Chinese official says data security law process must speed up

A political adviser in Beijing has urged fellow politicians to quicken the evolution of data security laws in China.

The call came from Lian Yumin, head of the Global City Development Corporation Council in the Chinese capital. Mr Lian, who is also on the board at the 13th National Committee of the Chinese People’s Political Consultative Conference (CPPCC), sent his proposal to the Global Times website.

Citing the 62nd position of the data security law within the Standing Committee of the 13th National People’s Congress (NPC), he highlighted a mismatch between the significance of the issue at hand and the time it was taking for it to come to the attention of the Chinese legislature.

“It is not compatible with the importance and urgency of the data security issue,” he wrote.

China has brought in a number of new measures to tighten cyber security in recent times, such as the Cyber Security Law and Criminal Law, but the nation needs more specific legislation to gain real focus on data ownership and privacy rights, and must create a solid offering of principles for cross-border jurisdictions, experts say.

Mr Lian pointed to the EU’s General Data Protection Regulation (GDPR) as a major influence on global data security practices, and as a benchmark for Chinese legislative processes to aspire to within the international community.

According to a report from the Internet Society of China, 688 million Chinese citizens suffered financial loss due to leaks of personal information in 2016.

A dynamic data protection landscape

China’s drive to catch up with the GDPR comes against a revolutionary global backdrop in data protection where new laws have power to hold the world’s biggest organisations to account for lapses in data processing standards.

In January, news broke of the €50 million fine issued to Google by CNIL for failing to comply with GDPR obligations. The record-breaking fine came because the tech giant had not given users enough information regarding data consent policies, and user control was severely lacking as a result, the French regulator said.

Under the terms of the GDPR, organisations must obtain users’ explicit and genuine consent before collecting their data through a clear opt-in process from which users can easily withdraw should they wish.

In September 2018, Facebook reported its heaviest ever intrusion after hackers obtained access tokens to compromise the account security of over 50 million user accounts. Already hit by a £500,000 fine for its part in the Cambridge Analytica scandal, the beleaguered social network is currently under no fewer than ten investigations, leveraged by the Irish Data Protection Commission.

At the end of November 2018, Marriott International reported a data breach on the chain’s Starwood division guest reservation database which impacted upon around 500 million people – the largest data breach ever recorded.

The incident has already cost Marriott $28 million in expenses for Q4 of 2018 alone. While the incident remains under investigation, if the GDPR is applied in its strictest terms, an eventual EU fine could reach up to $915 million, reports suggest.

