1. Applicable legislation governing data protection in China

  • PRC Cybersecurity Law
  • Personal Information Security Specification (GB/T 35273-2020)

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

Under the Chinese data protection law, personal data refers to (i) data that is sufficient to identify an individual’s identity (taken alone or together with other data), and (ii) data that can reflect the activities or status of an identified individual.

Sensitive personal data refers to personal data that, once disclosed, illegally provided to others or otherwise used in an abusive manner, might endanger the safety of persons or property, could easily cause damage to personal reputation or physical and mental health, or could lead to discrimination.

2.2 Data Controller and Processor Obligations

While a processor does have its own set of obligations, the Chinese law focuses more on the obligations of a data controller. A controller shall pass the applicable cybersecurity and data protection obligations on to a processor by contract, and shall monitor the processor’s performance.

When a data subject’s right is infringed, the data controller usually bears the primary liability and then seeks indemnification from the processor (where available).

2.3 Data subjects’ rights

A data subject has the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, and certain rights in relation to automated decision making and profiling.

Unlike under GDPR, a data subject does not have the right to data portability under Chinese law.

2.4 Protection granted

If a controller or processor processes any personal data of an individual located within China, the Chinese data protection law will apply.

The 2nd Draft of the Personal Data Protection Law proposes to expand the application scope. Under the draft, if a controller or processor processes any personal data of an individual located within China, the Chinese data protection law will apply even if the processing occurs outside of China, as long as the purpose of the processing is to supply products or services to the individual, or the individual’s activities are being analysed and assessed.

2.5 Data protection officer/Representative

A data protection officer/representative is not expressly required at the statutory level. The law only provides for the appointment of designated personnel in charge of security and data protection matters.

The 2nd Draft of the Personal Data Protection Law may require the appointment of a data protection officer or representative if the processing is carried out at a large scale.

2.6 Remedies

A data subject’s remedies mainly include filing a complaint with the supervisory authority, and seeking an effective judicial remedy before the competent courts.

2.7 Fines

Up to RMB 1 million

The 2nd Draft of the Personal Data Protection Law proposes to raise the maximum fine to RMB 50 million or 5% of the previous year’s revenue.

2.8 Other major differences

Critical information infrastructure (CII) operators must store all personal data that they collect during their operations within the territory of China exclusively within China, unless the overseas transfer passes a security assessment.

The scope of this data localisation requirement may even be expanded to cover non-CII operators who process data at a large scale.

3. The GDPR impact

3.1 On existing legislation and prospective rules

While the Chinese data protection law includes many data protection principles similar to those under the GDPR, alignment with the GDPR is not a critical factor shaping the prospective rules.

3.2 In practice

An organisation’s compliance with the GDPR does not mean that it will automatically be compliant with the Chinese data protection law. A thorough local-law review of data protection strategies and practices is always recommended.

4. Conclusions/expectations/commentary

Following the issuance of the 2nd Draft of the Personal Data Protection Law in April 2021, it is expected that China will soon have its first dedicated personal data protection law. For a multinational company doing business in both the EU and China, it is important to take compliance actions in time to localise strategies that were formulated against the GDPR background.