For many U.S. companies, the concepts of “China” and “data privacy” collide only in the context of ensuring their private data is protected from the prying eyes of China-based cyberspies. In recent months, the U.S. has revved up the dialogue around cybersecurity issues with China and has diplomatically put pressure on the country to address cybersecurity. In a March speech, President Obama’s national security adviser, Tom Donilon, called the issue of cybersecurity “a growing challenge” to the economic relationship between the U.S. and China. In April, Secretary of State John Kerry announced that the U.S. and China would form a working group on cybersecurity.
However, companies that have any sort of business operations in China should be aware of a separate but quickly growing trend in the country: a move toward cybersecurity and, more specifically, data privacy protections within its borders. In recent years, China has been taking incremental but meaningful steps toward regulating the collection and use of its citizens’ personal data.
Despite this focus, “China lacks a single, unified and coordinated data protection law,” says Manuel Maisog, chief representative of Hunton & Williams’ Beijing office. “The development of personal information protection law in China has been proceeding on a piecemeal, sector-by-sector, act-by-act basis.”
Although the government has taken some significant steps in 2013, none of them represents a final resolution of the situation, Maisog says.
Earlier this year, China’s Ministry of Industry and Information Technology (MIIT) issued, implemented and published China’s first attempt at national personal information protection standards in its “Guidelines for Personal Information Protection,” which took effect Feb. 1 after existing in draft form since early 2011. The guidelines define personal information privacy concepts and establish some basic principles surrounding the handling, retention and security of data at personal information organizations and other information collectors.
However, the guidelines are not binding. That’s not to say they won’t have an impact. Many lawyers counsel that it’s safer to abide by guidelines in case they do become law. Furthermore, developing the guidelines is the closest China has come to drafting comprehensive personal information legislation, says Eric Carlson, a partner at Covington & Burling in Beijing.
“[Although voluntary,] the more precisely drafted provisions found in the guidelines may help provide further context and instruction for interpreting generally drafted provisions in other personal information laws and regulations,” Carlson says.
Binding but Unclear
In April, China’s legislature released for public comment a draft regulation, “Provisions on Protecting the Personal Information of Telecommunication and Internet Users.” It is a step toward implementing a December 2012 decision (i.e., resolution) of China’s Standing Committee of the 11th National People’s Congress (NPC), which established a number of protections related to Internet service and content providers and other organizations’ collection and use of personal electronic data. The draft regulation gives the government broad inspection rights for it to assess compliance. It also expands rules governing the collection and handling of personal information, such as requirements to post personal data use policies, to obtain user consent before collecting personal data, to implement organization-wide privacy- and security-management systems, and to maintain strict confidentiality of user data.
The key difference between the guidelines and the NPC decision is that the decision is legally binding—it has the effect of rewriting the law. And whereas the guidelines merely outline principles, the decision provides some detail on potential sanctions for data privacy violations, ranging from warnings to civil and criminal liability to administrative punishments that some commentators think could amount to the forced winding down of operations.
That’s in contrast to the guidelines, which “seem to be aimed more at creating an awareness of data privacy issues among businesses in China and [promoting] a culture of compliance,” says Veronica Lockyer, of counsel at Orrick, Herrington & Sutcliffe in Shanghai.
Although commentators and legislators are still debating and finalizing details of the decision, and the guidelines are not officially binding, Scott Thiel, a DLA Piper partner in Hong Kong, says Western companies nonetheless should start moving toward compliance, even vis-à-vis the voluntary guidelines.
“Will you always be compliant in every sense? Almost certainly not,” he says. “But the more you can put a proper privacy compliance strategy in place, the more likely you are to be able to have sensible conversations with regulators and really hose down issues as they arise.”
For Western companies operating in China, perhaps the biggest compliance challenge they face will be the guidelines’ limit on extraterritorial transfers. Businesses would likely face roadblocks if they had to get consent from employees or government agencies for every data transfer related to updating employee records or transmitting monthly payroll information to compensate China-based employees.
“If put into effect, this would complicate the conduct of a legitimate cross-border transfer in many circumstances,” Maisog says. “Businesses are often dependent on being able to transfer personal information across borders, and they also may need to centralize the processing of data at a single location to increase efficiency.”
Another provision of the guidelines says that personal information must be deleted “immediately” after its purpose and use are achieved. Maisog says the provision is unrealistic and notes that last year Hong Kong had to amend its own Privacy Ordinance to remove a similar provision in favor of greater flexibility. In Hong Kong, the law now states that data collectors must take “all practicable steps” to ensure the data isn’t kept for longer than necessary.