China’s data-privacy law vs. GDPR

Michael Gentle
Oct 11, 2018 · 3 min read

Though clearly modelled on GDPR, there are some key differences

While most of us were focused on meeting the May 25th GDPR deadline, China had quietly introduced its own data privacy law a few weeks earlier, on May 1st.

The country might have strict censorship laws, but it also happens to have the world’s largest and most advanced digital economy. What the government can do and what companies can do are two very different things.

What is it?

The Personal Information Security Specification (an unfortunate combination of words …) governs the collection and use of the personal data of Chinese residents by “network operators”. These are entities that own and manage a network. This can be for internal company use or for “domestic operations”, i.e. doing business in China.

There is a special category of network operator called “Critical Information Infrastructure Operator” (CIIO). They process information related to national security, the economy or public interest — e.g. in energy, transportation or public services — and are subject to more stringent requirements.

Comparisons with GDPR

The specification states that companies must have valid grounds for collecting personal data, and must have a transparent privacy policy explaining why they are collecting it and how it will be used. They can only take the minimum data required, cannot use it for other purposes, and can only retain it to the minimum extent necessary. Individuals have to provide their consent, and have full rights to their data, including erasure. And then there are requirements for security, breach notifications, DPOs and cross-border transfers.

Now if you feel that this reads suspiciously like GDPR, you’d be right, since the law was very much modelled on GDPR. However, there are some key differences.

Main differences with GDPR

In conclusion, though the new Chinese law has clearly been modelled on GDPR, there are some key differences, mainly a focus on national security and a balancing act between data privacy and economic growth in AI and ecommerce. Now if only they could start working on changing that unfortunate name…

Michael Gentle is the founder of The Balance of Privacy, based in Geneva.
