Although China currently has no comprehensive data privacy law, China is taking steps toward protecting personal information through various national, local and sector-specific rules, regulations and guidelines. Some of the recent developments are summarized below.
Privacy in credit rating information
In 2016, the Chinese government proposed an initiative to develop a national credit rating system. As part of this initiative, the Standing Committee of the Shanghai Municipal People's Congress recently issued a draft regulation on establishing this credit rating system. In general, the draft creates a credit rating scoring system with associated incentives and penalties, categorizes credit-related information, and provides rules on the collection and sharing of information.
In terms of collecting and sharing information, the draft:
• prohibits the collection of certain private information, such as religious belief, genetic information, fingerprints, blood type and disease history
• requires written consent from an individual before a credit service organization or other enterprise or institution can collect any income, bank deposit, market security, commercial insurance, real estate or tax information
• limits the use and disclosure of any collected information that negatively affects an individual's or entity's credit rating to five years.
Protection of consumer financial information
The People's Bank of China issued the Implementation Measures for Protecting Financial Consumers' Rights and Interests. The implementation measures:
• require an individual's financial information collected in China to be stored, processed and analyzed in China
• generally prohibit Chinese financial institutions from releasing to an overseas party the financial information of an individual located in China
• require the transfer of personal financial information to an overseas entity in a cross-border transaction to be authorized by the relevant individual and to meet the requirements established in laws and regulations.
The above measures would likely impact companies' ability to conduct financial background checks of prospective employees.
Elimination of cyber fraud
As part of the campaign to crack down on cyber fraud, the Supreme People's Court is reportedly drafting a judicial interpretation on the criminal infringement of personal data.
Guidelines for security of personal information
On December 20, 2016, China's National Information Security Standardization Technology Committee issued for public comment a draft national standard called the Information Security Techniques — Personal Information Security Specifications. The draft aims to set out general principles for personal data protection in terms of collection, storage, transfer and publication of personal data. Such draft guidelines would be similar to another national standard document providing guidance on the handling of electronic personal information that took effect in 2013.
Key take-away points:
Every employer should monitor for regulatory changes in China's personal data privacy laws and regulations. Based on those changes, each employer should review its company policies and contracts to: (i) ensure internal compliance with those changes in the collection, use, storage and transfer of its employees' personal information; and (ii) ensure its employees are also aware of and compliant with China's data privacy rules while fulfilling their job duties.