Mind your business: Managing data privacy risks in the big data era

Access to personal information can present enormous opportunities in the big data era. This has led to increasing concern for data privacy and data protection among businesses and individuals. In turn these concerns have resulted in aggressive legislation being passed by authorities in Europe, the United States and China. In the following article, Barbara Li, lawyer and partner with Norton Rose Fulbright, examines the risks and details what companies involved in gathering and transferring personal data should do to ensure compliance with Chinese law.

Unlike the European Union, which has issued a Data Protection Directive requiring each member state to adopt a local implementing law, China does not have a comprehensive national law that specifically addresses data privacy. Instead, data protection and privacy requirements are scattered among various regulations, rules, policies and industry standards, such as the Decision on Strengthening the Network Information Protection issued by the Standing Committee of the National People’s Congress; the Regulation on Protection of Telecom and Internet Users’ Personal Data issued by the Ministry of Industry and Information Technology (MIIT); and the Guidelines on Information Security and Personal Data Protection of Public and Commercial Information System, also issued by the MIIT. It is important to note, though, that the Chinese authorities have stepped up enforcement of data privacy rules. The most high-profile case in this regard arose from a compliance investigation into a large international company, in which two senior executives of a foreign-invested consulting firm were indicted on criminal charges for illegally collecting and trafficking personal data in breach of Chinese data rules.

Under Chinese law, personal data refers to computer data which, used on its own or in combination with other information, can identify a specific individual. A company must take care in collecting, processing and transmitting personal data, which is classified as either ‘sensitive’ or ‘non-sensitive’. For sensitive personal data, such as personal identification details, mobile numbers, ethnic origin, religious beliefs, genetic information and fingerprints, express consent from the data subject is required both at the point of collection and throughout the subsequent handling of that information.

A company must provide proper notification to data subjects in relation to the collection and use of their personal data. This notification should be provided in a clear, easy-to-understand and appropriate manner and set out the purpose of the data collection. In cases where a third-party service provider is engaged to process the data, the notice must disclose the identity of that service provider.

Transfer of personal data across borders is subject to special requirements. Prior consent from the relevant individuals must be obtained before a company can transfer the personal data it has collected to another country. Careful review of data to be transferred abroad is also highly recommended to ensure that it doesn’t inadvertently ‘spill over’ into the category of state secrets, which are prohibited from being transferred abroad.

All industries are affected by privacy and data protection requirements, but certain sectors, such as the healthcare, banking and insurance industries, are subject to stricter data protection rules due to the relatively higher sensitivity of the data involved. For example, according to the relevant Chinese regulations, banks may only store, analyse and process personal banking data within China and may not send personal banking data abroad unless specifically permitted under the relevant regulations.

Breach of data protection and privacy rules will give rise to serious legal consequences. Chinese authorities have the power and authority to impose administrative sanctions on individuals and companies which fail to follow the legal requirements, and criminal liability may be triggered for severe breaches. Companies in breach are also likely to suffer serious damage to their reputation for violating data privacy rules.

With respect to global data flows, European companies conducting business in China must follow both European and Chinese data privacy regulations. Given the risks and the related requirements, ensuring full compliance with data privacy rules should be a top-of-mind issue for the management teams of multinational corporations. Some companies have already adopted and implemented data privacy and data protection programmes, but many of these fall short for a variety of reasons, including a lack of understanding of the regulatory and legal landscape in China. Companies seeking to build and maintain an effective and compliant data privacy programme may consider the following best practices:

  • Review data privacy programmes to ensure compliance with Chinese data privacy requirements.
  • Draft/review data transfer agreements to address data risks from a contractual perspective.
  • Monitor third-party service providers and address data privacy risks when outsourcing projects.
  • Provide data privacy training to internal teams and key stakeholders to improve data awareness.
  • Formulate procedures for handling possible data breaches.

In response to public concerns about personal data, China is stepping up its efforts to upgrade its legal framework to reflect the rapid developments in data privacy. A proposed comprehensive data privacy law is expected to bring China closer in line with global standards on personal data protection. In light of the developments in big data and cloud computing, European companies are increasingly engaged in the collection and use of personal data as part of their business in China. They need to keep a close eye on Chinese regulatory developments in data privacy and take steps towards data compliance and risk mitigation whenever necessary.

For more information please contact the author, Barbara Li, a partner of the Beijing office of Norton Rose Fulbright LLP, on +86 (10) 6535 3130 or email Barbara.li@nortonrosefulbright.com.

Norton Rose Fulbright is a global legal practice, providing the world’s largest corporations and financial institutions with a full business law service. Norton Rose Fulbright has more than 3,800 lawyers based in over 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.