With new privacy law, China could reshape cross-border data rules similar to Europe’s GDPR
- China’s Personal Information Protection Law establishes mutually incompatible data governance standards that could put multinational companies at risk
- With stricter standards and penalties than the EU’s General Data Protection Regulation, China may be looking to set international standards

China’s new privacy law, which takes effect in November, will have far-reaching implications for how companies that do business in the country handle cross-border data, possibly helping Beijing establish global standards for data management, according to legal experts.
“The new law will push data recipients located outside of the country to comply with Chinese laws more seriously, establishing long-arm jurisdiction,” said You Yunting, a senior partner at Shanghai Debund Law Firm. “The strictness of China’s legislation in the area of privacy and data safety is leading the world in terms of both national sovereignty and individual protection,” You said.
According to Chapter III of the law, if a personal information processor needs to move data beyond the country’s borders, it must either pass a security assessment by the Cyberspace Administration of China (CAC), be certified for personal information protection by the government’s cybersecurity department, conclude a contract with a foreign party in accordance with government standards, or meet “other conditions” set by government agencies.
The law also requires user consent when personal information is transferred abroad, and the receiving party must inform the person how the data will be used if its use changes from the original purpose.
The law also authorises the Chinese government to blacklist foreign organisations, companies and individuals to prevent them from accessing the data of Chinese citizens. In the event that a foreign government restricts access to personal information, the law provides for retaliatory measures.