• About
  • Archive
  • Contact
  • Home 1
  • Submit a Story
  • Submit a Story
  • USCBC Podcasts
China Business Review
  • Operations
    Managing Risk in the “New Era”

    Managing Risk in the “New Era”

    Design Patents vs. Trade Dress: Protecting IP in China

    Design Patents vs. Trade Dress: Protecting IP in China

    As China Emerges from COVID-19, US Companies Invest to Compete

    As China Emerges from COVID-19, US Companies Invest to Compete

    Inside the Mad Rush for Masks – Anatomy of a 10 Million Mask Order

    Inside the Mad Rush for Masks – Anatomy of a 10 Million Mask Order

    Addressing Risk in the Era of US-China “Great Power” Competition

    Addressing Risk in the Era of US-China “Great Power” Competition

    The Year in Social Credit: Where is Corporate Social Credit Going in 2020 and Beyond?

    The Year in Social Credit: Where is Corporate Social Credit Going in 2020 and Beyond?

  • Politics
    Hong Kong’s National Security Law, Five Months In

    Hong Kong’s National Security Law, Five Months In

    China Implements its Long-Awaited Unreliable Entities List Mechanism

    China Implements its Long-Awaited Unreliable Entities List Mechanism

    Competing WTO Reform Agendas and the Contest for the Next Director-General

    Competing WTO Reform Agendas and the Contest for the Next Director-General

    China Eyes Further Northeast Asian Economic Integration in RCEP

    China Eyes Further Northeast Asian Economic Integration in RCEP

    COVID-19 Could Doom or Deliver US-China Commercial Relations

    COVID-19 Could Doom or Deliver US-China Commercial Relations

    A Game of Chicken

    A Game of Chicken

  • Tech
    Export Controls on Emerging and Foundational Technologies: A Null Set?

    Export Controls on Emerging and Foundational Technologies: A Null Set?

    How Companies Are Reacting to China’s New Data Security Scheme

    How Companies Are Reacting to China’s New Data Security Scheme

    China’s Participation in International Standards Setting: Benefits and Concerns for US Industry

    China’s Participation in International Standards Setting: Benefits and Concerns for US Industry

    The Hidden Challenges of China’s Booming Medical AI Market

    The Brave New Business Models Making Waves in China’s Ecommerce Market

    Defining “Emerging Technologies”: Industry Weighs In on Potential New Export Controls

    Defining “Emerging Technologies”: Industry Weighs In on Potential New Export Controls

    Trending Tags

    • Intellectual Property
    • innovation
    • cybersecurity
    • ecommerce
    • tech
  • Society
    COVID-19 Could Doom or Deliver US-China Commercial Relations

    COVID-19 Could Doom or Deliver US-China Commercial Relations

    The Year in Social Credit: Where is Corporate Social Credit Going in 2020 and Beyond?

    The Year in Social Credit: Where is Corporate Social Credit Going in 2020 and Beyond?

    Open Government Developments in China: Implications for US Businesses

    The Hidden Challenges of China’s Booming Medical AI Market

    The Handshake that Changed the World

    President Carter and Vice Premier Deng at the Performance of American Arts

    January 29, 1979 Performance of American Arts for Deng Xiaoping

  • Media

    Gallery: Craig Allen’s Trip to China

    USCBC 45th Annual Membership Meeting

    USCBC 45th Anniversary DC Open House

    USCBC President’s China Visit

    USCBC Hosts Business Roundtable with Zhejiang Party Secretary Che Jun

    USCBC hosts Comprehensive Economic Dialogue (CED) Luncheon

  • Podcasts
No Result
View All Result
  • Operations
    Managing Risk in the “New Era”

    Managing Risk in the “New Era”

    Design Patents vs. Trade Dress: Protecting IP in China

    Design Patents vs. Trade Dress: Protecting IP in China

    As China Emerges from COVID-19, US Companies Invest to Compete

    As China Emerges from COVID-19, US Companies Invest to Compete

    Inside the Mad Rush for Masks – Anatomy of a 10 Million Mask Order

    Inside the Mad Rush for Masks – Anatomy of a 10 Million Mask Order

    Addressing Risk in the Era of US-China “Great Power” Competition

    Addressing Risk in the Era of US-China “Great Power” Competition

    The Year in Social Credit: Where is Corporate Social Credit Going in 2020 and Beyond?

    The Year in Social Credit: Where is Corporate Social Credit Going in 2020 and Beyond?

  • Politics
    Hong Kong’s National Security Law, Five Months In

    Hong Kong’s National Security Law, Five Months In

    China Implements its Long-Awaited Unreliable Entities List Mechanism

    China Implements its Long-Awaited Unreliable Entities List Mechanism

    Competing WTO Reform Agendas and the Contest for the Next Director-General

    Competing WTO Reform Agendas and the Contest for the Next Director-General

    China Eyes Further Northeast Asian Economic Integration in RCEP

    China Eyes Further Northeast Asian Economic Integration in RCEP

    COVID-19 Could Doom or Deliver US-China Commercial Relations

    COVID-19 Could Doom or Deliver US-China Commercial Relations

    A Game of Chicken

    A Game of Chicken

  • Tech
    Export Controls on Emerging and Foundational Technologies: A Null Set?

    Export Controls on Emerging and Foundational Technologies: A Null Set?

    How Companies Are Reacting to China’s New Data Security Scheme

    How Companies Are Reacting to China’s New Data Security Scheme

    China’s Participation in International Standards Setting: Benefits and Concerns for US Industry

    China’s Participation in International Standards Setting: Benefits and Concerns for US Industry

    The Hidden Challenges of China’s Booming Medical AI Market

    The Brave New Business Models Making Waves in China’s Ecommerce Market

    Defining “Emerging Technologies”: Industry Weighs In on Potential New Export Controls

    Defining “Emerging Technologies”: Industry Weighs In on Potential New Export Controls

    Trending Tags

    • Intellectual Property
    • innovation
    • cybersecurity
    • ecommerce
    • tech
  • Society
    COVID-19 Could Doom or Deliver US-China Commercial Relations

    COVID-19 Could Doom or Deliver US-China Commercial Relations

    The Year in Social Credit: Where is Corporate Social Credit Going in 2020 and Beyond?

    The Year in Social Credit: Where is Corporate Social Credit Going in 2020 and Beyond?

    Open Government Developments in China: Implications for US Businesses

    The Hidden Challenges of China’s Booming Medical AI Market

    The Handshake that Changed the World

    President Carter and Vice Premier Deng at the Performance of American Arts

    January 29, 1979 Performance of American Arts for Deng Xiaoping

  • Media

    Gallery: Craig Allen’s Trip to China

    USCBC 45th Annual Membership Meeting

    USCBC 45th Anniversary DC Open House

    USCBC President’s China Visit

    USCBC Hosts Business Roundtable with Zhejiang Party Secretary Che Jun

    USCBC hosts Comprehensive Economic Dialogue (CED) Luncheon

  • Podcasts
No Result
View All Result
China Business Review
No Result
View All Result
Home Policy & Regulations

The Challenge of Conducting Data Collections and Investigations under Unclear Data Privacy Rules

Ben Baden by Ben Baden
October 1, 2011
Share on FacebookShare on TwitterLinkedin

Draft data privacy guidelines provide some regulatory clarity but would add new hurdles for companies collecting data in China.

By Tom Antisdel and Tarek GhalayiniThe protection of personal data is a hot topic on many legislative agendas as lawmakers around the world attempt to catch up with the dramatic rise in electronically stored personal information and the explosion of new data collection technologies. The situation in China is no different, and PRC officials are in the early stages of figuring out how to handle the issue.

To date, PRC authorities have not implemented a comprehensive privacy framework that governs the collection, use, and transfer of personal information (geren xinxi) in their country. For companies that collect and review personal electronic information during the ordinary course of business (such as law and accounting firms that conduct investigations and online marketers that study consumer habits), understanding China’s data privacy regulations presents a mission-critical challenge. Though the state of affairs in this area is still in flux, recent developments indicate that China’s emerging privacy regulations may end up being more stringent than comparable laws enacted in the West.

Electronic data and the legal discovery process

Litigation and investigation professionals are seeing a significant rise in the number of cases that involve the collection and processing of electronic information originating from China. This increase is a byproduct of the large number of multinational corporations with operations and associated data in China, as well as the rising number of Chinese companies that are subject to foreign legal jurisdiction as a result of their overseas operations. For example, in the United States alone, 25.5 percent of all federal securities class-action lawsuits filed in the first half of 2011 were brought by investors in China-based companies that obtained listing on US stock exchanges through reverse mergers. A reverse merger is an alternative to an initial public offering (IPO) whereby a private company acquires a publicly listed company, thus bypassing the standard IPO process. In recent years, this has been a popular method for Chinese companies to attain listing on US exchanges. Reverse mergers are now under considerable scrutiny, and in fact the US Securities and Exchange Commission issued a bulletin in June 2011 that urges investors to exercise caution when investing in these companies. In order to comply with and provide discovery and investigation services for lawsuits arising out of reverse mergers and other international disputes with a connection to China, US law and accounting firms must access data sourced from China. As a result, many firms are now experiencing firsthand the challenges of collecting, exporting, and reviewing evidence stored in China.

Legal and investigative professionals have long considered China to be the “Wild West” of evidence collection because it lacks clear data privacy use and transfer regulations. Unlike the United States, European Union, and other jurisdictions that have more mature protocols around this area, China lacks a regulatory framework to govern data privacy, collection, transfer, and processing. Though pieces of the PRC Constitution, Criminal Law, and Tort Law touch on certain data privacy issues, current PRC laws dealing with data privacy are piecemeal at best, and in reality they provide little concrete guidance to practitioners.

An eye on the new draft guidelines

Developments earlier this year indicate that the situation may be changing soon. On January 30, 2011, China circulated a draft of its most detailed framework yet for governing the storage, collection, transfer, and processing of electronic information from computer networks. The Information Security Technology Guidelines for Personal Information Protection (the “guidelines”) were issued as draft voluntary national standards (guobiao) and thus do not have the force of a full compulsory law. Nevertheless, the guidelines have enough detail to provide valuable insight into how China may intend to implement its own version of data privacy regulation.

Anyone involved in gathering or reviewing data sourced from China should pay careful attention to these draft guidelines and plan to adjust operations accordingly as these or similar guidelines become solidified. The guidelines include measures that would change the way in which firms and companies store, collect, export, analyze, and otherwise use electronic information stored in China. Highlights of the guidelines and examples of how certain provisions would impact practitioners follow.

Personal information

These guidelines broadly define personal information as any electronic data that can be collected and processed, that by itself, or in combination with other information, could disclose the identity of an individual.

The phrase “in combination with other information” makes it almost impossible to know what is considered personal information. For example, would an employee’s job title be considered personal information because it could be combined with the employer’s organizational chart and employee list to identify the individual?

The guidelines specifically forbid collection of certain categories of personal information, such as data related to race, religious beliefs, health, and sex life. As such, these types of material would need to be screened out during the collections process to ensure compliance.

Confidentiality

Under the guidelines, data handlers are required to keep all personal information confidential.

Informed and specific consent

According to the guidelines, no one can collect or process information unless the data subject provides informed, specific consent. This provision could limit the ability of investigative professionals to gather data without disclosing to the data subjects exactly why their information is being gathered. It seems unlikely that a target of a US Foreign Corrupt Practices Act or other type of investigation would voluntarily consent to the collection of evidence proving wrongdoing.

Data subjects may also later withdraw consent and request that data processors stop processing personal information and delete it. This means that data processors would need to be prepared to delete material belonging to data subjects who withdraw their consent even after data has been previously collected in accordance with the guidelines.

In addition, data handlers must obtain further express consent from the data subject for any transfers to third parties after the initial collection. The data transferor must disclose the identity of the transferee as part of this consent process.

Minors

Specific and restrictive regulations apply to any information related to minors under the age of 16. If a minor’s information is inadvertently collected, data handlers must immediately halt the data collection.

It is common in China for company employees to store family-related and other non-commercial information (such as personal photos and e-mails) on company computer systems, resulting in corporate data storage systems that often include information related to minors under the age of 16. The product of such an intermingled corporate data environment is that data handlers must identify and cull out this information as part of the collections process to ensure that otherwise compliant information collections do not run afoul of the guidelines.

Data collection tools

The guidelines specifically outlaw surreptitious data collection tools that operate without the data subject’s knowledge. This provision would ban compliance tools that screen e-mail content for company human resource and legal violations, certain forensic evidence collection technologies, and cookies that track online users across the Internet without their express consent.

Data export

Such data cannot be transferred out of China, presumably even between corporate affiliates, unless expressly permitted by law or by relevant governmental authority.

This provision would preclude the export of data to other countries for use in investigations and litigation and would also impede the routine intra-company transfer of data between a company’s offices in China and abroad.

Reading between the lines

Though the draft guidelines shed some light on a murky legal area, the lack of detail (or any accompanying implementing legislation), means that many questions remain unanswered. Practitioners need to pay close attention to and understand the boundaries of “personal information” and the interplay between the guidelines and existing PRC law.

For example, even if the guidelines are implemented as drafted, practitioners must also watch out for other potentially relevant regulations, such as China’s State Secrets Law. The State Secrets Law acts as a catch-all over the existing framework and would presumably function the same way vis-a-vis the proposed draft guidelines. Specifically, even if practitioners comply with all other privacy regulations, the State Secrets Law can prevent anyone from collecting, reviewing, or transporting data out of China if it is deemed to contain a state secret, which, much like “personal information,” is also broadly defined.

How to aim at a moving target?

With the state of regulation in flux and great variance in legal interpretation, current operational practices fall along a wide spectrum. Many multinational law firms and companies accustomed to certain Western practices that focus on data protection regardless of where the data lies (thus lacking restrictions on data movement) simply operate as they would in the West. Others, uncertain of their ability to export their own data back out of China, have operations designed around storing as little data there as possible, which can interfere with business efficiency. As the guidelines move toward further review, finalization, and implementation, companies and law firms should start thinking about how they will develop the right internal control procedures, workflows, and technology to prevent violations during the ordinary course of business.

If implemented in a form that is close to the current draft, the guidelines would drastically alter how companies conduct their affairs in China. For example, the process of obtaining specific, informed consent from all data custodians prior to collection, and then again for any future transfers, would vastly lengthen the time required for China-based data collection and review projects. Any transfer of data to a party that differs from the one who collected it (which is common in US litigation and investigations where productions are made to various co-counsel, opposing sides, and regulatory authorities) would need to be pre-approved before the transfer could take place. It may be difficult to meet deadlines if a key requirement of data production lies beyond the producing party’s control. Furthermore, if such consent is withheld to begin with, data handlers would not be able to collect any data from that custodian—and someone with data damaging to himself or herself might be unlikely to provide such permission.

Under the guidelines, data handlers would need to use strict filtering and blocking technologies during the collection process, so that data related to minors and other heightened protection categories would not be collected. In addition, data processing providers would need to be prepared to stop processing and delete the data of any subject who withdraws a previously given consent. US and other foreign practitioners would likely need to use China-based data centers for forensic and investigative work, as China has no existing legal mechanism to allow for data transfer out of the country, which is a requirement for export under the guidelines. Practitioners should pay careful attention as the guidelines get flushed out to ensure that they are in compliance with all applicable regulations.

Some analysts believe that the current guidelines are indicative of the privacy pendulum swinging too far in the opposite direction—that the PRC government is creating the foundation for a framework that is too restrictive to be effective and quite difficult to comply with. Though it is too early to predict exactly when and in what form the guidelines or their related privacy framework will be promulgated, a few worst-case scenarios can be imagined if they are implemented in their current form.

For example, the guidelines could result in companies not wanting to store any data in China for fear of having to comply with these and the other related regulations. Data located in China would be virtually out of reach to extra-territorial courts and regulatory authorities, which would impede the ability of Chinese companies to operate in foreign markets. Disputes involving data created or stored in China would be challenging, if not impossible, to adjudicate, given the difficulties involved in collecting the necessary evidence. This could cause investors to avoid Chinese-related securities and businesses as no recourse would be available for deals that turn sour.

PRC authorities have reportedly received many comments on the draft guidelines, and most interested parties are hopeful that the government will ultimately enact a set of clear and reasonable privacy regulations. Though practitioners would welcome clarity with regard to China’s data privacy governance, they hope that the PRC government creates a reasonable and workable system—one that strikes a balance between protecting an individual’s right to privacy and not unduly interfering with commerce and the flow of business critical information.

Tom Antisdel is a director at AlixPartners, LLP in Washington, DC. Tarek Ghalayini is a director at AlixPartners, LLP in Hong Kong.

Tags: Data PrivacyTechnology
Ben Baden

Ben Baden

Next Post

Government Provides Clues into China's Foreign Investment Plans for Strategic Industries

Recommended.

How Biden’s Economic Team Views China Trade Policy

January 14, 2021

Hong Kong’s National Security Law, Five Months In

November 25, 2020

China Implements its Long-Awaited Unreliable Entities List Mechanism

October 7, 2020

Competing WTO Reform Agendas and the Contest for the Next Director-General

September 22, 2020

Latest Podcasts.

A COVID update, a record trade surplus, and new PRCG personnel

January 19, 2021

New MOFCOM rules on extraterritorial application of foreign laws

January 12, 2021

The EU-China agreement and a look at other market liberalizations

January 6, 2021

Is the BRI debt trap diplomacy? And how can the US compete with it?

December 18, 2020
China Business Review

China Business Review is the official magazine of the US-China Business Council, a nonprofit and nonpartisan trade association that represents more than 200 American companies doing business in China.

  • How to contribute to China Business Review

Categories

  • Bilateral Relations
  • Business Etiquette
  • CBR Spotlight
  • China Deals
  • Corruption
  • Cybersecurity
  • Ecommerce
  • Environment
  • Finance
  • Galleries
  • Getting Started
  • HR & Staffing
  • Infographics
  • Innovation
  • Intellectual Property
  • Management
  • Media
  • Operations
  • Opinion
  • Policy & Regulations
  • Politics
  • PR & Marketing
  • Rural Issues
  • Safety
  • Social Policy
  • Society
  • Standards + Licensing
  • Sustainability
  • Tax
  • Tech
  • Top Story
  • Trade
  • Uncategorized
  • US-China Business Council
  • Videos

Tags

Agreements Agriculture Alibaba Best Practices Business Environment China China's Investments Abroad China Market Intelligence Chinese Consumers Chinese Investment Commentary Consumer Trends E-Commerce Economic Trends Energy Environment Events Food Foreign Investment Going Global Healthcare Reform Human Resources Infrastructure Internet Interview Investment Investments into China IPO Joint Venture Labor Legal Analysis M&A Manufacturing Media National People's Congress Q&A Strategic and Economic Dialogue Supply Chains Technology Trade Transparency US-China Relations USCBC US Exports to China Xi Jinping

Join our Mailing List

Sign up for the US-China Business Council's newsletters to stay ahead of the game with roundups, analysis, and commentary.

Sign Up

Follow Us

  • About
  • Archive
  • Contact
  • Home 1
  • Submit a Story
  • Submit a Story
  • USCBC Podcasts

© 2020 China Business Review

No Result
View All Result
  • Operations
  • Politics
  • Tech
  • Society
  • Media
  • Podcasts

© 2020 China Business Review