China has set out new data protection guidance with the draft Personal Data Protection Guidelines for Public and Commercial Service Information Systems. Expected for publication “soon” according to the Ministry of Industry and Information Technology, the changes are not mandatory, though they are expected to have “comply or explain” status.
To date, no comprehensive legal framework regarding this area has been established in China, but the patchwork of local and provincial data protection laws is growing. While the new guidelines will not have the force of law, and China has a different take on the right to privacy, it is clear that the furor over recent widespread leaks of personal data (particularly from internal sources) has had an impact. As a best practice, employers should take steps to adhere to the eight principles outlined in the new guidelines.
They cover the gathering, processing, transmission and removal of data. In line with other data protection best practice, all data collection in China requires a clear purpose, prior notification, user consent, security, trust and accountability. The collection of personal data (home address, phone numbers, etc.) must be limited, and organizations will be required to delete personal information once the purpose for its collection has been met. Authorization from a “relevant, competent authority” must be obtained before personal information is transmitted outside of China.
Please contact Arden Ng or Paul Sutton for more information or assistance with internal policy setting.