Is China Converging With EU on Personal Information Protections?

China is moving fast building up its data regulation regime. In June of 2017, China’s Cybersecurity Law came into force, the first national-level and cross-sector legislation in China to protect personal information. Since 2017, China also has launched a pragmatic guidance Information Security Technology – Personal Information Security Specification (“Specification”) and the drafts of three supporting national standards (regarding cross-border data transfer, data de-identification and privacy impact assessment). At the time of writing, at least three other related national standards are underway, plus a formal personal information protection law.

China’s rapid progress has attracted global attention, with some scholars concluding that China is converging with the European Union (EU) on personal information protections, especially when looking at Chinese efforts in comparison to the General Data Protection Regulations (GDPR). China’s approach might be even more far-reaching to some extent, some have said, raising the example that while the GDPR allows ample flexible options for compliance besides “consent,” China’s Cybersecurity Law focuses entirely on consent which further strengthens individuals’ control over their data. (More details about the comparison of “consent” can be found in my previous post.)

At first glance, China’s rules may resemble the GDPR. They both follow the principles like data minimization, transparency, and data security, and they both give individuals similar rights to control their data, such as right of access, right to rectification, and right to erasure, to name a few. However, this similarity is only superficial. Driven by the disparate values and national priorities of China and EU governments, China is fundamentally different from the EU in regards to personal information protections, and such difference influences how the laws of each will be interpreted and enforced. Awareness of this sheds light on where China’s data regulation may lead in the future.

Difference by Design – The Legislative Context

The history of the GDPR can be traced back to the Universal Declaration of Human Rights (1948) and the European Convention of Human Rights (1950), which expressly recognize privacy as a fundamental human right. EU people have greatly valued the right to a private life and associated freedoms as essential for the protection of democracy, individual freedom, and other fundamental human rights like free speech for a long time.

Under this rubric, the GDPR is a human-centric law. As its official name suggests, this regulation is “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data….” The GDPR focuses on protecting individual’s privacy balanced with the need to promote free flow of data. The “rights and freedom [of data subjects / individuals]” is a frequent phrase in the GDPR as a required consideration for data controllers when they make decisions on data processing. Protecting the rights and freedom of people is embedded in the genes of the GDPR, and reaches through every article of this law and their interpretations.

China is different; personal information is protected – or more precisely, regulated – under a bigger framework of national security. The focus of Chinese regulation is not the same as the European Union’s. China government has deemed cybersecurity a necessary part for national security. Protecting personal information is more to serve the national purpose, rather than for human rights. China’s Cybersecurity Law is currently the overarching law to protect personal data. But this law, as its name suggests, primarily aims to maintain the cybersecurity and control over any and all information the government thinks may endanger national security. It concerns itself with “cyberspace sovereignty” and how to implement robust government control over every sector of network, including critical information infrastructure, products used for maintaining cybersecurity, cross-border data transfer, and even online content. Compared to the detailed deployment for security purposes, the Cybersecurity Law only gives a few high-level principles addressing personal information protections, leaving a lot of vagueness and no effective enforcement mechanism.

The Specification as a recommended national standards supporting China’s Cybersecurity Law provides more concrete details about what the Chinese government may expect as good industrial practices in handling personal information. In many ways, it indeed looks similar to the GDPR, but as a non-legally binding standard subject to the Cybersecurity Law and similarly providing no pragmatic solutions for the impacted to seek remedies, the existence of the Specification does not help much to truly bring China closer to the EU. In addition, China’s national priority of becoming a global leader in AI development indicates a strong government determination in data control while maximizing data value, as reflected by a series of important government policies such as The Action Outline for Promoting the Development of Big Data and The 13th Five-year Plan.

An Example: Cross-Border Data Transfer

How China and the EU each regulate cross-border data transfer is a good example to illustrate this point. They bear a surface resemblance. The GDPR does not allow data to leave the European Economic Area unless satisfying a three-tiered mechanism, and China’s Cybersecurity Law requires data localization for personal information and important data generated by the local business of critical information infrastructure, except for business necessity subject to a security check following government rules.

The key difference is, the GDPR offers ample practical options to facilitate compliance under the principle of respecting human rights and individual control over their data, while China adopts a much more restrictive mechanism to facilitate government control. Under the GDPR, if the recipient country or organization cannot satisfy the adequacy test, data can still leave if there are appropriate safeguards respecting human rights or specific situations. Simply speaking, the GDPR provides such a wide range of solutions that generally any good-faith entity should be able to find a compliant way to transfer data across the border.  

As said earlier, China’s Cybersecurity Law requires data localization for personal information and important data generated from the local operations of critical information infrastructure. How to exactly implement this has not yet been fully determined by the government. Nonetheless, clues can be found in two proposed implementation policies, both still on the drafting stage now – Measures for the Security Assessment of Personal Information and Important Data Leaving the Country (Measures) and Guidelines for Data Cross-Border Transfer Security Assessment. The former would be a government rule-making with binding effect, and the latter is designed to be, like the Specification, a non-legally binding national standard. The draft Measures further tightens the already stringent restrictions under the Cybersecurity Law via expanding the applied entities beyond critical information infrastructure to cover all network operators. It also proposes a broad list of situations mandating security assessment and another broadly forbidden list where the data will not be allowed to transfer cross-border.

While the necessity to perform a business contract can be sufficient to allow data to leave the EU, this merely satisfies the condition to request a security assessment in China where the government will have a final say. While the EU limits the data transfer with a focus on whether individual rights can be properly protected, China’s approach emphasizes on governmental control over data.

A few final words

It is also worth noting that in China, the public sector and the private sector are not on the same track in respect to personal information protections. China’s Cybersecurity Law regulates network operators in data collection and usage, and the government is not deemed as network operators. This can be interpreted that China government almost has a free pass under the current law to collect and process personal data, which is not the case in the EU.

As briefly addressed before, the effectiveness and enforceability is another variable. Strong regulations mean little if there is no effective enforcement and remedy to the impacted. Prior to China’s Cybersecurity Law, there actually were many other sectoral laws and rules designed to protect personal information, but they were rarely enforced. The problem still exists today; data abuse is still rampant one year after China’s Cybersecurity Law became effective. The coming official personal information protection law may improve this, possibly bringing China a little bit closer to the EU. But as analyzed above, it is incorrect to expect that, in the foreseeable future, China will truly create as strong protections to personal information as the EU.