ChinaMarket Insights

Is European GDPR sufficient in the Chinese business environment?

By 24 May, 2018June 30th, 2023No Comments

European Union flag with the letters GDPR

European GDPR will enter into force by end of May. This means that all companies operating in the European Union must abide by the rules as of day one.

Reliable data on general GDPR compliance is hard to find as many companies still don’t even give a passing mention to the issue. Naturally larger companies have taken the issue more seriously as GDPR compliance is seen not only as a legal obligation but also as a statement to their stakeholders.

The respective Chinese initiative was to improve national level cybersecurity for the biggest digital shopping and mobile based financial service market in the world. Chinese data protection rules are laid out in the standards of the Cybersecurity Law, which, by definition, may at first sight sound confusing. As a general remark and as opposed to EU level GDPR, the data protection principles set forth in the standard of Cybersecurity Law are broad, and the implementation and scope are still obscure. Nevertheless, Chinese Cybersecurity Law will have significant implications to foreign businesses operating in or with China although its final shape will be achieved later. The China data protection targets personal data, data transfer and data management.

Unfortunately, the divergence of the content between European, Chinese and US data protection rules imposes great challenges. The EU GDPR applies to specific data while its Chinese counterpart focuses generally on sensitive personal information eventually harming individuals, property, mental or physical health if not taken care of properly. In addition, Chinese data protection put a great emphasis on the quality of handling the information and related processes. EU level GDPR is more permissive as to necessary consent requirements and it allows e.g. legitimate interests of controllers or third parties which the Chinese counterpart in turn is silent of.

Chinese Cybersecurity Law generally prohibits unauthorized data transfer abroad. The law obliges operators to localize the personal data information in mainland China. This does not ease the work of human resources and marketing operations of a foreign company, which traditionally transfer a lot of now sensitive data to their other business entities abroad. Hosting e.g. in Hong Kong and other China Special Administrative Regions is considered non-compliant.

The complexity of the partly overlapping legal systems have also an impact on e-commerce operating across jurisdictions. All companies whether local or foreign, hosting a website in China are obliged to obtain a provincial Internet Content Provider (ICP) License. Failing to abide by the law one may risk significant fines or blackout.

ARC Consulting can provide your businesses with necessary assistance in ensuring compliance with the aforesaid obligations.


Read about our consulting services and our experience in the technology sector.

    Ready to talk to our experts?


    The insights provided in this article are for general informational purposes only and do not constitute financial advice. We do not warrant the reliability, suitability, or correctness of the content. Readers are advised to conduct independent research and consult with a qualified financial advisor before making any investment decisions. Investing in financial markets carries risks, including the risk of loss of principal. Past performance does not guarantee future results.

    The views expressed herein are those of the author(s) and do not necessarily reflect the company's official policy. We disclaim any liability for any loss or damage arising from the use of or reliance on this article or its content. ARC Group relies on reliable sources, data, and individuals for its analysis, but accuracy cannot be guaranteed. Forward-looking information is based on subjective judgments about the future and should be used cautiously. We cannot guarantee the fulfillment of forecasts and forward-looking estimates. Any investment decisions based on our information should be independently made by the investor.

    Readers are encouraged to assess their financial situation, risk tolerance, and investment objectives before making any financial decisions, seeking professional advice as needed.