Data Protection in China Part 1:

Data Protection in the International Market

The Chinese economy is one of the largest in the world and a big part of this is international trade, which means that China handles a lot of personal information for people all over the world. It is therefore very important for companies within China to comply with the data protection laws in the countries where these people are from, otherwise they could not only face massive fines but also find themselves unable to do business with those countries.

In terms of requirements and restrictions, Europe’s General Data Protection Regulation (GDPR) is one of the strictest. The key points of GDPR that will affect organisations based in China are:

  • Organisations based outside the EU will need to designate a representative within an EU country. 
  • Transfer of data to countries outside the EU is prohibited, unless certain conditions are met.
  • People have the right to know and access the data you hold on them.
  • People have the right to have their data updated, deleted and moved.
  • Organisations must take appropriate technical and organisational measures to protect the data that they hold.
  • Any suppliers that a company uses that has access to personal data must be governed by legally binding agreements on how they should process and protect that data.

Two of the largest trading partners of China are Japan and South Korea, so many businesses in China will need to comply with Japan’s Act on Protection of Personal Information (APPI) and South Korea’s Personal Information Protection Act. These acts are less strict than GDPR but still have a number of requirements and restrictions in place that need to be considered when handling personal data.

Chinese organisations also need to consider China’s national laws and standards. A first draft of a new data protection regulation was submitted for public comment in May 2019, which, once accepted, will sit alongside the new cybersecurity law from 2017. This regulation largely follows the Personal Information Security Standard (PISS), which previously served as a guideline for Chinese organisations to follow but was not mandatory.

….To be continued in Part 2

If you want to speak to one of our experts about any of the content in this article, you can book a free 30 minute no commitment consultation here.