In the News Legaltech News

The GDPR and China's Cyber Law: Following One Doesn't Mean Following Both

With the European Union’s General Data Protection Regulation (GDPR) deadline for compliance imminent, there’s been a focus on whether U.S.-based multinational companies can get their data practices up-to-date in time for compliance. How the GDPR will coexist on the global business stage alongside China’s controversial Cybersecurity Law, however, is a different story.

Set into effect in June 2017, China’s Cybersecurity Law (CSL) has been a source of controversy. Initially promoted as a method for enhancing national cybersecurity, the law requires that “network operators” store data within China while allowing government officials access to it. What’s more, many have criticized it for having vague language and penalties disproportionate with infractions, as well as providing Chinese companies a considerable advantage while risking intellectual property.

In some ways, the law resembles the GDPR. Both have been characterized as somewhat open-ended in application and enforcement, with GDPR’s “legitimate interest” data processing requirement leaving many scratching their heads, while the same could be said of China’s classification of “network operators,” which could be applied to practically any business in China administering or owning its networks.

There are also notable ways in which the laws differ. Cori Lable, a Hong Kong-based partner at Kirkland & Ellis, explained the GDPR “is a very rights-based code to provide every individual protection.” And while the Chinese law places some individual protections on personal data, it instead is tied to larger national security requirements.

“Moreso than GDPR, the China Cyber Law has different requirements for various state-level review,” Lable said, specifying that government reviews and notification requirements come into play before a cross-border transfer of personal data. “Some of that incongruence grows out of the different primary motivations of the regimes.”
The Devil’s in the Details
Under CSL, if the data for transfer contains certain criteria—containing the personal information of half a million citizens, for example—the Chinese government is required to undergo its own review and assessment prior to the transfer’s execution. This is similar to GDPR in that both require citizens’ consent for data collection and processing.

Yet multinationals face challenges in determining where their data actually resides, a fact not always obvious given the amount of digital information generated by individuals and entities. This could determine whether an organization is subject to complying with CSL, GDPR or both.

Article 3.2 of GDPR stipulates that entities in countries beyond the EU providing services or goods to its citizens can fall under GDPR requirements, while CSL jurisdiction, under Article 2, is limited to Chinese territory. Therefore, write Galaadd Delval and Zhong Lin for the International Association of Privacy Professionals, “With such a stark contrast, it can be concluded that companies located solely in China doing business in China and the EU should comply with both the CSL and the GDPR, while companies solely located in the EU would only be bound by the GDPR.”

“A company may have a global data set where they’re piling in personal data from individuals located in China or Europe, and depending on where that data is, both need to comply with storage and process requirements,” Lable added. What’s more, the consent requirements differ between the two laws. GDPR contains six different legal bases under which personal data can be processed, including consent, in which someone “has to proactively agree.” Meanwhile, CSL “is not that explicit.”

“There are still a lot of areas of the China Cyber Law waiting where we’re waiting for specific government regulations. The full of extent of what the government intends remains to be seen,” she said.

For Morrison & Foerster partner Miriam Wugmeister, the “vagueness” that surrounds both laws presents a key compliance challenge. Contrary to popular belief, she said GDPR “doesn’t have very many details,” and many of its directives have been in law since the EU’s 1995 Data Protection Directive. Likewise, CSL’s “language is not entirely clear.”

“A real problem for organizations with China Cyber Law is not what the obligations are but to whom it applies,” said Wugmeister. And “any time there’s uncertainty, organizations over- prepare or under-prepare.”

Much of the confusion with CSL surrounds who is classified under “critical information infrastructure” (CII), a category in which much of the CSL’s obligations apply. While the category includes traditional sectors like energy, it also includes companies holding a considerable amount of data on a Chinese citizen, as well as companies that service critical industries. And definitions for both important and personal data, both of which are regulated under CSL, aren’t defined clearly.

Another “real problem” cited by Wugmeister is CSL’s data localization rules, which require CII data be kept in the country and only copies, after review, to be shared in a transfer. GDPR, meanwhile, places mechanisms for data transfers. “If you have to keep data in the country, that can be problematic, because basic Cyber 101 is the more places, the bigger your surface area, the harder it is to protect organizations.”

“It’s not necessarily a conflict of law, but if you’re trying to use the best security, you can’t do it if it’s in 50 places,” she added. “It’s not that [international privacy frameworks are] brand new, it’s just the more countries that do it, the harder it is.”

Playing Off One Another
Given the nascent nature of both laws, it remains to be seen how either operates in relation to the other. As written in the Center for Strategic and International Studies, “For Chinese companies, the way in which these two regimes intersect will affect their global aspirations, particularly as internet companies like Alibaba set up data and cloud centers in Europe. Chinese telecom firms vying to build out internet infrastructure across Europe under the One Belt, One Road initiative will also have to reckon with the relationship between their two systems.”

While Kirkland doesn’t “advise specifically” on CSL, Lable said for multinationals reconciling data practices, she points clients towards baseline regulatory requirements and assists in mapping data flows and storage. She also emphasizes to make sure they have “the right internal information security and privacy map” and “the right network security protocols.”

“Both of these laws have different requirements on basic network security assessments and require to have people involved in the organizations to have oversights on privacy and security,” she said.

And complying with both is likely of utmost importance to most multinationals. In 2017, China and the EU were listed by the CIA as the world’s two largest markets, with economic outputs of about $23 trillion and $20 trillion, respectively. What’s more, GDPR has steep penalties for noncompliance—a maximum of the greater between €20 million (roughly $23.4 million USD) or 4 percent annual revenue. While China’s financial penalties are lower (the maximum 1,000,000 RMB, or roughly $156,000 USD), noncompliance could result in a revoking of a business license or suspension of operations.

Wugmeister noted that “the trickiest part” of mutual compliance is “when you have legal obligations that conflict.” For example, she noted that multinationals have to ensure they aren’t doing business with people listed as criminals under the GDPR or on lists precluding transactions.

As to whether methods for redress make compliance with one regulation over another a favorable option, Wugmeister noted that most organizations are likely to undergo efforts for mutual compliance. And, if anything, the heightened focus on GDPR may help in addressing frameworks in Latin America and Asia.

“GDPR has gotten a lot of press and a certain amount of hysteria associated with it that may not be warranted,” she said. “I think what’s going to happen is the sky isn’t going to fall, and people are going to say, ‘Hey, I put this privacy [effort] in place, and I need to think about the rest of the world I operate in.’”