Though the law provides an unprecedented level of broad-reaching protection for privacy and personal information in China, Gabriela pointed out that it only does so in broad strokes. She noted that the code “only sets out high-level obligations … it is short on details and leaves important issues unaddressed.” She argued that it lacks the specificity “found in more sophisticated data privacy regimes such as the GDPR… some of the data protection concepts used in these laws remain very generic and do not incorporate more nuanced distinctions and distillations of data privacy laws found elsewhere”. She added that until a comprehensive data protection law comes into force, businesses will have to continue to rely on the “various other non-binding national and local guidelines and specifications, as well as sector-specific regulations, in order to get some clarity on their compliance obligations”. Moreover, she mentioned the code does not:
- Distinguish between sensitive and general personal information,
- Define responsibilities for processors and controllers, or
- Set out requirements for automated decision-making, data transfers or data retention.
While the Personal Information Security Specification addresses these issues, Gabriela noted that it does not have the same legal firepower as the Civil Code or the Cybersecurity Law, and as such its rules are not mandatory.