Due to state surveillance and censorship, privacy and data protection rights in China are often assumed to be non-existent. But for private companies, privacy and data protection laws appear to be developing in the direction of European standards. It has taken correcting the worst of abuses to get where they are now, though.
Privacy and data protection in China are still at a relatively nascent stage. In 2018, a survey by the China Consumers Association found that 85% of consumers have experienced some kind of personal data leak. In some of the most deplorable leaks, personal data is sold online for as little as a few cents per individual.
In one such case in 2016, an 18-year-old Chinese schoolgirl died of a cardiac arrest two days after she gave around US$1,400 to someone posing as a local education official. The scammer had purchased personal information of tens of thousands of high school graduates, including their names, phone numbers, addresses, and schools.
In 2017, 42 people sued Amazon for a similar breach of their personal data. One of those suing said he fell victim after he received a call from a scammer who had his order number. The scammer said there was an issue with his order and offered a refund, leading him to a phishing website which took nearly US$35,000 from his account. The courts ruled against the victim twice. Altogether, the illegal trade of personal data is a multi-million dollar industry in China.
A patchwork of regulations
In China’s constitution, privacy is only referred to once concerning “the freedom and privacy of correspondence.” However, Chinese courts are not allowed to invalidate a statute because it violates the constitution, nor are they allowed to enforce its provisions; in fact, China’s constitution has been identified as “non-justiciable.”
Instead, personal data protection has come from the China Internet Security Law (also known as the Cybersecurity Law), a law enacted in 2016 which mainly covers relations between the government and private entities. Before the law, China did not have a single data protection framework, meaning rules were scattered across several laws and regulations.
Still, the Internet Security Law was vague on implementation and scope. To resolve this, a set of amendments was released in 2019 to act as a national standard which authorities should take into consideration during enforcement. The amendments were not legally binding, though, leaving them open to interpretation.
This year, China released its first Civil Code, a package of laws covering almost every dimension of civil society. Most of the privacy and data protection-related articles are similar to the Internet Security Law. Still, the new articles introduce obligations for information processors, including requirements for collection, usage, and processing of personal information.
Now, as of June 2020, the principal privacy and data protection rules in China include:
- Companies must obtain consent for processing data, highlighting the purpose, method, and scope;
- Companies must not restrict a user’s functions if they refuse to provide consent;
- Users must have the option of non-personalised advertising;
- Users have the right to get a copy of their data and erase it;
- Companies must record the lifecycles of data;
- Companies must take responsibility for third-party plugins and their handling of data;
- Companies must appoint someone in the company responsible for data protection once they process a certain amount of data;
- Companies must take timely measures, including notifying affected individuals, when data leakages occur;
- Privacy and data protection can also be regarded as personal rights, so when breaches happen, users can raise claims for compensation from businesses.
Enforcement has not caught up yet
Prosecutions in China are still uncommon, considering the millions whose personal data is sold every year. Between January and October 2019, just 7,647 people were arrested for personal information leaks. There is currently no data protection authority to monitor the protection of personal data, which means enforcement is patchy at best and is more likely to be guided by government-led crackdowns. In turn, this weakens overall adherence to privacy and data protection laws.
Some landmark cases have been won, though. Last year, a man won a case of unjustified facial recognition use, leading to a zoo in Hangzhou withdrawing its use of facial recognition. Soon after this, a proposal was released by the National Information Security Standardisation Technical Committee, which requires consent or justification for the use of all facial recognition technology.
There are other signs that authorities are paying more attention to enforcement. Last year, the Ministry of Industry and Information Technology published a list of apps which had illicitly collected and used personal data, demanded unnecessary permissions from users, or hindered account cancellation. The apps named in the list included Tencent’s instant messenger QQ, the third most downloaded app in China, along with many of the most popular apps in the country.
By April last year, the Ministry found that 26% of apps did not have privacy provisions, 20% collected personal information that was not related to their business, and 19% gave user data away to third parties without their permission. Towards the end of its campaign, the Ministry said more than 8,000 apps had rectified their behaviour.
Distrust looms in society
Enforcement nonetheless remains porous, sustaining public distrust in China. In a recent survey, some 80% of respondents said they were concerned that facial recognition system operators had lax security measures. The survey was conducted by the Nandu Personal Information Protection Research Centre and has been described as being one of the first major studies of its kind into public opinion on the subject in China.
In April, a cybersecurity researcher showed that Xiaomi, a Chinese electronics giant, was collecting vast amounts of user data without authorisation. In response, Xiaomi defended its actions, saying that the data was anonymised and therefore could not be used to identify users. This points to a loophole in Chinese privacy laws: data that is anonymised is no longer considered personal data and can be used and sold freely. As for the term “anonymised,” there remains no clear definition, leaving interpretation up to the courts.
The problem is, we know that “anonymised data” is not actually anonymous. A research paper published last year showed that it is possible to re-identify 99.98% of Americans in any available anonymised dataset by using just 15 characteristics, including age, gender, and marital status. Industry experts in China point out several other issues in the current laws and regulations, including vague instructions for companies and an unclear position on data sovereignty.
Is there political will for stronger rights?
Although China has seen a tightening grip on internet censorship under the rule of President Xi Jinping, the progress made with privacy and data protection rights over the past four years has shown that there is a political will to build consumer trust in China’s fast-growing internet sector. Building consumer trust maintains stability in the industry and improves products for expansion at home and abroad.
Likewise, promises to roll out more legislation on the protection of personal information later this year show that authorities acknowledge more regulation is still needed. For its efforts, China was previously named “a surprise leader in Asia on data privacy rules” by the Financial Times.
The developments over the past few years could be the beginning of significant change for China. For a time, the US Embassy was one of the few organisations to post the daily air quality index in Beijing publicly. Within a few years, public attention grew, and now air quality apps are a staple on smartphones all over China – whether or not the data is always entirely accurate. Now in 2020, China is even a global leader on the climate emergency. For privacy and data protection too, we could soon see a meaningful change in private business practices if public awareness continues to grow.