Are Europe’s GDPR and China’s Cybersecurity Law two sides of the same coin? Lawyers from Kirkland & Ellis’s Hong Kong, Shanghai and London offices give a practical primer for global compliance
The EU’s General Data Protection Regulation (GDPR) officially came into effect on 25 May 2018, and is intended both to harmonize the various national data protection laws across the EU and modernize Europe’s overall data protection framework to reflect new technological developments.
Meanwhile, in China, a similar revolution has also taken place, with a new Cybersecurity Law (CSL), effective as of 1 June 2017, which has consolidated the country’s patchwork of cybersecurity and data-related regulations under one comprehensive law.
At first glance, it may be tempting to classify the GDPR and CSL as similar regimes, given certain commonalities between them. However, the regulations are not congruent, and multinational companies seeking to effectively address their privacy and security obligations and responsibilities under the respective regimes require a holistic understanding of both.
This article provides an overview of the key common requirements under the GDPR and the CSL in the areas of personal information protection, data security and cross-border data transfers for companies operating in China and the EU, including those companies that may not have a physical EU presence but that transact business with individuals located in the EU.
Overview of GDPR and CSL. The current EU Data Protection Directive has not kept pace with increases in cross-border data processing, use and transfer of personal data by data-intensive businesses, and global cybersecurity concerns. The GDPR was designed to provide individuals permanently or temporarily located in the EU with increased control over their personal data, and to place restrictions on the collection and use of such data by entities “established” in the EU, or by overseas entities with no physical presence in the EU, but that offer goods or services to, or monitor the behaviour of individuals in, the EU.
The CSL, which was adopted by the Standing Committee of the China National People’s Congress in November 2016, was China’s first overarching law governing cybersecurity issues. Although the CSL also covers issues related to personal data privacy, it differs in important ways from the GDPR and emphasizes to a greater degree than its European counterpart the role of national-level network and data security in protecting individual privacy.
Personal information protection. Whereas the GDPR approaches data protection as a critical component of individual rights, the CSL’s data protection measures flow from that legislation’s objectives to secure China’s network infrastructure, and in turn the data that passes through it. Nonetheless, there are certain similarities to both regimes’ approaches to the protection of personal data.
The GDPR applies to the processing of “personal data”, which is broadly defined as “any information relating to an identified or identifiable natural person”. In addition, the GDPR imposes enhanced obligations on the processing of “special categories of personal data”, which include: race or ethnicity; political opinions; religious or philosophical beliefs; trade union membership; health data or sex life and sexual orientation; and genetic or biometric data.
The CSL similarly broadly defines “personal information” as “any information recorded in an electronic or other forms which can be used, independently or in combination with other information, to identify a natural person’s personal identity”. This would include, but is not limited to: individuals’ names; identification numbers; birthdates; biometric information; and addresses. Under both the GDPR and the CSL, individuals have the right to request the correction and deletion of their personal data/information.
With regard to the processing of personal data, the GDPR provides that where consent is relied upon as the basis for such processing, the consent must be “freely given, specific, informed and unambiguous, and demonstrated either by a statement or a clear affirmative action”. In addition, where a “special category” of personal data is processed, explicit consent relating to this data must be obtained.
The CSL’s key requirements mirror those of the GDPR in this respect: specifically, both “network operators” (which would include most companies operating in China) and critical information infrastructure operators (CIIOs – a more restrictive group of companies in key sectors) must provide adequate disclosure to data subjects for data collection, and obtain individual informed consent for the collection and use of personal information. Consent must also be obtained before personal information may be provided to third parties.
It is important to note that the consent requirements differ in that the GDPR requires affirmative “opt-in” consent, whereas the statutory language of the CSL does not explicitly state that consent must be affirmative (although forthcoming implementing regulations may provide more clarity on the definition of “informed consent”). There are six separate legal bases upon which personal data may be processed under the GDPR, of which consent is just one. Depending on the particular circumstances, consent may not always be the most appropriate legal basis for processing.
Data security requirements. The GDPR imposes principles-based accountability for data security, under article 5(2). Covered businesses must implement appropriate technical and organization measures to comply with the data protection principles, and are required to conduct a data protection impact assessment for processing activities likely to result in a high risk to the rights and freedoms of individuals.
Cori Lable, Richard Sharpe and Jodi Wu are partners in Kirkland & Ellis’s government and internal investigations group, where Gerald Lam is an associate. All are based in Hong Kong except for Wu, who is based in Shanghai. Emma Flett is a partner in Kirkland & Ellis’s technology and IP transactions practice, based in the firm’s London office.