Evolving Rules Around Data Privacy in China Pose Challenges for Foreign Companies
Companies are buzzing about GDPR, but in-house lawyers can look beyond Europe and into Asia for another source of regulatory scrutiny around their data practices.
February 13, 2018 at 04:11 PM
4 minute read
Credit: Harvepino/Shutterstock.com
As the May 2018 General Data Protection Regulation implementation date looms closer, global companies' legal leaders have data privacy rights in Europe on the brain. But those familiar with China's ever-evolving data rules and standards say it's important global companies focus on more than just Europe.
Though China's Cybersecurity Law, which controls how data in the country can be collected and shared, has been around in some form since 2016, it's been updated and clarified on an ongoing basis. On Jan. 25, the Standardization Administration of China published the full text of the Information Security Technology—Personal Information Security Specification, a set of best practices to ensure CSL compliance.
While these are best practices, not binding rules, regulators who enforce CSL may expect companies to comply, according to attorneys familiar with Chinese law. This could be particularly true when it comes to the requirement that companies get consent from employees before collecting and sharing their personal data. CSL requires employers to get consent, but the voluntary standards take it a step further by stating that consent should be explicitly given.
“Though the new privacy standards are completely voluntary, organizations should aim to comply,” said Yodi Hailemariam, an associate at Drinker Biddle & Reath who focuses on cross-border information governance and data privacy. “I think the standards, we can weave them into the fabric of the evolving data protection framework in China.”
U.S.-based employers who aren't compliant with China's latest standards or laws may not even know that these guidelines exist. Morgan, Lewis & Bockius partner Lesli Ligorner, who is based in Shanghai and works on labor and employment, says U.S. employers have, for instance, disclosed to her a China-based employee's salary casually without that employee's consent, which violates both Chinese law and the new standards.
“You hear so much about cybersecurity in relation to Europe, but then what [employers] don't realize is— they're sitting in LA, and they're looking at employee data, talking about it, technically, they don't have that the right to [share] that data if the employee is in China,” Ligorner said. “So you can access HR data anywhere, it's meant to be global, but now it's not OK for it be that [out in the] open, without specific consent.”
Xiaoyan Zhang, counsel in Reed Smith's IP, Tech & Data Group's San Francisco office, says that if companies are compliant with GDPR, they shouldn't have a problem complying with China's data privacy guidelines and laws. She says the concept of getting explicit consent before sharing users' data was inspired by GDPR.
But she also noted that explicit consent was outlined in the recent voluntary standards, but is not enshrined in binding Chinese law. Consent to share data is mandatory, but the law doesn't state whether it must be explicit, or make any other specifications. It's unclear what forms of consent other than explicit would allow employers to share worker data.
“Cybersecurity law says you need to get user consent before you get personal data and before you share personal data with third parties or across countries, but it doesn't say what kind of consent that should be,” Zhang said. “Those details [are in] the security standards, which, if you follow, you'd likely be considered in compliance with CSL.”
The three agreed that even if the latest standards aren't law, it's a good idea for U.S. companies to comply if possible, especially if they're making parallel efforts for GDPR. It's also possible the standards will one day become actual law.
“I think because the Chinese law in this area sort of changes, some of the Western companies have this forced hope like they [the laws] are probably going to change again and then they don't have to do anything,” Zhang said. “Which is an alarming situation.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Trump Fires EEOC Commissioners, Kneecapping Democrat-Controlled Civil Rights Agency
Spotify GC Steps Down, Opts to 'Step Away From Full-Time Corporate Life'
2 minute read
Trending Stories
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
