Investigations and Information Transfer: China

Privacy laws are established and enforced for a good reason. I for one wouldn’t want the company I work for making my personal information available to everyone.

Posted by Joe Gerard in on April 22nd, 2011

Privacy laws are established and enforced for a good reason. I for one wouldn’t want the company I work for making my personal information available to everyone. Internal investigations deal with a significant amount of information, including personal employee information. The various privacy laws in each country have an impact on the way investigations are conducted. When it comes to cross-border investigations, privacy laws might seem more like “the Great Wall of Information Transfer,” blocking investigators from gathering all the facts about the incident under investigation.

Until now, there had been virtually no guidance as to how personal information was to be treated in China. The guidelines issued by the General Administration of Quality Supervision Inspection and Quarantine and the Standardization Administration of the People’s Republic of China, are only in draft form and could be revised before they are officially brought into law. However, once the privacy laws are in place, the ways that companies store, process and transfer information in China will be greatly impacted.

Information Transfer

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

Information transfer is important in the success of cross-border investigations. Privacy laws vary by country, making it difficult, and sometimes impossible, for investigators to get the information they need. Companies must ensure compliance with local privacy laws and plan ahead in order to ensure that their offices overseas are cooperative during investigations. In China, the proposed privacy laws offer a very broad definition of what is considered personal information, which doesn’t make matters any easier.

Gastón Fernández, Associate at Hogan Lovells, contributed a fabulous article to Chronicle of Data Protection, titled “China Publishes Draft Privacy Guidelines”. Fernández notes that compliance with the proposed guidelines could be very time consuming and costly for organizations.The article covers all of the different aspects of the proposed privacy laws in China, including how to handle the transfer of information:

“The draft Guidelines take a restrictive position on the transfer of personal information between data processors and could create difficulties for multinational corporations relying on third party data processing companies or routinely passing information between affiliates.

1. Presumption against transfer to third parties
The draft Guidelines generally prohibit transfer of personal information to third parties. In situations where personal information would be transferred to third parties, the data processor would have to disclose the identity of the transferees and obtain consent from the data subject.

2. Presumption against allowing cross-border transfer of personal information
Under the draft Guidelines, transferring personal information to foreign data processors is prohibited except where there are clear laws or regulations permitting the transfer or the industry regulator has agreed. Given the lack of current PRC laws and regulations on this subject, the proposed rule could have a major impact on companies using offshore data centers or transferring information to foreign affiliates, especially in the financial services and insurance industries, where collection and transfer of personal data is necessary for business operations.
In this respect, the position in the draft Guidelines is far more restrictive than the proposed Draft Privacy Law, which would generally allow international transfer of information subject to informed consent, national security considerations and the adequacy of data privacy laws in the recipient’s jurisdiction.

3. Use of personal information following mergers or acquisitions
The draft Guidelines require that in the event a data processor is involved in a merger or acquisition, the transaction documents would have to specify that the use and level of protection of personal information would not change.”

Joe Gerard
Joe Gerard

CEO, i-Sight

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.

Visit Website