TABLE OF CONTENTS
Introduction.
Chapter I. The Personal Data Regulation in China under the PRC Cybersecurity Law.
Section 1. The principles guiding data protection in China.
Section 2. The main legal sources of personal data protection.
Section 3. The Key Definitions of personal data protection under the Chinese Law.
Section 4. The Collection and Use of Personal Data under the Chinese Regulation.
Section 5. The transfer of Personal Data.
1. General data transfer rules.
2. The Privacy Impact Assessment under Chinese regulation.
Section 6. Sanctions.
Chapter II. The Personal Data Regulation in the EU under GDPR.
Section 1. The principles guiding GDPR.
Section 2. The Key definitions in GDPR.
Section 3. The Collection and Use of Personal data.
Section 4. The Transfer of Data outside of the EU.
Section 5. The Privacy Impact Assessment (PIA)
Section 6. The sanctions for violation of the GDPR.
Chapter III. Analysis of the differences between the EU and the Chinese system.
Section 1. The influence of the GDPR on the Chinese Regulation: A Chinese GDPR?
Section 2. The GDPR, a move towards Cyberspace sovereignty, echoing the Chinese Policy on Cyberspace.
Section 3. Economic and trade motivations behind the GDPR and the Chinese Personal Data Regulation criticized by members of the International community.
Conclusion.
Bibliography.
Introduction
While European States are preparing for the new European regulation on personal data, the General Data Protection Regulation (GDPR), set for 25 May 2018, China is also preparing to apply its new data regulation in May 2018[1].
Due in particular to its communist past, China has for a long time almost ignored the right to privacy and the protection of personal data. But since the beginning of its work on the subject in 2005, the Chinese legislator has been looking towards the European model.
In 2005, when no data protection law yet existed in the country, China had considered adopting an ambitious text, similar to the EU directive on personal data protection. A law had been prepared, with a broad European scope, covering the private and public sectors, inspired by international standards and the strictest European principles. However, this text did not pass the draft stage and never became a Chinese law.
Years after this first attempt, the emergence of Big Data persuaded China to strengthen its cyber security in the broadest sense, a belief encouraged by Edward Snowden’s revelations[2]. In 2012, as the EU began work on the GDPR, China adopted its first data protection laws for the private sector[3]. At this time, it was the American sectoral approach that was favored by China.
At that time, many sectors were covered by specific personal data regulations (postal, medical, banking, etc.), but it was especially the rules intended for the Internet sector that were the most developed. Gradually, their level of protection increased and their scope extended, while observers saw a European inspiration in the content.
In recent years, China has become more aware of personal data issues, notably because the leakage of such data has reached unbearable levels for the country. In 2016, it is estimated to have caused a loss of 91.5 billion yuan to the Chinese economy (around 11.5 billion euros), raising public concern already shaken by several high-profile cases. National scandals also made the Chinese public aware of the risks of data leakage, for example the Xu Yuyu case, in which, following the disclosure of personal data, a criminal stole money saved by a family for their 18-year-old daughter’s education; the girl died of a heart attack when she discovered the hacking.
This renewed attention has strengthened concern for data protection and has led to the reactivation of the 2005 project, with a greater ambition, like the GDPR. China’s recent cyber security law covers a broader field than data protection in the strict sense. Many provisions deal with the security of systems and their control.
In fact, this trend has been completed by the Cybersecurity Law of 2016[4], the major text of China’s strategy for cyberspace. In particular, the legislation is accompanied by non-binding guidelines encouraging the adoption of best practices, clearly inspired by the GDPR. It clearly appears that the GDPR is already seen by the Chinese legislator as an example to be followed; moreover, following it could be seen as an advantage for Chinese companies in complying with EU law, which is necessary to take advantage of the European market.
The Cybersecurity Law extends data protection obligations to the entire private sector in China. It incorporates new principles and reinforces others existing in previous texts. Additionally, the Law develops restrictions on the transfer of personal data and business data overseas that raise new issues for foreign enterprises and organizations that normally need to transfer information outside China, especially because the Law stipulates that “sensitive data” and important data must be stored domestically. All these new constraints for domestic and foreign businesses are enforced by heavy penalties.
The GDPR and the Chinese Regulation apparently pursue different goals but share common visions and purposes. In May, Europe and China will share similar legislation on data regulation, different from the American standards.
[1] Information Security Technology – Personal Information Security Standards – the National Information Security Standardization Technical – 29 December 2017 – effective on 1 May 2018
[2] Edward Snowden revealed in December 2013 the worldwide monitoring of the Internet, as well as of mobile phones and other means of communication, mainly by the US National Security Agency (NSA).
[3] For example: Provisions on Protecting the Personal Information of Telecommunications and Internet Users – Ministry of Industry and Information Technology – Effective: September 1st, 2013
[4] PRC Cybersecurity Law, Effective July 1st 2017