. The "gatekeeper" rule is an aggravated obligation

The gatekeeper theory was first formed in the field of communication studies and was subsequently introduced into the fields of networking, platform regulation, and digital markets. The most typical legislation is the European Union's Digital Markets Act (DMA), which treats core platform service providers that meet certain standards as gatekeepers of the digital market and imposes increased obligations on them outside of competition rules such as antitrust laws. Article 5 of the DMA specifies 9 specific obligations of gatekeepers, including data usage restrictions, prohibition of self-preferencing, advertising transparency, interoperability, etc., to prevent gatekeepers from affecting fair market competition. Gatekeepers who violate these obligations may face fines of up to 10% of global annual revenue, while for repeated violations, fines may be as high as 20%.

It is not difficult to see that "gatekeeper" regulation not only has anti-monopoly functions, but also plays a further role in regulating "platform power". Platforms have certain attributes of digital social infrastructure and can provide basic social products and services comparable to highways, railways, hydropower, electricity, gas, etc. As infrastructure or quasi-infrastructure, a platform may therefore affect the basic operation of the digital society, which gives it a power akin to social control, and this power is particularly evident in large platforms. Given this new organizational form of the digital society and the power constraint mechanism it brings, it is necessary to adjust it through legal norms to prevent the negative externalities of platform power and the possibility of platforms abusing that power. In specific legal provisions, this takes the form of imposing higher obligations on "gatekeepers". These obligations go beyond the original scope of anti-monopoly and anti-unfair-competition law and further require "gatekeepers" to take on more responsibility for safeguarding public interests and citizens' interests. Put more plainly, it can be understood as transforming certain social responsibilities of general enterprises into legal responsibilities of "gatekeepers".

2. Which companies may be identified as "gatekeepers"?

At present, China's legislation in the fields of personal information protection and online protection for minors contains "gatekeeper" provisions, specifically the Personal Information Protection Law, the recently issued Regulations, and the Regulations on Online Protection for Minors. It should be noted that the term "gatekeeper" is not used directly in these three pieces of legislation; instead, they give qualitative descriptions (see table below for details). For ease of reading, the term "gatekeeper" is used in the following text to refer to the relevant legal expressions.

According to the provisions of Chapter 6 of the Regulations, the "gatekeeper" should first be the "network platform service provider". There is no definition of "network platform service provider" in China's legal provisions, and literally it should include at least two elements: network platform and service provider.

For online platforms, Article 40 (1) of the Regulations stipulates that service providers of online platforms shall clarify the network data security protection obligations of third-party product and service providers accessing their platforms through platform rules or contracts, and urge third-party product and service providers to strengthen network data security management. Drawing on economic concepts, "platforms" have the attribute of "two-sided markets". As stipulated in the Electronic Commerce Law, e-commerce platform operators are legal persons or unincorporated organizations that provide online business premises, transaction matching, information release and other services for two or more parties in e-commerce transactions, so that those parties can carry out trading activities independently. Therefore, a "network platform" should have third-party product and service providers, and those who do not introduce third parties and directly provide services to users should not count as a network platform. For example, whether a purely self-operated mall meets the concept of an online platform needs to be explored.

For service providers, China's legal system actually has two categories, namely telecommunications services and Internet information services. Telecommunications services should be determined based on the Telecommunications Regulations and the Telecommunications Business Classification Catalogue; Internet information services should be determined based on the Administrative Measures for Internet Information Services, which define them as the service activities of providing information to Internet users through the Internet. In form, Internet information services can be provided to users through blockchain, network audio and video, live broadcast, groups, forum communities, search, deep synthesis, algorithm recommendation, generative AI and other ways. In short, the Internet is essentially an information network, and almost all services provided through the Internet fall within the scope of service providers. Those who do not provide information services, such as device producers, are not network service providers. However, it should be noted that Article 40 (2) of the Regulations makes special provisions for "producers of smart terminals and other devices pre-installed with application programs", and they should also comply with the obligations of Article 40 (1).

According to Article 62, Item 8 of the Regulations, a large-scale network platform refers to a network platform with more than 50 million registered users or more than 10 million monthly active users, complex business types, and significant impact of network data processing activities on national security, economic operation, national economy and people's livelihood. This can be understood as a specific interpretation of "personal information processors who provide important Internet platform services, have a large number of users and complex business types" as stipulated in Article 58 of the Personal Information Protection Law.

The "gatekeeper" requirements stipulated in the Personal Information Protection Law include three elements: providing important Internet platform services, a large number of users, and complex business types. The three are cumulative, and none may be missing. The Regulations provide corresponding explanations for the three elements: a large number of users means more than 50 million registered users or more than 10 million monthly active users; providing important Internet platform services should mean that "network data processing activities have an important impact on national security, economic operation, national economy and people's livelihood, etc."; "complex business types" is not explained.

Based on this, the identification of a "gatekeeper" should meet the following conditions: ① whether it is a "personal information processor"; ② whether it has registered users and, if so, whether the registered users exceed 50 million or the monthly active users exceed 10 million; ③ whether the business types are complex; ④ whether it has a significant impact.

Among them, conditions ③ and ④ do not yet have objective standards and need further confirmation in practice, while conditions ① and ② are relatively easy to confirm and can serve as important compliance standards at present. It is worth noting that, compared to the Personal Information Protection Law, the Regulations no longer literally limit "gatekeepers" to "personal information processors", but this does not mean that there has been a change in practice: a "gatekeeper" needs to have registered users and must therefore process personal information, which makes it a personal information processor.

Overall, to determine whether one is a network platform service provider, the following conditions should be met: ① it uses the network to provide services; ② it does so for the purpose of providing information; ③ it has a platform nature.

3. How to identify a "gatekeeper"?

What companies are more concerned about is who will identify the "gatekeepers". Under the DMA, companies can determine whether they have met the threshold based on quantitative standards. If they have, they must notify the European Commission, which designates them as gatekeepers after receiving the notification. At present, the European Commission has designated six gatekeeper companies (Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft).

Neither the Regulations nor the Personal Information Protection Law specify the mechanism for recognition, but it is recommended that relevant enterprises make a preliminary judgment based on the quantitative standards in the gatekeeper conditions above, clarify whether their registered users have met the threshold and, if they have, carry out compliance work in advance to ensure that they meet the obligations of a gatekeeper.

4. What obligations do gatekeepers need to comply with?

As mentioned earlier, in addition to complying with general regulations, "gatekeepers" also need to fulfill increased obligations to ensure fair market competition order and the legitimate interests of users. Combining the relevant provisions of the Regulations and the Personal Information Protection Law, it seems that the "gatekeepers" do not bear significant and differentiated obligations, and only need to fulfill more obligations in external supervision and annual reporting.

Compared to the "gatekeeper" obligation stipulated in the Personal Information Protection Law, the Regulation has made some additions and refinements:

1. Add cross-border obligations. By comparison, the Regulations add a special obligation on top of Article 58 of the Personal Information Protection Law, which states that large network platform service providers providing network data across borders shall comply with national data cross-border security management requirements, improve relevant technical and management requirements, enhance relevant technical and management measures, and prevent cross-border security risks of network data (Article 45). However, Article 11 of the "Regulations on Promoting and Regulating Cross-border Data Flow" stipulates that data processors who provide data overseas shall comply with the provisions of laws and regulations, fulfill their data security protection obligations, take technical and other necessary measures, and ensure data security. In terms of content, there is no significant difference between the two in substantive obligations. It seems that Article 45 of the Regulations does not impose additional obligations on large online platforms, but rather obligations consistent with those of general data processors.

2. Regarding Article 58, Paragraph 1 of the Personal Information Protection Law. Article 58, Paragraph 1 of the Personal Information Protection Law stipulates that a sound compliance system for personal information protection shall be established in accordance with national regulations, and an independent organization mainly composed of external members shall be established to supervise the protection of personal information. The Regulation does not provide specific requirements for the compliance system of personal information protection, independent institutions, etc., but requires large network platform service providers to disclose in their annual social responsibility reports on personal information protection the performance of "personal information protection supervision institutions mainly composed of external members".

3. Regarding Article 58, Paragraph 2 of the Personal Information Protection Law. Article 58, Paragraph 2 of the Personal Information Protection Law stipulates that platform rules shall be formulated in accordance with the principles of openness, fairness, and impartiality, clarifying the norms for the processing of personal information by product or service providers within the platform and their obligations to protect personal information. According to Article 40, Paragraph 3 of the Regulations, if a third-party product or service provider violates the provisions of laws, administrative regulations, platform rules, or contractual agreements in carrying out network data processing activities and causes harm to users, the network platform service provider, the third-party product and service provider, and the producers of devices pre-installed with application programs shall bear corresponding responsibilities in accordance with the law. For network platform service providers, the Regulations do not specify the corresponding responsibilities, which may be interpreted as joint liability or supplementary liability. Either way, network platform service providers need to bear responsibility. To avoid liability risks, network platform service providers should actively clarify the network data security protection obligations of third-party product and service providers that access their platforms through platform rules or contracts, as required by Article 40 (1) of the Regulations. Therefore, large network service platforms and general network platform service providers have similar obligations in this regard.

4. Regarding Article 58, Paragraph 3 of the Personal Information Protection Law. Article 58, Paragraph 3 of the Personal Information Protection Law stipulates that platforms shall stop providing services to product or service providers on the platform that seriously violate laws and administrative regulations in processing personal information. This obligation is similar to the obligation mentioned in the preceding paragraph. Network platform service providers, based on compliance considerations under Article 40 (3) of the Regulations, shall supervise and manage product or service providers within the platform in accordance with relevant laws and administrative regulations, or through platform rules, contracts, etc., and take measures to stop providing services in accordance with the law and the agreement. Therefore, large network platforms and general network platform service providers have similar obligations in this regard.

5. Regarding Article 58, Paragraph 4 of the Personal Information Protection Law. Article 58, Paragraph 4 of the Personal Information Protection Law stipulates that social responsibility reports on personal information protection shall be regularly released and subject to social supervision. Article 44 of the Regulations clarifies this: it sets the release cycle as "annually" and specifies the content of the report as follows: personal information protection measures and their effectiveness, the handling of applications from individuals exercising their rights, and the performance of duties by the personal information protection supervision agency mainly composed of external members. It is worth noting that the Regulations do not clearly state whether personal information protection social responsibility reports should be published separately or as part of ESG reports. By contrast, Article 20, Paragraph 1, Item 6 of the Regulations on Online Protection for Minors stipulates that "a specialized social responsibility report on the protection of minors' networks shall be issued annually and subject to social supervision", whereas neither the Regulations nor the Personal Information Protection Law uses the term "specialized". Therefore, the tendency is to understand that personal information protection social responsibility reports can be published separately or as part of ESG reports, as long as their content complies with the provisions of Article 44 of the Regulations.

In summary, only the second and fifth obligations mentioned above are specific to large network platforms, while the other three obligations are the same for large network platforms and general network service providers. In other words, only the second and fifth obligations are typical special obligations of large online platforms. From a compliance perspective, large online platforms should prioritize the second and fifth obligations. In practice, not many companies have established external independent institutions and released social responsibility reports on personal information protection. The main reason may be that previous legislation and regulation did not clearly define the "gatekeeper", and relevant companies still hold a wait-and-see attitude. With the promulgation and implementation of the Regulations, enterprises, especially those that meet the requirements of "large network platforms", need to accelerate compliance practices, establish external independent institutions, and prepare for the release of personal information protection social responsibility reports.

5. Implications for Corporate Compliance

The management of "gatekeepers" can be said to be one of the key means of digital governance, and the promulgation of the "Regulations" means that the Chinese version of "gatekeepers" is moving from exploration to implementation. Clarifying the relevant provisions of the Regulations and the Personal Information Protection Law has practical compliance significance for eligible enterprises. According to the regulations, enterprises can make preliminary judgments on whether they belong to the "gatekeepers" based on quantitative standards, so as to further fulfill relevant obligations and avoid compliance risks in accordance with the regulations and the Personal Information Protection Law.

It is worth noting that, as mentioned above, China also has a "gatekeeper" system in the field of minors' network protection, and Jindu's network security and data compliance team is also cooperating with the Internet Association of China to develop group standards for the online protection of minors (see details: the "group logo leading" plan of the Internet Association of China - the release of the "minors' protection" focus area, https://mp.weixin.qq.com/s/ybAcCdVyGhby6noFe8eUlg ). We have taken the lead in drafting the "Guidelines for Identifying Large Platforms for the Protection of Minors on the Internet", which has now entered the approval stage. Standards and industry codes of conduct can provide practical support for network governance work and offer real experience to enterprises, and we also look forward to reaching consensus with everyone on industry standards and norms.