China has set out new data protection guidance with the draft of Personal Data Protection Guidelines for Public and Commercial Service Information Systems. Expected for publication “soon” according to the Ministry of Industry and Information Technology, the changes are not mandatory, though they are expected to have “comply or explain” status.
To date, no comprehensive legal framework regarding this area has been established in China, but the patchwork of local and provincial data protection laws is growing. While the new guidelines will not have the force of law, and China has a different take on right to privacy, it is clear that the furor over recent widespread leaks of personal data (particularly from internal sources) has had an impact. As a best practice, employers should take steps to adhere to the eight principles outlined in the new guidelines.
They cover gathering, processing, transmitting and removing of data. In line with other DP best practice, all data collection in China requires a clear purpose, prior notification, user consent, security, trust and accountability. The collection of personal data (home address, phone numbers etc.) must be limited, and organizations will be required to delete personal information once the purpose for its collection has been met. Authorization from a “relevant, competent authority” must be obtained before personal information is transmitted outside of China.
For a European high tech company, expanding into the US can be a complicated, unfamiliar process. High Street Partners, in cooperation with Silicon Valley Bank, provided a highly effective solution with much needed clarity, and reduced risks significantly.
High Street Partners