I am old enough to remember the dawn of the Internet. I was at law school at the time and the Internet - or "the Web" as it was then called - was starting to escape the University campuses and take hold in the commercial world.  In 1993, when I first logged on to the Web to join a chat group devoted to my favorite rock band, it was seen as a digital village where people from all around the world could reach across geographical, political and religious divides and share information, opinions and ideas.  It was a utopian ideal and for a time, it really did feel like a community.

Fast forward to the present day and things are very different.  The Internet has been turned into a commercial tool where personal data can be harvested and used to sell products and services to users.  That in turn has made data a valuable commodity - something that can be bought and sold and, increasingly, stolen or corrupted.

Recently, however, things have begun to change.  After numerous scandals and public backlash against big internet companies, governments across the world are seeking to address the imbalance between citizens and the organizations that collect, process and use their personal data.  In the EU, that has taken the form of the General Data Protection Regulation ("GDPR"), which came into force on 25 May 2018.  In China, it has taken the form of the Cybersecurity Law ("CSL"), which came into force on 1 June 2017, together with related administrative measures, including the "Information Security Technology Personal Information Security Specification" (the "Personal Information Specification"), which came into force on 1 May 2018, and the "Administrative Measures on the Security Assessment of the Overseas Transfer of Personal Information and Important Data" (the "Data Transfer Law"), which is still in draft but likely to come into effect some time in 2019.  For ease of reference, I will refer to the Chinese laws and regulations collectively as the "PRC Laws".

In broad terms, the aim of both sets of legislation is to give data subjects more control over their personal data and place restrictions on how organizations collect, process and use personal data. 

For multi-nationals operating in China, the new legislation may mean that they are subject to two separate but overlapping regimes – one applying to their operations in the EU and another applying to their operations in China.  A question we are commonly asked is: "If we are compliant under the GDPR, will we be compliant under the PRC Laws?"  In this article, we aim to address that question by undertaking a comparative analysis of the two sets of legislation and analyzing the similarities and differences between them.  In particular, we will focus on:

  • Key definitions;
  • Their territorial scope;
  • Collection and use of personal data;
  • Control over personal data;
  • Sharing and transfer of personal data;
  • Transfer of personal data out of the jurisdiction;
  • Security of personal data; and
  • Enforcement.

In many ways, the GDPR and the PRC Laws are very similar, but there are some differences that organizations operating in China need to be aware of.

Key definitions

The GDPR is a more comprehensive and prescriptive piece of legislation than the PRC Laws.  As a result, it is significantly more detailed in its scope and application than the Chinese legislation.  Having said that, the two sets of laws deal with similar concepts and contain similar definitions of key terms.  Set out below is a comparative table of those key terms.
