Published on September 20, 2018 by ottohopkinsfagan


It would be a falsehood to say that the GDPR did not change the legal landscape of how businesses and consumers handle their data; more than that, it has begun to shape even the policies of other jurisdictions.

Yet how does GDPR compare to other data security laws around the world? We discuss the answer to that question by looking at the Chinese Cyber Security Law.



For some background, the law that China released on the 1st of June 2017 (a good year before GDPR officially came into force) drew strongly from the GDPR, as the latter was framed in November 2016. This was a few months after GDPR became formalized for the public in April 2016.


The similarities contained within the two acts, which suggest a copying of the legal requirements, are as follows:

  • That consumers be notified about data leaks or breaches
  • That consumers be made aware of the use for their data
  • That consent to gather data be acquired
  • The appointment of personnel to ensure compliance
  • Financial penalties and enforcement procedure


However, that is where the similarities appear to end. In a broad sense the two laws were the same; however, some differences emerged, at least at the outset. Within the Chinese law:

  • Those in breach faced prison sentences of up to seven years
  • Those in breach, if in a serious industry, could have assets, licenses and money seized
  • The terminology of personnel was different, with a ‘network operator’ rather than a ‘data handler’
  • The law focused on the Socialist Market Economy rather than a capitalist economy
  • Instead of isolating information to Europe, the law required data gathered in China to remain in China

These similarities and differences existed within the 2016/17 versions; however, following the implementation of GDPR in May 2018, the Chinese Cyber Security Law underwent further modification in order to gain the benefits from the new European system.



This modified law placed new emphasis on:

  • Requiring Level 3 and above (highly important Chinese industries) to adhere to more regulations
  • Incorporating Supreme Court decisions that set out what constitutes a serious or non-serious breach

Affected Industries

It also set out which areas are deemed as critical industries and thus deserve greater protections:

  • Public communications
  • Information service
  • Energy and transport
  • Water conservancy
  • Finance
  • Public service
  • E-government
  • Other critical information infrastructure


The Chinese Cyber Security Law has some other differences, namely in reference to governing bodies; however, the starkest contrast has been in the implementation.

For many, the current laws have been used to target firms with international interests. This is because many of the laws, for example information being kept within China, give Chinese firms an automatic edge. This means that they would be unaffected in their practices anyway, since companies such as Alibaba have a predominantly Chinese market base.


Impact on International Firms including those from the UK

For international firms such as WhatsApp, which transports data between countries via encryption, issues may occur unless the Chinese government grants the company in question permission to transfer information. However, even in that case, a clause within the amendments, article 36 of the act, requires that:

“Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the CAC together with competent departments of the State Council, unless otherwise provided for in laws and administrative regulations”.

This means that the Chinese government, if they so desire, can look at business information, including trade secrets, where it relates to Chinese citizens' personal information being sent abroad.

This specific approach differs significantly from GDPR, which under article 42 permits data transfer without checking the information, so long as the third-party country in receipt of the data can prove its ability to keep the data secure.


Future dilemma

At present, GDPR and the Chinese Cyber Security Law have not run foul of one another, yet both are newly introduced and only starting to acclimatise. On top of that, both are open to innovation and will have to deal with new technologies handling data as well as navigate a changing political landscape from Brexit.


Author: Cameron Haden
