Blog 30 April 2020

China’s Lurch Toward Its Own Version of GDPR

  • Corporate affairs teams face a thicket of privacy norms, regulations and customer expectations in the world’s largest internet market
  • COVID-19 tracking apps add fresh urgency to increasing the safety of digitized personal data

The people of Wuhan, China suffered a second and unexpected indignity after enduring the outbreak of COVID-19. Several residents of the original epicenter of the virus found their names, addresses, daily movements and other personal data leaked online. It was an apparent attempt by vigilantes to protect the rest of the population from those presumed to carry the virus.

The personal data was leaked from one of over 100 quick response (QR) programs that city governments across China rolled out to track individuals considered high-risk. 

This episode added fresh urgency to the issue of digital privacy in China. A researcher from a think tank affiliated with the Chinese tech giant Tencent called China’s existing laws inadequate for protecting health data and proposed laws to minimize data collection and increase protections.

The Tencent researcher tapped into a growing vein of contention in Chinese society. A rash of phishing scams and leaked personal data has stoked concerns over companies’ responsibilities to safeguard digitized information. In response, a patchwork of official agencies, quasi-government bodies and private companies have put forward a number of initiatives to address these concerns.

This unstructured and fluid approach has created a confusing array of laws, regulatory imperatives, and expectations from the general public to protect personal information as more aspects of daily life – from banking and transportation to education and health care – move into the digital ether.

A growing scourge

Concerns about safeguarding digital privacy have skyrocketed among Chinese citizens in recent years. Many have posted public complaints on social media detailing accounts of phishing scams and marketing calls after their personal information leaked to unauthorized parties.

Although the wide-scale use of facial recognition technology in China has faced little public resistance, it has nonetheless compounded privacy concerns. Last year, People’s Daily, the official newspaper of the Communist Party’s Central Committee, reported that facial data was available for sale on the internet. It called for a crackdown on “those who violate people’s rights with their own facial information.”

A legal case has sprung up that will test consumers’ rights to take action against companies. A Chinese professor sued a zoo in Hangzhou last year for breach of contract after it replaced its fingerprint-based entry system with one that requires facial recognition. The professor alleged that mandatory facial scans violate China’s consumer protections, and he took legal action when the zoo refused to refund his membership. The outcome of the lawsuit, which underscores the rise of privacy concerns among ordinary citizens, could affect the regulation of biometric technology.

The winding road to national privacy regulation

Various government bodies have claimed a stake in regulating China’s cyberspace. Some have real teeth and can issue punishments including fines. Others are advisory, issuing recommendations for privacy protections. Their actions have been uncoordinated and are independent of each other.

Further complicating the landscape, private sector groups are advocating for their own approach to protecting privacy.

National data privacy laws are reportedly in the works. In April 2019, a spokesperson for the National People’s Congress said authorities were drafting a law to protect personal data.

It may be years before China establishes privacy laws and regulations akin to the European Union’s General Data Protection Regulation. Until then, corporate affairs teams of MNCs in China are best served by taking the following steps:

  • Apply practices and standards from other markets such as the EU or Hong Kong to protect data and prevent misuse of it by internal teams and business partners.
  • Track the policies and recommendations from various agencies and bodies (see table below), and find a way to accommodate them. Where possible, hew to more stringent standards.
  • Monitor the actions of domestic Chinese firms, which have a better read on public sentiment and whose data privacy policies may set a de facto baseline standard that the public expects.
  • Track related announcements by the National People’s Congress and its affiliated media outlets.

Bodies involved in regulating digital privacy in China

Each entry gives the body, its background, and its actions and advocacy on personal data protection.

China Consumers Association (CCA)
  Background: Established in 1984, the CCA is a national civic organization, sanctioned by the central government, with branches across the country that promote consumer education and advocate for consumer rights and protections.
  Actions and advocacy: In 2019, CCA warned that a large number of smartphone apps – 91 out of 100 in one analysis – collect excessive amounts of personal data, including user location, contact lists and mobile numbers. The analysis covered companies from multiple sectors, including social media, online shopping, finance, travel booking, cloud storage and email. CCA has also issued a national mandate that internet companies strengthen protections of personal data to address concerns that some are stealing, trading or revealing personal information.

China Cybersecurity Center
  Background: The information arm of the Cyberspace Administration of China (CAC), responsible for announcing CAC policies and tracking trends in internet security.
  Actions and advocacy: It published a report on companies that created 683 apps and that were punished in 2019, and said that China’s public security authorities will continue to crack down on violations of personal information.

Cyberspace Administration of China (CAC)
  Background: The regulator vested with the greatest authority over the country’s internet.
  Actions and advocacy: In 2019, CAC issued guidelines for data protection that other government agencies must follow in regulating data in the industries they oversee. It also published draft measures to regulate the ability of domestic and international companies to transfer data collected in China across borders for storage or use on overseas information systems. This draft is still open to public consultation.

Ministry of Commerce (MOFCOM)
  Background: A powerful agency responsible for policies on foreign trade, foreign direct investment and consumer protections, among other areas. It is a principal body for enforcing China’s anti-monopoly law.
  Actions and advocacy: MOFCOM will presumably have jurisdiction over aspects of digital privacy if antitrust laws are used to regulate companies’ collection and use of consumer data.

Ministry of Industry and Information Technology (MIIT)
  Background: MIIT is responsible for regulation and development of the postal service, internet, wireless, broadcasting, communications and software industry, among other aspects of the “knowledge economy.”
  Actions and advocacy: The MIIT issued one of the earliest frameworks for regulating the collection of data by websites and telecom firms. In 2013, it required information service providers to notify users about the collection of their personal information, maintain confidentiality of such information and stop illegal use of it. In December, it cited 41 apps, including popular messaging and sports apps, for forcing users to provide access to excessive amounts of personal data and to grant an unnecessary level of authorization to access other data. It also cited some apps for making it inconvenient to deactivate an account. It ordered the app makers to rein in these practices and threatened to take further action “in accordance with relevant regulations and law” if they did not comply.

Ministry of Public Security
  Background: The main national-level law enforcement body, with oversight of police bureaus.

National Internet Finance Association of China (NIFA)
  Background: Initiated by China’s central bank. It is responsible for implementing national policies related to online banking and finance, including safeguarding consumer protections as more financial services become digital.
  Actions and advocacy: In 2019, NIFA conducted a nationwide assessment of online banking services, including security protocols. The review identified 35 “front-runners” among 772 banking institutions. It intends to carry out future assessments of internet banking services, including privacy policies. Also in 2019, it issued a statement emphasizing that “without consumer consent, member organizations should not collect, use or provide personal consumer information to third parties.”

National Standardization Group for Facial Recognition Technology
  Background: A government-initiated working group established in 2019 and led by the AI and facial recognition firm SenseTime. Other members include tech giant Tencent, insurer Ping An, Alibaba’s financial affiliate Ant Financial and the consumer electronics maker Xiaomi.
  Actions and advocacy: The group is in the process of formulating a proposal for standards to ensure appropriate use of facial-recognition technology.

Next-Generation Artificial Intelligence Governance Committee
  Background: A professional committee under China’s Ministry of Science and Technology. Its duties pertain to research on AI governance and related policies and to expanding international cooperation on AI ethics.
  Actions and advocacy: In June 2019, the committee issued principles to coordinate the development and governance of AI, including the provision that “personal information should be protected and privacy norms established in all segments of AI development, such as collection, storage, processing and use.”