Restrictions on outsourcing the handling of personal information;
Prohibition on the export of personal information unless expressly permitted by law or otherwise approved by government authorities.
How do these restrictions compare to data privacy regulations in the U.S. and Europe?
The most significant way in which the guidelines are different from the U.S. and the European Union relates to the transfer of data. The U.S. has no general prohibition against transferring data across borders. Rather, U.S. companies that are regulated are expected to protect personal information wherever it is located—in the U.S. or outside of the U.S.
If these data security guidelines are enacted in China, express consent from an individual must be obtained in connection with the transfer of personal information to any other organization. Yet no exceptions are provided, unlike rules in other jurisdictions, such as the E.U., where sharing customer information is permitted without consent if it is necessary to complete a contract between the customer and the company. Without a clear definition of "other organizations," the guidelines could even prevent transfers of data to company affiliates and could be a significant impediment to outsourcing.
Export of personal data from China would also be prohibited under the draft guidelines unless an exception was found under Chinese law. But without a clear Chinese law currently in effect, the guidelines, if made mandatory, would prohibit the export of such data even when a customer had consented.
That sounds like bad news for Western companies sending IT work to China—and for China's outsourcing industry.
This would likely have a crippling effect on the growing Chinese outsourcing industry. Companies would be reluctant to outsource customer data processing to China-based providers for fear of a prohibition on having such data returned to them. However, there are reasons to expect that export carve-outs will eventually be forthcoming, as other sections on outsourcing in the draft guidelines are very much in line with requirements in other countries.
How likely is it that these rules will be tweaked to allow exceptions for IT outsourcing?
The guidelines are still very much in draft form, and regulators have received a heavy volume of comments from the public. While on the surface, some of the restrictions on export of data would appear draconian, we expect that more explicit exceptions will be put in place—for example, allowing transfer of data to affiliates and transfer of data back to the companies which outsourced their data processing to a firm in China.