Evolving Rules Around Data Privacy in China Pose Challenges for Foreign Companies
Companies are buzzing about GDPR, but in-house lawyers can look beyond Europe and into Asia for another source of regulatory scrutiny around their data practices.
February 13, 2018 at 04:11 PM
As the May 2018 General Data Protection Regulation implementation date looms closer, global companies' legal leaders have data privacy rights in Europe on the brain. But those familiar with China's ever-evolving data rules and standards say it's important global companies focus on more than just Europe.
Though China's Cybersecurity Law, which controls how data in the country can be collected and shared, has been around in some form since 2016, it's been updated and clarified on an ongoing basis. On Jan. 25, the Standardization Administration of China published the full text of the Information Security Technology—Personal Information Security Specification, a set of best practices to ensure CSL compliance.
While these are best practices, not binding rules, regulators who enforce CSL may expect companies to comply, according to attorneys familiar with Chinese law. This could be particularly true when it comes to the requirement that companies get consent from employees before collecting and sharing their personal data. CSL requires employers to get consent, but the voluntary standards take it a step further by stating that consent should be explicitly given.
“Though the new privacy standards are completely voluntary, organizations should aim to comply,” said Yodi Hailemariam, an associate at Drinker Biddle & Reath who focuses on cross-border information governance and data privacy. “I think the standards, we can weave them into the fabric of the evolving data protection framework in China.”
U.S.-based employers who aren't compliant with China's latest standards or laws may not even know that these guidelines exist. Morgan, Lewis & Bockius partner Lesli Ligorner, who is based in Shanghai and works on labor and employment, says U.S. employers have, for instance, casually disclosed to her a China-based employee's salary without that employee's consent, which violates both Chinese law and the new standards.
“You hear so much about cybersecurity in relation to Europe, but then what [employers] don't realize is—they're sitting in LA, and they're looking at employee data, talking about it, technically, they don't have the right to [share] that data if the employee is in China,” Ligorner said. “So you can access HR data anywhere, it's meant to be global, but now it's not OK for it to be that [out in the] open, without specific consent.”
Xiaoyan Zhang, counsel in Reed Smith's IP, Tech & Data Group's San Francisco office, says that if companies are compliant with GDPR, they shouldn't have a problem complying with China's data privacy guidelines and laws. She says the concept of getting explicit consent before sharing users' data was inspired by GDPR.
She also noted that explicit consent, while outlined in the recent voluntary standards, is not enshrined in binding Chinese law. Consent to share data is mandatory, but the law doesn't state whether it must be explicit, or make any other specifications. It's unclear what forms of consent other than explicit would allow employers to share worker data.
“Cybersecurity law says you need to get user consent before you get personal data and before you share personal data with third parties or across countries, but it doesn't say what kind of consent that should be,” Zhang said. “Those details [are in] the security standards, which, if you follow, you'd likely be considered in compliance with CSL.”
The three agreed that even if the latest standards aren't law, it's a good idea for U.S. companies to comply if possible, especially if they're making parallel efforts for GDPR. It's also possible the standards will one day become actual law.
“I think because the Chinese law in this area sort of changes, some of the Western companies have this forced hope like they [the laws] are probably going to change again and then they don't have to do anything,” Zhang said. “Which is an alarming situation.”
© 2024 ALM Global, LLC, All Rights Reserved.