Preventing data compliance risks involving third parties

By David Pan, Llinks Law Offices

Sourcing data from third parties, or outsourcing data processing to third parties, may put business at risk while boosting its efficiency. Companies today use third-party data suppliers in various scenarios, such as collecting data from third parties in marketing, consumer profiling, market survey and risk control. Companies also outsource data processing to third parties in such scenarios as human resources outsourcing and agency e-commerce operations.


Recent incidents, including forcible debt collection by risk control-related big data firms, the Weimob database sabotage and the Zoom data leaks, are warning companies that they should conduct adequate due diligence, management and risk prevention of third-party data service providers.

Sourcing data

Laws and regulations expressly set out compliance obligations regarding sourcing data from third parties. For example, both the Data Security Management Measures (Exposure Draft) and the Information Technology – Personal Information Security Specification impose requirements on companies acquiring personal information indirectly from third parties and warn that acquiring personal information from other channels creates equal duty and obligation of protection to those arising from direct collection of personal information.

That means a company is obligated to check and ensure the lawfulness of sources of personal information supplied by third parties, including: (1) conformity to the principle of being legitimate, justified and necessary; (2) the rule of explicitness; and (3) consent of the person whose personal information is collected (express consent is required if sensitive personal information is collected).

In practice, a company mainly acquires from third parties the following three categories of user-related data that are of business value, which appear in descending order of risk: (1) raw personal information; (2) de-identified data (encrypted ID card numbers, mobile numbers, device numbers, etc.); and (3) anonymous data (processed data that cannot be used to identify specific individuals and are unrecoverable, such as structured data, group profiles and market analysis reports).

In addition, data risk is also relatively high when sensitive personal information is involved.

When it comes to third-party risk management, the author recommends a progressive examination mechanism according to the volume and risk level of data, taking into account the company's nature (whether the company is a critical information infrastructure operator (CIIO), or whether its network is at the third or a higher level under the multi-level protection scheme (MLPS)). The strictness of the three types of examination appears in ascending order: (1) text examination, i.e. requiring the data supplier to contractually promise lawful data sources and ensure secure data transmission; (2) substantive examination, i.e. in addition to text examination, identifying the sources of data and the way of data collection, conducting spot checks and reviewing the privacy policy or authorisation documents to ensure lawful sources; and (3) comprehensive examination, i.e. in addition to text examination and substantive examination, checking whether the third-party data supplier has completed MLPS determination and has established and followed a complete set of policies and procedures for cybersecurity and data protection and, where necessary, having a third party conduct due diligence or a security audit.

Supplying data to third parties

Relative to receiving data from third parties, supplying data to third parties poses a higher compliance risk. The current draft law explicitly provides that where a data subject suffers any loss for any reason on the part of the third-party data supplier, the data supplier must be held liable.

Take outsourcing personal information processing to a third party for example. First, the data supplier must prudently select the service provider and conduct necessary due diligence over it to ensure its well-established data security capability.

Second, the data supplier must ensure that the planned supply of personal information to the service provider, and the purpose and way of data processing by the service provider, have been explicitly notified in advance to that person, and that the person's consent has then been obtained (if any sensitive personal information is involved, the notification should particularly include the type of sensitive personal information, and the identity and data security capability of the data recipient, and that person's explicit consent must be obtained).

In addition, a security impact assessment should be conducted as to the data processing activity, before the personal information is supplied to the service provider, thereby ensuring that there is no security risk against the personal information subject. After the service provider receives and processes relevant data, the data supplier must supervise its data processing activity to confirm fulfilment of compliance obligations defined in the contract, and audit the service provider where necessary.

Duty boundary with third parties

When either receiving data from, or providing data to, a third party, a company should clearly divide the cybersecurity duty and obligation between itself and the third party to establish a cybersecurity boundary. For example, companies and third parties generally provide their data interfaces and system ports to each other, or a company usually stores or processes data using the platform or system provided by a third party.

In such circumstances, it is very difficult to apportion liability between the two sides once a cybersecurity incident (e.g., data leakage) occurs, if the boundary of cybersecurity duty has not been defined in advance. Even a company totally reliant on third-party systems (e.g., storing user data on a third party's cloud) can hardly shrug off all liability when problems such as user data loss or damage emerge, without an earlier agreement on the split of cybersecurity duties.

To sum up, a company should pay due attention to data compliance risks involving third parties, while enhancing its own data compliance. It should manage third parties properly and take proper data-related risk precautions so as to avoid any data compliance liability caused by third-party factors where possible.

David Pan is a partner at Llinks Law Offices. He can be contacted on +86 21 3135 8701 or by email at