Unlike European Union countries such as Ireland, which have a comprehensive legal framework governing data protection, China currently lacks a comprehensive legal system to regulate the collection, use or other processing of personal data.
Current Data Protection in China
To date, though pieces of the PRC Constitution, Criminal Law, Tort Law and some sector-specific regulations touch on certain data privacy issues, the relevant provisions are commonly ambiguous and abstract, which makes interpretation and enforcement difficult. For example, the concepts of “personal data” and “the right to privacy” are not defined in Chinese law, and there are no detailed rules addressing practical issues such as who may collect personal data and under what circumstances; what scope of personal data may be collected; and whether the consent of individuals or authorities is required for data collection, handling and/or transfer.
It is fair to say that the current laws in China dealing with data privacy are piecemeal and in reality provide little concrete guidance to companies on how to collect and use personal data in the ordinary course of business; companies have no clear idea of what types of activities are permissible.
Newly Issued Data Protection Guidelines
In response to growing business needs and consumer awareness, China is taking steps toward addressing its lack of comprehensive data protection laws. On 5 November 2012, China issued a national standard entitled the "Information security technology – Guideline for personal information protection within information system for public and commercial services (信息安全技术、公共及商用服务信息系统个人信息保护指南)" (the Guidelines), which took effect on 1 February 2013.
Even though the Guidelines are just a voluntary national standard (lacking the force of law) and apply only to computer networks (generally understood to also include standalone computers and the Internet), they will still likely serve as an important guidepost for future lawmaking on data protection.
The Guidelines contain a set of broadly applicable rules and principles for collecting, processing and transferring personal information. For instance: (1) the consent of the data subject should be sought before personal data is processed; (2) personal information collected should be deleted once the relevant purpose for its collection has been met; and (3) general personal data may be collected and used with the implied consent of the data subject, but sensitive personal data may be collected and used only with the express consent of the data subject. The Guidelines also set out certain data protection principles, such as the “minimal use” principle (i.e., data controllers/users should collect only the personal data necessary to fulfil the relevant purpose) and the security principle (i.e., data controllers/users are required to establish a system to protect the personal data collected and to address the risk of a data breach).
The Guidelines’ Possible Impact on International Companies
While the Guidelines do not result in China being 'white-listed' for the purposes of international data transfer, they should help bring some focus to discussions between EU and Chinese entities seeking to ensure that any international data transfer is lawful. The Guidelines also provide that no 'data administrator' within China may transfer personal information to a foreign administrator unless the data subject has given consent, a law or regulation provides for the transfer, or the relevant ministry has approved it. Therefore, data protection should now become a key due diligence issue for those Irish and EU entities looking to do business with Chinese entities.
With the Guidelines now in effect, the issue of personal data protection in China will increasingly have a higher profile amongst businesses and consumers alike. For Irish and European businesses that are already well versed in data protection compliance and are interested in trading in China and with Chinese entities, there may be an opportunity, because they will be able to demonstrate best practice in the area and perhaps lead by example. Indeed, moving from a piecemeal approach to data protection in China to a more common, consolidated regulatory regime should also help to make China an even better place to do business. Where compliance with non-binding guidelines and codes of practice becomes best practice, it is not unusual to see them become law. We are at the early stages of the data protection compliance journey in China, and it will be interesting to watch developments.