How Does the GDPR Compare to China’s Cybersecurity Law?

May 25th is quickly approaching and with it the enforcement of the General Data Protection Regulation. Email inboxes are filling up with updates on how companies are embracing the GDPR, and everyone is scrambling to make sure everything is ready.

However, the GDPR isn’t the first piece of legislation of its kind to reshape the data security landscape. Although it slipped under the radar, it is of the utmost interest for marketers to look into what has happened in China since its Cybersecurity Law (CSL) was approved in November 2016 and entered into force on June 1st, 2017.

The CSL is a national standard framework on personal information protection. It is considerably broader than the GDPR: it aims to govern everything within the country’s digital infrastructure, from information content to the transfer of data and its management. This standard is an evolving project that is still being worked on by players such as the Cyberspace Administration of China (CAC) and the Ministry of Industry and Information Technology (MIIT), among others.

The Six Systems

At the moment, six systems constitute the CSL, and together they create the framework and put it into action. Here’s a quick description of what each of them does:

  1. The Internet Information Content Management System — A regulation that expands the legal tools available for the government to control and oversee the content spread online.
  2. The Cybersecurity Multi-Level Protection System — The ranking of various institutions and infrastructures according to the level of sensitivity of the data they hold and manage. The higher the score, the stricter the security requirements are.
  3. The Critical Information Infrastructure Security Protection System (this one is a mouthful) — This law identifies “Critical Information Infrastructures” (CII), such as public communication and information services, power, traffic, finance and others, and the entities operating them have to cope with stricter and more burdensome requirements. However, the final definition of what constitutes a CII is still pending.
  4. The Personal Information and Important Data Protection System — This seems to be the part of the standard closest to the GDPR. It focuses on what should be considered personal information and procedures on how it must be collected, stored and protected.
  5. Network Products and Services Management System — This law requires network products that are used in critical information infrastructure (see number 3) to go through a cybersecurity review.
  6. The Cybersecurity Incident Management System — Guidelines and measures, for the public and private sectors, to be activated in response to cybersecurity incidents.

The CSL vs. the GDPR

In sum, the CSL goes even further than the GDPR. Its definition of “sensitive personal information” is broader — it extends to any personal data that “would cause harm to persons, property, reputation, and mental and physical health if lost or abused” — and its requirements for the collection of personal data, and for security testing and procedures, are stricter.

When it comes to sanctions, the highest fine is ten times the illegal gains, as opposed to the GDPR, where fines go up to 4% of a company’s annual turnover. However, for serious offenses, other sanctions can be applied: website shutdown, suspension of the business license or the detention of the person responsible for the violation.

So you may be wondering why you haven’t heard of this before. That’s because these standards only affect companies based in China, while the GDPR covers European companies and all the others that operate there, so there’s a much bigger probability it will affect you directly. This doesn’t mean the CSL should be disregarded. China is a huge market, but one that most Western companies have a tough time understanding, let alone succeeding in, so if you’re ready for its legislation, preparing for the GDPR should be a piece of cake.