Until recently, China’s data privacy framework consisted only of a patchwork of fragmented rules found in various laws, measures and sector-specific regulations. And while the sources of law remain many and overlapping in this area, the Cyber Security Law, which came into effect on 1 June 2017, included for the first time a comprehensive set of data protection provisions in the form of national-level legislation.

The Cyber Security Law is of general application to personal data collected over information networks. Numerous regulations, guidelines and other subsidiary measures remained to be adopted under the umbrella of the law when it came into effect. Drafts of many of these have now been published, and the entire package, including the controversial provisions affecting transfers of certain data, including personal data out of China are expected to be brought into force from the beginning of 2019.

Meanwhile, a national standard known as the Personal Information Security Specification entered into effect on 1 May 2018. This non-binding guideline contains detailed requirements on data handling and data protection. No penalties apply for breach. However, given its comprehensive nature, Chinese government agencies are expected to apply the Specification as an important measure of compliance with all of China’s data protection rules, including those contained in the Cyber Security Law. 

It is acknowledged that the Specification was drafted with reference to the European General Data Protection Regulation (GDPR). And it adopts GDPR concepts such as privacy impact assessments and individual rights such as variations on the right to be forgotten, right of data portability and the right not to be subject to automated decision making.

Chinese data privacy law is therefore a fascinating mixture of advanced consumer protection provisions, attuned the demands of a extremely digital-savvy population - who are also increasing willing to speak out about companies' perceived abuses of their personal data - and a laser focus on national security and cyber security.

My briefing on our website here summarises the most important personal data privacy provisions now in effect or published in draft.