By Dr. Gunnar Sachs, Maître en droit (Paris); Anja Schwarz, LL.M. (London); and Dr. Qian Ma, LL.M. (Saarbrücken)
The EU General Data Protection Regulation (GDPR) was passed in 2016 and will come into force on May 25, 2018. The GDPR builds on and preserves the principles of the current EU regime, which was designed for a pre-digital age. It seeks to achieve greater legal consistency across the EU and the wider European Economic Area (EEA) while simultaneously introducing a raft of new aggressive and intrusive rules. In particular, there are serious sanctions for breaches, including fines of up to €20 million or 4% of the global turnover of a group of companies.
In contrast, a comprehensive and consolidated personal data protection law such as the GDPR does not yet exist in the People’s Republic of China (PRC). A draft personal data protection law has been under review by the government for many years, but there is still no indication as to whether such a law will be passed in the near future. There are, however, a few provisions to be found across several regulations that address the issue of data protection. The Decision on Strengthening Network Information Protection effective from December 28, 2012 (the Decision), sets out the fundamentals of handling personal data. It has the same legal effect as a law but only addresses internet service providers or other companies dealing with electronic personal data.
The National Standard of Information Security Technology Guideline for Personal Information Protection within Information Systems for Public and Commercial Services, effective from February 1, 2013 (the Guideline), although not legally binding, can be used by Chinese enforcement authorities to assess the data protection efforts of individual companies and may serve as a basis for future legislation in the area of data protection. The Consumer Rights Protection Law of the PRC effective from March 13, 2014 (the Consumer Protection Law), contains data protection obligations applicable to most types of businesses that deal with consumers.
The latest substantial development is the Cyber Security Law, effective from June 1, 2017. It introduces numerous new rules with regard to online activities and networks in the PRC. On the same day, the Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Violation of Citizens’ Personal Information (the Interpretation) was issued by the Supreme People’s Court and the Supreme People’s Procuratorate. It contains comprehensive and systematic provisions that define citizens’ personal data, the associated convictions and sentencing guidelines as well as applicable laws.
Processing of personal data
Under the GDPR, personal data is broadly defined and covers all information relating to identifiable individuals held either in electronic (or other automatically processable) form or in a structured manual filing system. All processing of personal data is generally forbidden unless justified, e.g., if the data subject gives express consent, or if the processing is required for the performance of a contract, or if compliance is necessary as part of a legal obligation.
There is no general definition of personal data in the PRC. Definitions vary between the different personal data protection regulations. It is generally taken to mean any information that relates to an individual, which by itself or in combination with other information could disclose the identity of that individual, e.g., name, age, address, telephone number, etc. In the PRC, there are no unified rules regarding the processing of personal data. The Consumer Protection Law, however, includes requirements for the processing of personal data that are similar to those under the GDPR.
Entities have to bear in mind that they need to inform the data subject of data processing. Both the German and the Chinese legal systems require businesses to consider whether or not they need to collect such data at all. If they collect sensitive personal data, they must ensure that the specific and strict requirements for processing such data are complied with.
Scopes of application
The GDPR applies in principle to all organizations established in the EU. It will even cover overseas controllers, such as supervisory board members, and processors who might not expect to be subject to EU law. It will also apply to processing that occurs entirely outside the EEA if it is carried out to offer goods and services to, or monitor the behavior of, individuals located within the EEA. Under the GDPR, organizations outside the EEA will therefore need to consider whether or not they fall within the scope of the GDPR. Global organizations would be well advised to consider implementing worldwide standards based on the
The GDPR imposes data security obligations on data processors and data controllers, which can be defined as natural or legal persons, public authorities, agencies or any other body that alone or jointly with others determines the purposes and means of the processing of personal data. It sets out very prescriptive rules regarding the contractual terms on which controllers appoint processors. All businesses that process sensitive data on a large scale or whose core activities require regular and systematic monitoring of data subjects on a large scale, as well as practically all public authorities, will have to appoint data protection officers (DPOs) under the GDPR.
Processors will also need to consider the direct compliance implications of the data protection regime for their businesses, rather than merely reviewing their contracts with customers. They should consider the impact of the GDPR on their contracts with controllers in order to ensure appropriate risk allocation. In addition, businesses will also need to evaluate whether or not a DPO has to be appointed.
The personal data protection regulations in the PRC, however, do not provide for any territorial effect. Personal data protection regulations promulgated by a provincial authority would generally only apply to entities processing personal data in that province. Furthermore, the personal data protection regulations in the PRC do not generally distinguish between data controllers and data processors and do not require a DPO to be appointed. Under the Cyber Security Law, network operators are required to confirm which of their officers or employees will be responsible for network security.
Information on security breaches
The GDPR provides that controllers must report security breaches that affect personal data – with the exception of breaches unlikely to give rise to any risk – to their data protection authority. This authority is an institution independent of the Member State and appointed for a minimum period of four years. Controllers must also inform the data subjects of security breaches likely to result in a high risk to their rights and freedoms. Under the GDPR, businesses will also need to review security arrangements to ensure compliance and prepare a documentation tool to track security breach notifications.
Unlike in Europe, no specific national regulatory authority exists in the PRC. The authorities in some industry sectors are responsible for the enforcement of personal data protection regulations in their respective fields, such as the Ministry of Industry and Information Technology (MIIT) in the telecommunications and internet sector.
Data subject rights
The GDPR provides for data subjects to have a right to access their personal data. They can request that inaccurate personal data be either corrected or deleted and, in limited circumstances, object to the processing of their data entirely.
Based on the Decision in China, a Chinese data subject may ask the person or institution in charge of data processing to rectify, block or delete personal data. Furthermore, a data subject should be able to access his or her personal data stored, for example, in databases of unauthorized users.
Chinese organizations must respond to the requests of a Chinese data subject and build a case for all key processing operations that are not optional from the data subject’s perspective. They must deal with objections swiftly.
Unprecedented sanctions and remedies for breach
Administrative fines of up to a maximum of either €20 million or 4% of the group’s global turnover can be imposed under the GDPR for serious breaches. Furthermore, there can be civil sanctions, regulatory actions and criminal penalties.
Sanctions for contraventions of personal data protection provisions in the PRC will depend on the personal data protection regulation that has been infringed. Sanctions may include administrative sanctions, such as warnings and fines of up to RMB 30,000 (approximately €3,800), while certain regulations apply higher penalties (e.g., under the Consumer Protection Law, fines can amount to RMB 500,000, approximately €64,000). In this regard, the latest Interpretation states the relevant civil and criminal liabilities and the range of fines.
Privacy by design
The GDPR will require businesses to build privacy – particularly focussing on proportionality and the anonymization or pseudonymization of data – into the design of their data processing activities. In the PRC, similar requirements can be found in the Guideline. Although not legally binding, compliance with the Guideline is recommended as good practice.
The GDPR represents the biggest change in EU data privacy law in a generation and is most likely to form a model for new data privacy rules in other jurisdictions. The new rules under the GDPR will require businesses to incorporate privacy in the design of their data processing activities. Appropriate measures to safeguard data protection principles should be considered at the outset of each new data processing arrangement.
The Consumer Protection Law and Cyber Security Law have already increased the protection of data in the PRC tremendously. It remains to be seen whether or not the GDPR will have any impact on Chinese data protection regulations. Organizations conducting business in the PRC must be mindful of future legislative changes.