The year 2018 is expected to see major developments in the area of data protection, and not only in Europe.
The new recommended standard ‘Information Technology - Personal Information Security Specification’ [GB/T 35273-2017] (hereinafter ‘the Specification’) will finally come into effect in China on May 1, 2018. The Specification follows the route taken last year with the entry into force of the China Cybersecurity Law 2016 by providing detailed guidance for compliance in data processing activities including the collection, retention, use, sharing and transfer of personal information.
The Specification applies to any private or public organization that has the power to decide the purpose and method of processing personal information; this seems to be modelled on the concept of ‘data controller’ under the European GDPR.
The Specification regulates the processing of ‘personal information’ and ‘sensitive personal information’; the definition of ‘sensitive personal information’, however, is significantly different from the one provided in the European Regulation.
The Specification defines ‘sensitive personal information’ as any personal information which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation or mental and physical health, or leading to discriminatory treatment; in effect, there is no fixed definition of ‘sensitive data’ but rather a risk-based approach whereby sensitive information is any type of data whose non-compliant processing is capable of causing damage.
Data controllers are recommended to follow basic principles relating to the processing of personal data, including lawfulness, fairness, transparency, necessity, proportionality, data minimization and security, as well as risk assessment.
Despite being a voluntary standard, and thus not legally binding, the Specification will serve as a reference point for the Cybersecurity Administration of China (‘CAC’) to judge corporate practices adopted to ensure personal data protection.