CII Operators
Subscribe to CII Operators's Posts

The GDPR’s Effects in China: Comparison with Local Rules and Considerations for Implementation

As Europe’s General Data Protection Regulation (GDPR) takes effect, companies around the world are racing to implement compliance measures. In parallel with the GDPR’s development, China’s new data protection framework has emerged over the past year and is in the final stages of implementing the remaining details. With similar and often overlapping obligations, full compliance with the GDPR and China’s data protection framework presents a significant new challenge for companies with operations in China.

Does the GDPR Apply to Companies in China?

The GDPR applies to the processing of personal data of people who are in the European Union, even for a controller or processor in China, where the processing of the data is related to:

  • The offering of goods or services to the data subjects in the European Union, regardless of whether a payment is required; or
  • The monitoring of people’s behavior in the European Union.

As a result, even if a Chinese company does not have any formal establishments in the European Union, the GDPR will nonetheless apply if it is conducting either of these two types of activities.

What Are the Requirements for Companies in China Subject to the GDPR?

The GDPR primarily focuses on two categories of entities: “controllers” and “processors.” These two types are similar to concepts in the Chinese rules.  “Controllers” are entities that, alone or jointly with others, determine the purposes and means of the processing of personal data. “Processors” are entities that carry out the processing of personal data on behalf of the controllers.

Key requirements for most controllers under the GDPR: (more…)




Transferring Data from China: Who Must First Pass a Pre-Export Security Assessment?

China’s new data protection framework clearly creates a requirement for local storage and conducting a security assessment before personal information or important data is shared with other jurisdictions, but it is currently much less clear what types of entities fall under this requirement.

Localization and Transfer Assessment Requirements Related to CII Operators

Under the People’s Republic of China Network Security Law, also known as the Cybersecurity Law, personal information and important data collected and generated in the operation of critical information infrastructure operators (CII operators) is required to be stored in China and, before providing that information abroad, a security assessment is required to be passed. This new requirement caused a significant amount of concern for entities that fall within the category of CII operators because of the need to potentially restructure their data systems, but there was also a general appearance of acceptance within the business community due to the relatively targeted scope of the definition of CII operators and acknowledgement that critical infrastructures require elevated protections. (more…)




China’s Network Security Law Comes into Effect: What It Means for Your Company

Today, China’s much anticipated Network Security Law comes into effect after two years of review, revisions over three drafts and a public commenting process. The law is a historical development for China’s legislative coverage of information security and data protections. It also represents one of the strictest approaches in any jurisdiction worldwide, and a continuation of a broader effort at demonstrating the government’s cyber-sovereignty goals through control and regulation of data and the internet.

Overview of the Network Security Law

Commonly referred to as the “Cybersecurity Law,” the new piece of legislation has a broad scope and covers a range of issues related to data privacy, security and cross-border transfers, including:

  • Increasing security measures and strengthening data security through a variety of specific obligations
  • Ensuring consent for collection of personal information through the principles of legality, proper justification and necessity
  • Screening equipment and products for security testing and certification
  • Ensuring real-name registration for users
  • Strengthening requirements to cooperate with government agencies during criminal investigations or to protect national security
  • Requiring personal information to be stored in China under some circumstances
  • Increasing confidentiality measures for user information
  • Setting up a complaint and reporting platform for network security

(more…)




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021