The EU’s newly enforced General Data Protection Regulation and China’s recent Cybersecurity Law are both landmarks of legislation intended to prepare the cyber landscapes of their respective jurisdictions for the 21st century.
Both are somewhat open-ended in application and enforcement, with GDPR’s “legitimate interest” data processing requirement leaving many scratching their heads, while the same could be said of China’s classification of “network operators,” which could be applied to practically any business in China administering or owning its networks.
However, Cori Lable, a Hong Kong-based partner at Kirkland & Ellis, contrasts them, saying the GDPR “is a very rights-based code to provide every individual protection,” while the Chinese law places some individual protections on personal data, but instead is tied to larger national security requirements.