China: Key pointers on the Cybersecurity Law

Mainland China’s Cybersecurity Law marks not just heightened security requirements but also a change in approach to the enforcement of data protection laws. We consider the state of play in mainland China and how the privacy regime compares to the GDPR.
What is the Chinese Cybersecurity Law?
The Cybersecurity Law was the first legislation in mainland China to comprehensively regulate the country’s cyber networks. It came into effect on 1 June 2017. 
The Cybersecurity Administration of China, which is the central regulator for cyber networks, released the first draft just five days after the National Security Law was passed on 1 July 2015 by the National People’s Congress. President Xi Jinping himself emphasised the link between the two concepts: “without cybersecurity there is no national security”. 
This is not unique to mainland China and Governments around the world are wrestling with new or heightened national security concerns due to the growing importance of online networks. Other examples include the Trump administration’s action against Chinese-headquartered companies Tik Tok and WeChat, and the ban by the Indian Government on Chinese apps.
How does it relate to data privacy?
Chinese data privacy requirements have historically been scattered across various laws and regulations, including general principles relating to privacy in the Chinese Constitution and the Civil Code and sector-specific laws and regulations relating to sectors such as the internet, financial services and e-commerce. In addition, there are a number of regional laws, such as the Shanghai Consumer Protection Rules. 
This position changed with the Cybersecurity Law in 2017. Since it came into effect, there has been a rise in administrative enforcement action, with the Ministry of Industry and Information Technology publishing quarterly lists of enterprises in violation of the personal data regulations. 
Even the biggest tech players in mainland China have faced reprimands for non-compliance with data privacy laws and there have also been criminal cases with individuals being imprisoned for selling personal data in violation of the Chinese Criminal Law.
How does Chinese data law compare with GDPR?
The EU’s GDPR has had a strong influence in mainland China and other Asia Pacific states where governments have looked to the GDPR to formulate data protection rules to better protect their citizens’ interests. Certainly, aspects of the data protection regime in China are closely modelled on the GDPR. 
For example, Chinese mandatory laws use a concept of personal information that is similar to the definition of personal data under the GDPR – i.e. information which relates to an individual and which by itself or in combination with other information could disclose the identity of that individual. 
In addition, while there is no formal equivalent to the concept of special category personal data, authoritative guidelines on the use of personal information in online networks define sensitive personal data in a manner very similar to that of special category personal data under the GDPR.
However, there are differences. For example, the ability to process personal data under the GDPR hinges around the six distinct processing conditions in Article 6. Conversely, in mainland China, the sole statutory processing condition is obtaining consent of the individual.
In this respect, the GDPR is arguably more flexible and business-friendly as companies do not have to get individuals to, for example, sign contractual terms and conditions to give written consent or provide a click-through to consent in an online onboarding scenario. 
This may change as mainland China’s top legislature published the long-awaited first draft of its Personal Information Protection Law in October last year, which contains a nod towards business efficiency by introducing new grounds for collection and processing of personal information.
What about the protection of citizens’ interests?
The GDPR provides a number of rights for data subjects, such as the right to have inaccuracies in data rectified, the right to erasure, the right to access your personal information, and the right to data portability. 
China’s Cybersecurity Law currently only formally grants individuals the right to correction and erasure. However, equivalents to the other rights are set out in best practice guidelines in China and the privacy policies of many large companies incorporate that guidance into their operations. In addition, the new Personal Information Protection Law expected this year is likely to make compliance with these rights mandatory.
By Alex Roberts
Alex Roberts (our TMT Counsel in Shanghai) recently sat down with Greg Au-Yeung, the host of video series Inspiring China, to discuss these issues. A link to the video is here.
More insights on the latest developments in Chinese data law are here.