China's version of GDPR
- Camilla
- Oct 5, 2019
Most countries that have strong data protection regulations have moved towards a consent model for collecting personal data. For example, in the UK, businesses must inform users why they are processing user data and get their consent to do so. China's Personal Information Security Specification is no different in terms of consent, but there are some key differences between GDPR and China's rules, which have a rather amusing acronym. This article will explore a few of the key differences that I found interesting.
Consent
GDPR has two key exceptions to the consent rule. The first is when processing of data is necessary to perform a contract between the parties; the second is when the processing is in the legitimate interest of the controller of the data and does not violate the fundamental rights of the subject.
With China's rules, these two exceptions do not exist. This has significant implications for any company that does anything in China that involves collecting data, as these rules will need to be complied with. The requirement to obtain consent will involve extra compliance work and planning, as any change in the way the company needs to use the data will require obtaining fresh consent.
Personalised feeds
A revised version of the Specification also requires "personalised displays" of content, like news feeds or search results, to be clearly marked as such, and users should be able to opt out of such personalisation.
Data localisation
Data localisation requirements mean that foreign companies must either invest in new data servers in China or incur costs by hiring a local server provider such as Huawei, Tencent or Alibaba, which have spent billions of dollars investing in creating domestic data centres. This measure is a surefire sign that China does not intend to make compliance easy for global competitors.
Critics of this approach have suggested that increasingly burdensome regulations may lead to foreign firms moving out of China, which could lead to a less vibrant and competitive marketplace.
This will generate work for lawyers and compliance teams worldwide, as the data law has a global reach.