<html><body><span style="font-family:Verdana; color:#000000; font-size:10pt;"><div>Since we have discussed privacy laws as a priority in "applicable laws",</div><div>sharing the article below about new data privacy guidelines in China.</div><div><br></div><div>There are also new legal privacy requirements in India. News on that topic will be forwarded next.</div><div><br></div><div>Just want to re-state that privacy law on a global scope is still emerging and we can expect it</div><div>to continue.</div><div>Lynn</div><div><br></div>
<blockquote id="replyBlockquote" webmail="1" style="border-left: 2px solid blue; margin-left: 8px; padding-left: 8px; font-size:10pt; color:black; font-family:verdana;">
<div id="wmQuoteWrapper"><br>
<br><br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
This From: Computerworld, May 4, 2011<br>
<a href="http://www.computerworld.com">http://www.computerworld.com</a><br>
<br>
IT Outsourcing in China And Data Privacy Guidelines<br>
<a href="http://www.computerworld.com/s/article/9216417/IT_Outsourcing_in_China_And_Data_Privacy_Guidelines?taxonomyId=145">http://www.computerworld.com/s/article/9216417/IT_Outsourcing_in_China_And_Data_Privacy_Guidelines?taxonomyId=145</a><br>
<br>
Stephanie Overby<br>
May 4, 2011 (CIO)<br>
<br>
China's data privacy protection has long been considered one of the world's<br>
weakest. But the government's proposed data security guidelines may go too<br>
far in the opposite direction.<br>
<br>
The People's Republic of China took a step toward addressing its lack of<br>
comprehensive data privacy laws earlier this year: It issued a series of<br>
proposed data security guidelines intended to better protect the privacy of<br>
Chinese citizens and provide guidance for international businesses operating<br>
in the country. The document, developed in consult with China's Ministry of<br>
Industry and Information Technology, contains a set of broadly applicable<br>
rules and principles for storing, handling and transferring personal<br>
information.<br>
<a href="http://advice.cio.com/beth_bacheldor/what_google_vs_china_says_about_security_and_offshore_outsourcing">http://advice.cio.com/beth_bacheldor/what_google_vs_china_says_about_security_and_offshore_outsourcing</a><br>
<br>
Some business leaders worry the regulations, as they are currently<br>
written-with requirements stricter than those that exist in the U.S. or<br>
Europe-are too expansive and could cause serious damage to China's growing<br>
IT and business process outsourcing industry and to its customers.<br>
Specifically, the proposed rules indicate that information sent to China<br>
would face restrictions in getting back out again.<br>
<a href="http://www.cio.com/article/11865/Outsourcing_Is_Cheaper_In_China">http://www.cio.com/article/11865/Outsourcing_Is_Cheaper_In_China</a><br>
<br>
To shed light on China's proposed data privacy regulations, <a href="http://CIO.com">CIO.com</a><br>
interviewed Paul McKenzie, managing partner of the Beijing office of law<br>
firm Morrison & Foerster. He explains what the draft guidelines say, how<br>
likely they are to pass as written, and what offshore outsourcing customers<br>
can do to prepare for them.<br>
<br>
<a href="http://CIO.com">CIO.com</a>: Data security and intellectual property protection are always a<br>
concern when offshoring, but China has a particularly bad reputation in this<br>
area. Is that perception of lax information security in China warranted?<br>
<br>
Paul McKenzie, managing partner, Morrison & Foerster: High levels of<br>
employee churn amongst outsourced service providers-particularly in the<br>
application development and maintenance field-coupled with limited cultural<br>
awareness of the importance of proprietary information tend to exacerbate<br>
the problem in China. Proper compartmentalization and practical data<br>
security controls can be worth far more than a contractual right, which may<br>
be difficult to enforce. An ounce of prevention is often worth a pound of<br>
cure.<br>
<a href="http://www.cio.com/article/642105/Why_I_Outsourced_Application_Development_to_China">http://www.cio.com/article/642105/Why_I_Outsourced_Application_Development_to_China</a><br>
<br>
What are the most noteworthy new personal data protection guidelines the<br>
Chinese government has proposed?<br>
<br>
The most significant concepts in the guidelines involve:<br>
<br>
An overarching principle that the holders of personal information keep such<br>
information confidential, and a specific requirement that express consent be<br>
obtained for all third-party disclosures of personal information;<br>
<br>
A set of more specific principles to be observed during the collection,<br>
processing, use, transfer and maintenance of personal information;<br>
<br>
Application of such principles specifically to personal data on computer<br>
networks (as opposed to other data storage media in hard copy form);<br>
<br>
Restrictions on outsourcing the handling of personal information;<br>
<br>
Prohibition on the export of personal information unless expressly permitted<br>
by law or otherwise approved by government authorities.<br>
<br>
How do these restrictions compare to data privacy regulations in the U.S.<br>
and Europe? <| Powered by <a href="http://www.ISPIClips.com">www.ISPIClips.com</a> |><br>
<br>
The most significant way in which the guidelines are different from the U.S.<br>
and the European Union relates to the transfer of data. The U.S. has no<br>
general prohibition against transferring data across borders. Rather, U.S.<br>
companies that are regulated are expected to protect personal information<br>
wherever it is located-in the U.S. or outside of the U.S.<br>
<br>
If these data security guidelines are enacted in China, express consent from<br>
an individual must be obtained in connection with the transfer of personal<br>
information to any other organization. Yet no exceptions are provided,<br>
unlike rules in other jurisdictions, such as the E.U., where sharing<br>
customer information is permitted without consent if it is necessary to<br>
complete a contract between the customer and the company. Without a clear<br>
definition of "other organizations," the guidelines could even prevent<br>
transfers of data to company affiliates and could be a significant<br>
impediment to outsourcing.<br>
<br>
Export of personal data from China would also be prohibited under the draft<br>
guidelines unless an exception was found under Chinese law. But without a<br>
clear Chinese law currently in effect, the guidelines, if made mandatory,<br>
would prohibit the export of such data even when a customer had consented.<br>
<br>
That sounds like bad news for Western companies sending IT work to China-and<br>
for China's outsourcing industry.<br>
<br>
This would likely have a crippling effect on the growing Chinese outsourcing<br>
industry. Companies would be reluctant to outsource customer data processing<br>
to China-based providers for fear of a prohibition on having such data<br>
returned to them. However, there are reasons to expect that export<br>
carve-outs will eventually be forthcoming, as other sections on outsourcing<br>
in the draft guidelines are very much in line with requirements in other<br>
countries.<br>
<br>
How likely is it that these rules will be tweaked to allow exceptions for IT<br>
outsourcing?<br>
<br>
The guidelines are still very much in draft form, and regulators have<br>
received a heavy volume of comments from the public. While on the surface,<br>
some of the restrictions on export of data would appear draconian, we expect<br>
that more explicit exceptions will be put in place-for example, allowing<br>
transfer of data to affiliates and transfer of data back to the companies<br>
which outsourced their data processing to a firm in China.<br>
<br>
What is the process by which such proposed regulations become law in China?<br>
<br>
The drafts have been circulated as a potential "national standard" under<br>
China's national standardization system. They would first be issued as a<br>
voluntary guideline lacking the force of law. Examples of other<br>
non-mandatory standards include standards for book numbering, codes for<br>
representing the names of countries, and use of punctuation marks.<br>
<br>
We do believe that the regulators are testing the waters with these<br>
guidelines to see what form and substance national regulations on data<br>
privacy would ultimately take. Based on our conversations with relevant<br>
regulators, it is expected that these initial draft guidelines may still be<br>
changed significantly before being issued due to the extent of comments they<br>
have received from the business community.<br>
<br>
In the absence of national guidance, have there been regional or city data<br>
privacy regulations in effect?<br>
<br>
Several provinces and cities have introduced laws to try to regulate data<br>
privacy, particularly the online disclosure of personal information. By<br>
definition local legislation is limited in territorial scope, and it is<br>
therefore difficult to see how it might be sensibly applied to the Internet.<br>
The existing patchwork of local laws is actually one of the factors<br>
motivating the central government to accelerate progress towards the<br>
adoption of a unified national law based on the draft guidelines.<br>
<br>
What should companies currently outsourcing IT to China or sending IT work<br>
to their own captive centers there do to prepare for increased data security<br>
scrutiny?<br>
<br>
China recently enacted new criminal and tort laws that could be used to<br>
impose liability on companies if information is not properly protected.<br>
Companies should be thinking of how to develop internal control procedures<br>
to prevent rogue employees from misusing customer data. Incorporating some<br>
of these new guidelines may prove to be a useful defense in case of<br>
individual lawsuits.<br>
<br>
<br>
Copyright © 1994 - 2011 Computerworld Inc. All rights reserved.<br>
<br>
<br>
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~<br><br>
</div>
</blockquote></span></body></html>