GDPR Meets its Match . . . in China

Most established European and American companies that do business in or with China have already done a good deal to comply with the EU’s General Data Protection Regulation (“GDPR”), and maybe even the California Consumer Privacy Act (“CCPA”). They have likely drafted new privacy policies, re-designed  their websites, and adopted more internal controls to be better about data processing.

If they are going to China, a lot of that’s going to need to change.

One of the common trends for new privacy laws across the globe is the concept that the person who collects or controls a person’s data generally must have a legal, justifiable reason to do so. Each governmental entity that’s adopted a privacy regime has modified what those grounds are, and in many cases if data is collected or used for a reason that’s not on the list, it’s not lawful.

Countries with more robust privacy laws (like those within the EU) are moving more and more towards consent-based processing, meaning businesses must actually inform users why they are processing user data and get their consent. These countries usually do not require consent for all processing. There are usually enumerated exceptions to consent or just other grounds for processing listed. When it comes to GDPR, two of the important non-consent grounds for processing are: (1) the processing is necessary to perform a contract between the parties, and (2) the processing is in the legitimate interest of the controller of the data (usually the company) and it does not violate the fundamental rights of the subject.

The contract performance ground gives the business that controls the user data flexibility over how it uses customer data when it enters into a contract with a party. Companies may not always know how exactly they will use data to carry out their obligations to a customer and explaining everything they intend to do to a customer may be overly complicated.

The legitimate interest ground is more of a catch-all provision that also allows businesses to process data absent express consent. Notably, it will require a careful balancing of the controller’s interests against the subject’s rights, but in many cases it will still allow for processing of the data even without the subject’s consent.

Of all the many obligations GDPR imposes on businesses these exceptions to consent at least give EU companies some breathing room. China is  a completely different story.

China’s Personal Information Security Specification is China’s national standard on the collection and processing of personal information. An English language version of the May 2018 version of the Specification can be found here. Recently, China proposed changes to its May 2018 Specification.

The May 2018 Specification makes clear that consent is the preferred basis for data collection. There are some exceptions to consent enumerated in section 5.4, including for performance of a contract, but excluding legitimate interests. However, in the proposed changes, contract performance is removed. In other words, two of the most significant grounds for processing under GDPR (other than consent) are not allowed in China.

I cannot stress enough the significance of these differences from GDPR. If your business is doing anything in China that involves collecting data, you will soon need to comply not only with the GDPR rules (which will be very strictly enforced against foreign—especially U.S.—companies), but you also must completely revamp your US or EU-centric privacy policies and (probably) websites to explicitly get consent. This will be a lot of work.

U.S. or E.U. companies doing business in China will not be able to rely on having entered into contracts with Chinese citizens to process their data. they will now need to painstakingly explain all of the ways in which they will use the data and get consent for using it, unless one of the other few very narrow exceptions applies. If you want to change in how you processes data after collecting it and getting consent, most of the time that will be just too bad—unless there’s another exception. You will need to go back and get fresh consent. In other words, and as so many of our clients keep wanting us to confirm, what you have done to comply with GDPR and US/California data privacy laws does not really help you much if at all for China. You will need to undertake wholly separate and different compliance work for China.

Needless to say, our clients are not happy about this and many rightly point out the increased trouble, costs and time this is going to take. A few of them not so subtly mention how ridiculous all of this is and how “this seems to benefit nobody but the China data privacy lawyers.” Our response to that is to agree and then to note how China has always gone its separate way on pretty much everything Internet because its goals surrounding the Internet do not in any way line up with those of the West. One of our China data privacy lawyers often says that when thinking about EU/GDPR data privacy goals, think privacy and when thinking about U.S. data privacy laws, think profits with privacy. When thinking about China data privacy laws, think about the Chinese governments goal of protecting its Internet from foreign companies and about not giving private companies too much information about China’s inner workings.

And lest you may be thinking that none of this applies to you because you do not have a company in China or in Europe, you would likely be wrong. Both China’s data privacy laws and the GDPR have a global reach. Companies with absolutely zero footprint in either the EU or in China can be subject to compliance with their vast and complex data privacy laws. Even companies with only U.S. presences who only sell goods in the U.S. can be subject to the GDPR and the same goes for China.

If anything is clear, it is that China’s new data privacy laws are going to be a headache for foreign companies and complying with them will be difficult even for companies that have been ahead of the GDPR and/or CCPA curve.

Read More