In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Partner Zhong Lin and Researcher Galaad Delval, CIPP/E, both specialists in data protection, cybersecurity and telecom laws at EY Chen & Co. Law Firm, compare key provisions of the Cybersecurity Law of the People's Republic of China with the EU GDPR.

The European Union adopted the GDPR in the spring of 2016, and the National People's Congress of the People's Republic of China passed the Cybersecurity Law of China in November of the same year. The CSL is new legislation intended to serve as a general law, given its broad application and its content on both data protection and cybersecurity. While companies are still working toward compliance with the GDPR ahead of its application date in May 2018, the CSL took effect June 1, 2017, ending the grace period and requiring full compliance with the law by network operators. At this particular time, a discussion of the similarities and differences between the two sets of compliance requirements should help companies doing business in both China and the EU.

A legal web for compliance

One of the most striking similarities between the GDPR and the CSL is that neither stands alone: each sits within a web of other instruments that shape how it applies. Because the GDPR is a regulation, it applies directly in the member states; however, member states may still enact stronger privacy rules to supplement the EU regulation on a limited set of topics (e.g., DPOs or children's data). In addition, the content of the GDPR is to be further interpreted by the future European Data Protection Board (gathering the member states' data protection supervisory authorities, the European Data Protection Supervisor and the European Commission).

China does not share the particular layered structure of EU law, but its set of data protection provisions is nonetheless extensive. It includes numerous normative texts scattered across industries, such as the Administrative Measures for Online Trading for e-commerce, the Administrative Provisions on Short Message Services for SMS and the Provisions on Protection of Personal Information of Telecommunication and Internet Users for the telecom industry, all of which coexist with general data protection laws such as the CSL. This structure signals to companies that this is a field of law in constant development, one that must be reviewed frequently to ensure continued compliance.

Personal information: The same basic unit across the globe

One point of conformity between the GDPR and the CSL is the definition of personal data. The definition of personal data given in Article 4(1) of the GDPR can be stripped down into four components:

  • Any information
  • Relating to
  • An identified or identifiable
  • Natural person

These four components are also present in the definition of personal information given in Article 76(5) of the CSL, which adds a fifth element covering the form in which the information is recorded:

  • All kinds of information
  • Recorded electronically or otherwise
  • That can be used independently or combined with other information
  • To identify
  • Natural person

The key point to draw from this comparison is that the definitions of personal information in China and in the EU are closely aligned, allowing data controllers and network operators to assess quickly whether a given item of data should be considered personal data under both systems of law and therefore triggers data protection provisions.

Between extraterritoriality and cybersovereignty

The scope of the GDPR and the CSL should also be considered in any analysis of the differences between them. Article 3(2)(a) of the GDPR makes explicit that a company located outside of the EU that offers "goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union" can fall within the obligations of the GDPR, thus giving the regulation an extraterritorial effect. In contrast, the principle of cybersovereignty on which the CSL is based is reflected in its territorial scope, which under Article 2 is strictly limited to the "territory of the People's Republic of China."

Given such a stark contrast, it can be concluded that companies located solely in China but doing business in both China and the EU should comply with both the CSL and the GDPR, while companies located solely in the EU, with no networks built or operated within China, would be bound only by the GDPR.

The cybersecurity focus of the Chinese law

The cybersecurity aspect of the CSL is another of its core differences from the GDPR. While the GDPR leaves network security largely to the Directive on security of network and information systems (the NIS Directive), the CSL's main legal focus is to set out a general framework for cybersecurity in China through the extensive scope described in its Articles 2 and 9. As such, the CSL can be understood as a law that bridges the gap between cybersecurity and data protection by fusing them into a single instrument, reinforcing the idea that cybersecurity and data protection cannot be separated from each other.

Bracing for compliance 

A crucial similarity between the GDPR and the CSL is the severity of the sanctions available against data controllers or network operators found to be noncompliant. In the case of the GDPR, and depending on the violation, Articles 83(4) and 83(5) respectively provide for administrative fines of up to "EUR 10,000,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher" and up to "EUR 20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher."

Regarding the CSL, while its fines can be considered lower than those of the GDPR (the highest fine is 10 times the illegal gains under Article 64 of the CSL), this should not be understood as the CSL being without teeth. For serious offenses, the relevant authorities can sanction a network operator with a website shutdown, a temporary or permanent suspension of the business license or, in serious circumstances, detention of the person responsible for the violation. Should either a GDPR fine or a CSL sanction be imposed on a company, both would have a grievous effect on the violator.
