American Chamber of Commerce releases China data regulation compliance advice
2019-08-15 10:49 Thursday
The latest report released by the American Chamber of Commerce (AmCham) in Shanghai has recently shed light on how China's personal data regulations affect foreign firms.
Many overseas companies who do business in the country have looked at these regulations to make sure they are compliant, but there is some difference of opinion as to their clarity and how best they should be approached.
There is no doubt that data is fast becoming the world's most valuable resource. It represents both the future and the present, and its significance to officials, businesses, and individuals has given rise to wide-scale debate over how they should manage the critical space data occupies.
China's data privacy regulatory framework as it is written falls mainly under the 2017 Cybersecurity Law and its related guidelines and standards, as well as an array of earlier regulations, like the country's Commercial Banking Law.
According to the report, the Chamber said that while businesses understand the need for data laws, several elements of the framework do little to actually protect data and instead act as a bottleneck to the normal flow of business operations.
High among their concerns are ambiguities and vagueness in the details of the laws. The Personal Information Security Specification, which became a cornerstone of the data regulations after its passing in May 2018, is a directive that offers guidelines on how to and how not to collect and process personal information.
While the Specification is only classified by Chinese authorities as “recommended,” many businesses said that regulators have indicated it must be followed as a de-facto law.
Many industry insiders have complained of sector-specific ambiguities, like in health, where laws are opaque over what parts of medical patient data must be kept anonymous. Someone with a particularly uncommon illness can be identified easily from their medical records even if their name and ID number are redacted. But completely anonymizing the data makes it unusable for healthcare research and development purposes.
Such vagueness creates compliance nightmares for firms, who find themselves second-guessing when they must follow the laws and when they can get by with turning a blind eye. One food and beverage company said: “If we can comply with the recommendation without much cost, we'll take it as a new standard. But if we have to pay a lot for that, we'll wait and see.”
Other requirements, like data localization and overpriced security assessments, do almost nothing to make data more secure, and instead impose overbearing, costly, and unnecessary burdens on companies.
Many such problems are a result of how China institutes fresh laws. As opposed to the EU, which has its own data framework, legislation in China is often left incomplete from the start, with the retroactive intention of filling in the gaps, according to experts.
Optimistic commentators argue that this gives laws more flexibility as their effects become apparent, but in reality it causes a big headache for enterprises – especially global firms – who need clarity to mitigate risk and create legal compliance actions.