China question: How do I create and implement a data privacy framework?

March 10, 2015 | By clpstaff

How can I keep my company's information secure and comply with PRC regulations? How do I manage the information of my business partners, third parties and customers to ensure they are protected?

The law firm perspective

Over the past two and a half years, China has published a raft of laws and regulations concerning data protection, loosely based on the European model. When planning system architectures and business models, companies need to have three main themes in mind: security, collection of personal data and offshoring of data. There is also the need to preserve confidentiality of data which is not personal data, but which consists of commercial secrets. So, underpinning the framework requires imposing contractual obligations on all employees, contractors and business partners to keep information confidential as well as to adhere to all data privacy laws.


Security


Data breaches will occur, whether through hacking or human error, so it is imperative that the company's information systems are protected through physical and technical means, backed by appropriate training of personnel. Security requirements are set out in the Provisions on the Protection of Personal Information of Telecommunications and Internet Users (工业和信息化部电信和互联网用户个人信息保护规定) (Provisions), which were issued by the Ministry of Industry and Information Technology (MIIT) and went into effect on September 1 2013. The Provisions apply to the collection and use of users' personal information during the provision of telecommunications services and internet information services. In the event of a data breach that is "likely to cause serious consequences", there is a requirement to report the breach to the telecommunications administration authorities (which may lead to intervention and sanction).


Collection of personal information


The regulation of personal data starts at the point of collection, generally by obtaining consent from the data subject. Article 4 of the Provisions defines users' personal information as "information that can, individually or in combination with other information, identify a user. This includes the user's name, date of birth, identity document number, address, telephone number, account number, password, the time and place of use of service by the user and other information". Those covered by the Provisions must formulate rules concerning the collection and use of users' personal information and publish them, not least on their websites.

Collection of personal data should not take place without the users' informed consent. Users should be notified as to the purpose, method and scope of the collection and use of their data, how they may enquire about and correct the data and the consequences of not providing the requested data. Data users subject to the Provisions cannot collect users' personal information which is not required for provision of their services or use the information for a purpose other than the provision of services. This is very restrictive and seems to disallow personal information collection statements which seek consent for additional uses such as marketing or market research.

From February 1 2013, MIIT guidelines of general application to organisations operating in China took effect; these also deal with the collection and use of personal data.

The guideline differentiates between what information should be classed as 'sensitive' personal data and 'general' personal data. Sensitive information refers to personal information which would result in negative implications on the data subject in the event of disclosure. Under the guideline, sensitive information should only be collected upon the express consent of the data subject, while general personal information can be collected and processed as long as individuals show “no objection” to the activity.


Offshoring of data


Increasingly, businesses need to send personal data outside of China, whether for processing in a cloud environment, for internal reporting or for efficient and secure backup. In certain industries, notably financial services, the transfer of customer data outside of China is forbidden (even with the data subject's consent). Even outside the financial services sector, the February 1 2013 guidelines stipulate that express consent from the data subject is required to transfer data outside China.

To produce a data privacy framework it is imperative to know: what personal data is required for the business, where it will be stored, processed and for how long, whether it needs to be sent offshore and what security measures (including encryption) will be applied along the way.

Peter Bullock, Pinsent Masons, Hong Kong


The risk analyst perspective

The wolf close to the door is more dangerous than the wolf in the woods. While Chinese data privacy laws appear lenient, the Chinese authorities do know your office address and could be there in minutes if they chose to be.

Data privacy in Asia is all about actions and training rather than about words and policies. In China specifically, there is, as of 2015, no comprehensive data privacy regime or even a comprehensive set of mandatory requirements, but there are definite signs that this will change. The requirements that do exist focus more on aggressive marketing and spam: for instance, obtaining individuals' personal information by illegal means and then using it for telemarketing.


Encryption


One way of protecting employees' data from security breaches is the use of encryption. It has been said that encryption is mere 'sunscreen' protection for electronic data, giving a false sense of security while offering no real protection. That is not entirely true. A good system involving file-level encryption of data can stop unauthorised use of information by third parties with which you frequently deal, and protect those very important documents, connections and customer details. However, it is not acceptable simply to import a foreign encryption product, as this is restricted in China by the Office of the State Commercial Cryptography Administration (OSCCA). OSCCA will require an import permit for use of a foreign encryption product. There are, however, several types of encryption software which are already approved by the Chinese government.


Third parties

The second way in which data privacy becomes an issue is, obviously, when dealing with third parties. If you need to share customer information with a vendor, supplier or channel partner, you will not have the benefit of a technical protection such as encryption once the data is in their hands. Practically speaking, you will need to satisfy yourself that the partner applies the same standards of information governance as you do, or, if it does not meet your organisation's standards, that it is at least aware of the issues and has no other incentives or bad motives. This requires looking beyond your direct interactions with the company and asking questions in the marketplace about the partner's reputation. How do they get things done? Why are they the leader in this area? What other side businesses or government relationships do key employees have which could present conflicts of interest?


Employee conduct

Data privacy must also be considered when things go wrong in a different way. If you find that an employee or partner is not following the rules (especially in the case of an employee), you will be able to conduct a covert investigation of their conduct. But the domestic Chinese rules of evidence under the notary system require great care to be taken in the collection of evidence if there is any chance of domestic litigation or criminal accusations being filed about the employee's conduct. For example, if an employee is accused of defrauding the company and is dismissed as a result, there may be evidence on company-owned laptops and phones that corroborates the employee's guilt, which matters should the outgoing employee bring a counter-claim or accusation. Collecting this evidence will require a notary to be present at the time of handover of these devices to verify that they were the ones used by that employee. Furthermore, the copying of evidence via computer forensics would typically involve taking a forensic image of those devices. In China, a notary must be present and able to record the imaging of those computers and phones, and a copy must be left with the notary, or the authenticity of the evidence could be called into question.
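The notary's presence covers the legal side of authenticity; the technical side is that the image the notary witnessed must be provably the same bytes anyone examines later. The following is an added example (not from the article or either author's practice) showing the integrity record a forensic examiner would produce at acquisition: the image is hashed in front of the witness, the record names the device, custodian and witnesses, and a copy of that record can be left with the notary so that any later working copy of the image can be re-verified against it. The device tag, names and timestamp are constructed placeholders, and the "image" is a few kilobytes of constructed bytes standing in for a disk.

```python
"""Evidence-integrity record for a forensic image.

Added example, not part of the original article. Hash the image at
acquisition in front of the witness, record who was present, and let anyone
holding the witness's copy of the record re-verify the image later.
Device identifiers, names and timestamps below are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB slices so a real image need not fit in memory


def hash_stream(chunks):
    """Return SHA-256 and MD5 hex digests plus byte count over an iterable of chunks.

    Two algorithms are recorded because whoever verifies years later may only
    have tooling for one of them; both must match.
    """
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    size = 0
    for chunk in chunks:
        sha256.update(chunk)
        md5.update(chunk)
        size += len(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(), "size": size}


def chunked(data, size=CHUNK):
    """Yield `data` in fixed-size slices (stands in for reading a device or image file)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def acquisition_record(image_bytes, device, custodian, witnesses, acquired_at=None):
    """Build the record the witness signs: what was imaged, by whom, with which digests."""
    digests = hash_stream(chunked(image_bytes))
    record = {
        "device": device,              # serial / asset tag from the handover inventory
        "custodian": custodian,        # examiner who took the image
        "witnesses": list(witnesses),  # e.g. the notary present at handover and imaging
        "acquired_at": (acquired_at or datetime.now(timezone.utc)).isoformat(),
        **digests,
    }
    return record


def verify_image(image_bytes, record):
    """Re-hash a copy of the image and compare it with the witnessed record.

    Returns (ok, mismatches); an empty mismatch list means the copy is
    bit-for-bit what the witness saw at acquisition.
    """
    digests = hash_stream(chunked(image_bytes))
    mismatches = [k for k in ("sha256", "md5", "size") if digests[k] != record[k]]
    return (not mismatches, mismatches)


def record_to_json(record):
    """Canonical JSON so the copy left with the notary compares byte-for-byte."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


# Constructed sample: a small fake "image" standing in for a laptop disk.
SAMPLE_IMAGE = b"NTFS boot sector placeholder\x00" + bytes(range(256)) * 64
SAMPLE_RECORD = acquisition_record(
    SAMPLE_IMAGE,
    device="laptop asset tag HYPO-0001",  # hypothetical identifier
    custodian="examiner A (hypothetical)",
    witnesses=["notary B (hypothetical)", "HR representative C (hypothetical)"],
    acquired_at=datetime(2015, 3, 10, 9, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(record_to_json(SAMPLE_RECORD))
    print(verify_image(SAMPLE_IMAGE, SAMPLE_RECORD))
    # A single flipped bit in the working copy is detected.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01
    print(verify_image(bytes(tampered), SAMPLE_RECORD))
```

In practice the record is printed and signed on paper at the scene as well as stored electronically, and the examiner works only on verified copies; the original image stays sealed with the witness's copy of the record so that the chain from handover to examination can be shown in full.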

Often compliance in fraud cases in China is more about a soft approach than hard law. For example, even where an employee is accused of stealing from the company, once the data on the company computer has been copied the employee may point out that certain personal items on the computer should not be examined, such as personal bank account dealings, wedding photos, holiday trips and social media discussions. It will be a matter of judgment in each case whether those items could possibly contain evidence of the illegal activity. If they could not, it will normally be best to copy them, give them back to the employee, and state that they will not form part of the investigation.

This overview provides what is more an attitude to dealing with data than with legal compliance. Protect your employees' and customers' important data, but have a strong idea about what forms your company's core trade secrets, client connections and goodwill. Lock away your crown jewels, not your garbage.

Dmitri Hubbard, Control Risks, Hong Kong

This premium content is reserved for
China Law & Practice Subscribers.
