The intuitive conception about China is that it is a privacy-vacuum state where no data protection rules apply. However, this is no longer the case. Despite there being no comprehensive legislation on data protection, the newly released national rules on data security could be seen as a minimum data protection framework in China. This report takes a close look on the content of the new regulations and examines similarities and differences between China’s data protection framework and the world most stringent data protection law, the EU’s GDPR. With the comparative analysis, it should be clarified how organisations can get prepared in China before the finalisation of data protection law, especially with the growing business and trade activities between the EU and China.

The history of Chinese cybersecurity law begins relatively late in comparison to developments in many other countries and has been triggered by tragic events. In August 2016, Xu Yuyu, a poor collegebound student who had been cheated of her tuition fee by telecom fraudsters, died of a heart attack apparently affected by the fraud and its impacts. In the same month, another college student died undersimilar circumstances¹. Although these were two different cases, a striking similarity appears where both the students’ personal information were compromised before their death and misused by the fraudsters. Public outrage sparked, despite the fact that people had for a long time not been paying the necessary attention to privacy issues. The Chinese Government started to realize that privacy protection and misuse of personal information is not a trifling matter anymore; its circumstances and impacts could even have a significant influence on peoples’ lives. Those students’ tragedies at some point pushed the Chinese Government to move forward on data protection legislation and to pass the Cyber Security Law² (CSL) in the same year. Drafted in June 2015, the CSL was finally passed in November 2016 after three readings. It came into force on 1 June 2017. It is the first time in the history of national law, China acknowledges that personal information is so important that it deserves a stand-alone chapter.