Since we have discussed privacy laws as a priority in "applicable laws",
sharing the article below about new data privacy guidelines in China.

There are also new legal privacy requirements in India.  News on that topic will be forwarded next.

Just want to re-state that privacy law on a global scope is still emerging and we can expect it
to continue.
Lynn




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This From: Computerworld, May 4, 2011
http://www.computerworld.com

IT Outsourcing in China And Data Privacy Guidelines
http://www.computerworld.com/s/article/9216417/IT_Outsourcing_in_China_And_Data_Privacy_Guidelines?taxonomyId=145

Stephanie Overby
May 4, 2011 (CIO)

China's data privacy protection has long been considered one of the world's
weakest. But the government's proposed data security guidelines may go too
far in the opposite direction.

The People's Republic of China took a step toward addressing its lack of
comprehensive data privacy laws earlier this year: It issued a series of
proposed data security guidelines intended to better protect the privacy of
Chinese citizens and provide guidance for international businesses operating
in the country. The document, developed in consult with China's Ministry of
Industry and Information Technology, contains a set of broadly applicable
rules and principles for storing, handling and transferring personal
information.
http://advice.cio.com/beth_bacheldor/what_google_vs_china_says_about_security_and_offshore_outsourcing

Some business leaders worry the regulations, as they are currently
written-with requirements stricter than those that exist in the U.S. or
Europe-are too expansive and could cause serious damage to China's growing
IT and business process outsourcing industry and to its customers.
Specifically, the proposed rules indicate that information sent to China
would face restrictions in getting back out again.
http://www.cio.com/article/11865/Outsourcing_Is_Cheaper_In_China

To shed light on China's proposed data privacy regulations, CIO.com
interviewed Paul McKenzie, managing partner of the Beijing office of law
firm Morrison & Foerster. He explains what the draft guidelines say, how
likely they are to pass as written, and what offshore outsourcing customers
can do to prepare for them.

CIO.com: Data security and intellectual property protection are always a
concern when offshoring, but China has a particularly bad reputation in this
area. Is that perception of lax information security in China warranted?

Paul McKenzie, managing partner, Morrison & Foerster: High levels of
employee churn amongst outsourced service providers-particularly in the
application development and maintenance field-coupled with limited cultural
awareness of the importance of proprietary information tend to exacerbate
the problem in China. Proper compartmentalization and practical data
security controls can be worth far more than a contractual right, which may
be difficult to enforce. An ounce of prevention is often worth a pound of
cure.
http://www.cio.com/article/642105/Why_I_Outsourced_Application_Development_to_China

What are the most noteworthy new personal data protection guidelines the
Chinese government has proposed?

The most significant concepts in the guidelines involve:

An overarching principle that the holders of personal information keep such
information confidential, and a specific requirement that express consent be
obtained for all third-party disclosures of personal information;

A set of more specific principles to be observed during the collection,
processing, use, transfer and maintenance of personal information;

Application of such principles specifically to personal data on computer
networks (as opposed to other data storage media in hard copy form);

Restrictions on outsourcing the handling of personal information;

Prohibition on the export of personal information unless expressly permitted
by law or otherwise approved by government authorities.

How do these restrictions compare to data privacy regulations in the U.S.
and Europe? <| Powered by www.ISPIClips.com |>

The most significant way in which the guidelines are different from the U.S.
and the European Union relates to the transfer of data. The U.S. has no
general prohibition against transferring data across borders. Rather, U.S.
companies that are regulated are expected to protect personal information
wherever it is located-in the U.S. or outside of the U.S.

If these data security guidelines are enacted in China, express consent from
an individual must be obtained in connection with the transfer of personal
information to any other organization. Yet no exceptions are provided,
unlike rules in other jurisdictions, such as the E.U., where sharing
customer information is permitted without consent if it is necessary to
complete a contract between the customer and the company. Without a clear
definition of "other organizations," the guidelines could even prevent
transfers of data to company affiliates and could be a significant
impediment to outsourcing.

Export of personal data from China would also be prohibited under the draft
guidelines unless an exception was found under Chinese law. But without a
clear Chinese law currently in effect, the guidelines, if made mandatory,
would prohibit the export of such data even when a customer had consented.

That sounds like bad news for Western companies sending IT work to China-and
for China's outsourcing industry.

This would likely have a crippling effect on the growing Chinese outsourcing
industry. Companies would be reluctant to outsource customer data processing
to China-based providers for fear of a prohibition on having such data
returned to them. However, there are reasons to expect that export
carve-outs will eventually be forthcoming, as other sections on outsourcing
in the draft guidelines are very much in line with requirements in other
countries.

How likely is it that these rules will be tweaked to allow exceptions for IT
outsourcing?

The guidelines are still very much in draft form, and regulators have
received a heavy volume of comments from the public. While on the surface,
some of the restrictions on export of data would appear draconian, we expect
that more explicit exceptions will be put in place-for example, allowing
transfer of data to affiliates and transfer of data back to the companies
which outsourced their data processing to a firm in China.

What is the process by which such proposed regulations become law in China?

The drafts have been circulated as a potential "national standard" under
China's national standardization system. They would first be issued as a
voluntary guideline lacking the force of law. Examples of other
non-mandatory standards include standards for book numbering, codes for
representing the names of countries, and use of punctuation marks.

We do believe that the regulators are testing the waters with these
guidelines to see what form and substance national regulations on data
privacy would ultimately take. Based on our conversations with relevant
regulators, it is expected that these initial draft guidelines may still be
changed significantly before being issued due to the extent of comments they
have received from the business community.

In the absence of national guidance, have there been regional or city data
privacy regulations in effect?

Several provinces and cities have introduced laws to try to regulate data
privacy, particularly the online disclosure of personal information. By
definition local legislation is limited in territorial scope, and it is
therefore difficult to see how it might be sensibly applied to the Internet.
The existing patchwork of local laws is actually one of the factors
motivating the central government to accelerate progress towards the
adoption of a unified national law based on the draft guidelines.

What should companies currently outsourcing IT to China or sending IT work
to their own captive centers there do to prepare for increased data security
scrutiny?

China recently enacted new criminal and tort laws that could be used to
impose liability on companies if information is not properly protected.
Companies should be thinking of how to develop internal control procedures
to prevent rogue employees from misusing customer data. Incorporating some
of these new guidelines may prove to be a useful defense in case of
individual lawsuits.


Copyright © 1994 - 2011 Computerworld Inc. All rights reserved.


~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~