New data standard signals change ahead
Scott Thiel, a partner at DLA Piper Hong Kong, discusses data privacy changes on the mainland

China is one of the few major countries in Asia without a comprehensive law regulating the use and handling of personal information. Instead, data privacy is governed by way of a regime that includes the constitution, criminal law, civil law, tort law and some sector-specific regulations.
Concepts such as "personal information" and "consent" are not well defined, so protection of data privacy on the mainland is piecemeal at best. In addition, the exact obligations of those who use personal data are unclear.
This ambiguity, however, has been significantly addressed by China's recent issuance of a standard named "Information Security Technology - Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems". These guidelines, which came into effect on February 1, have not only shed some much-needed light on China's data privacy regime, but have also paved the way for more comprehensive regulation in future.
The new guidelines represent China's first serious attempt to define data privacy concepts for more general application. That said, their scope is still limited, as they cover only personal data in computer networks and apply only to the private sector.
More importantly, the guidelines serve only as a voluntary national standard and do not have the force of law. Compliance is not mandatory. However, in practice, local authorities and courts may use them for reference, and they are expected to serve as an important reference when China enacts its own comprehensive data privacy law.