Draft data privacy guidelines provide some regulatory clarity but would add new hurdles for companies collecting data in China.
The protection of personal data is a hot topic on many legislative agendas as lawmakers around the world attempt to catch up with the dramatic rise in electronically stored personal information and the explosion of new data collection technologies. The situation in China is no different, and PRC officials are in the early stages of figuring out how to handle the issue.
To date, PRC authorities have not implemented a comprehensive privacy framework that governs the collection, use, and transfer of personal information (geren xinxi) in their country. For companies that collect and review personal electronic information during the ordinary course of business (such as law and accounting firms that conduct investigations and online marketers that study consumer habits), understanding China’s data privacy regulations presents a mission-critical challenge. Though the state of affairs in this area is still in flux, recent developments indicate that China’s emerging privacy regulations may end up being more stringent than comparable laws enacted in the West.
Electronic data and the legal discovery process
Litigation and investigation professionals are seeing a significant rise in the number of cases that involve the collection and processing of electronic information originating from China. This increase is a byproduct of the large number of multinational corporations with operations and associated data in China, as well as the rising number of Chinese companies that are subject to foreign legal jurisdiction as a result of their overseas operations. For example, in the United States alone, 25.5 percent of all federal securities class-action lawsuits filed in the first half of 2011 were brought by investors in China-based companies that obtained listing on US stock exchanges through reverse mergers. A reverse merger is an alternative to an initial public offering (IPO) whereby a private company acquires a publicly listed company, thus bypassing the standard IPO process. In recent years, this has been a popular method for Chinese companies to attain listing on US exchanges. Reverse mergers are now under considerable scrutiny, and in fact the US Securities and Exchange Commission issued a bulletin in June 2011 that urges investors to exercise caution when investing in these companies. In order to comply with and provide discovery and investigation services for lawsuits arising out of reverse mergers and other international disputes with a connection to China, US law and accounting firms must access data sourced from China. As a result, many firms are now experiencing firsthand the challenges of collecting, exporting, and reviewing evidence stored in China.
Legal and investigative professionals have long considered China to be the “Wild West” of evidence collection because it lacks clear data privacy use and transfer regulations. Unlike the United States, European Union, and other jurisdictions that have more mature protocols around this area, China lacks a regulatory framework to govern data privacy, collection, transfer, and processing. Though pieces of the PRC Constitution, Criminal Law, and Tort Law touch on certain data privacy issues, current PRC laws dealing with data privacy are piecemeal at best, and in reality they provide little concrete guidance to practitioners.
An eye on the new draft guidelines
Developments earlier this year indicate that the situation may be changing soon. On January 30, 2011, China circulated a draft of its most detailed framework yet for governing the storage, collection, transfer, and processing of electronic information from computer networks. The Information Security Technology Guidelines for Personal Information Protection (the “guidelines”) were issued as draft voluntary national standards (guobiao) and thus do not have the force of a full compulsory law. Nevertheless, the guidelines have enough detail to provide valuable insight into how China may intend to implement its own version of data privacy regulation.
Anyone involved in gathering or reviewing data sourced from China should pay careful attention to these draft guidelines and plan to adjust operations accordingly as these or similar guidelines become solidified. The guidelines include measures that would change the way in which firms and companies store, collect, export, analyze, and otherwise use electronic information stored in China. Highlights of the guidelines and examples of how certain provisions would impact practitioners follow.
These guidelines broadly define personal information as any electronic data that can be collected and processed and that, by itself or in combination with other information, could disclose the identity of an individual.
The phrase “in combination with other information” makes it almost impossible to know what is considered personal information. For example, would an employee’s job title be considered personal information because it could be combined with the employer’s organizational chart and employee list to identify the individual?
The guidelines specifically forbid collection of certain categories of personal information, such as data related to race, religious beliefs, health, and sex life. As such, these types of material would need to be screened out during the collection process to ensure compliance.
Under the guidelines, data handlers are required to keep all personal information confidential.
Informed and specific consent
According to the guidelines, no one can collect or process information unless the data subject provides informed, specific consent. This provision could limit the ability of investigative professionals to gather data without disclosing to the data subjects exactly why their information is being gathered. It seems unlikely that a target of a US Foreign Corrupt Practices Act or other type of investigation would voluntarily consent to the collection of evidence proving wrongdoing.
Data subjects may also later withdraw consent and request that data processors stop processing personal information and delete it. This means that data processors would need to be prepared to delete material belonging to data subjects who withdraw their consent even after data has been previously collected in accordance with the guidelines.
In addition, data handlers must obtain further express consent from the data subject for any transfers to third parties after the initial collection. The data transferor must disclose the identity of the transferee as part of this consent process.
Specific and restrictive regulations apply to any information related to minors under the age of 16. If a minor’s information is inadvertently collected, data handlers must immediately halt the data collection.
It is common in China for company employees to store family-related and other non-commercial information (such as personal photos and e-mails) on company computer systems, resulting in corporate data storage systems that often include information related to minors under the age of 16. The consequence of such an intermingled corporate data environment is that data handlers must identify and cull out this information as part of the collection process to ensure that otherwise compliant collections do not run afoul of the guidelines.
Data collection tools
The guidelines specifically outlaw surreptitious data collection tools that operate without the data subject’s knowledge. This provision would ban compliance tools that screen e-mail content for company human resource and legal violations, certain forensic evidence collection technologies, and cookies that track online users across the Internet without their express consent.
Personal information cannot be transferred out of China, presumably even between corporate affiliates, unless expressly permitted by law or by the relevant governmental authority.
This provision would preclude the export of data to other countries for use in investigations and litigation and would also impede the routine intra-company transfer of data between a company’s offices in China and abroad.
Reading between the lines
Though the draft guidelines shed some light on a murky legal area, the lack of detail (or any accompanying implementing legislation), means that many questions remain unanswered. Practitioners need to pay close attention to and understand the boundaries of “personal information” and the interplay between the guidelines and existing PRC law.
For example, even if the guidelines are implemented as drafted, practitioners must also watch out for other potentially relevant regulations, such as China’s State Secrets Law. The State Secrets Law acts as a catch-all over the existing framework and would presumably function the same way vis-à-vis the proposed draft guidelines. Specifically, even if practitioners comply with all other privacy regulations, the State Secrets Law can prevent anyone from collecting, reviewing, or transporting data out of China if it is deemed to contain a state secret, which, much like “personal information,” is also broadly defined.
How to aim at a moving target?
With the state of regulation in flux and great variance in legal interpretation, current operational practices fall along a wide spectrum. Many multinational law firms and companies accustomed to certain Western practices that focus on data protection regardless of where the data lies (thus lacking restrictions on data movement) simply operate as they would in the West. Others, uncertain of their ability to export their own data back out of China, have operations designed around storing as little data there as possible, which can interfere with business efficiency. As the guidelines move toward further review, finalization, and implementation, companies and law firms should start thinking about how they will develop the right internal control procedures, workflows, and technology to prevent violations during the ordinary course of business.
If implemented in a form that is close to the current draft, the guidelines would drastically alter how companies conduct their affairs in China. For example, the process of obtaining specific, informed consent from all data custodians prior to collection, and then again for any future transfers, would vastly lengthen the time required for China-based data collection and review projects. Any transfer of data to a party that differs from the one who collected it (which is common in US litigation and investigations where productions are made to various co-counsel, opposing sides, and regulatory authorities) would need to be pre-approved before the transfer could take place. It may be difficult to meet deadlines if a key requirement of data production lies beyond the producing party’s control. Furthermore, if such consent is withheld to begin with, data handlers would not be able to collect any data from that custodian—and someone with data damaging to himself or herself might be unlikely to provide such permission.
Under the guidelines, data handlers would need to use strict filtering and blocking technologies during the collection process, so that data related to minors and other heightened-protection categories would not be collected. In addition, data processing providers would need to be prepared to stop processing and delete the data of any subject who withdraws a previously given consent. US and other foreign practitioners would likely need to use China-based data centers for forensic and investigative work, because the guidelines would make express legal permission a requirement for export, and China currently has no legal mechanism that grants such permission for data transfer out of the country. Practitioners should pay careful attention as the guidelines get fleshed out to ensure that they are in compliance with all applicable regulations.
Some analysts believe that the current guidelines are indicative of the privacy pendulum swinging too far in the opposite direction—that the PRC government is creating the foundation for a framework that is too restrictive to be effective and quite difficult to comply with. Though it is too early to predict exactly when and in what form the guidelines or their related privacy framework will be promulgated, a few worst-case scenarios can be imagined if they are implemented in their current form.
For example, the guidelines could result in companies not wanting to store any data in China for fear of having to comply with these and the other related regulations. Data located in China would be virtually out of reach to extra-territorial courts and regulatory authorities, which would impede the ability of Chinese companies to operate in foreign markets. Disputes involving data created or stored in China would be challenging, if not impossible, to adjudicate, given the difficulties involved in collecting the necessary evidence. This could cause investors to avoid Chinese-related securities and businesses as no recourse would be available for deals that turn sour.
PRC authorities have reportedly received many comments on the draft guidelines, and most interested parties are hopeful that the government will ultimately enact a set of clear and reasonable privacy regulations. Though practitioners would welcome clarity with regard to China’s data privacy governance, they hope that the PRC government creates a reasonable and workable system—one that strikes a balance between protecting an individual’s right to privacy and not unduly interfering with commerce and the flow of business-critical information.