Though clearly modelled on GDPR, there are some key differences
While most of us were focused on meeting the May 25th GDPR deadline, China had quietly introduced its own data privacy law a few weeks earlier, on May 1st.
The country might have strict censorship laws, but it also happens to have the world’s largest and most advanced digital economy. What the government can do and what companies can do are two very different things.
What is it?
The Personal Information Security Specification (an unfortunate combination of words …), governs the collection and use of the personal data of Chinese residents by “network operators”. These are entities that own and manage a network. This can be for internal company use or for “domestic operations”, i.e. doing business in China.
There is a special category of network operator called “Critical Information Infrastructure Operator” (CIIO). They process information related to national security, the economy or public interest — e.g. in energy, transportation or public services — and are subject to more stringent requirements.
Comparisons with GDPR
Now if you feel that this reads suspiciously like GDPR, you’d be right, since the law was very much modelled on GDPR. However, there are some key differences.
Main differences with GDPR
- To start with, the specification is not yet a law, so is not legally binding. However, there is a strong incentive for compliance because the authorities have investigatory powers over infringements on personal data and can impose administrative sanctions.
- Whereas the EU law upholds personal rights and freedoms, the Chinese law forms part of the Cybersecurity law of 2017, a comprehensive framework governing information and communication technology in China. Data privacy therefore operates under the umbrella of national security.
- Under GDPR, consent is explicit; in China it is looser, and may even be “implied”. This makes their notion of consent more like America’s, and less like Europe’s. Apparently, the government does not want to the law to be so strict that it undermines the growth of its national champions in AI (Baidu) and ecommerce (Alibaba and Tencent), who benefit from huge datasets and an advanced digital economy.
- Consent is the only lawful basis, whereas GDPR has five others, including the joker of Legitimate Interests. There are however two “exemptions to obtaining consent”. These are to fulfil a contract (with a broader scope than in GDPR), and to maintain a safe and stable operation of a product or service.
- Both categories of network operator are required to store personal information and important data on servers within China. Cross-border transfers are allowed for valid business needs, as long the data subjects have provided their consent and the operator has passed a security assessment. But there is an override clause, whereby the authorities can block any cross-border data transfers for reasons of public interest or national security.
In conclusion, though the new Chinese law has clearly been modelled on GDPR, there are some key differences, mainly a focus on national security and a balancing act between data privacy and economic growth in AI and ecommerce. Now if only they could only start working on changing that unfortunate name…