China’s Data Protection Laws Go Further Than GDPR

Published On January 22, 2019

Though much of the news concerning China and data protection in recent months has featured Chinese threat actors, the country’s citizens are often targets, too. China’s data protection laws have been presented as a response to the data security threats facing the nation.

For example, this January more than 200 million Chinese resumes were hacked, according to the South China Morning Post. The breach exposed job seekers’ names, phone numbers and political affiliations to anyone who wanted them. Breaches like this one — along with more than 3.82 billion Chinese records exposed in 2017, according to Risk Based Security’s data breach report — explain the motivation behind China’s new data protection laws, which were announced in October 2018 and take effect on May 1 of this year. They join China’s existing Cyber Security Law, which went into effect in June 2017, helping to bring its previous data protection regulations into the 21st century.

The Scope of the Laws

Introduced by the State Administration for Market Regulation (SAMR) and the Standardization Administration of the People’s Republic of China (SAC), the six new national standards include the Information Security Technology — Security Technique Requirements for Citizen Cyber Electronic Identity. These new standards apply to personal data collected over networks. They’re also intended to improve the security of networks and supply chains. The reach of the standards, which haven’t yet been published in English, extends to internet service providers and any organization that provides internet services. This could include any organization that operates a website or service in the country.

According to Mondaq, under China’s data protection laws, the Chinese government or other security organizations can inspect any internet service provider from a security and data protection standpoint. China’s new laws require organizations to comply with security regulations, such as having dedicated cybersecurity personnel, securely collecting and storing user registration and information, and implementing technical measures designed to prevent cyberattacks and network intrusions. The laws also call for mandatory cybersecurity management and software. The law states that inspections of organizations and infrastructure can be conducted at any time without prior notice and may involve intrusion and threat testing, along with search and seizure of any information.

Why These Data Protection Laws Are Different

It is these last elements of the new Chinese regulations that distinguish them from other global regulations. For instance, although industry experts say the new Chinese laws were inspired by the EU’s General Data Protection Regulation (GDPR), furnishing both infrastructure and governance, the Chinese law takes everything one step further, notes Mondaq.

GDPR directs organizations to gather personal data legally and store and manage it correctly to protect it from theft, leaving data ownership in the hands of end users. The Chinese law puts ownership and control squarely in the hands of the government. Yes, data must be stored securely and consumers must be informed about what organizations are collecting, processing and sharing, but the end user has little control over their own personally identifiable information (PII).

From a business perspective, this means any organization doing business in China must not only disclose how and when they are collecting PII but also understand that the data being collected can be searched and seized at any time. Plus, organizations must understand how to protect that data or face severe financial penalties. For this reason alone, it will become more important for organizations to work with technology partners that are well-versed in Chinese law as well as data protection and records and information management.