Developments in China’s data protection and privacy regulatory regime

Abstract

On 1st June, 2017, the People’s Republic of China (PRC) Cybersecurity Law (CSL) came into force and became the first comprehensive privacy and security regulation for cyberspace and data protection. The CSL represents the gradual formation of China’s new legal framework for cyber security and data protection, despite the regime being split across various legislation and industry-specific regulations (including their draft versions). In light of the rapidly evolving regulatory environment, the broad and sometimes vaguely expressed obligations imposed by the CSL have added further complexity to the system and attracted significant attention and criticism from international companies due to its unclear application, lack of protection authority, harsh penalties, risk of stolen intellectual property, and strict compliance obligations. While new judicial developments seek to gradually provide clarification of the law — as seen in the outbreak of the COVID-19 pandemic — continuous and thorough review of cybersecurity measures will place foreign entities, ‘network operators’, and ‘critical information infrastructure operators’ in a position to effectively manage unprecedented, paradigm-shifting compliance obligations and risks. This paper outlines China’s data protection and privacy regulatory framework, provides a thorough analysis on important provisions of the CSL, and comments on recent legislative changes. Further, this paper will engage in an in-depth discussion on compliance procedures for best practice, compare the CSL with the European General Data Protection Regulation (GDPR), and analyse the impact of the coronavirus disease 2019 (COVID-19) pandemic on PRC data privacy legislation.