Firms trying to email into China will be confronted with even tougher regulations than GDPR.
Proposed changes in China’s Personal Information Security Specification would disallow data collection for the performance of a contract.
This activity was allowed previously. But under this proposal, prior consent will be required, as it is for data collection for legitimate interests.
“In other words, two of “most significant grounds for processing under GDPR (other than consent) are not allowed in China,” writes Griffen Thorne, an attorney based in the Los Angeles office of law firm Harris Bricken, on China Law Blog.
Thorne elaborates: “U.S. or E.U. companies doing business in China will not be able to rely on having entered into contracts with Chinese citizens to process their data. They will now need to painstakingly explain all of the ways in which they will use the data and get consent for using it, unless one of the other few very narrow exceptions applies.”
If you want to change the way you process data after collecting it and obtain consent, "most of the time that will be just too bad — unless there’s another exception.”
Clients have complained to Thorne’s firm that “this seems to benefit nobody but the China data privacy lawyers.”
Worse, like GDPR, China’s data laws have a global reach. So make sure you get consent when using data to fulfill a contract.