IT outsourcing in China and data privacy guidelines

China's data privacy protection has long been considered one of the world's weakest. But the government's proposed data security guidelines may go too far in the opposite direction.

The People's Republic of China took a step toward addressing its lack of comprehensive data privacy laws earlier this year: It issued a series of proposed data security guidelines intended to better protect the privacy of Chinese citizens and provide guidance for international businesses operating in the country. The document, developed in consult with China's Ministry of Industry and Information Technology, contains a set of broadly applicable rules and principles for storing, handling and transferring personal information.

Some business leaders worry the regulations, as they are currently written-with requirements stricter than those that exist in the U.S. or Europe-are too expansive and could cause serious damage to China's growing IT and business process outsourcing industry and to its customers. Specifically, the proposed rules indicate that information sent to China would face restrictions in getting back out again.

To shed light on China's proposed data privacy regulations, interviewed Paul McKenzie, managing partner of the Beijing office of law firm Morrison & Foerster. He explains what the draft guidelines say, how likely they are to pass as written, and what offshore outsourcing customers can do to prepare for them. Data security and intellectual property protection are always a concern when offshoring, but China has a particularly bad reputation in this area. Is that perception of lax information security in China warranted?

Paul McKenzie, managing partner, Morrison & Foerster: High levels of employee churn amongst outsourced service providers-particularly in the application development and maintenance field-coupled with limited cultural awareness of the importance of proprietary information tend to exacerbate the problem in China. Proper compartmentalization and practical data security controls can be worth far more than a contractual right, which may be difficult to enforce. An ounce of prevention is often worth a pound of cure.

What are the most noteworthy new personal data protection guidelines the Chinese government has proposed?

The most significant concepts in the guidelines involve:

An overarching principle that the holders of personal information keep such information confidential, and a specific requirement that express consent be obtained for all third-party disclosures of personal information;

A set of more specific principles to be observed during the collection, processing, use, transfer and maintenance of personal information;

Application of such principles specifically to personal data on computer networks (as opposed to other data storage media in hard copy form);

Restrictions on outsourcing the handling of personal information;

Prohibition on the export of personal information unless expressly permitted by law or otherwise approved by government authorities.

How do these restrictions compare to data privacy regulations in the U.S. and Europe?

The most significant way in which the guidelines are different from the U.S. and the European Union relates to the transfer of data. The U.S. has no general prohibition against transferring data across borders. Rather, U.S. companies that are regulated are expected to protect personal information wherever it is located-in the U.S. or outside of the U.S.

If these data security guidelines are enacted in China, express consent from an individual must be obtained in connection with the transfer of personal information to any other organization. Yet no exceptions are provided, unlike rules in other jurisdictions, such as the E.U., where sharing customer information is permitted without consent if it is necessary to complete a contract between the customer and the company. Without a clear definition of "other organizations," the guidelines could even prevent transfers of data to company affiliates and could be a significant impediment to outsourcing.

Export of personal data from China would also be prohibited under the draft guidelines unless an exception was found under Chinese law. But without a clear Chinese law currently in effect, the guidelines, if made mandatory, would prohibit the export of such data even when a customer had consented.

That sounds like bad news for Western companies sending IT work to China-and for China's outsourcing industry.

This would likely have a crippling effect on the growing Chinese outsourcing industry. Companies would be reluctant to outsource customer data processing to China-based providers for fear of a prohibition on having such data returned to them. However, there are reasons to expect that export carve-outs will eventually be forthcoming, as other sections on outsourcing in the draft guidelines are very much in line with requirements in other countries.

How likely is it that these rules will be tweaked to allow exceptions for IT outsourcing?

The guidelines are still very much in draft form, and regulators have received a heavy volume of comments from the public. While on the surface, some of the restrictions on export of data would appear draconian, we expect that more explicit exceptions will be put in place-for example, allowing transfer of data to affiliates and transfer of data back to the companies which outsourced their data processing to a firm in China.

What is the process by which such proposed regulations become law in China?

The drafts have been circulated as a potential "national standard" under China's national standardization system. They would first be issued as a voluntary guideline lacking the force of law. Examples of other non-mandatory standards include standards for book numbering, codes for representing the names of countries, and use of punctuation marks.

We do believe that the regulators are testing the waters with these guidelines to see what form and substance national regulations on data privacy would ultimately take. Based on our conversations with relevant regulators, it is expected that these initial draft guidelines may still be changed significantly before being issued due to the extent of comments they have received from the business community.

In the absence of national guidance, have there been regional or city data privacy regulations in effect?

Several provinces and cities have introduced laws to try to regulate data privacy, particularly the online disclosure of personal information. By definition local legislation is limited in territorial scope, and it is therefore difficult to see how it might be sensibly applied to the Internet. The existing patchwork of local laws is actually one of the factors motivating the central government to accelerate progress towards the adoption of a unified national law based on the draft guidelines.

What should companies currently outsourcing IT to China or sending IT work to their own captive centers there do to prepare for increased data security scrutiny?

China recently enacted new criminal and tort laws that could be used to impose liability on companies if information is not properly protected. Companies should be thinking of how to develop internal control procedures to prevent rogue employees from misusing customer data. Incorporating some of these new guidelines may prove to be a useful defense in case of individual lawsuits.

Read more about outsourcing in CIO's Outsourcing Drilldown.

Join the PC World newsletter!

Error: Please check your email address.

Tags business issuesManagement Topics | OutsourcingChina data privacy lawsdata securityprivacyIT outsourcingservicesManagement Topicsoutsourcingoutsourcing in Chinasecuritydata privacyChinabusinessdata protection

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stephanie Overby

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?