IT Outsourcing in China: What CIOs Need to Know About New Data Privacy Guidelines
China has proposed strict new data security regulations that could hamper the country's nascent IT outsourcing industry if made into law, even as they aim to give foreign business leaders confidence in the way the Chinese handle sensitive business and personal data.
Wed, May 04, 2011
CIO — China's data privacy protection has long been considered one of the world's weakest. But the government's proposed data security guidelines may go too far in the opposite direction.
The People's Republic of China took a step toward addressing its lack of comprehensive data privacy laws earlier this year: It issued a series of proposed data security guidelines intended to better protect the privacy of Chinese citizens and provide guidance for international businesses operating in the country. The document, developed in consultation with China's Ministry of Industry and Information Technology, contains a set of broadly applicable rules and principles for storing, handling and transferring personal information.
Some business leaders worry the regulations, as they are currently written—with requirements stricter than those that exist in the U.S. or Europe—are too expansive and could cause serious damage to China's growing IT and business process outsourcing industry and to its customers. Specifically, the proposed rules indicate that information sent to China would face restrictions in getting back out again.
To shed light on China's proposed data privacy regulations, CIO.com interviewed Paul McKenzie, managing partner of the Beijing office of law firm Morrison & Foerster. He explains what the draft guidelines say, how likely they are to pass as written, and what offshore outsourcing customers can do to prepare for them.
CIO.com: Data security and intellectual property protection are always a concern when offshoring, but China has a particularly bad reputation in this area. Is that perception of lax information security in China warranted?
Paul McKenzie, managing partner, Morrison & Foerster: High levels of employee churn amongst outsourced service providers—particularly in the application development and maintenance field—coupled with limited cultural awareness of the importance of proprietary information tend to exacerbate the problem in China. Proper compartmentalization and practical data security controls can be worth far more than a contractual right, which may be difficult to enforce. An ounce of prevention is often worth a pound of cure.
What are the most noteworthy new personal data protection guidelines the Chinese government has proposed?
The most significant concepts in the guidelines involve:
An overarching principle that the holders of personal information keep such information confidential, and a specific requirement that express consent be obtained for all third-party disclosures of personal information;
A set of more specific principles to be observed during the collection, processing, use, transfer and maintenance of personal information;
Application of such principles specifically to personal data on computer networks (as opposed to other data storage media in hard copy form);
Restrictions on outsourcing the handling of personal information;
Prohibition on the export of personal information unless expressly permitted by law or otherwise approved by government authorities.
How do these restrictions compare to data privacy regulations in the U.S. and Europe?
The most significant way in which the guidelines are different from the U.S. and the European Union relates to the transfer of data. The U.S. has no general prohibition against transferring data across borders. Rather, U.S. companies that are regulated are expected to protect personal information wherever it is located—in the U.S. or outside of the U.S.
If these data security guidelines are enacted in China, express consent from an individual must be obtained in connection with the transfer of personal information to any other organization. Yet no exceptions are provided, unlike rules in other jurisdictions, such as the E.U., where sharing customer information is permitted without consent if it is necessary to complete a contract between the customer and the company. Without a clear definition of "other organizations," the guidelines could even prevent transfers of data to company affiliates and could be a significant impediment to outsourcing.