Waiting for China’s Data Protection Law
The lack of a unified legal framework may hamper China’s ongoing digitalization drive.
Fourteen years ago, the Chinese government started to draft a bill to protect citizens’ information across the country. Earlier this year, China’s legislators were still striving to get China’s legislature to review the bill. In the wake of growing social concerns over large-scale misuse of citizens’ data, Yang Zhen, a delegate to the National People’s Congress (NPC), has continued to advocate the adoption of a specific bill on data protection over the past three years. Although some delegates espoused this proposal, it might take another “three to five years” to pass the law, said Yang.
Concomitant with their struggle was the “General Provisions of the Civil Law” passed on the final day of this year’s NPC in March. As the opening chapter of China’s first Civil Code, this law bans “illegal” sales or publication of personal information. Yet any clear liability for government bodies is missing, as is the case with the Cybersecurity Law enacted this June. Without further legal restraints on the inordinate power of the government to manage data, effective data protection will prove to be very difficult.
The protection of personal data is a core issue of China’s digital transformation. As life gets increasingly tied to computers and mobile devices, personal information is becoming more and more vulnerable to hackers and other third parties with malicious intent. Foreign companies, researchers, and also the Chinese government have suggested that Chinese citizens do not care about the protection of their personal data. The mobile habits of tech-savvy Chinese youths suggest as much. Online payment apps allow them to hook their bank and credit card information to their mobile phones, while cab-hailing apps such as Didi Chuxing require constant disclosure of their GPS locations. Convenience seems to trump privacy concerns.
In a 2014 survey conducted by the Boston Consulting Group, only 50 percent of surveyed Chinese consumers agreed that they have to be cautious about sharing personal information online. This number is 26 percentage points lower than the average of 10 other surveyed countries. In a breakdown of data type, Chinese citizens also appeared more cavalier toward data privacy. For example, only 63 percent of surveyed consumers regarded their credit card information as “moderately or extremely private,” compared with 87 percent in the United States and 93 percent in Germany.
The attitude of Chinese citizens toward personal information protection is indeed ambivalent. In popular online smear campaigns such as “human flesh searches,” netizens engage in a form of vigilante justice to punish people who are accused of wrongdoings often not punishable by the law. The exposure of private information of, for example, corrupt cadres, unfaithful actors, or unpatriotic students is used as a weapon against the alleged perpetrator of a “crime”: Started by one netizen, thousands join in to publish the target’s photos, phone numbers, and addresses online, paving the way for offline threats and abuse. In a highly publicized case, a Chinese student was abused online after giving a commencement speech at the University of Maryland in the United States. Speaking about the delights of fresh air and freedom in the United States, the student was met with extensive “human flesh search” attacks and discussions among Chinese netizens after the video of her speech went viral. The student ultimately apologized for her speech online.
However, Chinese citizens have demonstrated a growing awareness of the importance of protecting personal information in the last few years. The fact that data leakage is an almost daily occurrence has led to heightened awareness from most urban netizens. The latest data leakage in June this year concerned Apple users, who are mostly from China’s middle to upper class. An underground network across several provinces sold data worth $7.36 million.
If one were to turn to online discussions in internet forums catering to China’s urban middle class, such as Zhihu or Tianya, one would find numerous articles and tips about how to protect one’s information, and warnings against revealing any “real” information about themselves on the internet. Citizens have also demonstrated that they are highly concerned about personal information theft and leakage: in a forum thread discussing a case where a person’s bank account was hacked, people commented on how to prevent hackers and shared similar stories commiserating with the victim.
Chinese citizens currently face a slew of systematic challenges when it comes to protecting their own personal information. Innocuous acts such as buying a house, registering at a school, or visiting a hospital can potentially lead to unexpected disclosure of a person’s phone number, name, or their home address. Many Chinese citizens complain that once they have bought a house, they will receive unwanted calls trying to promote renovations, pipe repairs, or other housing-related issues.
People see business opportunities in the transaction of personal information almost everywhere. But in China, hackers and their clients can easily obtain personal information from government agencies, such as the local education bureaus. A girl in Shandong died of heart attack after her entire tuition fee was lost in a financial fraud. The hoax worked because it was based on her personal information, which hackers illegally acquired from the databank of local educational departments — together with some 600,000 other victims’ data.
The NPC’s current legislative agenda does not contain a uniform law that would prevent data leakage and protect citizen’s personal information. Instead, different ministries under the State Council have issued a bunch of sector-specific regulations, such as those for e-commerce, online banking, or information technology. Despite so many departments of the executive branch making efforts to “standardize” data protection, not a single national authority is specifically responsible for data protection.
It is often impossible to say no to government authorities when they ask for data to process public services. Once citizens’ personal information is leaked, they cannot turn to a prescribed agency for help. While individual government officials or company employees may be punished for obnoxious divulgence of data, government authorities cannot be held accountable under the current law.
There are signs that the government is taking steps to strengthen data protection. In late 2016, China’s National Information Security Standardization Technical Committee published a draft of legal standards for the protection of personal information. These standards apply to cloud computing, industrial control systems, e-government, and big data services. Recently, the committee worked out another proposal of guidelines on cross-border transfers that requires more control of risks in cross-border data transfer. But like the Cybersecurity Law, these regulations aim to hold internet companies rather than government bodies responsible for data protection.
Even Beijing’s goal of setting up a national data network to underpin the Social Credit System – a system envisioned to monitor and eventually reshape the behavior of citizens and companies – requires a unified, more consistent regulatory basis for the protection of personal information. The constant leakage of personal data betrays the low costs of breaking market rules and does not comport with credibility. But ultimately, the requisite step to surmount the challenges means withering the inexorable role of China’s government-centered data management system.
Want to read more?
Subscribe for full access.
SubscribeThe Authors
George G. Chen is a research associate at the Mercator Institute for China Studies (MERICS) and an expert on China’s judicial system and legal policies. He is the author of “Copyright and International Negotiations: An Engine of Free Expression in China?,” a monograph published in 2017 by Cambridge University Press.
Tiffany G. Wong is a research intern with MERICS from June to August 2017.