As the May 2018 General Data Protection Regulation implementation date looms closer, global companies' legal leaders have data privacy rights in Europe on the brain. But those familiar with China's ever-evolving data rules and standards say it's important global companies focus on more than just Europe.

Though China's Cybersecurity Law (CSL), which controls how data in the country can be collected and shared, has been around in some form since 2016, it has been updated and clarified on an ongoing basis. On Jan. 25, the Standardization Administration of China published the full text of the Information Security Technology—Personal Information Security Specification, a set of best practices to ensure CSL compliance.

While these are best practices, not binding rules, regulators who enforce CSL may expect companies to comply, according to attorneys familiar with Chinese law. This could be particularly true when it comes to the requirement that companies get consent from employees before collecting and sharing their personal data. CSL requires employers to get consent, but the voluntary standards take it a step further by stating that consent should be explicitly given.

“Though the new privacy standards are completely voluntary, organizations should aim to comply,” said Yodi Hailemariam, an associate at Drinker Biddle & Reath who focuses on cross-border information governance and data privacy. “I think the standards, we can weave them into the fabric of the evolving data protection framework in China.”

U.S.-based employers who aren't compliant with China's latest standards or laws may not even know that these guidelines exist. Morgan, Lewis & Bockius partner Lesli Ligorner, who is based in Shanghai and works on labor and employment, says U.S. employers have, for instance, disclosed to her a China-based employee's salary casually without that employee's consent, which violates both Chinese law and the new standards.

“You hear so much about cybersecurity in relation to Europe, but then what [employers] don't realize is— they're sitting in LA, and they're looking at employee data, talking about it, technically, they don't have the right to [share] that data if the employee is in China,” Ligorner said. “So you can access HR data anywhere, it's meant to be global, but now it's not OK for it to be that [out in the] open, without specific consent.”

Xiaoyan Zhang, counsel in Reed Smith's IP, Tech & Data Group's San Francisco office, says that if companies are compliant with GDPR, they shouldn't have a problem complying with China's data privacy guidelines and laws. She says the concept of getting explicit consent before sharing users' data was inspired by GDPR.

She also noted, however, that explicit consent is outlined in the recent voluntary standards but is not enshrined in binding Chinese law. Consent to share data is mandatory, but the law doesn't state whether it must be explicit, or make any other specifications. It's unclear what forms of consent other than explicit consent would allow employers to share worker data.

“Cybersecurity law says you need to get user consent before you get personal data and before you share personal data with third parties or across countries, but it doesn't say what kind of consent that should be,” Zhang said. “Those details [are in] the security standards, which, if you follow, you'd likely be considered in compliance with CSL.”

The three agreed that even if the latest standards aren't law, it's a good idea for U.S. companies to comply if possible, especially if they're making parallel efforts for GDPR. It's also possible the standards will one day become actual law.

“I think because the Chinese law in this area sort of changes, some of the Western companies have this forced hope like they [the laws] are probably going to change again and then they don't have to do anything,” Zhang said. “Which is an alarming situation.”