In a brilliant piece from April 25th, VFTP Expert and CSIS Senior Fellow Samm Sacks takes a look at China's first data protection regime.
Here is the full transcript of her article, but please click here for the article itself and for access to many other pieces from Samm and our friends at CSIS.
As the United States debates the role of government in protecting privacy and whether there is a need for a national digital privacy law, policymakers in Beijing are moving forward with building China’s first data protection regime. The system is still in early stages, but the Chinese government has laid the groundwork for implementing concepts like user consent as well as other requirements for collecting, processing, and sharing of personal data. Even amid uncertainty around the practical effect of these rules, Beijing is ahead of Washington in articulating a modern national data policy with implications for Chinese internet users, companies, and the development of technologies like artificial intelligence (AI).
Our previous CSIS commentary analyzed the first milestone in China’s data protection system—a standard called the Personal Information Security Specification (the “Specification”) in late 2017. Drawing on exchanges with the lead drafter, we looked at how the drafters modeled the Specification on the European Union’s General Data Protection Regulation (GDPR) but sought to make a standard that was more business friendly, in part, so as not to inhibit the development of AI.
In China, the Facebook privacy scandal has reinforced the view that the government is on the right path by establishing regulations as cases of personal data intertwine with the deployment of AI, big data, and smart cities. But it also highlights that the meaning of data privacy in China is quite different from in the West since many users are not in a position to prevent government access to personal information and are more likely to express concerns about how private companies misuse their data.
Against this backdrop, it is not surprising that there are unresolved political and legal challenges in China’s data protection system. China’s lead cybersecurity standards body is preparing to issue implementation guidelines for when the Specification takes effect May 1. In this post, we identify some of the key issues to watch for as data governance takes shape in China.
What Does Data Privacy Mean in China?
The emergence of new rules governing the processing of personal data coincides with fierce debate in China over data privacy. The Facebook scandal has provided additional fuel to an increasingly public conversation about how companies handle personal data. Robin Li, CEO of Baidu, came under fire over his comment that Chinese users are not sensitive about privacy, stating “if they are able to exchange privacy for safety, convenience, or efficiency, in many cases they are willing to do that” and “we (Baidu) can make more use of that data.” Chinese internet users were outraged. Shortly after Li’s comments, Sina Weibo started a poll asking whether users agreed. Within hours, nearly 90 percent of the over 4,000 participants voted against Li, stating that their privacy should not be violated. When the poll closed, more than 10,000 people voted against Li (85.8 percent of total votes). In fact, rising public concerns over personal data go back to 2016, when a public outcry erupted over the leakage of personal information and a telecom scam that led to the death of an 18-year-old student, Xu Yuyu. Incidents like these indicate a significant shift in people’s attitude toward privacy.
Despite more visible demands by the public for personal data protection, it is not clear whether the new rules apply only to companies or also to the government. It appears that there are two distinct ways to interpret the emerging concept of data privacy in China. The Specification appears to focus on service providers’ protection of personal information. In the absence of a national privacy law, the drafters of the Specification attempted to create a personal information protection framework to address rising public concerns as highlighted by the Xu Yuyu case about misappropriation and criminal use of personal data by companies.
At the same time, the government appears to operate under a separate framework in which provisions under the Counterterrorism Law and the Cybersecurity Law expand access to personal data. This means that even as companies face greater restrictions for collection and sharing of personal data, the Chinese government has new authorities and tools to do so. For example, the Ministry of Public Security issued a draft regulation for comment called Provisions on Internet Security Supervision and Inspection by Public Security Organs. The document calls for random inspections of internet service providers and “network-using units” to check that “technical measures are taken to record and retain user registration information…” and to “provide technical support and assistance measures for public security organs...to safeguard national security….” This is just the latest written illustration of Chinese law enforcement’s wide access to personal data under the cybersecurity law. In practice, provincial and local police forces may even further pursue the use of personal data, all in the name of broadly defined national security concerns.
Given these dual tracks of Chinese data regulation, the terms “data protection” or “personal information protection” may be more accurate characterizations than “data privacy” in the context of China. In Europe, the term “data protection” captures both security and privacy, but in China, there appears to be more emphasis on data security rather than a Western notion of privacy. While these concepts are still in early stages and vague in China, officials and commentators tend to use the term “personal information protection” rather than privacy. Since Chinese users’ concerns over government access to personal data are muffled, private-sector fraud and abuse of data become the primary regulatory target of China’s data protection rules.
The reactions of Chinese officials and state-led media to the Facebook scandal are telling in this regard. Several reports treat the issue as more about data security than privacy, calling for stricter regulation and enforcement under China’s cybersecurity law. The view is that China has taken the correct approach by already pushing forward legislation that—at least as written—places checks on how companies handle user data and content.
The Limits of China’s Data Protection Regime
As Beijing moves forward with building China’s data governance system, there are several legal and political uncertainties that need to be addressed, particularly given rising user demands for privacy. Our previous piece examined enforcement challenges arising from the politics of China’s cyber interagency, as well as the boundaries that the drafters encountered trying to write a standard to fit China’s cybersecurity law—like “dancing with shackles.”
Additionally, below are five areas to watch as the story of data protection in China unfolds:
- Balancing demands for privacy with the development of AI. During his testimony before Congress, Facebook’s Mark Zuckerberg said “there’s a balance that’s extremely important to strike...where you obtain special consent for sensitive features like face recognition, but...we still need to make it so that American companies can innovate in those areas, or else we’re going to fall behind Chinese competitors.”
The implication is that Chinese companies will have an edge since they are not subject to privacy restrictions. Indeed, the drafters of the Specification aimed to make it more permissive for companies so as not to hinder the development of AI, but it is not clear how this will work in practice.
There is also a lot of debate in China about the concept of personal data ownership. For example, one article in a state-run media outlet argued that “if [we] strictly follow requirements to protect privacy, most data cannot be used, and this will limit the development of big data industry; however, a lack of data protection will cast a negative influence on society, like the Facebook scandal.” Another article states that emerging technologies have fundamentally changed individuals’ right to sole ownership of personal data because the process of generating and analyzing personal data involves multiple entities. It is becoming more difficult to interpret and enforce the General Provisions of the Civil Law of the People’s Republic of China, which stipulates that “natural persons’ personal information shall be protected by law.” Clearly, China is still grappling with how to strike this balance within the context of its own political system.
- Legislative gaps. Despite growing attention to the issue, China’s personal data protection system is still made up of a patchwork of laws and standards in which companies lack clear guidance. There is not even consensus on whether the Specification should be interpreted as mandatory or just one interpretation of how to comply with China’s cybersecurity law. As a director at a Chinese think tank told the People’s Daily, “although there is much legislation for personal information protection, relevant regulations are scattered, unsystematic and can hardly provide effective or substantial legal protection for personal information. New laws need to be made to specify principles and processes for internet providers in terms of collecting users’ information, clarify obligations in protecting collected information, and spell out how to assess personal information protection.”
The legal framework for China’s data protection regime consists of (1) the Cybersecurity Law and (2) the Explanation on Several Issues Concerning the Application of Law in Criminal Cases of Infringing on Citizens’ Personal Information—published by the Supreme People’s Court and the Supreme People’s Procuratorate (the Explanation). A legally binding document, the brief Explanation specifies criminal penalties for misuses of citizens’ personal information that meet one of the 10 criteria. Yet these two legal documents are ambiguous in several key areas, leaving space for interpretation without clarity on what companies must do to meet broad principles.
As a result, multiple officials, including those from the National People’s Congress and People’s Bank of China, are calling for the establishment of a Personal Information Protection Law. There are reports that this law is in early draft stages, but it will likely take several years before going into effect, if it does so at all.
- Personal information classification confusion. The Specification doesn’t clearly delineate between sensitive and nonsensitive personal information. Property information, health and physiological information, biometric information, and identity information are listed as examples of both sensitive and nonsensitive personal information. Moreover, the drafters took a consequence-based approach in differentiating the two categories: “Personal sensitive information refers to personal information whose leakage, illegal provision or abuse may endanger personal property safety and easily lead to damage of personal reputation and physical or mental health, or to discriminatory treatment.” In practice, it is often difficult for data controllers to evaluate the impact of data leakage before incidents happen.
There are also conflicts between the classifications in the Specification and in the Explanation. The Explanation categorizes personal information into three classifications and assigns penalty thresholds for criminal cases involving each type of information: sensitive information, important information, and ordinary information. Technically the Explanation is a legally binding document, while the Specification is a nonmandatory national standard; however, in practice there is a high likelihood that the Specification will be used as a benchmarking tool to evaluate corporate privacy practice and may set the de facto mandatory requirements.
- Distinguishing “core business functions” from “additional functions.” The Specification requires data controllers to inform data subjects of the “core business functions” of the products or services and the personal sensitive information that has to be collected and used. If data controllers create or provide “additional functions,” data controllers must inform data subjects what personal sensitive information is required for fulfilling such additional functions. If the personal data subject declines additional functions, the data controllers should continue to provide the core business function without the additional functions.
These requirements are difficult to implement without defining “core business functions” and “additional functions.” According to Che Ning of the Agricultural Bank of China, it is increasingly challenging to distinguish “core business functions” from “additional functions” in the banking sector, since these concepts evolve quickly as financial technology disrupts traditional financial services. For example, mobile payments and mobile asset management have transformed from additional functions to core business functions within a couple years in China.
- Personal data localization requirements. According to the lead drafter’s blog, the Specification does not cover requirements for personal information data flows. However, Article 8.7 of the Specification reads:
“In the case where personal information collected and generated in the People’s Republic of China is transferred overseas, a personal data controller shall carry out security assessment in accordance with the measures and relevant standards formulated by Cyberspace Administration of China in coordination with relevant departments of the State Council, and comply with the requirements.”
This language subjects cross-border personal data transfer to “relevant departments” rather than listing scenarios and corresponding permissible thresholds for cross-border transfer, such as: with user consent, in emergency situations, and obligations under international treaties. Without a detailed list of tailored data transfer arrangements, the existing text defaults to the blanket data localization requirements designed for national security and critical information infrastructure data under China’s Cybersecurity Law and creates a burden on cross-border personal data transfer and international commerce.
Chinese officials, companies, and internet users are grappling with the impact of emerging technologies on personal data ownership and protection. These issues are far from resolved in China. Yet, with the European Union’s GDPR set to take effect next month, and privacy legislation in the United States back on the agenda, China’s approach to data governance will play an important role in shaping global markets, technology development, and policy.