By Tracy Zhu, Firm: Fangda Partners

Since 2018, the GDPR has attracted interest in China, resulting in nationwide data and privacy protection campaigns and the multiplication of data protection standards.

The GDPR has been drawing the attention of various Chinese companies and the regulators since 2018 for the following reasons:

  • The magnitude of fines that can be imposed for violations of its provisions;
  • Its extra-territorial reach to organisations that are outside the EEA but collect and process personal data of data subjects in the EEA; and
  • It is seen by Chinese regulators as a good example of comprehensive legislation on personal data protection.

Unlike Japan, South Korea, Thailand or other countries in APAC where the GDPR is used as a benchmark for reviewing current legal regimes on personal data protection, the Chinese authorities do not recognise the direct application of such a foreign law but instead use the GDPR as a good reference for the developing data protection regime in China. In 2018 and the first half of 2019, in awe of the record-breaking fines that were imposed in a few headline law enforcement actions in the EU, the national standard committee (TC260) and some research institutions respectively published white papers commissioned by the Chinese authorities and provided guidance to Chinese organisations on complying with the GDPR, particularly where they have business in the EU or offer services globally, including to data subjects in the EU.

To catch up with the trend of increasing transparency of personal data processing activities, China has launched a few nationwide law enforcement initiatives and campaigns focussing on privacy notices and curbing certain privacy practices such as bundled or forced consent. While there is no accountability principle in the Chinese Cyber Security Law, the way that the authorities approach organisations that are in violation of personal data protection laws in China is similar to the GDPR, in the sense that the authorities require those organisations to provide evidence of their compliance with the laws.

GDPR also sheds light on how to interpret the fundamental principles of data protection, particularly the European Data Protection Board’s guidelines and clarification. National standards on data protection and cyber security are multiplying in China. These include various principles and requirements under GDPR, such as data protection by design and by default, data protection impact assessments, vendor due diligence and more.

China is neither a signatory to Convention 108 nor a participating member of any regional cross-border data transfer regime such as CBPR. For the past two years, China has been working on its cross-border data transfer regime and the Chinese authorities are also seeking inspiration from the GDPR.

While Chinese companies have not yet received any fines from DPAs in the EU, after various incidents exposed how Facebook monetised data, and in view of DPAs’ focus on GAFA (Google, Amazon, Facebook and Apple), Chinese companies are mindful about personal data protection, particularly where data subjects in the EU are under discussion. Where Chinese organisations have operations in the EU and local employees’ data is transferred back to headquarters in China, these organisations would also need to consider compliance with the GDPR.