Safety First!

Xena Vision
May 1, 2021


The world is growing by becoming digital, and we are undoubtedly lost in data. Data, often called today's oil, contributes especially to the development of technology. Just as any good thing has a downside, there are downsides to having data at hand. In particular, the acquisition of data by third parties, or its wrong or suspicious use by the data holders, can have very negative consequences. That's why tech companies have to be sensitive about data security. No matter how good a product is, if it does not provide security, it is not preferred. In fact, we can count this as one of the important reasons why companies prioritize security. For example, as a result of the practices of WhatsApp, the most used messaging application, a large group of people recently went in search of a different application. As a result, WhatsApp had to take a step back.

As the amount of data increases, the security of the data becomes more important.

There are regulations adopted by governments to protect the data privacy rights of users. GDPR is one example of these regulations. The General Data Protection Regulation (GDPR) is a regulation created across Europe to protect the personal data of EU citizens. The GDPR covers all businesses that hold the personal data of citizens within the borders of the European Union. Even if a company is not located within the borders of the European Union, it is held responsible under the regulation because it collects the data of these citizens.

No personal data can be processed unless it is done as specified in the regulation or with explicit consent from the data subject (the owner of the personal data). The data subject has the right to revoke this consent at any time. The GDPR also covers data stored in the past. Serious penalties and sanctions await businesses that do not comply with the GDPR. Personal data includes name, address, identification number, location, internet data such as IP address and cookie information, data on physical appearance and biometric data, racial origin, political views, medical data, etc. If your business is found not compliant with the GDPR, you may be fined 20 million euros or 4% of your global annual income, whichever is higher.

Data privacy rights are protected by laws and regulations.

In addition to region-based regulations such as GDPR, countries also have data privacy regulations of their own. For example, while Turkey acts in accordance with the KVKK Regulation, China acts in accordance with the China Data Protection Regulations (CDPR) that it has issued and accepted as a country. CDPR is the term used to represent China's data protection regime. Under CDPR, there are multiple laws, measures, and standards:

- The China Cybersecurity Law was implemented in 2017.
- The Personal Information Security Specification was implemented in 2018 and was updated in Jan 2019. This Specification is not a law or regulation, but a standard used to determine if businesses are compliant with China's data protection rules.
- The Measures for Security Assessment of Cross-Border Transfer of Personal Information and Important Data and the Guidelines for Data Cross-Border Transfer Security Assessment are still in the draft phase.

Countries try to protect their citizens’ right to data privacy with laws and regulations.

If we make a few comparisons between GDPR and CDPR, the following points stand out.

While the GDPR applies to specific types of data, “sensitive personal information” under the Chinese standard is more far-reaching. It extends to any personal data that would cause harm to persons, property, reputation, and mental and physical health if lost or abused.

The GDPR is more permissive about certain kinds of consent requirements for collection of personal information. It does not strictly require consent to share data. It allows for legitimate interests of a controller or third party not found in the Chinese standard.

The Chinese standard contains more rigorous requirements on what kinds of information must be included in privacy notices. In contrast to the GDPR, the standard does not clearly state information can be left out of notices if the individual has access to it from other sources. Instead privacy notices must be presented “one by one.”

The Chinese standard contains more specific requirements related to security testing and procedures for entities that process personal information. This is consistent with a broader difference: China’s data protection regime overall (not just the standard) deals with national security risk — giving it a much wider scope — while GDPR does not.

CDPR was very much modeled on GDPR

In conclusion, there are some key differences between CDPR and GDPR, mainly a focus on national security and a balancing act between data privacy and economic growth in AI and e-commerce.
