Data privacy in China is usually only mentioned in discussions on state surveillance, and the legitimate concerns it raises. A lesser-known question is the development of obligations for companies towards consumers, i.e. consumer privacy rules. This post focuses on their evolution and their comparison with data privacy rules in the U.S. and the EU.
This post summarizes the main results of my law review article “China’s Approach on Data Privacy Law: A Third Way Between the U.S. and the EU?”, to be published in the Penn State Journal of Law and International Affairs, vol. 8.1. That article comprehensively details the results of research that is part of my Ph.D. earned at Shanghai Jiao Tong University, whereas the present post only aims at “briefly” presenting the main findings in a more casual fashion.
This post answers three main questions:
- How is China building its legal framework on data privacy?
- Where does it stand compared to the EU and U.S. approaches?
- What are the specificities of Chinese laws on personal information protection?
These are broad issues opening many doors, including for research in political science and international relations. Therefore, I may dedicate future posts to deepening the explanations (this post is already way too long!), especially if you readers are interested in it (let me know).
- 1. Data privacy laws in China came 30 years later than in the EU and the U.S.
- 2. China’s Cybersecurity Law as a New Direction: Stronger Than the U.S., Not as Strict as the EU?
- 2.1. Where China Resembles the U.S. More
- 2.2. Where Chinese Data Privacy Laws Converge with the EU Model
- 3. Data Privacy With Chinese Characteristics
- 4. Conclusion on Data Privacy in China
1. Data privacy laws in China came 30 years later than in the EU and the U.S.
By the time China started to enact data privacy rules, the EU and the U.S. already had long-standing stances on the issue. The two approaches feature important differences (the result of two contrasting philosophies and rationales). Therefore, China had two models it could transplant rules from, with the goal of accelerating the building of its own framework and of benefiting from the EU and U.S. experiences (to learn more on legal transplantation mechanisms and theories, see this research on comparative law).
1.1. EU’s Strong Protection or U.S.’s Minimalist Approach: The Two Models for China
Rules on data protection appeared in the 1970s in both the U.S. and Europe. At the international level, the OECD issued its Privacy Guidelines in 1980 and the Council of Europe (which is not an EU body) published its Convention 108 in 1981. Given the political and economic conditions of China at that time, the country did not show signs of interest in these initial legal developments.
The U.S. and the European Union developed different approaches to data protection. The U.S. sticks to a minimal approach where data privacy rules are scattered through a large number of laws with narrow scopes. There, data privacy rules find themselves limited by the right to freedom of speech, which is constitutionally protected. To this day, influential scholars oppose the passing of more protective privacy rules on the basis of freedom of speech.
On the other hand, the EU chose an approach that largely differs from that of the U.S. In 1995, it enacted the Data Protection Directive, designed to regulate all data privacy issues (through the implementation of the Directive’s goals in each Member State’s domestic legal framework). This choice of a comprehensive data protection law represents a main difference from the U.S. approach. Most importantly, privacy and personal information protection are now fundamental rights in the EU[1] and should receive strong protection as such. In 2018, the General Data Protection Regulation (GDPR) became directly applicable in all Member States, reinforcing the EU model and its stringent requirements.
1.2. China’s Belated Building of its Legal Framework
For a more detailed overview of China’s legal evolutions, please refer to my article in the Penn State Journal of Law & International Affairs.
Laws on data privacy arrived in China decades after most Western countries. For the legal instruments to be used, the country first hesitated between the EU approach (comprehensive data privacy law) and the U.S.’s (numerous provisions scattered among many laws). Although China eventually started to develop its legal framework through sector-specific laws much like in the U.S., the country is now on the path of enacting a comprehensive data protection law as favored by the EU (see below).
It has been argued that traditional Chinese culture was the cause for the lack of privacy protection. However, in culturally similar regions, Taiwan has data protection laws going beyond OECD standards and Hong Kong was the first jurisdiction in Asia to have enacted a comprehensive data privacy law. In mainland China, it’s rather the political situation, at a time when privacy was making a breakthrough at international and national levels, that decisively precluded the emergence of privacy protection and set China apart from the developments happening elsewhere.
China started a long march towards bringing out privacy and data protection rights with its Constitution of 1982,[2] where the right to freedom and privacy of correspondence is protected under Article 40. Unfortunately, the Constitution cannot serve as the legal ground for a judicial decision or interpretation in China, which undermines the significance of these provisions.
Civil and criminal laws now provide privacy and personal information protection. Since 1986, the General Principles of the Civil Law (GPCL)[3] have protected the “right to reputation” and served as a basis for privacy protection.[4]
On March 15, 2017, the GPCL received an update, providing rules for the protection of personal data and underlining the responsibility of individuals and organizations for data protection and collection (Article 111). The Criminal Law and its Amendment VII from 2009[5] sanction wrongdoings on privacy and personal information on several occasions.
Regulation of businesses’ use of personal data appeared following the emergence of innovations such as cloud computing and big data analytics, which convinced China to regulate more vigorously (a trend later further encouraged by Edward Snowden’s revelations and the related fear over foreign intelligence practices).[6]
In December 2012, the Standing Committee of the National People’s Congress (NPC) promulgated the Decision on Strengthening Information Protection on Networks (the 2012 NPC Decision), then the highest-level law in China on personal information protection. Since this decision, China has made significant efforts and progress in developing the protection of personal data, by including several principles and requirements in later rules. But rather than enacting a comprehensive data privacy law in the European way, China continued on a path resembling the U.S. approach, with data protection provisions contained in laws for sectors such as banking and finance, consumer protection, postal services, healthcare, credit reporting, telecommunications and the Internet, etc.
China started to build a sector-specific data privacy protection framework following the line of the 2012 NPC Decision. For example, in 2013, the NPC’s Standing Committee updated the Consumer Protection Law,[7] making data protection a distinct right for consumers in its Article 14, and notably including the core data protection principles from the 2012 NPC Decision, especially on security and confidentiality, purpose specification and consent. Other examples exist for the Internet sector, the credit reporting industry and the protection of medical records.
The most important milestone in China’s data protection legal landscape is the Cybersecurity Law, enacted on November 7, 2016 by the Standing Committee of the National People’s Congress and in force since June 1, 2017. Requirements about data privacy are included among provisions related to other aspects of cybersecurity. China’s Cybersecurity Law has a broader scope than previous laws and brings the country even closer to global standards. However, the most significant evolutions are in the non-binding guidelines accompanying the Cybersecurity Law, which I will call here the 2018 Specification.[8] The following sections analyse the rules existing in these texts.
To understand why the type of non-binding rules that is the 2018 Specification is particularly significant in the Chinese legal system, see my article in the Penn State Journal of Law & International Affairs.
2. China’s Cybersecurity Law as a New Direction: Stronger Than the U.S., Not as Strict as the EU?
Dr. Hong, who led the drafters of the 2018 Specification, argues that these rules are “stricter than the U.S., but not as much as the EU”. Given China’s late awakening to the issue and the state-surveillance problems, this declaration may seem bold and calls for a deeper analysis.
Such an analysis of Chinese rules shows that they maintain similarities with the U.S. approach on several elements. But China’s Cybersecurity Law, and mostly the 2018 Specification, also feature important signs of convergence with EU law. This demonstrates a significant change in China’s direction, in favor of stronger data protection requirements than the U.S. but without going as far as the EU. Ultimately, it is the enforcement of those rules that will matter.
2.1. Where China Resembles the U.S. More
Requirements for Data Collection and Processing
The requirements for data collection and processing are low in both China and the U.S. The EU provides six different legal bases for the processing of personal data, with stringent obligations attached to them, and notably rejects the concept of implicit consent. Neither the U.S. nor China goes further than requiring a light implicit consent. While the Cybersecurity Law and the 2018 Specification do not use the term “implicit”, drafters of the Specification later clarified that explicit consent is required only where the term “explicit consent” is expressly mentioned (e.g. for collecting sensitive information[9]), not where just “consent” is used.
Data Breach Notification
Another topic where China remains closer to the U.S. approach relates to data breach notification. In the U.S., requirements for data breach notification exist but are not as strict as in the EU.
Once a data breach occurs, the notification requirement obliges the entity in charge of the data to notify the supervisory authority and/or the affected individuals. Such obligations to notify personal data breaches have existed in the U.S. since 2002,[10] with a generous timeframe for notification, e.g. 30 days[11] or even up to a reasonable time.[12] A data breach notification requirement was absent from the EU Directive in 1995 (although included in some Member States’ national laws). Drawing on rules from Member States and the European Union Telecommunications Framework, the EU now goes further than both the OECD and the U.S. and compels data controllers to notify supervisory authorities of a security breach within 72 hours after becoming aware of it.[13]
In China, the Cybersecurity Law requires data controllers to inform authorities as well as individuals in case of a data breach.[14] The 2018 Specification gives more details and requires companies to draft a personal information security incident response plan and to organize drills annually. In case of a breach, affected entities should record a set of information about the incident, assess its impact, and promptly report it. It further requires controllers to promptly inform data subjects and provides a non-exhaustive list of information to be included in the notice.
But nowhere is the term “promptly” specifically defined. By requiring prompt notification, the Chinese legislator may want to gain more experience before setting a clear timeframe. Therefore, the new provisions of Chinese law on data breach notification are an improvement, without being as strict as EU rules. They resemble the U.S. approach more, where notification within a reasonable time is a common requirement.
The authority to which the notification should be made is not conceived in the same way in the EU and the U.S. Europe requires an independent and dedicated authority. The U.S. does not provide for regulatory oversight by an independent data protection authority, but rather a combination of “the US Federal Trade Commission, state attorneys general, the Federal Communications Commission, the Securities and Exchange Commission, the Consumer Financial Protection Bureau (and other financial and banking regulators), the Department of Health and Human Services, the Department of Education, the judicial system, and […] the US plaintiffs’ bar”.[15] The FTC has grown to become the most important privacy enforcement agency in the US.
China’s Cybersecurity Law does not establish a single, independent authority dedicated to data privacy enforcement. The Cyberspace Administration of China is dominant, but there are several regulators responsible for data protection enforcement efforts. Therefore, in a manner that recalls the U.S., there are several authorities in charge of enforcing privacy provisions in their own sector, and the allocation of competence is not always clear.[16] The Cybersecurity Law did not change this situation, which still resembles the U.S. approach more than the EU’s.
— Emmanuel Pernot-Leplay (@EmmanuelPernot) February 7, 2020
2.2. Where Chinese Data Privacy Laws Converge with the EU Model
New Chinese rules on data privacy showcase transplants of EU rules, bringing more protection to individuals than most U.S. laws. Most come from the non-binding 2018 Specification, whereas the Cybersecurity Law is often too vague to soundly demonstrate convergence with EU rules.
Towards a Comprehensive Data Privacy Law
First, China progressively moves towards the adoption of a single and comprehensive data protection law, as the EU promotes. To briefly summarize, rules for the Internet sector progressively gain in scope, up to the Cybersecurity Law, which broadly targets “network operators”, and the 2018 Specification, which goes further and makes clear that it is applicable to “all types of organizations’ activities handling personal information,”[17] in a similar way to the GDPR.
As a consequence of this trend, chances are high that China will soon enact a dedicated personal data protection law. The NPC Standing Committee’s Five-year Legislative Plan for the period 2018-2023 features a “Personal Information Protection Law” that is now in the “mature” drafting stage. The drafting of this law was commented on in 2019 by Zhang Yesui, spokesman for the second session of the 13th National People’s Congress, when he outlined that provisions on personal information were too scattered and so there is a need “to have a law specifically on the protection of personal information to form a unified force of regulation.”
The other main areas where China gets closer to EU rules concern obligations for data controllers towards data subjects. They mainly relate to limitations on data processing activities and direct rights for individuals. Explaining why, how and to what degree there is convergence here is crucial but requires longer explanations. I can only redirect you to the law review article I wrote to get this analysis. Here, for the sake of brevity, I will only skim over these issues.
Limits on Further Processing
It is also a clear requirement that personal data cannot be used for purposes other than those stated to the individual. Here, China follows the European rules and diverges from the U.S., which does not afford the same level of protection and, for example, allows internet providers to sell users’ data without their consent to this purpose.[18]
The EU allows data collection and processing only to the extent that such data is necessary to the purpose specified – this is data minimization. This principle is either absent or very weak in U.S. legislation. In China, the Cybersecurity Law requires a soft minimization, as network operators are forbidden to collect personal information unrelated to the services they provide. But the 2018 Specification clearly sets a strict data minimization principle, with data processing permitted only for what is necessary to the purposes.[19] This is another example where the Cybersecurity Law features looser requirements than the 2018 Specification, which is itself closer to EU rules.
The sensitivity principle is a clear distinction between the EU and the U.S. It means that the processing of sensitive data should be subject to additional safeguards. The requirement exists in EU rules for data such as ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions, and genetic and biometric data.[20] U.S. laws do not protect sensitive data in such a wide manner.
China leans towards the EU approach, but in its specific way. Even though the Cybersecurity Law does not provide any additional protection for sensitive data, the 2018 Specification does require it. However, the definition of sensitive data differs significantly from EU rules, where sensitive data are clearly listed. The 2018 Specification[21] defines it as data that, if disclosed or altered, could endanger the safety of persons or property, harm personal reputation and physical or psychological health, lead to discriminatory treatment, etc. This risk-based definition is much broader than the GDPR’s.
Right to be Forgotten
The creation of a right to be forgotten in the EU was received with scepticism in the U.S.,[22] where critics like Eugene Volokh, a prominent scholar of American constitutional law, oppose the right to be forgotten on the basis of the freedom of speech that the First Amendment of the U.S. Constitution protects.
The conceptual differences between China and the United Nations over the right to freedom of expression are well known. In addition to that, free speech activists sometimes criticize the right as a way to facilitate censorship. This could lead one to think that a right to be forgotten would be less problematic in China than in the U.S. However, in May 2016 (before the Cybersecurity Law took effect), the Haidian District People’s Court in Beijing ruled in favor of Baidu, China’s main search engine, against a plaintiff invoking a right to be forgotten derived from his right of name and right of reputation. The judges ruled there was no right to be forgotten in Chinese law.
A right to erasure exists in the Cybersecurity Law (CSL), but it is limited to cases where the network operator has violated laws or agreements between the parties.[23] The 2018 Specification is in line with this.[24] It goes further by requiring controllers to also notify third parties with whom data have been shared to delete them, as does the GDPR, but the requirement is still only applicable where a law or an agreement has been breached. Therefore, on the one hand the right to deletion is more established in China than in most laws in the U.S. On the other hand, it remains narrower than EU rules. In the context of the drafting of China’s upcoming comprehensive data protection law, several Chinese experts call for an extension of that right in the EU way.
Right to Data Portability
The right to data portability allows individuals to ask an organization to port their data directly to another organization or to receive them in an interoperable format. In the U.S., data portability is required in California[25] and for certain health data in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but there is no overarching requirement. Data portability as a data right that spans across sectors is a novelty of the GDPR.[26]
China follows the EU direction in the 2018 Specification, which grants the data portability right to individuals. It requires data controllers to give their personal information to data subjects or to directly transfer it to a third party. However, this right is more limited than in the EU because it concerns only individuals’ basic information and information about their identities, and health, psychological, education and work information.[27] It is another example where China offers more data rights than the U.S. without going as far as the EU.
Automated Decision-making and Profiling
Finally, another area where China follows the EU in enhancing individuals’ rights is the restrictions on automated decision-making, including through profiling. In the EU, a “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”[28] This requirement is a feature that is specific to the EU approach on data protection.[29] In the U.S., there is no similar general prohibition on decisions based solely on automated decision-making.[30] U.S. residents do, however, enjoy certain rights to information or to contest in certain situations under specific laws, such as the Fair Credit Reporting Act or the Equal Credit Opportunity Act.
The Cybersecurity Law does not mention automated processing or profiling, nor did previous Chinese laws. The 2018 Specification is the first legal instrument to define profiling[31] and to require that, in the case of automated decision-making, the data controller provide means for data subjects to lodge a complaint.[32]
3. Data Privacy With Chinese Characteristics
The previous sections compared Chinese rules with foreign models. But China showcases significant characteristics which are not found in either the EU or the U.S. approach, expressing China’s own rationale on personal data protection.
3.1. Data Localization and Cross-Border Data Transfers: Impacts of the Cyber-Sovereignty Principle
Data localization provisions (requiring that at least a copy of personal data should remain within the country’s borders) and restrictions applied to cross-border transfers of personal data are among the most contentious legal elements, featuring the least convergence between the three approaches. It is also where Chinese laws show most of their specificities, but also where they are the fuzziest so far.
In the absence of an international treaty to which the EU, the U.S. and China would be parties, they each regulate data exchanges pursuant to their own requirements and philosophies. The U.S. way is the simplest, as there are no special requirements for transferring personal data from the U.S. to a third country. The U.S. is also among the strongest opponents of data localization restrictions, seen as trade barriers.[33]
EU law is more restrictive but has no data localization requirement that would oblige certain personal information to remain within Europe. However, cross-border data transfers can happen only when respecting the level of protection set by the GDPR, therefore to third countries with a level of data protection which the European Commission recognizes as equivalent to the EU’s, or by using appropriate safeguards such as standard contractual clauses or binding corporate rules. This difference from the U.S. has been labelled a “dramatic distinction” by legal scholars.[34]
In China, the Cybersecurity Law establishes the principle of cyberspace sovereignty, or cyber-sovereignty, which impacts this issue.[35] Cyber-sovereignty is part of China’s broader cyber-strategy and geopolitical stance. Pursuant to this concept, cyberspace is subordinated to the interests and values of a country within its borders, i.e. the application of state sovereignty to cyberspace; it is opposed to the multi-stakeholder governance model that supports a free and open Internet. The cyber-sovereignty concept was spurred by Edward Snowden’s revelations on foreign access to population and national security confidential data and embraced by China. To ensure its sovereignty over cyberspace, a country may exert control over the Internet architecture, content, and data flows (exports but also imports, e.g. by blocking foreign content), often for security purposes.
Regarding personal information protection, the cyber-sovereignty principle engenders requirements of localization of data storage and restrictions on cross-border data transfers. Article 37 of the Cybersecurity Law requires “critical information infrastructure operators” that gather or produce personal information or important data during operations in China to store it in China. Such data can be transferred out of the country when it is truly necessary and after passing a security assessment (that has yet to be defined). These provisions were set to take effect months later than the rest of the Cybersecurity Law to grant companies more time to adapt.[36] However, the enforcement of those provisions has been further postponed sine die. While the press reported that this is meant to avoid exacerbating tensions amid the trade war context, the delay is also explained by the absence of guidelines and texts that should bring more precision to the vague and ambiguous data-transfer provisions. This also illustrates the great reliance on non-binding rules for the Cybersecurity Law to be effectively enforced.
These provisions are at the crossroads of China’s concerns involving privacy, surveillance, sovereignty and economic development, that are all addressed within the Cybersecurity Law. Compared with EU and U.S. rules, they serve the need to retain data within the jurisdiction based on a rationale that goes beyond data privacy.
3.2. Surveillance and Privacy: The Data Protection Dichotomy in China
What is striking in China’s system is the difference between the strengthening of protection against private entities and the parallel increase of government’s access to personal data, as there is still no significant privacy protection against government intrusion.
Whereas the rights to privacy and data protection evolved favorably for individuals/consumers in their relations with the private sector, considerable criticism still exists when those rights are assessed in the context of the relation between the citizen and the government, particularly for surveillance issues. A previous comparative study by James D. Fry, Hong Kong Faculty of Law Professor, found that many rules exist in the U.S. to regulate surveillance activities, whereas the very few provisions existing in China are inoperative in practice.[37]
In contrast, Chinese laws increasingly protect individuals’ rights against private entities holding their data and grant them more control over it. However, this progress is counterbalanced by the increase of the government’s access to data, spurred by innovations such as facial recognition. This dichotomy is observable in the Cybersecurity Law itself, which provides personal data protection but also contains articles limiting it on the basis of public and national security, such as building backdoors into software.
The Chinese rationale is different from both the EU and the U.S. approaches. In China, it is the Chinese consumer’s data privacy protection that progresses, rather than a citizen’s (please read my article in the Penn State Journal of Law & International Affairs for more details). This explains why individuals are gaining significant data protection rights in the private sector but “cannot claim any remedies for the infringements of their privacy carried out by the state government.”[38]
To reinforce the issue, cybersecurity is conceptualized as a component of national security. The Cybersecurity Law indeed follows the enactment of the National Security Law,[39] which touches on personal data aspects where it allows the government to access information, and the Counterterrorism Law,[40] which also contains provisions related to cybersecurity and data protection. The inherent consequence of this political and legal framework is that the collective interest outweighs individual freedoms and data privacy. The social credit system rating citizens based on their behavior and facial recognition in public areas for law enforcement purposes are the results of such balancing of interests. As Xue Lan, former dean of the School of Public Policy and Management at Tsinghua University, says, “facial recognition may infringe on personal privacy to a certain degree, but it also brings a collective benefit, so it is a question of how to balance individual and societal benefits.”
This balance also goes the way of personal data protection. Despite this context and contrary to popular belief, Chinese people worry about the privacy of their personal data. According to a recent survey by the China Consumers Association, 85% of people suffered a data leak, spurring public anger. The leakage of personal data has indeed grown to unbearable levels. In 2016, it caused an RMB 91.5 billion loss to the Chinese economy (about USD 13 billion). In addition, dramatic cases making the headlines move public opinion and stimulate the debate around personal data protection, such as the Xu Yuyu case: following the disclosure of personal information, a scammer stole this 18-year-old student’s money that her family had saved for her to go to college. The young girl then died of a heart attack on the way back from the police station.
Facing this situation, China’s government has to act and better protect individuals’ data privacy, with a dual objective: strengthening Chinese consumers’ trust in the digital economy while positioning the government as a privacy protector. China’s challenge is to secure the flow of personal data that is vital for the development of the digital economy, while ensuring government control. This explains why, on the one hand, concerns rise about surveillance – e.g. around the social credit system and facial recognition – while on the other hand, new rules go beyond the minimalist protections found in the U.S., and towards the more protective EU model. This forms China’s dual approach on personal data protection.
4. Conclusion on Data Privacy in China
China’s stance on data protection is the source of a lot of fear, controversies and skepticism. Whereas the protection of personal information was indeed lacking until recently, the country is now building its framework at a rapid pace.
This post shows that China gradually builds a data privacy system through the legal transplantation of both the EU and the U.S. reference models. It started from a path resembling the U.S. minimalist approach and now shows significant signs of convergence with the more stringent and comprehensive EU model. There are high chances that this trend will continue, and the law dedicated to data privacy that is on China’s legislative agenda should be the next milestone in that direction.
China’s approach is not merely a transplantation of EU and U.S. rules. Cyber-sovereignty and the dichotomy between privacy from private actors and privacy from the state are the most salient elements of the model that China is building. Given the country’s economic and political ambitions related to its cyber strategy, China’s voice on data privacy will have an increasing impact.
Currently, China is also shaping the related artificial intelligence regulations that are intertwined with personal data usage. Unlike for personal data protection stricto sensu, China is not a latecomer here and will now be able to push its vision on AI rules, and participate with the EU and the U.S. in the competition for global regulatory clout. China’s significant improvements concerning consumer privacy will, hopefully, infuse into China’s future AI regulations.
- In its Article 8, the Charter of Fundamental Rights in the European Union provides that everyone has the right to the protection of personal data, which should be processed on a legitimate legal basis such as consent, that everyone has the right of access to their personal data and the right to have it rectified, and that an independent authority shall control compliance with these rules; European Union, Charter of Fundamental Rights of the European Union, ratified December 7, 2000, Art. 8.
- Constitution of the People’s Republic of China, 4 December 1982
- General Principles of the Civil Law of the People’s Republic of China, promulgated on April 12, 1986, in force from January 1, 1987.
- For further discussion of the protection of privacy by the GPCL, see Graham Greenleaf, Asian Data Privacy Laws: Trade and Human Rights Perspectives 200–201 (2014).
- Criminal Law of the People’s Republic of China, adopted on July 1, 1979 (Criminal Law) and Amendment Seven to the Criminal Law, adopted on February 28, 2009.
- As underlined by Graham Webster, in a lecture given at New York University, Shanghai campus, December 6, 2017.
- Decision on Amending the PRC Law on the Protection of Consumer Rights and Interests, adopted by the Standing Committee of the Twelfth National People’s Congress on October 25, 2013, in effect from March 15, 2014. A translation of the law is available.
- The “Information Security Technology – Personal Information Security Specification” (GB/T 35273-2017) was issued by the National Information Technology Standardization Technical Committee (the TC260) on December 29, 2017 and took effect on May 1, 2018. The TC260 is jointly supervised by the Standardization Administration of China and the Cyberspace Administration of China for the purpose of setting standards.
- 2018 Specification, Article 5.5.
- California S.B. 1386, effective on July 1, 2003 (California Data Security Breach Notification Law).
- E.g. in Colorado, where notification to the affected Colorado residents must be made within thirty days after the determination that a breach occurred, see Colorado Consumer Data Privacy Law at Sec. 3 (2).
- California Data Security Breach Notification Law, 1798.29.(a) and 1798.82.(a): “The disclosure shall be made in the most expedient time possible and without unreasonable delay.”
- GDPR, Article 33(1).
- Cybersecurity Law, art. 42: “When the leak, destruction or loss of personal information occur, or might occur, remedial measures shall be immediately taken, and provisions followed to promptly inform users and to make report to the competent departments in accordance with regulations.”
- Alan Charles Raul, Frances Faircloth & Vivek K Mohan, United States – The Privacy, Data Protection and Cybersecurity Law Review 269 (Edition 4 ed. 2017).
- Bo Zhao & G.P. (Jeanne) Mifsud Bonnici, Protecting EU citizens’ personal data in China: a reality or a fantasy?, 24 International Journal of Law and Information Technology 128–150, 135 (2016).
- 2018 Specification, art. 1.
- In October 2016, the Federal Communications Commission (FCC) approved new rules enhancing customers’ privacy on the internet, forbidding internet providers from selling personal information such as browsing history, app usage or mobile location without the customers’ explicit consent to that purpose. However, like other data protection initiatives of the Obama administration, it was repealed by the Republicans in 2017. See Brian Fung, The House just voted to wipe away the FCC’s landmark Internet privacy protections, The Washington Post, March 28, 2017.
- 2018 Specification, Article 4(d): “Minimization Principle: Unless otherwise agreed by the data subject, only process the minimum types and quantity of personal information necessary for the purposes for which the authorized consent is obtained from the data subject. After the purposes have been achieved, the personal information should be deleted promptly according to the agreement.”
- GDPR, Articles 9 and 10.
- 2018 Specification, Article 3.2.
- Steven C. Bennett, The Right to Be Forgotten: Reconciling EU and US Perspectives, 30 Berkeley J. Int’l L. 161, 164–168. Most negative reactions revolved around supposed inconsistencies with the freedom of expression and interference with business demands for data.
- Cybersecurity Law, art. 43.
- 2018 Specification, art. 7.6.
- CCPA, § 1798.100.(d).
- GDPR, art. 20.
- 2018 Specification, art. 7.9.
- GDPR art. 22(1). This provision is subject to several exceptions, stated in art. 22(2).
- Graham Greenleaf, The influence of European data privacy standards outside Europe: implications for globalization of Convention 108, 2 Int’l Data Priv. L. 68, 74 (2012).
- Gabriela Bodea et al., Automated decision-making on the basis of personal data that has been transferred from the EU to companies certified under the EU-U.S. Privacy Shield (Fact-finding and assessment of safeguards provided by U.S. law), European Commission 40 (2018).
- 2018 Specification art. 3.7.
- 2018 Specification art. 7.10: “When a decision is made on the basis of information system automated decision-making and has significant impact on the data subject’s rights and interests (for example, when user profiling determines personal credit and loan amounts, or in user profiling for interview screening), the data controller should provide means for data subjects to lodge a complaint.”
- John Selby, Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both?, 25 Int’l J. L. and Info. Tech. 213 (2017).
- Schwartz, at 1977.
- Cybersecurity Law, art. 1: “This law is formulated in order to ensure cybersecurity; safeguard cyberspace sovereignty and national security, and social and public interests; protect the lawful rights and interests of citizens, legal persons and other organizations; and promote the healthy development of the informatization of the economy and society.”
- Cross-border data transfers rules were set to enter into force on December 31, 2018, whereas the Cybersecurity Law took effect June 1, 2017.
- James D. Fry, Privacy, predictability and internet surveillance in the US and China: Better the devil you know, 37 U. Pa. J. Int’l L. 419 (2015).
- Jyh-An Lee, Hacking into China’s Cybersecurity Law, 53 Wake Forest L. Rev. (2018), at 101. Lee further states that “While the government has endeavored to continuously enhance the human rights protection it offers, the actions of the state government itself is mostly unconstrained by fundamental human rights.” The lack of access to effective remedies goes against another fundamental right in the EU, the right to an effective remedy and to a fair trial, which, at a higher level, is also part of the EU approach to data protection.
- National Security Law, promulgated by the Standing Committee of the National People’s Congress on July 1, 2015, effective on July 1, 2015.
- Counterterrorism Law, passed by the NPC on December 27, 2015, in effect from January 1, 2016.