The GDPR and China's Cyber Law: Following One Doesn't Mean Following Both
The General Data Protection Regulation and China's Cybersecurity Law are aligned in many ways, though there are enough divisions that privacy counsel should be wary in creating a plan to comply with both.
May 24, 2018 at 12:00 PM
8 minute read
|
With the European Union's General Data Protection Regulation (GDPR) deadline for compliance imminent, there's been a focus on whether U.S.-based multinational company can get their data practices up-to-date in time for compliance. As to how the GDPR will coexist on the global business stage alongside China's controversial Cybersecurity Law, however, is a different story.
Set into effect in June 2017, China's Cybersecurity Law (CSL) has been a source of controversy. Initially promoted as a method for enhancing national cybersecurity, the law requires that “network operators” store data within China while allowing government officials access to it. What's more, many have criticized it for having vague language and penalties disproportionate with infractions, as well as providing Chinese companies a considerable advantage while risking intellectual property.
In some ways, the law resembles the GDPR. Both have been characterized as somewhat open-ended in application and enforcement, with GDPR's “legitimate interest” data processing requirement leaving many scratching their heads, while the same could be said of China's classification of “network operators,” which could be applied to practically any business in China administering or owning its networks.
There are also notable ways in which the laws differ. Cori Lable, a Hong Kong-based partner at Kirkland & Ellis, explained the GDPR “is a very rights-based code to provide every individual protection.” And while the Chinese law places some individual protections on personal data, it instead is tied to larger national security requirements.
“Moreso than GDPR, the China Cyber Law has different requirements for various state level review,” Lable said, specifying that government reviews and notification requirements come into play before a cross-border transfer of personal data. “Some of that incongruence grows out of the different primary motivations of the regimes.”
|The Devil's in the Details
Under CSL, if the data for transfer contains certain criteria—containing the personal information of half a million citizens, for example—the Chinese government is required to undergo its own review and assessment prior to the transfer's execution. This is similar to GDPR in that both require citizens' consent for data collection and processing.
Yet multinationals face challenges in determining where their data actually resides, a fact not always obvious given the amount of digital information generated by individuals and entities. This could determine whether an organization is subject to complying with CSL, GDPR or both.
Article 3.2 of GDPR stipulates that entities in countries beyond the EU providing services or goods to its citizens can fall under GDPR requirements, while CSL jurisdiction, under Article 2, is limited to Chinese territory. Therefore, write Galaadd Delval and Zhong Lin for the International Association of Privacy Professionals, “With such a stark contrast, it can be concluded that companies located solely in China doing business in China and the EU should comply with both the CSL and the GDPR, while companies solely located in the EU would only be bound by the GDPR.”
“A company may have a global data set where they're piling in personal data from individuals located in China or Europe, and depending on where that data is, both need to comply with storage and process requirements,” Lable added. What's more, the consent requirements differ between the two laws. GDPR contains six different legal bases under which personal data can be processed, including consent, in which someone “has to proactively agree.” Meanwhile, CSL “is not that explicit.”
“There are still a lot of areas of the China Cyber Law waiting where we're waiting for specific government regulations. The full of extent of what the government intends remains to be seen,” she said.
For Morrison & Foerster partner Miriam Wugmeister, the “vagueness” that surrounds both laws presents a key compliance challenge. Contrary to popular belief, she said GDPR “doesn't have very many details,” and many of its directives have been in law since the EU's 1995 Data Protection Directive. Likewise, CSL's “language is not entirely clear.”
“A real problem for organizations with China Cyber Law is not what the obligations are but to whom it applies,” said Wugmeister. And “any time there's uncertainty, organizations over prepare or under prepare.”
Much of the confusion with CSL surrounds who is classified under “critical information infrastructure” (CII), a category in which much of the CSL's obligations apply. While the category includes traditional sectors like energy, it also includes companies holding considerable amount of data on a Chinese citizen, as well as companies that service critical industries. And definitions for both important and personal data, both of which are regulated under CSL, aren't defined clearly.
Another “real problem” cited by Wugmeister is CSL's data localization rules, which require CII data be kept in the country and only copies, after review, to be shared in a transfer. GDPR, meanwhile, places mechanisms for data transfers. “If you have to keep data in the country, that can be problematic, because basic Cyber 101 is the more places, the bigger your surface area, the harder it is to protect organizations.”
“It's not necessarily a conflict of law, but if you're trying to use the best security, you can't do it if it's in 50 places,” she added. “It's not that [international privacy frameworks are] brand new, it's just the more countries that do it, the harder it is.”
|Playing Off One Another
Given the nascent nature of both laws, it remains to be seen how either operates with relation to the other. As written in the Center for Strategic and International Studies, “For Chinese companies, the way in which these two regimes intersect will affect their global aspirations, particularly as internet companies like Alibaba set up data and cloud centers in Europe. Chinese telecom firms vying to build out internet infrastructure across Europe under the One Belt, One Road initiative will also have to reckon with the relationship between their two systems.”
While Kirkland doesn't “advise specifically” on CSL, Lable said for multinationals reconciling data practices, she points clients towards baseline regulatory requirements and assists in mapping data flows and storage. She also emphasizes to make sure they have “the right internal information security and privacy map” and “the right network security protocols.”
“Both of these laws have different requirements on basic network security assessments and require to have people involved in the organizations to have oversights on privacy and security,” she said.
And complying with both is likely of utmost importance to most multinationals. In 2017, China and the EU were listed by the CIA as the world's two largest markets, with economic outputs of about $23 trillion and $20 trillion, respectively. What's more, GDPR has steep penalties for noncompliance—a maximum of the greater between €20 million (roughly $23.4 million USD) or 4 percent annual revenue. While China's financial penalties are lower (the maximum 1,000,000 RMB, or roughly $156,000 USD), noncompliance could result in a revoking of a business license or suspension of operations.
Wugmeister noted that “the trickiest part” of mutual compliance is “when you have legal obligations that conflict.” For example, she noted that multinationals have to ensure they aren't doing business with people listed as criminals under the GDPR or on lists precluding transactions.
As to whether methods for redress make compliance with one regulation over another a favorable option, Wugmeister noted that most organizations are likely to undergo efforts for mutual compliance. And, if anything, the heightened focus on GDPR may help in addressing frameworks in Latin America and Asia.
“GDPR has gotten a lot of press and a certain amount of hysteria associated with it that may not be warranted,” she said. “I think what's going to happen is the sky isn't going to fall, and people are going to say, 'Hey, I put this privacy [effort] in place, and I need to think about the rest of the world I operate in.'”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250