
How China is protecting data privacy

By Barry He | China Daily | Updated: 2018-05-18 08:51

European regulations for online safeguards take effect on the same day, but the Chinese version is more far-reaching

This month is set to be a big one for personal data protection across the world. Just two weeks ago, China implemented its new standard on personal information protection. The provision outlines the new regulations that users have for online personal data consent, and how that data is taken, stored and shared with third parties. The introduction of these regulations coincides with the implementation of the European Union's General Data Protection Regulation (GDPR) in Europe on May 25, which will also change how businesses and public sector organizations can handle customer information.

So, after this month, just how safe is your data if it was collected in China or Europe? The two regulations, twins born in the same month, herald a new age for global data privacy and security. The new Chinese regulations in the standard are extremely comprehensive, as noted by an independent report from the Center for Strategic and International Studies. According to the report, the standard contains more onerous and strict safety requirements than the GDPR. However, there are still strong parallels between China's and Europe's approaches toward data protection regimes, which leave the United States ever so slightly more isolated in its systematic approach.

The GDPR protects specific types of "sensitive personal information", such as ethnic origin, biometric information and sexual orientation. However, under the new Chinese standard the regulations are more far-reaching, extending to any personal data that may potentially be able to cause harm to individuals, property, reputation and mental or physical health if lost or abused. This wider scope means that Chinese citizens will be safer under provisions that have the end goal of protecting the person holistically against misused or mishandled data.

The Chinese standard does not allow for certain kinds of third-party consent for sharing a consumer's data. Consent must be directly and explicitly derived from the individual, which prevents potential abuse from companies that may otherwise exploit vulnerable or technologically illiterate individuals. The GDPR, on the other hand, is more permissive regarding consent requirements for the collection of personal data. The European regulations allow for legitimate interests of a controller or third party that would otherwise be restricted in China.

There are rigorous requirements in both the European and Chinese regulations regarding what kind of information must be included in privacy notices. The GDPR has strict requirements for privacy notices, stating that the information a company provides about how it processes personal data must be concise, transparent, intelligible and easily accessible. The information must also be written in clear and plain language, particularly if addressed to a child, as well as being free of charge. The Chinese standard also contains strict regulations for privacy notices, but states that they are to be presented more on a "one by one" basis, indicating a degree of customized flexibility for different or unique cases.

One additional element to note is that the Chinese standard contains more specific information relating to security testing and procedures for entities that process personal information. This segment of the standard adds a broader national security element to the regulation and offers a much wider scope than the GDPR, which may be due to the fact that EU member states have their own domestic security infrastructures, better managed by executive powers on a national level.

For the rise of Chinese technology companies, the manner in which these two regulatory structures intersect will greatly affect global business aspirations. This is especially important for companies such as Alibaba, which are in the process of setting up cloud data centers across Europe. The long-term protection of Chinese consumer personal data also looks more structured and a little more secure. Given recent debates within the Chinese government and companies regarding the handling of personal data within the artificial intelligence industry, it is important that a foundational constitution of values is established and adhered to as machine learning and AI capabilities grow.

It is clear that both European and Chinese data protection provisions are extensive in their reach. Their protective power will no doubt provide a welcome update to an infrastructure covering a combined population of 1.8 billion people across the world for years to come.

The author is a London-based columnist. Contact the writer at














