Privacy and Cybersecurity Frameworks in China, Europe and the US

China, E-Commerce Law (effective Jan. 1, 2019) (see especially Art. 18 (transparency on profiling); Art. 22 (no abuse of dominant position); Art. 24 (right to delete); Art. 30 (duty to monitor); Arts. 33-34 (TOS transparency and amendment); Arts 38, 41-45 (platform liability and notice and takedown).

China, Cybersecurity Law (effective June 1, 2017), includes:

  • Privacy rules based on OECD/FIPPs principles (Arts. 41-43)
  • Data localization and limits on cross-border transfers for critical information infrastructure operators (Art. 37)
  • Real name identity for users (Art. 24)
  • Security certification for critical network equipment (Art. 23)

California Consumer Privacy Protection Act (operative Jan. 1, 2020)


Cybersecurity: Defining Reasonable Cybersecurity

China’s Cybersecurity Law One Year OnPaul Triolo, Samm Sacks, Graham Webster, and Rogier Creemers, (Nov 30, 2017)

China, Personal Information Security Specification (effective May 2018)

US NIST, Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1, April 16, 2018)


Data Governance and Consumer Privacy under GDPR, APEC, China and US Frameworks

Francoise Gilbert, Fred E. Karlinsky, and Christian Brito, Corporate Governance in Insurance: The EU General Data Protection Regulation and Its Implications for United States Companies (Aug. 3, 2018)

Samm Sacks, New China Data Privacy Standard Looks More Far-Reaching than GDPR (Jan 2018)

Samm Sacks, China’s Emerging Data Privacy System and GDPR (March 9, 2018)

Samm Sacks and Lorand Laskai, China’s Privacy Conundrum, Slate (Feb. 7, 2019)

Lu Xiaomeng, Li Manyi and Samm Sacks, What the Facebook Scandal Means in a Land without Facebook: A Look at China’s Burgeoning Data Protection Regime, CSIS (April 25, 2018)

Freshfields, Where are we now with data protection law in China? (Sept. 13, 2018)

Paul Schwartz, Transatlantic Data Privacy Law, Georgetown Law Journal (2017)

Andrew Burt, Is there a “right to explanation” for machine learning in the GDPR? IAPP (June 1, 2017)

Brad Smith, Facial recognition: It’s time for action (Dec 6, 2018)

María Vasquez Callo-Müller, GDPR and [APEC’s] CBPR: Reconciling Personal Data Protection and Trade (October 2018)


Enforcement: The Emerging Practice

France, CNIL, Statement on fine against Google (Jan. 21, 2019)

Francoise Gilbert, Central Intelligence (Dec. 5, 2018)

Yan Luo, Raymond Lu, and Zhijing Yu, “China Privacy Developments in 2018,” Compliance and Enforcement, NYU (Jan. 4, 2019)