Beyond the GDPR: A Look at China’s National Data Protection Standard
While the world was rushing to meet the EU’s General Data Protection Regulation (GDPR) 2018 deadline, China released the Cybersecurity Law (CSL) in June of 2017. This law laid out broad principles regarding China’s cyber governance but left key issues regarding implementation and scope rather vague. Over the past two years, China has issued follow-up measures and standards to address these inadequacies.
Most notably, in February 2019, China’s National Information Security Standardization Technical Committee (TC260) released a set of amendments to the Information Technology – Personal Information Security Specification (“Specification”) portion of the CSL. While the Specification is not legally binding, it is a respected national standard and is used across the country to benchmark data protection efforts. In late May, the Cyberspace Administration of China also released draft Measures for Data Security Management, which are open for comment until the end of June 2019. If passed, these measures will share similar requirements with the Specification.
Companies with operations both inside and outside China are facing significant challenges as they seek to implement processes, policies, and technologies that align with regulations like the GDPR but also meet the requirements of China’s data protection framework. In this post, we’ll take a closer look at China’s Specification, its recently proposed amendments, and how China’s Specification aligns with the new data protection gold standard: the GDPR.
How the CCPA Is Impacting State Data Protection Legislation in the U.S.
Updated January 2, 2019
Shortly after the EU implemented the General Data Protection Regulation (GDPR), California passed its own privacy legislation – the California Consumer Privacy Act (CCPA). This act went into effect in January 2020 (enforcement is slated for July) and is causing a national shift in the data privacy landscape of the United States. Recently, 14 states have introduced privacy regulations modeled after the CCPA.
If passed, these state laws will impose new privacy obligations on businesses to provide consumers with adequate transparency and control over their personal information. So far, many state legislators have embraced the structure and language found in the CCPA, and included similar individual rights. Like the CCPA, these laws broaden the definition of "consumer" and expand consumer rights through a private right of action.
While all these laws seek to provide more data protection to consumers, their approaches vary. Six follow the full model established by the CCPA, two only tackle a handful of issues addressed in the CCPA, while one is shaped more by the GDPR. In this post, we’ll take a look at the requirements of these 14 bills, how they compare to the CCPA, and what these new regulations mean for the future of data privacy in the United States.