Chinese Personal Information Security Specification and European GDPR: what are the differences and similarities?

24/05/2018

As reported in a recent update, the Chinese Government released the recommended standard ‘Information Technology - Personal Information Security Specification’ [GB/T 35273-2017] (hereinafter ‘the Specification’).

The following is a brief comparison between the new Chinese Specification, effective as of May 1, 2018, and the Reg. EU 679/2016, coming into force on May 25, 2018. The first point of divergence is thus the type of measure adopted.

The European Union has opted for a regulation, that is a legal act directly applicable in all EU countries, without the need for national implementation. The European legislator’s choice together with the Article 29 Working Party Guidelines indeed show the intention to achieve uniform interpretation and application of the GDPR across the whole of the EU territory, with the clear purpose to ensure protection and free movement of data.

The Chinese Specification is a voluntary standard, that is a non-binding rule which fits into the Chinese personal data protection regime as a tool for implementing a higher level law, the Cybersecurity Law (2016). The Specification will therefore serve as a reference point for the Chinese Government when judging the corporate practices adopted to ensure personal data protection, which is why its application is highly recommended to all those who want to operate on the Chinese market.

Furthermore, the Chinese personal data protection system does not provide for any supervisory authority such as the Data Protection Supervisor, which is instead established under European Union law both at EU and national level and charged with ensuring the correct and uniform application of the GDPR. Accordingly, inconsistent application of the Specification across China can be expected, given the lack of an authority responsible for ensuring compliance with the obligations set out in the Chinese standard.


Scope of application

As regards the scope of application, both the Specification and the GDPR apply to the processing of personal data, namely the collection, retention, organization, use, sharing and transfer of such data.

The scope of personal data regulated under the GDPR and the Specification is however potentially different, as the rules provide different definitions of ‘sensitive personal data’.

While article 9 of the GDPR deems ‘sensitive’ only specific types of data, the Specification takes a ‘risk-based’ approach by defining ‘sensitive personal information’ as any personal data which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation and mental and physical health or leading to discriminatory treatment.


Consent

The GDPR and the Specification, in addition, differ on an essential element: the definition of consent, and especially how it can be expressed.

Consent under the GDPR shall not only be informed, but also explicit, given ‘by a statement or clear affirmative action’; it can never be implied or silent.

The Specification, conversely, seems to admit implied or tacit consent, at least according to the interpretation provided by the drafters of the standard.

Besides, the Specification diverges from the GDPR when setting out the exceptions to consent.

The GDPR expressly includes the performance of a contract and legitimate interests among the legal grounds for lawful processing of personal data. The Cybersecurity Law instead bases lawful processing of personal data entirely on consent; accordingly, the Specification includes among the exceptions to consent the need to perform a contract to which the data subject is party, but it does not make any reference to the concept of legitimate interest.

Therefore, as consent is the only ground for lawful processing of personal data, the Chinese personal data protection system requires a more flexible interpretation of the concept of consent than the one adopted by the European Union.

Despite the clear and significant differences reported above, the drafters of the Specification have certainly drawn inspiration from the European GDPR, and a number of similarities can be found between the two rules. Some American commentators have indeed suggested that China and the European Union are establishing data protection regimes that have more in common with each other than with that of the United States, thus isolating the latter globally on data policy.

Finally, it is very important to note that both the Specification and the GDPR provide for the principle of accountability, whereby those who process personal data are responsible for compliance, that is for the lawfulness of the processing itself, and must be able to demonstrate that they have assessed the risks to which the data may be exposed and adopted appropriate technological and organizational measures to avoid them. The GDPR and the Specification thus develop a risk-based approach, making data controllers responsible both for the measures to be adopted and for the demonstration to be provided.

The Specification therefore looked to the European Regulation when regulating some aspects of data processing, which are outlined below in order to make the differences and similarities clear.