China Cyber Security Law and the Regulation (EU) 2016/679

The China Cyber Security Law (hereinafter “CSL”), which came into force on 1 June 2017, is a general rule concerning the control of cyberspace information security and the protection of personal information in China.
With this rule, data management and the regulation of the use of Internet have been reformed with the imposition of new requirements for network security.
With the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the question arises of how that Regulation compares with the Chinese law.
We shall therefore analyze the main contents of the China Cyber Security Law.

 

1. The definitions of personal information and network operator

The CSL provides a definition of “personal information” and “network operators” to determine its scope of application.
«Personal Information» refers “to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, national identification numbers, personal biometric information, addresses, telephone numbers, and so forth” (art. 76 (5) CSL).
It is clear that the definition of “personal information” is quite similar to the definition of “personal data” in the GDPR, where “personal data” means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
In the CSL, «Network operators» refers to “network owners, managers, and network service providers” (art. 76 (3) CSL).
This definition clearly includes not only network service providers but every entity that owns and manages a network, whether internally or externally: for example, a company that manages its own network for its internal operations or that operates its own website.
The CSL also identifies a further specific category of subjects that deal with data, the “critical information infrastructure” («CII») (art. 31 CSL).
This definition, which is very broad and not precisely determined, covers the structures operating in particular sectors, for example information services, power, traffic, water resources, finance, public service, e-government, “and other critical information infrastructure which—if destroyed, suffering a loss of function, or experiencing leakage of data—might seriously endanger national security, national welfare, the people’s livelihood, or the public interest” (see art. 31¹).
For these infrastructures, the CSL formulates specific security protection measures, as described below in par. 3 (art. 34 CSL).

 

2. Data collection and storing

The CSL imposes a series of general obligations that must be respected by the «network operators» (art. 21 and from art. 40 to art. 50).
Among these, the duty:

  • to strictly maintain the confidentiality of user information they collect, and establish and complete user information protection systems (art. 40 CSL),
  • to abide by the principles of legality, propriety, and necessity,
  • to publish rules for collection and use, explicitly stating the purposes, means, and scope for collecting or using information,
  • and to obtain the consent of the persons whose data is gathered.

Network operators must not gather personal information unrelated to the services they provide (art. 41). These provisions recall the corresponding principles relating to the processing of personal data stated in the GDPR (art. 5), the duty to provide information (articles 13 and 14 GDPR) and the regulation of consent. Consent, however, appears in the CSL as the only legal basis for processing, without alternatives such as the necessity of processing for the performance of a contract or for compliance with a legal obligation, as provided in the GDPR (art. 6).
With reference to the security of personal information, the CSL provides that when a leak, destruction, or loss of personal information occurs, or might have occurred, remedial measures shall be taken immediately, and the applicable provisions followed to promptly inform users and to report to the competent departments in accordance with regulations (art. 42 CSL). This provision recalls the regulation of the data breach in the GDPR (art. 33).
With regard to the rights of the data subject, provided in artt. 15-22 of the GDPR, the CSL requires measures to ensure that individuals who discover that network operators have gathered or used their personal information in violation of laws, administrative regulations, or agreements between the parties may demand the deletion of their personal information, and that individuals who discover that personal information gathered or stored by network operators contains errors may demand that the network operators make corrections (art. 43 CSL).

 

3. The rules for Critical Information Infrastructure

In addition to the measures set out above, CII are subject to further obligations.
First of all, CII that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China.
Where, due to business requirements, it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment (art. 37 CSL).
This provision immediately appears different from the GDPR, which expressly governs the conditions for the lawful transfer of personal data abroad (including for storage), such as transfers on the basis of an adequacy decision (art. 45 GDPR), transfers subject to appropriate safeguards (art. 46 GDPR), and transfers on the basis of consent or for other specific cases (art. 49 GDPR).
Again with reference to the territorial scope, it is necessary to highlight another important difference between the two provisions.
As is known, the GDPR has adopted some specific choices of “extra-territoriality”: it applies not only to the processing of personal data by a controller or a processor established in the European Union, but also to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the Union. This happens where the processing activities are related to the offering of goods or services to such data subjects in the Union, or to the monitoring of their behaviour as far as that behaviour takes place within the Union (art. 3 GDPR).
The CSL has no provision of this kind, as it limits its application to the mainland territory of the People’s Republic of China (art. 2 CSL²).
A Chinese operator, therefore, who handles personal data not only of Chinese subjects but also of subjects in the EU, will be subject to both regulations and will have to follow different procedures for transferring these personal data from one jurisdiction to the other, or even for storing them.

 

4. Conclusions

After this brief examination it can be noted that, despite some similarities, the two laws display important differences.
At this stage both laws still have to be implemented by operators and complemented by specific regulations before it can be effectively verified how they can co-exist.
In general, though, the CSL seems to be based on a vision of “state protection” rather than being oriented towards a system that protects the right of individuals over their own data.
Moreover, from the point of view of substantive enforcement, while the GDPR is centred on the protection of personal data, the CSL tends to unify in a single text both cybersecurity and the regulation of personal data. As the rules are further defined by the implementing regulations, it cannot be excluded that the CSL will take an approach in which the concepts that are not yet clearly defined and that aim at protecting personal data as a right of the individual (such as consent, the rights of the data subject, the communication of data, etc.) are further extended.
Such an outcome is certainly desirable from the point of view of companies that will have to adopt compliance systems under both the Chinese and the European legislation.
Below is a brief comparison table of the two laws.

 

Comparison summary

| Topic | GDPR | CHINA CSL |
|---|---|---|
| Entry into force | 25 May 2018 | 1 June 2017 |
| Territorial scope | Some specific choices of “extra-territoriality” (art. 3 GDPR) | Applicable within the mainland territory of the People’s Republic of China (art. 2 CSL) |
| Information | Information to be provided (articles 13 and 14 GDPR) | Network operators shall explicitly state the purposes, means, and scope for collecting or using information (art. 41 CSL) |
| Consent | Consent is one of the legal bases for processing, together with the other legal bases defined in art. 6-9 GDPR | Consent appears as the only legal basis for processing (art. 41 and 42 CSL) |
| Security of processing | The GDPR, according to the principle of accountability, makes the data controller responsible for the security measures to be taken | The CSL tends to impose a series of rules for cybersecurity |
| Penalties | Subject to administrative fines up to 20 000 000 EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher | Subject to fines of 1 to 10 times the purchase price; the persons directly in charge and other directly responsible personnel shall be fined between RMB 10,000 and 100,000 (art. 64 CSL) |
| Rights of the data subject | Artt. 15-22 GDPR: right of access, to rectification, to erasure, to restriction of processing, to data portability, to object, and not to be subject to a decision based solely on automated processing, including profiling | Individuals have the right to demand that network operators delete their personal information; where they discover that personal information gathered or stored by network operators contains errors, they have the right to demand that the network operators make corrections (art. 43 CSL) |
| Authority | National authorities and the European Data Protection Board | The law does not establish a data protection authority in China. The relevant offices are the Cyberspace Administration of China, the Public Security Bureau and the supervisory authority responsible for telecommunications (Ministry of Industry and Information Technology), working together |

 

¹ Article 31 CSL: “The State implements key protection on the basis of the cybersecurity multi-level protection system for public communication and information services, power, traffic, water resources, finance, public service, e-government, and other critical information infrastructure which—if destroyed, suffering a loss of function, or experiencing leakage of data—might seriously endanger national security, national welfare, the people’s livelihood, or the public interest. The State Council will formulate the specific scope and security protection measures for critical information infrastructure. The State encourages operators of networks outside the [designated] critical information infrastructure systems to voluntarily participate in the critical information infrastructure protection system”.

 

² Art. 2 CSL: “This Law is applicable to the construction, operation, maintenance, and use of networks, as well as to cybersecurity supervision and management within the mainland territory of the People’s Republic of China”.