Article - Privacy and outsourcing to China (January 2008)
Data protection law in China is currently going through a significant reform. There is potential for China’s existing patchwork of data protection requirements to be transformed into a strong, comprehensive data protection regime. This paper canvases the recent developments, particularly from the perspective of offshore outsourcing - a growing industry sector in China.
Outsourcing in China
China’s outsourcing industry has received increased attention in recent years as it begins to rival the outsourcing powerhouse, India. Much of China’s outsourcing is in IT, but a substantial offshore business processing outsourcing (BPO) industry exists, and is growing. A company in China might process medical files from New York, car loan applications from Detroit, or high school examinations from Melbourne.
BPO invariably leads to concerns about individuals’ personal information - and a series of leaks in India in recent years has highlighted the risks, real or perceived, of sending personal information offshore. As an example, in 2005 a group of employees of a company providing BPO services to a bank used the personal information of the bank’s customers to gain their bank account details, and then defrauded them of around US$350,000. In a second example, in 2005, an undercover journalist was able to purchase personal information from call centre employees on two separate occasions.
Although such incidents are rare, they highlight the need for some kind of assurance that personal information will not be abused, particularly because the individuals whose data might be abused have virtually no contact with the BPO provider.
Privacy in China
The concept of privacy has a somewhat complex history in China, but this is not to say that it does not exist. There is, at present, no consolidated national data protection legislation in China, although privacy is recognised to a limited extent in a selection of laws:
- There is a law prohibiting the disclosure, without consent, of consumers’ information (including name, gender, job, education, income, etc.) operating in Shanghai municipality;
- The Constitution recognises several ‘fundamental rights’ of citizens, including a right to ‘freedom and privacy of correspondence’;
- The General Principles of the Civil Law provide a ‘right to reputation’;
- No organization or individual may disclose a minor’s ‘personal secrets’;
- Medical practitioners must respect patient privacy, and criminal liability may apply if the patient’s privacy is violated; and
- ‘Single item’ statistical data concerning an individual or their family may not be divulged without consent.
These provisions are, however, of limited application, and in many cases the rights or protections are expressly granted to citizens, and their extension to non-citizens - as is necessary, of course, in the context of BPO - is questionable at best. Additionally, the laws tend to suggest an understanding of privacy as a protection against divulgence of embarrassing information, rather than the broader concept present in many legal or regulatory instruments, and do not allow for the full range of legal rights generally provided under data protection legislation, such as an individual’s right to access and correct information about them held by a company. The current legislative framework for protecting the personal information of China’s citizens, to say nothing of the foreign customers of BPO clients, is therefore quite limited.
Highlighting the need for a privacy and data protection regulatory regime are reports of a number of data protection problems:
- New mothers receiving marketing calls from infant formula retailers, baby haircutters and insurance companies after delivery rooms release their contact details;
- Websites making individuals’ contact details publicly available, ostensibly to facilitate business communication - users of the website are granted access to two online name cards in exchange for providing one person’s information;
- Real estate agents selling clients’ contact details to interior decorators, and stockbrokers contacting new investors; and
- Information from job applicants’ resumes being leaked to insurance companies, real estate agents and investment companies.
In recent years, there have been movements within China towards a comprehensive data protection law. It was reported in 2005 that a draft law had been developed by the Chinese Academy of Social Sciences.  More recently, China’s State Council’s Informatization Office, with the support of the EU-China Information Society Project has taken up the work. In April 2007 the SCIO was drafting a data protection law, with the support of the ECISP, and a statement by the deputy director of the policy and planning department of the SCIO, reported in August 2007, suggested that the draft law would soon be put before the Legal Affairs Office of the State Council.
Whereas the privacy reforms recently considered in India were largely an attempt to set aside concerns about data protection in the BPO industry, the reforms in China appear to be a response to the widespread breaches of citizens’ privacy - that is, there is recognition of a right to privacy, rather than an ends-driven business motive. Interestingly, this has been framed - in at least one report - as a matter not only of individual rights, but also of state property:
Better protection of private information, part of our national privacy and non-intangible property, is a testimony to a society’s civilization level and conforms to the country’s commitment to making continuous progress in the field of human rights protection.
A number of statements made in and around the drafting process give reason to expect that the law will primarily address the concerns of individuals, rather than businesses:
- A 2006 draft of the law stipulated that personal information was the ‘intangible property’ of an individual;
- The need for individuals to be able to access and correct their own personal information held by organisations has also been noted, and a call made for its inclusion in the law; and
- The majority of the media coverage, as discussed above, seems to side with individuals; there are numerous criticisms of the ease with which businesses can obtain contact details.
There is public support for such a law: eighty-nine per cent of respondents to a survey conducted by the People’s Daily news service called for legislation to be introduced ‘as soon as possible’, suggesting that earlier calls for greater awareness of privacy issues in the Chinese population have to some extent been answered.
The law, even in a draft form, is not yet publicly available, and so its content remains unknown. Some possibilities can be drawn from existing standards in data protection laws, such as the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; these Guidelines set out the principle-based approach reflected in a number of current data protection regimes, including, for example, in the EU and Australia, and the Safe Harbor principles in the US. The APEC Privacy Framework adopted a similar set of principles, and was recently endorsed by Google’s Global Privacy Counsel, although a number of weaknesses in the Framework have been observed.
On the other hand, China’s response to the APEC Privacy Framework has not been positive, and China is not participating in the APEC Data Privacy Pathfinder program, although the reasons for this are not clear. It may be that China considers the Privacy Framework to be inadequate, as many do - or it may be that China considers the Privacy Framework to give too much protection.
From the perspective of the BPO industry, the law should perhaps be developed with one eye on the data export (transborder data flow) laws of those countries from which Chinese providers are likely to receive outsourcing business. The EU Data Protection Directive is the archetype of these regimes. Under the Directive, personal information may not be transferred (subject to some limited exceptions) to a country outside the EU unless that third country ‘ensures an adequate level of protection’; the European Commission, on the advice of the Article 29 Working Party, determines whether a country meets this requirement. To date, only Argentina, Canada, Guernsey, the Isle of Man, and Switzerland have been found to ensure an ‘adequate level of protection’, along with the US in the specific case of companies operating under the Safe Harbor principles.
Restrictions on transborder data flows similar to those in the EU exist in a number of jurisdictions, for example:
- Section 33 of the Hong Kong Personal Data (Privacy) Ordinance (which is not yet in force) restricts transfers to cases where the transferor ‘has reasonable grounds for believing’ that a law similar to the Ordinance is in force at the destination, or the Privacy Commissioner has, under the Ordinance, specified the destination as having such a law;
- National Privacy Principle 9 of Australia’s Privacy Act also limits international transfers of personal data to situations where the transferor ‘reasonably believes’ that the recipient is bound by ‘a law, binding scheme or contract’ providing data protection similar to that under Australian law;
- Principle 4.1.1 of Singapore’s Infocomm Development Authority’s voluntary Model Data Protection Code requires a transferor to ‘take reasonable steps to ensure that the data which is to be transferred will not be processed inconsistently with this Model Code’;
- Article 22 of Japan’s Act on the Protection of Personal Information requires a data controller, when transferring personal information to a third party, to ‘exercise necessary and appropriate supervision over the [third party] to ensure the control of security of the entrusted personal data, and article 23 requires that consent be obtained from the individual when personal information is to be disclosed to a third party (domestically or internationally) except in a handful of cases; although no specific transborder provision exists, the requirements of articles 22 and 23 do restrict the export of data.
Similar restrictions on transborder data flows are recommended by the OECD Guidelines:
A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation.
and by Principle IX of the APEC Framework:
A personal information controller should be accountable for complying with measures that give effect to the Principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.
The EU Data Protection Directive clearly sets a high standard for data export requirements, but even the more relaxed requirements of other jurisdictions demand some level of safeguards in the destination jurisdiction. Meeting these export laws is good not only for the BPO industry, but for a variety of industries with international aspects.
Of course, legislation is not the only possibility for a systematic protection of personal information in the BPO sector. Indian BPO companies, keen to allay the privacy concerns of their clients, commonly implement strict controls on employees, such as limiting the possessions that employees may take into the workplace; removing all phones and CD burners from workstations, and restricting Internet access; and voluntarily meeting international standards on information protection, such as BS7799 and ISO17799.
There is a strong business case for outsourcing providers in India to use such measures - lest they lose customers to competitors with better data protections in place - and the outsourcing industry as a whole has an interest in encouraging a perception that all outsourcing companies in India offer strong data protection mechanisms. A number of industry initiatives have been introduced to strengthen data protection in the outsourcing industry, in particular:
- The National Skills Registry, in which employees in the outsourcing sector can register their skills and qualifications, and in which employers in the sector can register criminal or legal proceedings taken against employees (so long as a formal complaint has been made to a court or the police); and
- The (proposed) Data Security Council of India, a self-regulating organisation to be charged to ‘establish, popularize, monitor and enforce privacy and data protection standards’ in the outsourcing sector.
But these alternative, non-legislative schemes of data protection generally face shortcomings. Any voluntary, industry-regulated, competition-based data protection scheme would potentially take some time to be widely adopted - too long, given the rampant violations of privacy in China suggested in the media - and would potentially fail altogether. Industry standards such as BS7799 and ISO17799 are not readily available to consumers; certainly not to the degree that national laws are increasingly becoming available. Internal policies, such as have been employed in India’s BPO companies, may also not be readily available to consumers, and in any case, lack any strong enforcement mechanism. And, ultimately, there is too much uncertainty involved in these methods for data export laws to be reliably satisfied.
In the context of BPO, contractual terms between a provider and a client can also be used to safeguard personal information. But contractual terms are ultimately unsatisfactory for protecting data:
- Contractual terms must be negotiated between the BPO provider and the BPO client, increasing the complexity of the business arrangement, and potentially resulting in weak data protection requirements;
- Contractual terms are open to greater uncertainties than legislative requirements, both in terms of the requirements placed on the BPO provider, and the adequacy of the protections for the purpose of data export laws - particularly where there is no central authority for making an adequacy determination;
- The terms of a contract between the BPO provider and the BPO client will generally only be known to the two companies - not the individuals whose privacy is at stake; and
- Contractual terms offer limited scope for remedies for individuals whose privacy is violated - a breach of a contract must ultimately be remedied by a court (which brings with it the usual problems of time and cost, and in the case of offshore BPO, conflict of law issues) and under privity of contract (where it exists) the individual can take no action for a breach of a contract between the two companies.
Although more elaborate contractual schemes can be imagined, the increased complexity and uncertainty involved do not recommend such solutions. Legislation is not a panacea - it may not provide a remedy for a foreign individual who has suffered a data protection violation, and any cause of action it provided to such an individual would still need to be pursued through a foreign court or other dispute resolution system. Legislation is, however, more transparent, and potentially less complex, than a contract, and a BPO provider has a greater incentive to comply with legislation and avoid any civil or criminal penalties it provides.
Furthermore, a system of contractual protections of personal data, even if they were suited to data protection in BPO, would be unsatisfactory in the domestic context. The risk of privacy violations, such as those in the examples given earlier, could theoretically be offset by contractual terms between individuals and data handlers, but it is clear that, from a consumer protection perspective, this is inadequate - not least due to the power imbalance between the data handler and the individual, and the time and expense of suing for a breach of the contract. A comprehensive data protection law, on the other hand, can avoid these problems in the domestic context, and at the same time improve protections for foreign individuals whose data is transferred to BPO providers.
Privacy in China needs strengthening, and a data protection law is one of the better ways to achieve this. The development of the law has taken place behind closed doors, and so the details of the law, and the provisions it will make for protection of specific types of data remain to be seen. The limited publicly available information, however, gives some hope that there is a genuine effort being made to create a law largely in the spirit of international data protection standards. If this hope is answered, the law will be a significant development for those affected by offshore data transfers, including customers of companies that send their data to BPO providers in China.
 The Economist, Chinese city next outsource capital, 21 May 2006, <http://rgweb.registerguard.com/news/2006/05/21/ed.col.chinaout.0521.p1.php?section=opinion>.
 Ribeiro J, Indian call center workers charged with Citibank fraud, 7 April 2005, <http://www.infoworld.com/article/05/04/07/HNcitibankfraud_1.html>.
 ABC News Online, Indian call centres sell off Australians’ details, 15 August 2005, <http://www.abc.net.au/news/newsitems/200508/s1437366.htm>.
 For an analysis of existing privacy protections and threats, refer to Privacy International, People's Republic of China, 18 December 2007, <http://www.privacyinternational.org/article.shtml?cmd=x-347-559508>.
 Article 29, Regulations of Shanghai Municipality on the Protection of Consumers' Rights and Interests 2002 (China), <http://www.shanghai.gov.cn/shanghai/node8059/Rules&Laws/node15375/userobject6ai1278.html>.
 Article 40, Constitution of the People’s Republic of China 1982 (China), <http://english.people.com.cn/constitution/constitution.html>.
 Article 101, General Principles of the Civil Law of the People’s Republic of China 1986 (China), <http://en.chinacourt.org/public/detail.php?id=2696>.
 Article 30, Law of the People's Republic of China on the Protection of Minors 1991 (China), <http://www.womenofchina.cn/policies_laws/law_reg/1479.jsp>.
 Article 22, Law of the People's Republic of China on Medical Practitioners 1998 (China), <http://www.chinalaw.gov.cn/jsp/jalor_en/disptext.jsp?recno=1&&ttlrec=1>.
 Article 37, Law of the People's Republic of China on Medical Practitioners 1998 (China).
 Article 15, Statistics Law of the People's Republic of China 1983 (China), <http://www.stats.gov.cn/english/lawsandregulations/statisticallaws/t20020329_15257.htm>.
 This echoes the common claim that a person with ‘nothing to hide’ should not fear an invasion of privacy. For an examination of the history of this approach to privacy in China, see Zhu, G, The Right to Privacy: An Emerging Right in Chinese Law, Statute Law Review, vol. 18 no. 3, 1997, pages 208-214. For a discussion of the validity of such an approach, refer to Solove D, ‘I've Got Nothing to Hide’ and Other Misunderstandings of Privacy, San Diego Law Review, vol. 44, 2007,
 Refer, for example, to article 17, International Convention on Civil and Political Rights, 1976, <http://www2.ohchr.org/english/law/ccpr.htm#art17>. Unlawful attacks on ‘honour and reputation’ are recognised under this article as distinct from arbitrary or unlawful ‘interference with privacy, family, home or correspondence’.
 CRIEnglish.com, Name Card Website Raises Online Privacy Concerns, 23 August 2006, <http://english.cri.cn/3100/2006/08/23/[email protected]>.
 China Economic Net, Law on personal info ‘next year’, 6 August 2007, <http://en.ce.cn/National/Politics/200708/06/t20070806_12435867.shtml>.
 China View, Online leaks anger job seekers, 31 July 2007,
 People’s Daily Online, China to legislate for protection of personal information, 25 January 2005, <http://english.peopledaily.com.cn/200501/25/eng20050125_171801.html>.
 EU-China Information Society Project, Workshop on Data Protection Issue Identification, 20 April 2007,
 China Economic Net, Law on personal info ‘next year’, 6 August 2007, <http://en.ce.cn/National/Politics/200708/06/t20070806_12435867.shtml>.
 Information Technology (Amendment) Bill 2006 (India), <http://18.104.22.168/ls/bills-ls-rs/2006/96_2006.pdf>.
 Sharma D, India to tighten data protection laws, ZDNet Australia, 30 June 2005, <http://www.zdnet.com.au/news/security/soa/India_to_tighten_data_protection_laws/0,130061744,139199808,00.htm>.
 China Daily, Private information, 17 November 2007, <http://www.chinadaily.com.cn/cndy/2007-11/17/content_6261066.htm>.
 China View, New law expected to protect privacy, 6 August 2007,
 Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980, <http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html>.
 Clarke R, Beyond the OECD Guidelines: Privacy Protection for the 21st Century, 4 January 2000, <http://www.anu.edu.au/people/Roger.Clarke/DV/PP21C.html>.
 Asia-Pacific Economic Co-operation, APEC Privacy Framework, October 2005..
 Fleischer P, Call for global privacy standards, 14 September 2007,
 Pounder C, Why the APEC Privacy Framework is unlikely to protect privacy, 15 October 2007, <http://www.bakercyberlawcentre.org/ipp/apec_privacy_framework/0710_pounder.pdf>.
 Asia-Pacific Economic Cooperation, APEC Data Privacy Pathfinder, 2007/CSOM/019, September 2007, <http://aimp.apec.org/Documents/2007/SOM/CSOM/07_csom_019.doc>.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281/31, 23 November 1995,
 Commission Decision 2003/490/EC of 30/06/2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina, Official Journal L 168/19, 5 July 2003,
 Commission Decision 2002/2/EC of 20.12.2001 on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, Official Journal L 2/13, 4 January.2002,
 Commission Decision 2003/821/EC of 21 November 2003 on the adequate protection of personal data in Guernsey, Official Journal L 308/27, 25 November 2003,
 Commission Decision 2004/411/EC of 28 April 2004 on the adequate protection of personal data in the Isle of Man, Official Journal L 151/48, 30 April 2004,
 Commission Decision 2005/518/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland, Official Journal L 215/1, 25 August 2000,
 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, Official Journal L 215/7, 25 August 2000,
<http://eur-lex.europa.eu/LexUriServ/site/en/oj/2000/l_215/l_21520000825en00070047.pdf>. The Safe Harbor is a voluntary code of conduct for businesses wishing to receive personal data from the EU; see Department of Commerce, Safe Harbor principles, Department of Commerce, 21 July 2000, <http://www.export.gov/safeharbor/SH_Privacy.asp>.
 Schedule 3, Privacy Act 1988 (Cth), <http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html>.
 The requirement of ‘reasonable belief’ in these laws is somewhat weaker than the stricter adequacy requirements under the EU Directive, allowing some measure of subjectivity on the part of the transferor. Nevertheless, the Australian Law Reform Commission did not call for an amendment to this test in its recent review of the Privacy Act; see Chapter 28, Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper 72, September 2007, <http://www.austlii.edu.au/au/other/alrc/publications/dp/72/39.pdf>.
 Singapore Infocomm Development Authority, Model Data Protection Code, 18 June 2003, <http://www.trustsg.com.sg/downloads/Data_Protection_Code_v1.3.pdf>.
 Act on the Protection of Personal Information 2003 (Japan), <http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf>.
 Paragraph 17, OECD Guidelines.
 Paragraph 26, APEC Framework.
 Kobayashi-Hillary, M, Data theft scandal: What we can learn from India, Silicon.com, 6 October 2006, <http://services.silicon.com/offshoring/0,3800004877,39163049,00.htm>.
 India Web Developers, Outsourcing Information Security: How is India dealing with data privacy and security issues?, <http://www.indiawebdevelopers.com/outsourcing/data_privacy.asp>.
 Agarwal A, Need for data protection law, The Hindu, 24 May 2005, <http://www.hindu.com/op/2005/05/24/stories/2005052400481700.htm>.
 National Association of Software and Service Companies, National Skills Registry for IT/ITES Professional (NSR-ITP), 9 May 2007, <http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=51441>.
 National Association of Software and Service Companies, Data Security Council of India (DSCI), 8 August 2007, <http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=51973>.