It would be a falsehood to say that the GDPR did not change the legal landscape of how businesses and consumers handle their data. Far more than that, it has begun to shape even the policies of other jurisdictions.
Yet how does GDPR compare to other data security law around the world? We discuss the answer to that question by looking at the Chinese Cyber Security Law.
For some background, the law that China released on the 1st of June 2017 (a good year before GDPR officially came into force) drew strongly from the GDPR, as the latter was framed in November 2016. This was a few months after GDPR became formalized for the public in April 2016.
The similarities between the two acts, which suggest a copying of the legal requirements, are as follows:
That consumers be notified about data leaks or breaches
That consumers be made aware of the use for their data
That consent to gather data be acquired
The appointment of personnel to ensure compliance
Financial penalties and enforcement procedure
However, that is where the similarities appear to end. In a broad sense the two laws were the same; however, some differences emerged, at least at the outset. Within the Chinese law:
Those in breach faced prison sentences of up to seven years
Those in breach, if in a serious industry, could have assets, licenses and money seized
The terminology of personnel was different, with a ‘network operator’ rather than a ‘data handler’
The law focused on the Socialist Market Economy rather than a capitalist economy
Instead of isolating information to Europe, the law required data gathered in China to remain in China
These similarities and differences existed within the 2016/17 versions. However, following the implementation of GDPR in May 2018, the Chinese Cyber Security Law underwent further modification in order to gain the benefits from the new European system.
Level 3 and above (highly important Chinese industries) need to adhere to more regulations
Incorporates Supreme Court decisions that set out what constitutes a serious or non-serious breach.
It also set out which areas are deemed as critical industries and thus deserve greater protections:
Energy and transport
Other critical information infrastructure
The Chinese Cyber Security Law has some other differences, namely in reference to governing bodies. However, the starkest contrast has been in the implementation.
For many, the current laws have been used to target firms with international interests. This is because many of the laws, for example information being kept within China, give Chinese firms an automatic edge. This means that they would be unaffected in their practices anyway, since companies such as Alibaba have a predominantly Chinese market base.
Impact on International Firms including those from the UK
For international firms such as WhatsApp, which transports data between countries via encryption, issues may occur unless the Chinese government grants the company in question permission to transfer information. However, even in that case, a clause within the amendments, article 36 of the act, requires that:
“Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the CAC together with competent departments of the State Council, unless otherwise provided for in laws and administrative regulations”.
This means that the Chinese government, if it so desires, can look at business information, including trade secrets, where it relates to Chinese citizens' personal information being sent abroad.
This specific approach differs significantly from GDPR, which under article 42 permits data transfer without checking the information, so long as the third-party country in receipt of the data can prove its ability to keep the data secure.
At present, GDPR and the Chinese Cyber Security Law have not run afoul of one another, yet both are newly introduced and only starting to acclimatise. On top of that, both are open to innovation and will have to deal with new technologies handling data, as well as navigate a changing political landscape from Brexit.