China wants state of the art data protection legislation

The most recent amendments to China’s Cybersecurity Law became effective on June 1, 2017, but the Cyberspace Administration of China (CAC) is already working on a further uphaul of the Chinese data protection framework.

In that framework, ChinaEU supported CAC in arranging a fact-finding mission in the European Union on the recently adopted General Data Protection Regulation and its implementation in the Member States. As a matter of fact, CAC knows very well the basics of the EU regulations of privacy and GDPR. What CAC wanted to investigate is the relation between the sometimes diverging implementation by the independent data protection authorities at Member States level and the common EU legislation. For instance, the investigation of France’s data privacy watchdog against Google on grounds of violation of the EU privacy protection.

In June, a delegation of CAC, headed by Mr. Li Changxi, Deputy Director General of Policies and Regulations Bureau of CAC, therefore headed to Brussels and some EU Member State capitals to meet with the key people involved in the implementation of the EU data protection legislation. Together with Mr. Li Changxi were also Mr. Li Min, Deputy Director of Policies and Regulations Bureau of CAC, Ms. Ji Yu, International Cooperation Bureau of CAC and Mrs. Li Haiying, Director of Internet Law Research Center of Academy of Information and Communications Technology.

ChinaEU assisted the CAC delegation with the organization of the fact-finding visit. In addition, ChinaEU organized on 15 June a closed-door seminar at the Brussels Press Club for the Chinese delegation with high level legal experts and key stakeholders.

1

Mr. Cedric Burton, Avocat of Wilson Sonsini Goodrich & Rosati, moderating the closed-door seminar on European General Data Protection Regulation and its implementation in the Member States

The seminar was introduced by Christian Hocepied, who besides his participation in ChinaEU is also senior researcher at the university of Namur in Belgium.  Hocepied provided an overview of the recently adopted GDPR, the main changes it would bring about in comparison with the current rules and its most problematic provisions.  He stressed that the transfer of data ‘where technically possible’ could lead to endless litigation. He also wondered whether the level of fine – linked to the turnover of the companies involved, including parent companies, instead of the gravity of the breach – was the most appropriate approach.  He finally regretted that the GDPR hardly relied on self-enforcement and privacy by design, instead of the old style heavy penalty approach.

Former Member of the European Parliament and top lawyer at Covington & Burling in Brussels, Erika Mann also regretted that the GDPR is not in line with the most recent technological developments. On the other hand, she welcomed the move to coordinate the sometimes diverging approaches of the national data privacy bodies through the EDPB. On the other hand, the solution adopted falls short of a well-designed organization, and, even more, of a genuine common EU agency. The initiative will continue to rest with the national data protection authorities. They will guide future policies. Because of the high fines, the national DPAs have high incentives to investigate larger companies for failure of compliance, not necessarily those with the most damaging practices. Erika Mann invited CAC to learn from the shortcomings of the GDPR. Many Chinese companies in the Internet world are global companies, and they’re just at the beginning of their success. The Chinese legislation has to be future proof, so legislators have to be very cautious. Social media companies, VR companies, the drone environment, the health sector, all rely on data to run their business. Erika Mann says that legislators need to look long-term.

2

Ms. Erika Mann, Former Member of the European Parliament, answering questions from the CAC delegation,

Cedric Burton from the international law firm Wilson Sonsini Goodrich & Rosati agreed with the previous speakers that while the GDPR has very high level of detail, its provisions at the same time bring about a lot of legal uncertainty because no one really knows how the national data protection authorities will apply them. For example, data portability is very detailed, there is a clear mandate here. But the rule, is practically speaking almost impossible to apply.

The idea of the EDPD cooperation seems great, but practically speaking it doesn’t seem to be going very well. Data transfer is another point in case. GDPR is not creative here, it is the same system that worked 20 years ago. Now with the global digital economy, it becomes very problematic to apply.

The stakeholders were represented by Chris Gow (CISCO and DIGITAL EUROPE). Gow is more supportive of the GDPR.  Better one single even imperfect rulebook than a labyrinth of 28 divergent national legislations. GDPR isn’t really new. It builds on the previous rules and philosophy. As a company, when we look at what is needed to comply, we look at where the data is in the data life cycle. We look at what data we have, where it goes, who accesses it, what we do with data upon termination of contract. There is data that you touch only once. What changes on GDPR is not so much in the legally framework (it basically means that companies need to have a data protection officer in every business unit, that identify the data and determines how it threated). No major changes in the data transfer mechanism globally, but the level of attention/focus from the point of view of the customers is increased. Handling events is another important point. Data bridge is a new concept. The challenge here is to implement a data system that allows to track the user’s position.

In reply to the question of Mr. Li Changxi on whether the GDPR is harmful for the development of companies’ business in the EU, compared to looser regulation in the US, Chris Gow replied that every legislation reflects the culture of the country, and has a compliance cost.

The US is not operating in a vacuum either, many state legislatures have adopted data protection laws, which are complicating the provision of USA wide services.

Luigi Gambardella, Chairman of ChinaEU suggested that the list of concerns from companies would be collected.  Cedric Burton answered that the problem is that mostly smaller companies and startups are suffering from the data protection rule. If you do not have a legal department, how can you comply with such detailed rules?

By means of conclusion, Luigi Gambardella stressed the key responsibility of CAC, because of the size of the Chinese market and the growth of the Internet sector there. China has the advantage to legislate after the EU, and thus can learn from our mistakes and from our successes. Gambardella added that it would be Interesting to understand why Internet companies are so successful in China. Could this not be linked to a more relaxed Internet regulation environment? Legal uncertainty is bad for investments.