I am old enough to remember the dawn of the Internet. I was at law school at the time and the Internet - or "the Web" as it was then called - was starting to escape the University campuses and take hold in the commercial world. In 1993, when I first logged on to the Web to join a chat group devoted to my favorite rock band, it was seen as a digital village where people from all around the world could reach across geographical, political and religious divides and share information, opinions and ideas. It was a utopian ideal and for a time, it really did feel like a community.
Fast forward to the present day and things are very different. The internet has been turned into a commercial tool where personal data can be harvested and used to sell products and services to users. That in turn has made data a valuable commodity - something that can be bought and sold and, increasingly, stolen or corrupted.
Recently, however, things have begun to change. After numerous scandals and public backlash against big internet companies, governments across the world are seeking to address the imbalance between citizens and the organizations that collect, process and use their personal data. In the EU, that has taken the form of the General Data Protection Regulation ("GDPR") which came into force on 25 May 2018. In China, it has taken the form of the Cybersecurity Law ("CSL") which came into force on 1 June 2017 and related administrative measures, including the "Information Security Technology Personal Information Security Specification" (the "Personal Information Specification")1 which came into force on 1 May 2018 and the "Administrative Measures on the Security Assessment of the Overseas Transfer of Personal Information and Important Data" (the "Data Transfer Law") which is still in draft but likely to come into effect some time in 2019. For ease of reference, I will refer to the Chinese laws and regulations collectively as the "PRC Laws".
In broad terms, the aim of both sets of legislation is to give data subjects more control over their personal data and place restrictions on how organizations collect, process and use personal data.
For multi-nationals operating in China, the new legislation may mean that they are subject to two separate but overlapping regimes – one applying to their operations in the EU and another applying to their operations in China. A question we are commonly asked is – "If we are compliant under the GDPR, will we be compliant under the PRC Laws?". In this article, we aim to address that question by undertaking a comparative analysis of the two sets of legislation and analyzing the similarities and differences between them. In particular we will focus on:
- Key definitions;
- Their territorial scope;
- Collection and use of personal data;
- Control over personal data;
- Sharing and transfer of personal data;
- Transfer of personal data out of the jurisdiction;
- Security of personal data; and
In many ways, the GDPR and the PRC Laws are very similar, but there are some differences that organizations operating in China need to be aware of.
The GDPR is a more comprehensive and prescriptive piece of legislation than the PRC Laws. As a result, it is significantly more detailed in its scope and application than the Chinese legislation. Having said that, the two sets of laws deal with similar concepts and contain similar definitions of key terms. Set out below is a comparative table of those key terms.
|Term||GDPR definition||CSL Definition||Comment|
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR also recognizes "special category data" such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and genetic and biometric data the processing of which is subject to tighter restrictions.
Information, recorded electronically or otherwise, that can be used separately or in combination with other information to identify a particular natural person or to reflect a person's activities.
Personal Information includes a person's name, date of birth, ID number, personal biometric information, address, contact means, content of communication, account number and password, property information, credit information, whereabouts, residence, health and transaction information.
The Personal Information Specification also recognizes the category of "Personal Sensitive Information" which is any information which, if unlawfully disclosed, may endanger a person's physical and mental wellbeing, their reputation and/or their property and/or lead to discrimination. This category of data is subject to tighter restrictions on collection and processing.
|Both sets of legislation define personal data as data which, on its own or combined with other information, identifies a natural person|
Personal Data Subject
|Identified or identifiable natural persons – note that such persons must be living in order for the legislation to apply||Natural persons||Both sets of legislation define a data subject as a natural person, as opposed to a corporate entity.|
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law
Note that under the GDPR, where two or more Controllers jointly determine the purposes and means of processing, they will be 'joint Controllers' and must enter into an arrangement to determine their respective responsibilities for compliance with the GDPR.
|The organizations or individuals that have the right to determine the purposes and means of processing the personal data, etc.||
The GDPR distinguishes between – (a) Controllers, who make the key, overarching decisions about how and why personal data will be processed; and (b) Processors, who process data on behalf and on the instructions of the Controller. There are separate definitions for each. The PRC laws refer only to Controllers.
Under both laws, the primary obligations will fall on the organization that controls (or "determines the purposes and means of processing") personal data.
|Processor||A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. For the first time in European data protection law, the GDPR imposes certain obligations directly on Processors, rather than simply on Controllers.||No equivalent definition||There is no separate definition of a "Processor" under the PRC Laws. The obligations under the PRC Laws apply only to the Controller. However, where data is shared with another organization, the second organization may be deemed to be a "Co-Controller" and subject to the same obligations as the original Controller.|
|Collection and processing||
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Under the GDPR, where two or more Controllers jointly determine the purpose and means of processing, they will be "joint Controllers" and must enter into an arrangement to determine their respective responsibilities for compliance within the GDPR.
The act of gaining control over the personal data, including the voluntary provision of personal data by the Personal Data Subject, the automatic collection of information through interacting with or recording acts of Personal Data Subject, and indirect access to data through sharing, transferring and collecting public information.
|Under the GDPR, the act of collecting data is part of a broader definition of "processing" which includes storage, adaptation or alteration, retrieval of data and so on. Under the PRC Laws, there is no separate definition for "processing". Subject to further regulations being passed, any dealing with data (including collection) by a Controller is likely to be considered "processing".|
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
The Personal Data Subject gives explicit authorization for specific processing of Personal Information through written statements or affirmative acts voluntarily.
Note. Affirmative acts includes the Personal Data Subject making voluntary declarations (electronically or in written), choose or click "agree", "register", "send" or "call", etc.
The PRC Laws are arguably stricter and more prescriptive than the GDPR when it comes to the requirement to obtain consent from the Data Subject.
We discuss consent under both sets of legislation in more detail below.
Note in particular that under the GDPR, "explicit consent" is one potential legal basis for processing special category data.
The GDPR applies to:
- The processing of personal data by an organization established in the European Union ("EU"), regardless of whether or not the processing takes place in the Union. In other words, the GDPR potentially applies if an organization processes personal data in the context of any presence - such as a branch or office - in the EU (which need not be an incorporated entity) even if the processing of the personal data takes place out of the EU, such as in China;
- The processing of personal data of subjects in the EU by an organization that is not established in the EU, where the processing relates to the offering of goods or services to such data subjects in the EU or monitors the behavior of data subjects, as far as their behavior takes place within the EU;
- The processing of personal data of subjects in the EU by an organization that is not established in the EU, where the processing relates to the monitoring of the behavior of such data subjects in the EU;
- The processing of personal data by an organization that is not established in the EU, but where EU Member state law applies by virtue of international public law.
The GDPR could therefore apply to entities in China where there is a connection to the EU, either because the organization processing the personal data has a presence there, or processes the personal data of EU subjects in the course of selling goods and services, or monitors their behavior in the EU.
The CSL applies to the "..operation, maintenance and use of computer networks and the supervision and administration of cybersecurity within the territory of the People's Republic of China" and is intended to protect "[Chinese] citizens, legal persons and other organizations".
Unlike the GDPR, it is not entirely clear whether the PRC Laws apply extra-territorially. For example, it is unclear if the CSL would apply to an overseas company collecting personal data from Chinese citizens where the overseas company has no presence in China. Similarly, it is unclear whether the Laws would apply to a situation where a Chinese company is collecting personal data from a foreign citizen outside of China only.
In our view, the CSL will apply to an overseas company collecting personal data from Chinese citizens if that data is collected from within China (although it is difficult to see how the authorities would enforce the legislation against the overseas company unless that company had some sort of presence in the jurisdiction). However, the CSL would probably not apply in the converse situation where a Chinese company collects personal data from a foreign citizen outside of China.
What is certainly the case is that the CSL will apply extra-territorially where any person\ attempts to hack into any computer system in China regardless of whether that person is a foreign national and/or resides outside of China.
The GDPR is based on a number of principles. These are:
- The principle of lawfulness, fairness and transparency Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- The principle of purpose limitation Personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- The principle of data minimization The personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed;
- The principle of accuracy Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- The principle of storage limitation Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- The principle of integrity and confidentiality Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
- The principle of accountability The Controller shall be responsible for, and be able to demonstrate compliance with the first six principles.
These principles are largely self-explanatory.
The Personal Information Specification also sets out a number of principles. These are as follows:
- Rights and responsibilities The Controller shall be liable for the damage caused by its Personal Information processing activities to the legitimate rights and interests of the Personal Data Subject.
- Definite objective The Controller should have legal, legitimate, necessary and definite purposes for processing Personal Information.
- Option to consent The Controller shall clarify to the Personal Data Subject the purpose, means, scope and rules of processing Personal Information, in order to solicit the latter's authorization and consent.
- Minimum use Unless otherwise agreed with the Personal Data Subject, only the minimum number and type of Personal Information required to satisfy the purpose of consent granted by the Personal Data Subject shall be processed. After the purpose is achieved, the Personal Information shall be deleted in time according to the agreement.
- Disclosure The Controller shall disclose the scope, purpose, rules, etc. of the processing of Personal Information in a clear, understandable and reasonable manner, subject to external supervision.
- Ensuring security The Controller shall have the security capability to overcome the potential security risks and shall take adequate management and technical measures to protect the confidentiality, integrity and usability of Personal Information.
- Participation of Subject The Controller shall provide to the Personal Data Subject methods to access, correct, delete his or her Personal Information, as well as withdrawal of consent and cancellation of account, etc
These overriding principles are broadly similar save for one key difference. The GDPR principles do not contain a general requirement to obtain consent from the Data Subject (although these rights are covered elsewhere in the Regulation and implied within several of the principles), whereas the PRC Laws do expressly incorporate these rights into the core principles. This is probably intentional. The GDPR is concerned with striking a balance between the Data Subject's rights and the free flow of commerce, which would explain why concepts of consent and participation are not enshrined in the core principles of the Regulation. The PRC Laws, however, are less concerned about the free flow of commerce and more concerned about regulating the Controller's activities and so consent and participation are key principles of the Law.
Collection of personal data and the requirement of consent
Under the GDPR, Controllers must ensure that:
- personal data is processed in a lawful, fair and transparent manner;
- there is lawful basis for the processing of personal data; and
- the collection and processing of personal data is minimized to only that which is necessary for the intended purpose (e.g. selling goods or services).
The PRC Laws contain similar provisions. Under the Personal Information Specification, Controllers must expressly disclose to the data subject the type of information to be collected and what that information is to be used for. They cannot employ any "fraud, trick or coercion" to force the Data Subject to provide his or her information and must only collect the minimum amount of information necessary to provide the relevant product or service. Finally, as is the case under the GDPR, personal data may only be kept for the minimum amount of time required to achieve the intended purpose.
The GDPR does not impose a general requirement to obtain consent. Instead, it sets out several legal bases for processing, one of which is where the Data Subject has given his or her consent. The other legal bases for processing are where the data is necessary:
- For the performance of a contract to which the Data Subject is a party;
- To comply with a legal obligation to which the Controller is subject;
- To protect the vital interests of the Data Subject or another natural person;
- For the performance of a task in the public interest or in the exercise of official authority vested in the Controller;
- For the purposes of legitimate interests pursued by the Controller or by a third party (such as where the Data Subject is a client or employee of the Controller) except where that interest is overridden by the Data Subjects fundamental rights and freedoms.
These legal bases are quite broad and provide a significant amount of scope for Controllers to avoid having to obtain consent. By contrast, the exceptions to consent under the Personal Information Specification are narrower. While there are exceptions where the personal data is necessary to perform the contract with the Data Subject, or to maintain the safe and stable operation of the products and/or services provided, or is required to promote and/or protect the public interest and state security, in all other cases, consent will be required.
Under both sets of legislation, where consent is required, it must be obtained for each purpose for which the data is to be used. Further, that consent must be express - silence will not amount to consent - and may be withdrawn by the Data Subject at any time.
Processing of personal data
Part of the reason so many people get upset with internet companies is that they have little control over how their personal data is used, whether the information is correct and how long it will be used for. The GDPR and The Personal Information Specification have sought to redress that imbalance.
Both sets of legislation contain provisions which require Controllers to (subject to certain exceptions):
- Restrict the use of the personal data to only those purpose for which the Data Subject has been informed;
- Rectify inaccurate personal data;
- Erase personal data when requested to do so (this provision enshrines the principle of the "right to be forgotten" which has caused Google so many issues) or when the data is no longer needed;
- Provide the personal data to the Data Subject in a format that can be transferred to another Controller;
- Refrain from subjecting data subjects to decisions based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The only substantive difference between the two sets of legislation is that under the GDPR, there is a distinction between a Controller and a Data Processor (the legislation imposes obligations on both) whereas the PRC Laws apply only to the Controller, although a third party will be deemed to be a Controller if they have "independent control" over the data.
Sharing of personal data
The GDPR and Personal Protection Law both place restrictions on the transfer of personal data to third parties such as suppliers, retailers, advertisers and app developers.
Under the GDPR, personal data can be shared provided that Data Subjects have been informed of the sharing in a privacy notice and subject to certain other conditions (e.g. the establishment of a legal basis for the transfer and the implementation of any further steps required by the GDPR). For example, in a Controller to Processor transfer, an agreement containing all of the terms required by Article 28 must be entered into.
Under the Personal Information Specification, the overriding principle is that personal data shall not be shared or shared unless it is "necessary". The Law does not prescribe when sharing and/or transfer of data is necessary and when it is not. Presumably, sharing and transfer or data will be necessary if the good or service being provided cannot be provided with it. For example, retailers might need to pass on personal data to suppliers so that they can fulfill customer orders.
Under both sets of legislation, where data is shared with or transferred to a third party, the Controller has an obligation to ensure that the third party has adequate systems in place to ensure the data is secure.
Transfer of personal data out of the jurisdiction
The transfer of data out of the jurisdiction is one area where there is a marked difference between the GDPR and the PRC Laws.
Under the GDPR, a Controller may transfer personal data outside the European Economic Area (EEA) without needing to obtain consent from the data subject, provided that one of the potential methods of transferring data set out in the GDPR is used, e.g. standard contractual clauses in the form approved by the European Commission. Processors may transfer data outside the EEA where this has been authorized by the Controller, subject to appropriate conditions to ensure that the transfer is carried out in accordance with the GDPR.
Under the Data Transfer Law, however, personal data can only be transferred out of China if:
- The Controller notifies the Data Subject of the purpose, scope, content and the recipient of the overseas transfer;
- The Data Subject gives his or her consent; and
- The Controller undertakes a security assessment to ensure the personal data is safe from cyber security risks.
These are quite onerous obligations and have created significant problems for companies operating in China. The problem is particularly acute for international companies doing business in China who may have their servers outside of the country or use a cloud based storage provider in another country to store customer data. Due to the logistical difficulties in obtaining consent, some companies have had to set up separate storage facilities in China to comply with the Data Transfer Law.
Security of personal data
Cyber-attacks and information theft are a disappointing fact of modern life. Almost every other day it seems that networks are coming under attack from hackers - the attacks on Sony and Adobe, the hacking of the US Democratic Party email servers and the "Wanna Cry" virus being recent examples.
Security of personal data is a key feature of both the GDPR and the PRC Laws.
Under the GDPR, the Controller must:
- Anonymize, pseudonymise and encrypt data (where appropriate) to ensure personal data is kept confidential;
- Undertake a data protection impact assessment if the processing to be undertaken is likely to involve a high risk of the data subject's rights being infringed; and
- Notify the relevant supervisory authorities of data breaches in cases where there is a risk to the rights and freedoms of individuals. The affected data subjects must also be notified where the breach is likely to result in a high risk to the rights and freedoms of individuals. See below for further information on this point.
The GDPR also requires both Controllers and Processors to appoint a Data Protection Officer in certain circumstances, such as where the processing is carried out by a public body, or where the organization's core activities require large scale, regular and systematic monitoring of individuals, or large scale processing of special categories or data/data relating to criminal convictions and offences. The role of the Data Protection Officer is to inform the Controller and/or Data Processor of their obligations under the law, monitor compliance with the law and co-operate with the supervisory authorities.
While the GDPR requires Controllers and Data Processors to take steps to ensure that personal data is protected against "unauthorized or unlawful processing … accidental loss, destruction or damage" the provisions that deal with these threats are quite broad. The GDPR does not, for example, set out what measures Controllers and Data Processors must take to ensure compliance with the principle of data integrity, at least not in any significant detail.
If a security breach does occur, the Controller is obliged to report the breach to the Data Subject unless the data has been encrypted so that it is unintelligible to unauthorized persons or the Controller has taken measures to mitigate against the risk or informing the Data Subject would involve disproportionate effort to the harm caused.
By contrast, the PRC Laws contain a number of provisions that impose strict obligations on Controllers to ensure personal data is protected from security threats with few exceptions. The CSL requires Controllers to undertake a range of internal security measures including implementing cyber security policies and procedures, installing anti-virus and anti-malware software and backing up and encrypting data to maintain the integrity of personal data. In addition, the Personal Protection Law requires Controllers to:
- Notify data subjects that its legal representative or principal person bears overall responsibility for the security of personal data;
- Appoint a data security officer (that must a full time position if the organization deals with personal data as its main line of business and employs over 200 people, or processes personal data for more than 500,000 people);
- Devise emergency plans to deal with security issues;
- Undertake security audits at least once per year;
- Provide training to relevant staff on data security at least once a year.
Further, the Personal Protection Law contains mandatory provisions requiring Controllers to report security breaches to the Data Subject and the relevant authorities. Significantly, there are no exceptions. These provisions are mandatory and apply to all Controllers. They are not restricted to certain categories of data or classes of Controllers. To that end, the PRC Data Protection Laws are more prescriptive and more onerous than the provisions of the GDPR when it comes to data security.
Enforcement and penalties
A feature of both the GDPR and the CSL is that they lay down stiff penalties for breach of their provisions.
Under the GDPR, Controllers and Data Processors may be faced with fines for breaches of specific Articles of the Regulation including:
- A fine of up to EUR 10,000,000 or 2% of total worldwide annual turnover in the event of a failure to implement technical and organizational measures to implement the data protection principles enshrined in the Regulation.
- A fine of up to EUR 20,000,000 or 4% of total worldwide annual turnover in the event of: a. A breach of the articles dealing with the basic principles processing of personal data; or b. A breach of the various express rights of the data subject; or c. A transfer of data to a third country in breach of the Regulation; or d. A failure to comply with an order from the relevant regulatory authorities.
In addition, EU member states may enact their own regulations setting out the penalties that apply to breaches of articles that are not subject to the above fines.
Under the CSL, there is wider range of punishments for breach which apply to both individuals and corporations. For example:
- In the event of a failure to take corrective action to remedy a security breach, the Controller may be subject to a fine of between RMB 10,000 and RMB 100,000 and the directly responsible person subject to a fine of between RMB 5,000 and RMB 50,000;
- In the event of an act which endangers cyber security, the Controller may be subject to a fine of between RMB 100,000 and RMB 1,000,000 and the directly responsible person subject to a fine of between RMB 50,000 and RMB 500,000 and/or a sentence of imprisonment. In addition, the relevant authorities may confiscate any income earned by the Controller as a result of the breach and/or suspend the Controller's business;
- In the event the Data Subject's rights are infringed, the Controller may be subject to a fine of up to RMB 1,000,000 or, where the breach has resulted in the Controller earning an illegal income, a fine of up to ten times the income earned from the breach. In addition, the relevant authorities may suspend the Controller's business and impose a fine on the directly responsible person of between RMB 10,000 and RMB 100,000;
- In the event of a failure to assist the relevant authorities to discharge their duties under the CSL, Controllers may be subject to a fine of between RMB 50,000 and RMB 500,000. The directly responsible person may also be subject to a fine of between RMB 10,000 and RMB 100,000.
The similarities and differences between the GDPR and PRC Laws can be summarized as follows
|What is the territorial scope of the Law?||
Applies to organizations that either:
Applies to natural persons in China
Applies to organizations that collect personal data from Chinese citizens regardless of whether or not they have a presence in China (although this is subject to further clarification)
|Does the Law recognize the following principles: 1. The principle of lawfulness, fairness and transparency||
|2. The principle of purpose limitation||Yes||Yes|
|3. The principle of data minimization||Yes||Yes|
|4. The principle of storage limitation||Yes||Yes|
|5. The principle of integrity and confidentiality||Yes||Yes|
|6. The principle of accountability||Yes||Yes|
|7. The principle of consent||No, although there are specific provisions in the Regulation that deal with consent||Yes|
|8. The principal of participation||No, although there are provisions in the Regulation that deal with the data subject's right to control how their data is processed||Yes|
|Does the Controller need to obtain consent from the Data Subject to: 1. Collect personal data?||
No to all (unless consent is used as the legal basis for processing)
Yes, with some limited exceptions
|2. Process personal data?||Yes, with some limited exceptions|
|3. Share personal data with a third party?||Personal data cannot be shared unless it is "necessary"|
|4. Transfer personal data to a third country?||Yes, and only after a security assessment has been undertaken|
|Does the Data Subject have the right to: 1. Withdraw consent at any time?||
|2. Request that the purposes for which the personal data is to be collected be restricted?||Yes||Yes|
|3. Request that inaccurate data be corrected?||Yes||Yes|
|4. Request that personal data be deleted?||Yes||Yes|
|Are the following security measures mandatory? 1. Implementing internal cyber security policies and procedures;||
|2. Appointment of data protection officers;||Only in specified circumstances||Yes|
|3. Training staff to observe cyber security||No||Yes|
|4. Undertaking cyber security audits;||No||Yes|
|5. Notifying the Data Subject of security breaches||No, if certain conditions are met||Yes|
|6. Notifying the relevant authorities of security breaches.||Yes - where the applicable criteria are met||Yes|
|What are the penalties under the Law||Fines levied against the Controller or Data Processor||
Fines levied against the Controller or Data Processor
Confiscation of illegal profits
Fines levied against responsible individuals
Imprisonment of responsible individuals
Closure of the business
What should companies operating in China do to comply with the PRC Laws?
Referring back to the original question in the introduction, does an organization who conducts business in China and who has a comprehensive data protection policy that is compliant with the GDPR need to take any additional steps to comply with the PRC Laws? The short answer to that question is yes. Under the PRC Laws, organizations that collect personal data from citizens have stricter obligations that is the case under the GDPR. In particular there are stricter, more prescriptive rules concerning;
- The requirement to obtain consent;
- The sharing of personal data;
- The transferring of data outside of the jurisdiction;
- The appointment of a data security team and a data security officer to oversee compliance with the law;
- Training of staff in data protection and cyber security; and
- Undertaking security audits.
In addition, organizations operating in China face a wider range of penalties than is the case under the GDPR which apply to both the organization itself and any individuals within that organization who may be responsible for any breach of the PRC Laws.
Against that background, we recommend that organizations operating in China who collect personal data from Chinese citizens undertake an assessment to confirm if they are in compliance with PRC Laws. Such a review may highlight the need to:
- Update data protection and cyber security policies;
- Undertake a security assessment of the organization's systems (hardware and software) to ensure they are safe from cyber threats;
- Appoint a data protection officer and data security team to ensure compliance with the organization's policies;
- Provide training to staff;
- Set up separate servers in the PRC or engage third party cloud storage services in the PRC.
We also recommend that organizations look at whether their insurance arrangements are adequate to respond to potential fines and legal defence costs in the event the organization and/or its employees are prosecuted under the PRC Laws. Many insurers in China are offering bespoke policies to cover cyber risk which may be more offer more comprehensive cover than an existing global policy.
While it is true that the PRC Laws are still developing, it is fairly clear from the draft laws that have been published what the regulatory landscape will look like in relation to cyber security in the near future. Accordingly, organizations operating in China would be well advised to make themselves familiar with the PRC Laws and start taking steps to ensure they will be compliant.