What is the process by which such proposed regulations become law in China?
The drafts have been circulated as a potential "national standard" under China's national standardization system. They would first be issued as a voluntary guideline lacking the force of law. Examples of other non-mandatory standards include standards for book numbering, codes for representing the names of countries, and use of punctuation marks.
We do believe that the regulators are testing the waters with these guidelines to see what form and substance national regulations on data privacy would ultimately take. Based on our conversations with relevant regulators, it is expected that these initial draft guidelines may still be changed significantly before being issued due to the extent of comments they have received from the business community.
In the absence of national guidance, have there been regional or city data privacy regulations in effect?
Several provinces and cities have introduced laws to try to regulate data privacy, particularly the online disclosure of personal information. By definition, local legislation is limited in territorial scope, and it is therefore difficult to see how it might be sensibly applied to the Internet. The existing patchwork of local laws is actually one of the factors motivating the central government to accelerate progress towards the adoption of a unified national law based on the draft guidelines.
What should companies currently outsourcing IT to China or sending IT work to their own captive centers there do to prepare for increased data security scrutiny?
China recently enacted new criminal and tort laws that could be used to impose liability on companies if information is not properly protected. Companies should be thinking of how to develop internal control procedures to prevent rogue employees from misusing customer data. Incorporating some of these new guidelines may prove to be a useful defense in case of individual lawsuits.