
How do overseas product managers learn about international data compliance?

This article summarizes the data compliance knowledge that product managers working on overseas products need to be aware of. I hope it is helpful to you.

1. International business and data compliance background

Cross-border data transfer and data compliance are two topics that most people have at least heard of.

They also cause many domestic enterprises real worry and headaches, especially cross-border e-commerce, cross-border logistics and international SaaS companies. Their business usually serves the whole world, so users come from many countries. When a customer's transaction or purchase is completed overseas, the company inevitably collects and processes the personal information of overseas consumers and employees, and because international companies manage business and employees centrally, data transfers between entities in different countries are unavoidable.

In the past, I thought that data transfer was very simple, just like two servers sending messages to each other. After several years as a product manager in cross-border e-commerce, and some contact with international business and product solutions, I gradually learned more about it, but what I know is still only the tip of the iceberg.

Transnational data transfer is not that easy. When a domestic enterprise collects, stores, processes and transfers user data overseas, these are not simple system behaviours; the whole solution has to be built around the constraints and guidance of the local data protection and national security rules. Overseas countries have set many laws and regulations, the EU GDPR being the best-known example, and a company caught quietly transferring overseas users' information to China faces high fines: under the GDPR, up to 20 million euros or 4% of global annual turnover, whichever is higher.

Therefore, a global company must do a good job of local data compliance. For product managers, understanding some of the laws and policies that apply when going overseas, and being familiar with how products are designed under those compliance requirements, is a real advantage for future work in internationalization.

2. What are the compliance issues that overseas companies usually encounter?

There are two typical types. The first builds a website or app that serves overseas consumers directly, such as Temu, Shein or Shopify. Before overseas users can buy on the platform they must register and fill in personal information such as name, phone number and delivery address.

The second type does not face consumers directly but acts as an intermediary in cross-border services, such as cross-border logistics or cross-border ERP. These companies do not collect user data from consumers themselves; they receive it from merchants in order to help complete package fulfilment.

If such a company operates in Europe, it is subject to the EU General Data Protection Regulation (GDPR), which in outline requires it to:

  • protect user privacy and respect the user's right to choose;
  • tell users what information will be collected and for what purpose;
  • let users freely give, refuse and withdraw consent, and have their data deleted;
  • transfer personal data outside the EU/EEA only where the GDPR permits it: to a country with an adequacy decision, under an approved safeguard such as standard contractual clauses, or under one of the narrow derogations described in section 3.

For example, when a domestic app is launched in an EU country and a local customer registers and fills in a series of basic information, the user has the right to know what information you collect, what it is used for, where it is stored and whether it can be deleted, and there must be a properly drafted privacy notice covering the collection. Secondly, when the user no longer needs your product, the user has the right to withdraw consent and to have the data deleted after the account is closed. If you keep the data anyway, or transfer it to a country that the EU does not recognize as adequate without a lawful mechanism, you are exposed to regulatory supervision, and a user complaint can become very troublesome.


Therefore, when a product manager working on overseas business is involved in collecting users' personal information, he or she needs to be keenly aware of where the data and the servers are actually located (they may well not be overseas), how the product makes users aware that data is being collected, how the product obtains their consent, how a user who has consented can later withdraw that consent across the entire data chain, and how to design the product flow and pages accordingly.


In addition, China is not currently recognized by the EU as a country offering an adequate level of data protection. The countries with adequacy decisions listed in the article's source are: Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan; the United Kingdom, the Republic of Korea and (for organizations certified under the EU-US Data Privacy Framework) the United States have since received adequacy decisions as well. Therefore, if you need to transfer data to China, you need to use one of the other mechanisms below.

3. What are the EU-recognized mechanisms for cross-border transfers?

There are several transfer mechanisms recognized by the European Union. The following content comes from the online legal knowledge document of "Dr. Zhao Xiaopeng" rather than from me, and is for reference and learning only. Having studied it myself, I would group the mechanisms into three categories.

Category 1: Appropriate safeguards under the GDPR (Article 46)

  1. The data exporter enters into a data transfer agreement with the data recipient that uses the standard contractual clauses (SCCs) adopted by the European Commission.
  2. For data transfers within a multinational group, the group can adopt so-called Binding Corporate Rules (BCRs), which are strictly adhered to within the group and must be approved by the competent EU supervisory authority.
  3. An industry association draws up a code of conduct for data protection, approved by the supervisory authority, and the members of the association acting as data recipients make binding and enforceable commitments to comply with it.
  4. The data recipient's processing is certified under an approved certification mechanism; the certification is valid for a maximum of three years and must then be renewed.

Category 2: Transfers based on the user's consent (Article 49(1)(a))

Even if none of the above four safeguards is in place, a company can transfer personal data to China if it obtains the data subject's explicit consent, but the GDPR sets high requirements for that consent:

  1. The consent must be freely given and explicit: the data subject must actively confirm agreement, and implied consent is not recognized.
  2. The data subject must be informed of the destination country of the planned transfer and of the possible risks to them, in particular that no adequacy decision and no appropriate safeguards exist.
  3. The content of the consent must be clear: the manner, scope and purpose of the data transfer must be spelled out in the consent form.

In practice this method is usually not feasible. Like many domestic e-commerce companies, after collecting user data the company goes on to pass it to cross-border logistics companies, carriers, customs brokers, customs clearance agencies and so on. This multi-party sharing follows the company's business as it develops and changes, and there is no way to spell it all out in the consent form in advance.

Category 3: Transfers without the user's consent (other Article 49 derogations)

  1. The transfer is necessary for the performance of a contract with the data subject, or for a contract concluded in the data subject's interest.
  2. The transfer is necessary to protect the vital interests of the data subject, where the data subject is incapable of giving consent.
  3. The transfer is necessary to establish, exercise or defend legal claims.

For example, in cross-border e-commerce the buyer's address and contact details must be used for customs clearance in the destination country; if the transfer were forbidden in the name of privacy, the business simply could not operate. Because a sales contract with the buyer exists and delivery requires clearance, the transfer is reasonable to some extent. Two caveats matter for a practitioner here. First, the derogations are meant for occasional transfers and are interpreted narrowly; a high-volume, systematic flow should rest on an Article 46 safeguard such as SCCs rather than on Article 49. Second, passing the data between systems over an encrypted connection instead of letting staff download it is good practice, but it does not change the legal analysis: data that becomes accessible to a recipient in a third country has been transferred, however it got there.

In summary, from the perspective of global compliance, the most time-saving way for an e-commerce platform or overseas software service provider to transfer personal data collected in the EU to China is to enter into a data transfer agreement with the domestic data recipient using the European Commission's standard contractual clauses. Since the Schrems II judgment this must be accompanied by a transfer impact assessment of the destination country's law and, where needed, supplementary measures such as strong encryption with keys held in the EU. Of course, the best option is: overseas storage, overseas operation, and no connection back to domestic systems.
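The three categories above amount to a decision procedure that a product's data-transfer path should run before any personal data leaves the EU/EEA. The following Python sketch is an added example, not code from the article or from any company named in it. It encodes the mechanisms in GDPR Chapter V as a default-deny gate: the adequacy list is the one given in the article and is illustrative only, and the recipient names, country codes, consents and requests are constructed sample data.

```python
"""Default-deny transfer gate for personal data collected in the EU/EEA.
Added example. Mechanisms follow GDPR Chapter V; the adequacy list is the
article's and is illustrative (check the Commission's current list). All
recipients, consents and requests below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
          "PL PT RO SK SI ES SE IS LI NO".split())
# Adequacy decisions as listed in the article, ISO 3166-1 alpha-2 (illustrative).
ADEQUATE = set("AD AR CA FO GG IL IM JE NZ CH UY JP".split())


class Basis(Enum):
    INTRA_EEA = "intra-EEA: not a Chapter V transfer"
    ADEQUACY = "Art. 45 adequacy decision"
    SCC = "Art. 46(2)(c) standard contractual clauses"
    BCR = "Art. 46(2)(b) binding corporate rules"
    CONSENT = "Art. 49(1)(a) explicit consent"
    CONTRACT = "Art. 49(1)(b) necessary for the contract with the data subject"


@dataclass
class Safeguard:
    """SCC or BCR signed with a named recipient; tia_done records whether the
    post-Schrems II transfer impact assessment has been completed."""
    recipient: str
    kind: Basis
    tia_done: bool


@dataclass
class Consent:
    """What the subject was actually told when consenting (Art. 49(1)(a))."""
    subject_id: str
    destinations: set[str]
    purposes: set[str]
    risks_explained: bool
    withdrawn_at: Optional[datetime] = None


@dataclass
class TransferRequest:
    subject_id: str
    recipient: str
    destination: str                   # country of the recipient, alpha-2
    purpose: str
    contract_necessary: bool = False   # e.g. address needed to deliver the order
    repetitive: bool = False           # systematic flows cannot rest on Art. 49


class TransferGate:
    def __init__(self, safeguards, consents):
        self.safeguards = {s.recipient: s for s in safeguards}
        self.consents = {c.subject_id: c for c in consents}
        self.audit = []  # (subject, recipient, destination, allowed, basis)

    def withdraw_consent(self, subject_id):
        """Hooked to the account page; later consent-based transfers are refused."""
        c = self.consents.get(subject_id)
        if c is not None:
            c.withdrawn_at = datetime.now(timezone.utc)

    def decide(self, req):
        allowed, basis = self._evaluate(req)
        self.audit.append((req.subject_id, req.recipient, req.destination, allowed, basis))
        return allowed, basis

    def _evaluate(self, req):
        if req.destination in EEA:
            return True, Basis.INTRA_EEA.value
        if req.destination in ADEQUATE:
            return True, Basis.ADEQUACY.value
        sg = self.safeguards.get(req.recipient)
        if sg is not None:  # Art. 46 safeguard only counts once the TIA is done
            if sg.tia_done:
                return True, sg.kind.value
            return False, f"{sg.kind.value} signed but no transfer impact assessment"
        if req.repetitive:  # derogations are for occasional transfers only
            return False, "systematic transfer: Art. 49 derogations not available"
        c = self.consents.get(req.subject_id)
        if (c is not None and c.withdrawn_at is None and c.risks_explained
                and req.destination in c.destinations and req.purpose in c.purposes):
            return True, Basis.CONSENT.value
        if req.contract_necessary:
            return True, Basis.CONTRACT.value
        return False, "no lawful transfer mechanism: refuse and alert"


def build_demo_gate():
    """Constructed sample state: SCC with a Chinese logistics provider (TIA done),
    BCR with a group ERP (TIA missing), one shopper's explicit consent to CN."""
    return TransferGate(
        safeguards=[Safeguard("cn-logistics", Basis.SCC, tia_done=True),
                    Safeguard("cn-erp", Basis.BCR, tia_done=False)],
        consents=[Consent("shopper-1", {"CN"}, {"delivery"}, risks_explained=True)])


def demo():
    g = build_demo_gate()
    r = {"scc": g.decide(TransferRequest("shopper-1", "cn-logistics", "CN", "delivery")),
         "bcr_no_tia": g.decide(TransferRequest("shopper-1", "cn-erp", "CN", "delivery")),
         "consent": g.decide(TransferRequest("shopper-1", "cn-broker", "CN", "delivery"))}
    g.withdraw_consent("shopper-1")
    r["after_withdrawal"] = g.decide(TransferRequest("shopper-1", "cn-broker", "CN", "delivery"))
    r["contract"] = g.decide(TransferRequest("shopper-1", "cn-customs", "CN", "customs",
                                             contract_necessary=True))
    r["repetitive"] = g.decide(TransferRequest("shopper-1", "cn-analytics", "CN", "analytics",
                                               repetitive=True))
    r["adequacy"] = g.decide(TransferRequest("shopper-1", "jp-warehouse", "JP", "delivery"))
    return r


if __name__ == "__main__":
    for name, (ok, basis) in demo().items():
        print(f"{name:17s} {'ALLOW' if ok else 'DENY':5s} {basis}")
```

The order of checks mirrors the article's categories: adequacy first, then a signed safeguard (rejected when the transfer impact assessment is missing), then consent or contract necessity only for non-repetitive flows, and a denial with an audit record when nothing applies. Withdrawing consent changes the next decision immediately, which is the "whole chain" behaviour a product manager has to design for.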

4. What product managers need to pay attention to

First, understand which information counts as personal data when expanding into the EU, what the EU requires when such data is processed, and how those requirements affect product solutions and business development. For C-end consumers or users, refer to the points above on cookies, consent, the privacy notice, withdrawal of consent, data deletion and page interaction.

Second, understand the legal weight of cross-border data transfer and broaden your international perspective. For example, you need to know that overseas servers and overseas data storage are now the standard configuration for many international companies, understand how data moves between systems, and be able to make targeted suggestions when you take part in transnational meetings in the future.

Finally, if cross-border data transfer is involved and the company is large, pay attention to the legal risks. Product colleagues should be keenly aware of whether the company has collected the personal information of overseas users, and must consult professional legal colleagues and work with the international legal team to complete the plan.

That is all for this article. If you are also a product manager working on overseas products, or are interested in going overseas, you can follow the official account to contact me. I look forward to learning together.

Citations:

  • GDPR: https://gdpr-info.eu/art-9-gdpr/
  • Legal knowledge: https://mp.weixin.qq.com/s/uEcVf_yanOx-iKFKPorqBQ
  • Third-party interpretation: https://learn.microsoft.com/zh-cn/compliance/regulatory/gdpr?view=o365-worldwide#what-is-the-gdpr

This article was originally published by @Lea on Everyone is a Product Manager and may not be reproduced without permission.

The title image is from Unsplash and is licensed under CC0.

The views in this article represent the author's own; Everyone is a Product Manager only provides information storage space services.
