The EU’s General Data Protection Regulation (the “GDPR”) will become effective on May 25th, 2018. Moreover, China’s Regulations on Information Safety Technology and Personal Information Safety (the “Regulations”) came into force from May 1st 2018.

Severe penalties are the defining feature of the GDPR. In addition to the expanded scope of protection of personal data and the empowerment of citizens with a robust set of legal rights, the GDPR has developed two powerful weapons: severe penalties and the principle of long-arm personal jurisdiction. The GDPR’s personal jurisdiction is broad because it combines the territorial principle with the nationality principle of legal jurisdiction, which can lead to extraterritorial application. First of all, if a data control or processing institution has been set up within the EU, any processing of personal data will be subject to the GDPR, regardless of whether the data processing took place  in the EU. Secondly, even if no data control or processing institution has been established in the EU, two types of data processing are still subject to the GDPR: (i) the free or paid provision of goods or services to data subjects in the EU; (ii) the monitoring of the conduct of data subjects in the EU.

(From: Caijing)