Are Europe’s GDPR and China’s Cybersecurity Law two sides of the same coin? Lawyers from Kirkland & Ellis’s Hong Kong, Shanghai and London offices give a practical primer for global compliance
The EU’s General Data Protection Regulation (GDPR) became applicable on 25 May 2018 (it entered into force in May 2016, with a two-year transition period), and is intended both to harmonize the various national data protection laws across the EU and to modernize Europe’s overall data protection framework to reflect new technological developments.
Meanwhile, in China, a similar revolution has also taken place, with a new Cybersecurity Law (CSL), effective as of 1 June 2017, which has consolidated the country’s patchwork of cybersecurity and data-related regulations under one comprehensive law.
At first glance, it may be tempting to classify the GDPR and CSL as similar regimes, given certain commonalities between them. However, the regulations are not congruent, and multinational companies seeking to effectively address their privacy and security obligations and responsibilities under the respective regimes require a holistic understanding of both.
This article provides an overview of the key common requirements under the GDPR and the CSL in the areas of personal information protection, data security and cross-border data transfers for companies operating in China and the EU, including those companies that may not have a physical EU presence but that transact business with individuals located in the EU.
Overview of GDPR and CSL. The previous EU Data Protection Directive (Directive 95/46/EC, which the GDPR repeals) had not kept pace with increases in cross-border data processing, use and transfer of personal data by data-intensive businesses, or with global cybersecurity concerns. The GDPR was designed to provide individuals permanently or temporarily located in the EU with increased control over their personal data, and to place restrictions on the collection and use of such data by entities “established” in the EU, or by overseas entities with no physical presence in the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
The CSL, which was adopted by the Standing Committee of the China National People’s Congress in November 2016, was China’s first overarching law governing cybersecurity issues. Although the CSL also covers issues related to personal data privacy, it differs in important ways from the GDPR and emphasizes to a greater degree than its European counterpart the role of national-level network and data security in protecting individual privacy.
Personal information protection. Whereas the GDPR approaches data protection as a critical component of individual rights, the CSL’s data protection measures flow from that legislation’s objectives to secure China’s network infrastructure, and in turn the data that passes through it. Nonetheless, there are certain similarities to both regimes’ approaches to the protection of personal data.
The GDPR applies to the processing of “personal data”, which is broadly defined as “any information relating to an identified or identifiable natural person”. In addition, the GDPR imposes enhanced obligations on the processing of “special categories of personal data”, which include: race or ethnicity; political opinions; religious or philosophical beliefs; trade union membership; health data or sex life and sexual orientation; and genetic or biometric data.
The CSL similarly defines “personal information” broadly as “any information recorded in electronic or other forms which can be used, independently or in combination with other information, to identify a natural person’s personal identity”. This would include, but is not limited to: individuals’ names; identification numbers; birthdates; biometric information; and addresses. Under both the GDPR and the CSL, individuals have the right to request the correction and deletion of their personal data/information.
With regard to the processing of personal data, the GDPR provides that where consent is relied upon as the basis for such processing, the consent must be “freely given, specific, informed and unambiguous, and demonstrated either by a statement or a clear affirmative action”. In addition, where a “special category” of personal data is processed, explicit consent relating to this data must be obtained.
The CSL’s key requirements mirror those of the GDPR in this respect: specifically, both “network operators” (which would include most companies operating in China) and critical information infrastructure operators (CIIOs – a more restrictive group of companies in key sectors) must provide adequate disclosure to data subjects for data collection, and obtain individual informed consent for the collection and use of personal information. Consent must also be obtained before personal information may be provided to third parties.
It is important to note that the consent requirements differ in that the GDPR requires affirmative “opt-in” consent, whereas the statutory language of the CSL does not explicitly state that consent must be affirmative (although forthcoming implementing regulations may provide more clarity on the definition of “informed consent”). There are six separate legal bases upon which personal data may be processed under the GDPR, of which consent is just one. Depending on the particular circumstances, consent may not always be the most appropriate legal basis for processing.
Data security requirements. The GDPR imposes principles-based accountability for data security under article 5(2). Covered businesses must implement appropriate technical and organisational measures to comply with the data protection principles and to secure processing (article 32), and are required to conduct a data protection impact assessment (article 35) for processing activities likely to result in a high risk to the rights and freedoms of individuals.
In China, the CSL requires both network operators and CIIOs to implement a set of baseline security requirements including: internal security management policies and protocols; measures to prevent viruses, cyber-attacks and other security threats; and mechanisms such as automatic backup and encryption to protect sensitive data.
The obligations of network operators in responding to data breaches are not yet fully understood, as the legislation states they must “timely” report security incidents to the relevant Chinese authorities under (yet to be issued) “applicable rules”. CIIOs are subject to more stringent additional requirements, including implementing a disaster recovery backup protocol for important systems and databases, conducting regular inspections and assessments of their network security for potential risks, and carrying out a national security review process before procuring or using network products and services that may affect national security.
To complement the CSL, the Standardization Administration of China (SAC) released the National Standard on Personal Information Protection (GB/T 35273-2017, the Personal Information Security Specification) in January 2018. The standard provides guidance on personal information protection and sets out the best practices expected by regulators. It applies to “personal information controllers”, namely any person or organization that has the “power to decide the purpose and method” of processing personal information. This definition somewhat resembles the GDPR’s “data controller” concept. The standard provides the following:
- Consent and other legal grounds for data processing. The collection of personal information, and the subsequent use of this information, requires consent (which is not always the case under the GDPR). For the collection of sensitive personal information, defined as “any personal information which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation and mental and physical health, or leading to discriminatory treatment”, informed consent must be clear and explicit, with such consent to be separately obtained.
- Notices. Prescribed information should be included in privacy notices, such as the methods of collection and the applicable processing rules, including a data subject’s rights and complaints procedures. Note that the GDPR also prescribes what information should be provided to individuals to ensure that processing is fair and lawful.
- Rights of individuals. Certain rights are granted to individuals, similar to those provided under the GDPR, including data request rights, account cancellation rights, data erasure rights and data portability rights for certain information such as health, education or occupational information.
- Vendors/data processors. Prior to outsourcing the processing of personal information, personal information controllers must conduct a risk assessment to ensure that the vendor acting as processor has adequate data security, and thereafter continue to supervise the vendor through audits and assessments. Similar to the GDPR, processors must assist personal information controllers in responding to requests from data subjects, and promptly notify personal information controllers of any security incidents. Under the GDPR, data controllers must ensure that any data processors they appoint can provide “sufficient guarantees” as to the safe handling of such data, and must impose certain obligations on those data processors under contract.
- Data sharing. Individuals must be notified and consent prior to their personal information being shared with third parties (which must be distinct from the consent that covered the initial collection and processing of the data), unless the personal information has been “de-identified”. In contrast, although the GDPR requires that individuals should be informed of the categories of recipients of personal data, consent will only be required in certain circumstances.
- Security and deletion. Controllers should maintain adequate internal procedures for access to personal information, and ensure that adequate records are kept of all data processing. A chief information security officer and other designated “key personnel” responsible for information security should be appointed, with periodic training and security testing conducted. These requirements are very similar to those imposed by the GDPR.
- Incident response. Personal information controllers must maintain information security incident response plans, undertake regular training and drills (at least annually), and adhere to the Cyberspace Administration of China’s (CAC) incident notification requirements, both to authorities and affected individuals. Notably, the GDPR requires a personal data breach to be notified to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, and requires affected individuals to be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Data protection impact assessments. Such assessments (similar to those required by the GDPR) should be conducted when new legislative requirements are enacted, when major changes are made to business models, information systems or operational environments, or when significant personal information security incidents occur.
Cross-border data transfers. Under the GDPR, cross-border transfers of personal data from the European Economic Area (EEA) to a third country are restricted, except where that country has been deemed by the European Commission to have an adequate level of data protection. As under the EU Data Protection Directive, the GDPR permits workarounds such as the use of EU model contract clauses, binding corporate rules, and the EU-US Privacy Shield. The GDPR also provides for two additional mechanisms, namely the use of an approved code of conduct or an approved certification mechanism, both of which may be used with binding and enforceable commitments in the third country to apply these safeguards. Similar to the directive, the GDPR continues to permit the transfer of personal data from the EEA to a third country based on limited and narrowly interpreted derogations such as: explicit informed consent; contractual necessity; or compelling legitimate interest (where the relevant data protection authority is notified and no other safeguard is available).
Although drafts of the CSL included strict data localization requirements, the final version of the law imposes localization only on CIIOs (article 37, which requires personal information and “important data” collected or generated by CIIOs in China to be stored in China, with a security assessment before any necessary transfer abroad), and does not prohibit network operators generally from transferring data outside of China. Under the CAC’s draft implementing measures, however, network operators may transfer data freely unless it includes personal information or “important data” (data that is closely related to national security, economic development and the societal and public interests), for which they must first conduct a security self-assessment of the risk of overseas transfer.
In addition to the security self-assessments, before transferring personal information overseas, a network operator must disclose the purpose, scope, type of transfer, and the country or region to which the information will be transferred to, and obtain informed consent from, all individuals whose information is included.
Further, draft data transfer regulations suggest that network operators may be required to disclose results of their security self-assessments to relevant industry regulators, such as the Chinese Food and Drug Administration or Chinese Banking Regulatory Commission, prior to conducting any large-scale outbound transfers of personal information (comprising more than 500,000 individuals per year).
The CSL’s draft implementing regulations also suggest that network operators will be required to disclose the results of security self-assessments to (and potentially be required to receive approval from) relevant industry regulators prior to transferring “important data” outside of China.
At the date of writing, the CAC had not finalized the draft regulations detailing how a self-assessment must be conducted, and so the compliance deadline for the CSL’s cross-border data transfer requirement has been deferred until 31 December 2018.
Practical implications for multinational companies. Penalties under the GDPR are substantial, with fines of up to 4% of global annual turnover, or €20 million (US$25 million), whichever is higher. Pecuniary penalties for violations of the CSL are considerably lower, with network operators facing fines of up to RMB500,000 (US$80,000), and CIIOs facing fines of up to RMB1 million per violation.
A breach of the CSL, however, also can be punished by the suspension of operations, or the revocation of business licenses or permits, all of which would have serious and long-lasting ramifications for companies’ continued presence in China. Similarly, under the GDPR, European regulators have additional enforcement powers, including ordering an entity to stop processing personal data altogether. Under both regimes, penalties could expose companies to associated reputational damage, the value of which is difficult to quantify.
Companies subject to the GDPR, which also operate in China, should consider the following measures to ensure their compliance under both regimes:
- Network operator or CIIO? Self-identify your status under the CSL (with legal advice where necessary), to determine the extent of obligations owed in China.
- Notice and consent. Review existing employee and customer data privacy notices, consents and processes. Review the legal grounds for data processing and determine how consent needs to be obtained (e.g., opt-in consent would need to be obtained for individuals in the EU where consent is the basis relied upon, but note that consent is not always the most appropriate legal basis, including in an employment context, where there is an imbalance of power between the employer and employee).
- Records of data processing activities. Conduct a data flow analysis to determine and document the use of personal data within the organization, as well as in what jurisdictions the data is stored and processed, and with whom it is shared.
- Data protection. Consider whether a dedicated data protection officer is required under the GDPR, which mandates one where core activities consist of large-scale processing of “special categories of personal data” or regular and systematic monitoring of individuals on a large scale. Similarly, consider whether the appointment of responsible person(s) to oversee information security and cybersecurity is required in accordance with the CSL and the SAC national standard.
- Data protection impact assessments (GDPR)/security self-assessments (CSL). Consider whether data protection impact assessments are required in cases where new technologies and processing would likely result in a high risk to EU individuals (e.g., profiling of individuals’ data on a large scale). For data originating from China, ensure that a security assessment is conducted prior to the offshoring of the data, and consider whether the relevant regulators need notification under existing regulations.
- Security breaches and reporting. Under the GDPR and the CSL, personal data/information breaches need to be reported to the relevant regulators and the affected individuals expeditiously (the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals, and notification to affected individuals without undue delay where the risk is high). Information security standards and policies should therefore be reviewed and updated, and a process implemented for regular security audits. Finally, a response plan should be developed to ensure that data breaches are detected, reported and investigated efficiently and effectively.
- Data processors. Review vendor agreements to verify provisions for liability and breach reporting in accordance with the GDPR requirements for processors, and generally consider implementing a vendor management programme (which should include a vendor questionnaire, minimum acceptable security requirements and vendor audits).
- New data subject rights. Evaluate the impact of new data protection rights under the GDPR and the CSL, namely the right to erasure, objection to processing and direct marketing, and data portability. Develop necessary policies and procedures based on the impact of such rights upon the organization.
- International data transfers. Review existing and planned business operations, and conduct an assessment of data flows to determine what is sent offshore and whether it falls under personal information/personal data under the CSL and the GDPR, respectively, as well as whether it qualifies under the definition of “important data” under the CSL, or “special category data” under the GDPR.
- Closely monitor legislative developments in China. Given the continuing development of the CSL’s implementing regulations, guidelines and standards, including the offshore transfer requirements, companies should actively monitor developments on this front.
Cori Lable, Richard Sharpe and Jodi Wu are partners in Kirkland & Ellis’s government and internal investigations group, where Gerald Lam is an associate. All are based in Hong Kong except for Wu, who is based in Shanghai. Emma Flett is a partner in Kirkland & Ellis’s technology and IP transactions practice, based in the firm’s London office.