The New Chinese Data Protection Law and the European GDPR – A Legal Comparison

Abstract

Together with the Cybersecurity Law, the Data Security Law, and the 4th Part of the Civil Code, the Personal Data Protection Law of the People’s Republic of China (GSPD), which took effect on November 1, 2021, provides the legal basis for data protection in China. Although the GSPD shares many similarities with the EU’s GDPR, it contains a range of differences that personal data processors, including foreign companies and their subsidiaries in China, must take into consideration. Particularly with the GSPD’s differences, data processors in Europe and their subsidiaries in China need to adapt their data protection programs and take appropriate measures to ensure compliance, as merely transplanting their data protection programs from the EU to China will not suffice to ensure compliance. The article gives an overview of data processors’ main obligations and provides a table clearly outlining the chief differences between the GSPD and the EU’s GDPR. Finally, the authors recommend ways to ascertain how much action is required as well as how to implement technical and organizational measures.