Data protection is not yet as high on the agendas of the boards of Chinese companies as it is for multi-national companies (“MNCs”). This is hardly surprising, as China has no designated data protection regulator, has only recently started writing significant regulations in this area, and lists only very modest fines for infringements. Given the disparity of experience between Chinese companies and MNCs, it is worth unpacking what makes data protection such an important issue for many and to test the temperature as to where regulation might go in China in the future.

For MNCs data protection is highly pervasive

The EU-led Data Protection Principles, adhered to by most data protecting jurisdictions (outside the United States), encapsulate the whole gamut of the life of data from creation to deletion. Fairness and proportionality are required at every stage of use: collection, transfer, access and deletion. The principles also cover security and rights of access and correction. The EU approach is to protect data as a right of the individual. To date, China’s approach has been to regulate data in order to preserve an orderly market and to enhance the Government’s effort to track the spiralling use of personal data in consumer and other business communications.

In developed markets outside China data protection regulation can be a potential blocker for business development. For example:

  • in cloud computing, regulators (both of financial services and data protection) are often nervous that data may be passed to multiple overseas jurisdictions where it may (1) be misused and (2) cease to be susceptible to regulation from the first jurisdiction;
  • similar concerns arise in other types of offshoring of data processing, although these can often be ameliorated if the data user retains direct control over the processing facilities;
  • in market deregulation, shortcomings in obtaining consents to use personal data can stymie a dominant party’s advantage. For example, as long ago as the early 1990s, British Gas intended to use their very extensive customer base to sell services (such as metering and billing services) to customers in the electricity sector. However, they were prevented from using the customer lists for lack of the relevant consents. Certain UK supermarket businesses, who were far more advanced in obtaining such consents, were able to use their own customer databases more effectively, and steal a march on the gas monopolist (which was otherwise very well placed to serve these customers); and
  • more generally, although this has been dealt with in some data protection laws over recent years, due diligence exercises surrounding Merger & Acquisition activity can be severely hampered if the disclosing party is constrained from giving access to personal data (such as data relating to employees and/or customers).

Data law can also give rise to significant issues of reputation management, especially for consumer facing businesses. This screw has been tightened by regulators, especially those in Europe, who are meting out increasingly large fines for breaches of data protection regulations.

China’s approach to Data Protection

Meanwhile, China’s approach is currently fragmented and sectoral. The first recognisable data protection regulations were contained in the Tort Liability Law (with effect from 2010). Article 2 affirmed that the right to privacy is categorised as amongst the “civil rights and interests”. This was the first time privacy was treated as a “right” rather than an “obligation”.

The Law imposes tort liability for a “network user or network service provider who infringes upon the civil right or interest of another person”.

In 2012 the NPC Standing Committee handed down its “Decision on Internet Information Protection”. This remains the highest level Chinese law on data protection. It is addressed to “internet service providers and other enterprises that collect or use citizens’ personal electronic information in the course of their business”. Given the rise of online services, although this is a law of sectoral rather than universal application, it covers an increasingly large slice of consumer business, in China as in all other highly connected markets.

Another element of the 2012 Decision is the requirement that consumers of online services provide only “real identity information”. This is important for Beijing’s exercise of control over internet activity. However, it is a point of stark comparison in other jurisdictions, even within the EU bloc. Germany is a staunch defender of the right to online anonymity, and this is entrenched within its data privacy laws. However, Ireland, another EU member state, supposedly interpreting the same Directives concerning data privacy, like China does not permit users of internet services to use pseudonyms. This has led to hard fought legal proceedings between a German data protection regulator and Facebook (trading under the laws of Ireland for these purposes). Of course, Facebook wishes to know the true identities of those using its services, as such personal data has significant commercial value to them.

MIIT’s regulatory material

In 2011 the MIIT issued “Several Regulations on Standardising Market Order for Internet Information Services”. This applies to all internet information service providers (“IISPs”). It, in fact, meets many of the OECD guidelines for data protection regulation. Furthermore, it includes some recent privacy principles absent from the regulations of some more mature data protecting jurisdictions (such as requirements surrounding minimal collection of personal data, and data breach notification).

In 2013, MIIT issued “Guidelines for Personal Information Protection within Public and Commercial Services Information Systems”. These are stated as being voluntary in nature and accordingly have received little traction in legal circles. They have a broad scope, covering the “processing of personal information through information systems”. They provide detailed regulatory content on data export; sensitive data (although what is deemed sensitive is much wider in ambit than the European norms); data subject access; and the right to rectification of inaccurate data.

In a productive period, also in 2013, MIIT issued a further law, titled “User Data Protection Regulations”. These were broader than the 2011 Regulations, being addressed to ISPs and “telecommunications business operators”. They for the first time included a comprehensive definition of “personal data” (with its roots in EU laws, some have observed). These 2013 Regulations provide a more or less complete data protection regime for the internet and telecoms sector in China.

It is these 2013 Regulations that contain the reference to the modest fines for transgressors (up to RMB30,000). They also include provisions allowing for transgressors to be “named and shamed” through public notification, acknowledging the opprobrium attached (by the larger consumer brands at least) to misuse of personal data, and ensuing reputational damage.

Data Protection practice gaining traction in China

Despite the fact there is no overarching data protection regulator, which has led to the regulations being less coordinated than might otherwise be the case, data protection practice is alive and well in China. For example:

  1. The banking regulator has for a number of years banned the export from China of customer data. However, PRC banks often wish to outsource their data processing. This has led a number of banks to seek waivers from their regulators to allow cross border transfers, presumably upon strict undertakings concerning the treatment of data offshore;
  2. There is a significant push for the development of cloud services. The main domestic hub is the Chongqing Data Centre Hub. This is being used as a stepping stone to develop both an internal and an international market for cloud services. This will produce challenges for data protection regulation in China;
  3. Similarly, the ecommerce sector is rapidly expanding, with Alibaba’s Jack Ma predicting that there may be decades of growth left in this sector. It may well be that the major China players in ecommerce will seek to distance themselves from challenger brands through maintaining high standards of data protection compliance.

There are local variances in data protection regulation which add to the complexity of compliance in China. For example:

  1. There is dedicated data protection-relevant legislation in Jiangsu; and
  2. There are additional consumer protections active in Shanghai and Henan.

No international coordination of data protection

It would be easy to criticise policy makers in China for what is something of a patchwork of laws and regulations in the data protection arena. However, the rest of the world is perhaps little better.

One can view Asian data privacy legislation as a kaleidoscope of different rules, seemingly ever changing as jurisdictions constantly play catch up with their neighbours. The contents of data regulation move with time (and the underlying technologies and perceived threats). In terms of privacy, what may seem paramount in one culture (such as banking secrecy in Switzerland) may be anathema in another (for a long time Italian tax authorities made every individual’s tax returns public).

In Asia Pacific we have jurisdictions which are:

  1. Early adopters of data protection (such as Taiwan) and non-adopters (Vietnam);
  2. Reluctant enforcers (Hong Kong really did not enforce the laws between 1996 and 2010, but since a high profile case of misuse of data for marketing purposes has now started to enforce more aggressively), to zealous converts (South Korea’s data protection laws are in some ways more proscriptive than even the EU “gold standard”);
  3. Using fragmentary regulations (China would currently fall into this category) compared to Australia, which has cohesive laws; and
  4. EU comparators (such as New Zealand) to those playing catch up (everyone else).

Country | Legislation | Date | Recent Development
--- | --- | --- | ---
Australia | Privacy Act | 1988 | Since 12 March 2014 the Australian Information Commissioner has significant new enforcement powers
China | Decision Relating to Strengthening the Protection of Information on the Internet; Information Security Guidelines for Protection of Personal Information Within Information Systems for Public and Commercial Services | 2012 - 2013 | Draft Provisions Governing Protection of Personal Information issued in April 2013
Hong Kong | Personal Data (Privacy) Ordinance | 1996 | Personal Data (Privacy) Amendment Ordinance enacted in June 2012
India | Information Technology Act | 2000 |
Indonesia | Various regulations | 2012 |
Japan | Protection of Personal Information Act | 2005 |
Korea | Personal Information Protection Act | 2011 |
Malaysia | Personal Data Protection Act | 2010 | Malaysia passed the Personal Data Protection Act in 2010, but it came into force on 15 November 2013
New Zealand | Privacy Act | 1993 | European Commission announced formal recognition of data protection in NZ: adequate protection of personal data under the European Data Protection Directive
Philippines | Data Privacy Act | 2012 |
Singapore | Personal Data Protection Act | Jan 2013 | Public consultation on draft Regulations and Guidelines recently concluded; key data protection obligations to become operative in mid-2014
Taiwan | Computer-Processed Personal Data Protection Act (CPPDPA); Personal Data Protection Act | 1995; 2012 | CPPDPA regulated schools, hospitals, telecoms, finance and insurance; the 2012 Act extended application to all industries
Thailand | No | | Draft data protection legislation under discussion
Vietnam | No | |

Data breaches

Like other aspects of data protection, a jurisdiction’s legal response to data breach notification is usually driven by local concerns:

  1. In 2005 in the US, ChoicePoint (which compiles information on millions of consumers) fell victim to a security breach which disclosed 145,000 subject records to a criminal enterprise. It notified consumers in California only (as required there), but not in other states whose residents were equally affected. As soon as those non-Californians started to complain about the unequal treatment, states quite quickly fell into line with their own versions of data breach notification legislation. In the absence of coordination, however, there are many differences in approach between different states (eg as to the thresholds for notification, who should be notified and penalties for non-observance);
  2. In the UK there has been a succession of public sector breaches, including in relation to healthcare and children. To date, however, there is no initial requirement for breach notification.
  3. In Hong Kong, there have also been many publicised breaches, in both the public sector (such as Hospital Authority employees using unencrypted USBs containing large amounts of sensitive personal data), the financial services sector, and the commercial sector (the VTech data loss of children’s data for electronic toys). There remains no legal requirement for breach notification in Hong Kong.

Everything will change in the EU with effect from 25 May 2018, however. On that day the General Data Protection Regulation will take effect. This will mean that:

  1. Data controllers must notify most data breaches to the Data Protection regulator in their local jurisdiction (within 72 hours of becoming aware of the problem).
  2. Fines may be levied of up to the higher of EUR 20 million and 4% of worldwide turnover for transgressors.

Data export

Another area of great importance, both to multi-national companies, and single jurisdiction companies who are either supplying customers overseas or processing customer data offshore, is the question of cross-border data transfer.

In the absence of international data protection norms, restrictions to data export are highly important. Different approaches are taken by different jurisdictions:

  1. Some jurisdictions adopt a “fortress” approach, whereby the regulator’s imperative is to avoid the transference overseas of data at any time. Such a heavy-handed approach can be very inconvenient for the more sophisticated data users within the jurisdiction;
  2. Other jurisdictions’ regulators are prepared to allow data transfer offshore so long as the data subject has indicated his/her informed consent. What constitutes adequate consent is often difficult to pre-judge; and
  3. In recent years, some jurisdictions are trying to police the off-shoring of data through extra-territorial enforcement powers. Australia is an example. Although it is currently difficult to predict with certainty how extra-territorial enforcement might work, the hope and anticipation is that, if enough jurisdictions adopt this sort of wording, there will be sufficient mutuality of interest to encourage jurisdictions to enforce the data protection laws of other requesting jurisdictions.

The EU – a multitude of approaches

The EU has adopted or permitted a patchwork of different approaches to transfer offshore of personal data:

  1. A white-list is maintained of jurisdictions deemed to have a sufficiently similar level of data protection legislation so as to be able to receive EU outbound data without further compliance procedures (eg Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay);
  2. Transfers are permitted where exporter and recipient have adopted prescribed forms of data export contracts;
  3. A number of EU Data Protection authorities are receptive to the use of Binding Corporate Rules, whereby an MNC binds itself constitutionally to treat all the personal data it handles in a particular way no matter in which jurisdiction it is using the data;
  4. Informed consent has been obtained; and
  5. To facilitate EU to US transfers, the US recipient has signed up to the EU US Privacy Shield (the replacement to the ill-fated Safe Harbor protocol).

China’s approach to data offshoring

China has to date adopted the “fortress” approach to the offshoring of personal data of banking customers and for most employee data. Other classes of personal data are not specifically regulated when it comes to data outflows.

Hong Kong’s approach is still in gestation

Section 33 of the Personal Data (Privacy) Ordinance is still not yet in force, notwithstanding that it was enacted 20 years ago!

Section 33 provides a functional equivalent to the EU position: operating a white-list, a set of standard clauses, and a fallback provision of obtaining adequate subject consent. The Government has been undertaking a consultancy project to move this forward for a number of years now, with nothing currently to show for it. In the meantime, the Privacy Commissioner can only seek to police offshore transfers of data on the basis that consent of the data subject should be obtained.

Right to be forgotten

Data privacy practice is developing in various unforeseen ways.

In 2014 the EU Court of Justice decided that an Internet search engine operator is responsible for the processing that it carries out of personal information contained on its web pages but published by third parties. The search engine can be obliged to remove the content of searched materials. Grounds for removal include where the results are irrelevant, no longer relevant or deemed excessive.

This process involves a considerable amount of compliance machinery.

One question arises as to whether other jurisdictions might have the appetite to follow suit. The Hong Kong Privacy Commissioner has shown at least passing interest in the issue, although there seems no immediate likelihood of its adoption as part of Hong Kong laws. There would seem no likelihood whatsoever of China instituting laws relating to “the right to be forgotten”.

Conclusions

In brief, data protection is a massive regulatory area. Multi-national companies require multi-jurisdictional advice on data protection. In some jurisdictions (notably across the EU), potential fines for data protection compliance infringement now rival anti-trust enforcement penalties. Cyber-security risks are a universal problem. This is well-recognised by China.

All in all, data protection is an expanding area of regulatory advice.