On December 29, 2017, the Standardization Administration of China, jointly with the PRC General Administration of Quality Supervision, Inspection and Quarantine, issued the Information Security Technology – Personal Information Security Specification (GB/T 35273-2017, “Specification”), which officially came into effect on May 1, 2018.
Although the Specification is only a recommended (as opposed to a mandatory) national standard, in the months since its introduction we have seen regulatory authorities in China point to the Specification as providing a more granular and specific treatment of the generally worded data protection requirements set out in the PRC Cyber Security Law, which came into effect on June 1, 2017 (“Cyber Security Law”). In very practical terms, the Specification has become an important point of reference in evaluating the complex overlay of data protection compliance requirements found in the Cyber Security Law, the Law on the Protection of Consumer Rights and Interests, the e-Commerce Law, and other enactments and measures.
Organizations are increasingly taking the Specification into account in assessing compliance requirements on the ground in China. Given the current tensions in international trade, demonstrations of strict compliance in sensitive areas of Chinese regulations are as important now as they have ever been. The introduction of the Specification also comes at a time when public awareness of data protection appears to be on the rise in China, with consumers more likely to demand that their rights in personal data be respected.
In order to place the Specification in an international context, we have drawn important points of comparison to the EU’s General Data Protection Regulation, a frame of reference that can be especially useful to organizations that have completed their GDPR implementation programs and now wish to develop an appropriate program for China.
Originally published as a client alert on November 6, 2018.