
Is European GDPR sufficient in the Chinese business environment?

24 May, 2018 | June 30th, 2023

[Image: European Union flag with the letters GDPR]

European GDPR will enter into force by end of May. This means that all companies operating in the European Union must abide by the rules as of day one.

Reliable data on general GDPR compliance is hard to find, as many companies still do not give the issue even a passing mention. Naturally, larger companies have taken the issue more seriously, as GDPR compliance is seen not only as a legal obligation but also as a statement to their stakeholders.

The corresponding Chinese initiative aims to improve national-level cybersecurity for the largest digital shopping and mobile-based financial services market in the world. Chinese data protection rules are laid out in the standards issued under the Cybersecurity Law, which may at first sight sound confusing. As a general remark, and in contrast to the EU-level GDPR, the data protection principles set forth in the Cybersecurity Law standard are broad, and their implementation and scope are still unclear. Nevertheless, the Chinese Cybersecurity Law will have significant implications for foreign businesses operating in or with China, even though its final shape will only emerge later. Chinese data protection rules target personal data, data transfer and data management.

Unfortunately, the divergence in content between European, Chinese and US data protection rules poses great challenges. The EU GDPR applies to specific categories of data, while its Chinese counterpart focuses generally on sensitive personal information whose improper handling could harm individuals, their property, or their mental or physical health. In addition, Chinese data protection puts great emphasis on the quality of information handling and the related processes. The EU-level GDPR is more permissive as to consent requirements: it allows, for example, processing based on the legitimate interests of controllers or third parties, on which the Chinese counterpart is silent.

The Chinese Cybersecurity Law generally prohibits unauthorized data transfer abroad. The law obliges operators to store personal information within mainland China. This does not ease the work of the human resources and marketing operations of a foreign company, which traditionally transfer a lot of what is now classed as sensitive data to their other business entities abroad. Hosting in, for example, Hong Kong or another Chinese Special Administrative Region is considered non-compliant.

The complexity of the partly overlapping legal systems also has an impact on e-commerce operating across jurisdictions. All companies hosting a website in China, whether local or foreign, are obliged to obtain a provincial Internet Content Provider (ICP) License. Failure to abide by the law risks significant fines or a blackout of the site.

ARC Consulting can provide your business with the assistance needed to ensure compliance with the aforesaid obligations.

Read about our consulting services and our experience in the technology sector.