New China Data Privacy Standard Looks More Far-Reaching than GDPR
The Chinese government recently released the final version of a new national standard on personal information protection. It lays out detailed new regulations for user consent, as well as for how personal data is collected, stored, and shared. The standard is set to take effect May 1, 2018, but it is not yet clear how it will be implemented. Despite this uncertainty about its effect, the language in the standard is comprehensive and contains more onerous requirements than even the European Union’s General Data Protection Regulation (GDPR). Yet, even with these differences, there is a growing convergence between the European and Chinese approaches in emerging data protection regimes, leaving the United States increasingly isolated and U.S. companies in a reactive mode.
Q1: What is China’s data protection regime?
A1: China’s cybersecurity law (which took effect in June) laid out broad principles, but left key issues related to implementation and scope unresolved. The idea was that follow-on measures and standards would fill in the gaps once stakeholders sorted out their differences. (See Appendix for an overview of what standards mean in China’s system.) The cybersecurity law is made up of six systems, which together form a framework governing information and communication technology (ICT) in China. This standard belongs under the fourth system, called “personal information and important data protection system.”
China’s emerging data regime is likely to take at least another one to two years to be finalized, but its broad contours are beginning to take shape amid ongoing debate and discussion within the government and between the government and companies.
According to conversations with those in China involved with shaping the system, the data protection regime addresses three categories: personal information, data transfer, and data management/governance.
So far, China’s data protection regime consists of the cybersecurity law, a handful of accompanying measures, and at least 10 draft standards. (For a deeper discussion of a thriving debate in China over data localization and rules for cross-border data transfer, please see here.) This year, we are also likely to see the addition of a new law focused specifically on personal information protection. Some argue that the law is not necessary since the topic is already covered extensively by the current data protection framework; however, a National People’s Congress report in December called for drafting a separate new piece of legislation.
What is clear is that China is moving forward with building out a national data regulatory regime with major implications for international interoperability of Chinese and foreign companies.
Q2: Why is this standard important?
A2: Among the hundreds of cybersecurity standards in China, this one dealing with personal information protection is a big deal. There are two main reasons it matters.
First, it covers content that has been the subject of ongoing debate for over a year within the government and with Chinese companies. There is a tug of war within China between those advocating for greater data privacy protections and those pushing for the development of fields like artificial intelligence (AI) and big data, with no accompanying limits on how data is used. The very existence of this debate is not well known to outside observers.
The standard creates a comprehensive framework and process for personal information data collection, storage, handling, and sharing. For example, it covers detailed provisions for user consent, including requirements that data must be de-identified before sharing or else have prior notice and consent from individuals. It also imposes strict limits on “secondary uses” of data beyond the original purpose. Third-party vendors involved with handling this data must undergo extensive security assessments. It is still too early to know how exactly the new standard will be implemented, but the standard makes clear that there is a check on how companies handle user data, with whom, and how it is shared.
Second, the Chinese public has shown a growing awareness of data privacy rights in recent weeks. A Chinese-government-backed consumer protection organization is suing the search engine Baidu for collecting users’ personal information (e.g., location, messages, contacts) without their consent. The case follows Ant Financial’s apology to users after an Alipay default option allowed its credit scoring system to access user data.
Developments around data privacy also raise questions about the feasibility of carrying out what is known as the social credit system. China’s social credit system has received tremendous attention in Western media amid speculation that the Chinese government plans to rate citizens’ trustworthiness or creditworthiness by pooling all of their transaction and other data. A forthcoming joint piece by CSIS, the Peterson Institute, and New America will delve deeper into how data privacy and regulation are among a host of factors that will make the social credit system difficult to carry out.
Overall, these trends suggest that the way in which the government and companies share data in practice is not as clear cut as it may seem and is still taking shape under an evolving new framework.
Q3: How does China’s data protection regime compare with the GDPR?
A3: Beyond China, we are seeing global divergence in approaches to data regulation across the European Union, Asia, and the United States. Fragmentation and market barriers are emerging around requirements for privacy and data flows across borders that make international interoperability a growing challenge.
We will do a deeper look comparing China’s broader data protection regime (privacy and data flows) with these other regions in a subsequent post. To be clear, a single Chinese standard is in no way analogous to GDPR. The latter is an extensive legal document that underwent a long legislative process. But on first glance, a few comparisons between China’s personal information security standard and GDPR are worth highlighting:
- While the GDPR applies to specific types of data, “sensitive personal information” under the Chinese standard is more far-reaching. It extends to any personal data that would cause harm to persons, property, reputation, and mental and physical health if lost or abused.
- The GDPR is more permissive about certain kinds of consent requirements for the collection of personal information. It does not strictly require consent to share data, and it allows processing based on the legitimate interests of a controller or third party, a basis not found in the Chinese standard.
- The Chinese standard contains more rigorous requirements on what kinds of information must be included in privacy notices. In contrast to the GDPR, the standard does not clearly state that information can be left out of notices if the individual has access to it from other sources. Instead, privacy notices must be presented “one by one.”
- The Chinese standard contains more specific requirements related to security testing and procedures for entities that process personal information. This is consistent with a broader difference: China’s data protection regime overall (not just the standard) deals with national security risk—giving it a much wider scope—while GDPR does not.
For Chinese companies, the way in which these two regimes intersect will affect their global aspirations, particularly as internet companies like Alibaba set up data and cloud centers in Europe. Chinese telecom firms vying to build out internet infrastructure across Europe under the One Belt, One Road initiative will also have to reckon with the relationship between the two systems.
Q4: Where does the United States fit into the picture?
Appendix: What do “standards” mean in China’s system?
Within China, national standards function more as tools for implementing higher-level laws and measures. In this way they are better understood as a kind of regulation, rather than as a technical specification or voluntary framework, which is how standards are typically understood in the Western context. While they are not legally binding, the government refers to them when conducting reviews and approvals, creating a strong incentive for both foreign and domestic Chinese companies to comply.
It is also not clear how this particular standard will work in relation to the broader legal umbrella of the cybersecurity law in practice. It may function as a form of regulation, in which companies will be audited or certified based on its criteria. But this is an open question, especially since the term used in Chinese is “specification” rather than “standard.”
The China National Information Security Standards Technical Committee (TC260) has developed more than 240 national standards related to cybersecurity (e.g., cloud, industrial control systems, and big data) since 2010. Particularly in the wake of China’s cybersecurity law (which took effect in June), there has been increasing focus on this body of standards—many of which are still in draft form and undergoing industry comment. The standards are meant to flesh out the details of broad provisions contained in the cybersecurity law, particularly on controversial elements where there is not yet consensus within the government and industry about implementation.
Samm Sacks is a senior fellow with the Technology Policy Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. She thanks Jim Lewis, Will Carter, Paul Triolo, and Graham Webster for their helpful review and insights.
Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2018 by the Center for Strategic and International Studies. All rights reserved.