Chemical firms have been operating in China as long as any industry and have watched the business environment transform from an unregulated Wild West to a regulatory environment that is not all that dissimilar from that of the United States or Europe. With this transformation, China operations now may face compliance issues that would not have been relevant a decade ago.
Data privacy protection is one such issue. A patchwork of laws currently governs data protection; a new, more comprehensive statute is likely to be adopted next year.
Data Protection In China Today
China does not have a single, comprehensive national law to protect privacy and personal data. Instead, a number of different laws regulate the disclosure and dissemination of individual data, including bank customer records; credit status, rating and history data; and tax data. Businesses involved in data collection and processing need to be aware of the various applicable local and national laws so that they can incorporate appropriate safeguards for personal data into their China operations.
The current legal regime is cumbersome and insufficient in light of the size and growth of China's economy. A new law under consideration for the protection of personal data imposes many of the obligations and restrictions on handling personal data that are found in the data privacy laws of other jurisdictions, including Hong Kong and the European Union. It regulates data processors (governmental and nongovernmental) with respect to their collection and processing of personal data, including the transfer of personal data outside China. Although this law remains in the draft stage, its existence provides guidance for developing a data protection program that could accommodate a new PRC data protection law with minimal changes.
Best Practices
China will likely adopt some form of data protection law over the next 12 to 18 months. The following guidelines can help your business be prepared for data protection compliance in China:
- Assess the types of personal data your company collects, processes and transfers.
- Inform individuals of your intent to collect their personal data and the intended uses of the data.
- Limit the use of personal data to uses directly related to the stated purpose of collection.
- Make sure data are not kept longer than necessary.
- Make sure appropriate security measures are in place to protect collected and transferred data, including data encryption and confidentiality obligations for employees who handle personal data.
- Appoint a data privacy officer to develop and manage your personal data compliance program, including individual requests to access and correct data, and to ensure adherence to applicable laws.
- Make efforts to integrate data protection throughout your organization.