In previous posts, we have explained what an ICP license is, along with why and how your company can get one before hosting in China.

This article we will take a high level look into other Chinese data privacy laws by comparing them with something you may already be familiar with. 


European Union Data Privacy Laws 


Companies doing business in Europe tend to be very familiar with the General Data Protection Regulation (GDPR).

The European Union (EU) implemented the GDPR in May 2018. Compliance is non-optional, with fines up to 20 million euros or 4% of global annual revenue. With such stiff penalties, it makes sense why companies may be hypersensitive to their privacy laws.

Although more lax than their counterparts in Europe, the Americans have a similar set of laws. So naturally, it makes sense for China also to have their own data privacy laws.  


China and European Union Data Privacy Laws Comparison


Lets look at the similarities and key differences between the European and Chinese privacy data laws. You may notice many similarities because the Chinese laws are modeled on the EU’s framework. However, we will highlight some key differences that may impact how you manage sensitive data in China.

Project managers and the technical team both need to be aware of the laws early in the life of their project if there is any concideration for collecting data. Similar to the EU’s penalties, China has stiff penalties for not closely following the law that you will want to avoid. 



Why Does Compliance Matter?


Didi (China’s Uber) learned how serious Chinese Cybersecurity officials are about adherence to their data privacy laws.

In 2021, days after Didi raised over $4.4 billion in a New York Initial public offering, Chinese cybersecurity officials ordered the removal of two dozen of Didi’s apps from the AppStore for illegally collecting personal data. 



 Diddi's Stock Price Since IPO
Diddi's Stock Price Since IPO

 
Didi’s breach of the laws contributed to their stock free-falling IPO launch.


General Similarities


Now that we understand the importance let us look at the similarities between the two data privacy frameworks.

Both the European and Chinese privacy laws state that companies must have valid grounds for collecting personal data. They must also have a transparent privacy policy explaining why the company collects the information and how it will be used. 

Additional Similarities:

  • Only take the minimum data required
  • Cannot use the data for any other purpose
  • Only retain it for minimum extent necessary
  • Individuals must provide their consent, have full rights to their data, ability to erase it


There are also similar requirements for security, breach notifications, data protection officers (DPO) and cross-border transfers.


Key Differences


Now, lets look at a couple of the important differences that you will want to keep in mind.

  • Under GDPR, consent is explicit; in China, it is looser, and may even be “implied”. This makes China’s notion of consent more like the Americans, and less like Europeans.  

  • China’s Cybersecurity Initiative Article 37 states: Chinese law requires the operator to store personal information and important data on servers within China. Cross-border transfers are allowed for valid business needs, as long as the data subjects have provided their consent, and the operator has passed a security assessment.

Yes, you read that right. A little different than you may be used to, China’s Cybersecurity law says that you must store all of the personal data that you collect on Chinese servers.  To avoid the negative impact that Didi experienced, it is important that you understand this fundamental difference early in the life of a web app project.


How to Stay Compliant


There are a couple of options that you can consider to stay compliant with Article 37.

The traditional approach. Hire an agency or utilize inhouse resources to setup and manage all maintenance and operations of your servers.

Alternatively, if you care about speed, ease, and cost, you can adopt a modern and agile approach by using 21YunBox.

21YunBox’s solutions empower your technical team a simple solution to keep you compliant with Article 37 by storing all personal and sensitive data collected in mainland China on trusted Chinese servers. This results in your technical team freeing up their time for more important tasks by offloading all server operations and maintenance to our platform. And most importantly, your company will be compliant.