It would be a falsehood to say that the GDPR did not change the legal landscape of how businesses and consumers handle their data; more than that, it has begun to shape even the policies of other jurisdictions.
Yet how does GDPR compare to other data security laws around the world? We discuss the answer to that question by looking at the Chinese Cyber Security Law.
For some background, the law that China released on the 1st of June 2017 (a good year before GDPR officially came into force) drew strongly from the GDPR, as the latter was framed in November 2016. This was a few months after GDPR became formalized for the public in April 2016.
The similarities contained within the two acts, which suggest a copying of the legal requirements, are as follows:
However, that is where the similarities appear to end. In a broad sense the two laws were the same; however, some differences emerged, at least at the outset. Within the Chinese law:
These similarities and differences existed within the 2016/17 versions. However, following the implementation of GDPR in May 2018, the Chinese Cyber Security Law underwent further modification in order to gain the benefits from the new European system.
This modified law placed new emphasis on:
It also set out which areas are deemed as critical industries and thus deserve greater protections:
The Chinese Cyber Security Law has some other differences, namely in reference to governing bodies; however, the starkest contrast has been in the implementation.
For many, the current laws have been used to target firms with international interests. This is because many of the laws, for example the requirement that information be kept within China, give Chinese firms an automatic edge. This means that they would be unaffected in their practices anyway, since companies such as Alibaba have a predominantly Chinese market base.
For international firms such as WhatsApp, which transports data between countries via encryption, issues may occur unless the Chinese government grants the company in question permission to transfer information. However, even in that case, a clause within the amendments, article 36 of the act, requires that:
“Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the CAC together with competent departments of the State Council, unless otherwise provided for in laws and administrative regulations”.
This means that the Chinese government, if it so desires, can look at business information, including trade secrets, where it relates to Chinese citizens' personal information being sent abroad.
This specific approach differs significantly from GDPR, which under article 42 permits data transfer without checking the information, so long as the third-party country in receipt of the data can prove its ability to keep the data secure.
At present, GDPR and the Chinese Cyber Security Law have not run foul of one another, yet both are newly introduced and only starting to acclimatise. On top of that, both are open to innovation and will have to deal with new technologies handling data as well as navigate a changing political landscape from Brexit.
Author: Cameron Haden