Chemical firms have been operating in China as long as any industry and have watched the business environment transform from an unregulated Wild West to a regulatory environment that is not all that dissimilar from that of the United States or Europe. With this transformation, China operations now may face compliance issues that would not have been relevant a decade ago.

Data privacy protection is one such issue. A patchwork of laws currently governs data protection; a new, more comprehensive statute is likely to be adopted next year.

Data Protection In China Today

China does not have a single national comprehensive law to protect privacy and personal data. Instead, a number of different laws regulate the disclosure and dissemination of individual data including bank customer records, credit status, rating and history data and tax data. Businesses involved in data collection and processing need to be aware of the various applicable local and national laws to incorporate appropriate possible safeguards for personal data in China operations.

This current legal regime is cumbersome and insufficient in light of the size and growth of China's economy. A new law under consideration for the protection of personal data imposes many obligations and restrictions on handling personal data that can be found in the data privacy laws of other jurisdictions including Hong Kong and the European Union. It regulates data processors (governmental and nongovernmental) regarding their collection and processing of personal data including the international transfer of personal data outside China. Although this law remains in the draft stage, its existence provides guidance for developing a data protection program that could accommodate a new PRC data protection law with minimal changes.

Best Practices

China will likely adopt some form of data protection law over the next 12 to 18 months. The following guidelines can help your business be prepared for data protection compliance in China:

  • Assess the types of personal data your company collects, processes and transfers.

  • Inform individuals of your intent to collect their personal data and the intended uses of the data.

  • Limit the use of personal data to those directly related to the stated purpose of collection.

  • Make sure data are not kept longer than necessary.

  • Make sure appropriate security measures are in place to protect collected and transferred data including data encryption and confidentiality obligations for employees who handle personal data.

  • Appoint a data privacy officer to develop and manage your personal data compliance program including individual requests to access and correct data and to ensure adherence to applicable laws.

  • Make efforts to integrate data protection throughout your organization.

www.ssd.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.