One year after GDPR, China strengthens personal data regulations, welcoming dedicated law

Three years ago, when an 18-year-old Chinese schoolgirl died as a result of a telephone scam, it sparked a heated discussion about personal information protection on the internet.

Xu Yuyu, a high school graduate from east China’s Shandong province, died of cardiac arrest on August 19, 2016, two days after she gave nearly RMB 10,000 (around $1,400) to someone posing as a local education official. The fraudster had told Xu to transfer the money, which her family had planned to use for her university tuition fees, so that she could access her financial aid.

Chinese media reported that Xu received the scam call within days of applying for financial aid at the local education bureau. In September 2016, an investigation (in Chinese) by state broadcaster China Central Television revealed that the scammer, named Chen Wenhui, had purchased online the personal information of tens of thousands of high school graduates, including their names, phone numbers, home addresses, and schools.

Xu’s case coincided with a whirl of other telephone scams that happened in the same month. Another incident, in which a lecturer at Beijing’s prestigious Tsinghua University was swindled out of more than RMB 17 million by fraudsters, led to a nationwide outcry over the country’s lack of personal information protection.

China has since accelerated legislation on the issue, with more than 200 laws, rules, and national standards introduced by the country’s legislative bodies, government agencies, and cyberspace watchdogs. A dedicated law that emulates the General Data Protection Regulation (GDPR) of the European Union, which will potentially bring tech companies in line with stringent personal data regulations, is also in the works.

GDPR one year on

May 25 marked the first anniversary of the GDPR, Europe’s strict data protection rules. In a statement, Andrus Ansip, vice-president of the European Commission’s Digital Single Market strategy, and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality of the European Commission, said the game-changing rules had not only made Europe fit for the digital age, but also become a global reference point.

The GDPR allows people to request access to their personal data as stored by online service providers and restricts how those companies obtain and handle the information. When the law took effect one year ago, it was considered the world’s toughest framework to protect people’s online privacy.

Bjørn Stormorken, CFO of Sweden-based social networking platform Idka AB, told TechNode that the GDPR had created a whole new industry, in which law firms, auditors, and software consultancies offer compliance advice pertaining to the new rules.

The reason for the rapid growth of this “compliance” industry was not to promote privacy and protect fundamental rights, Stormorken notes. “Rather, it was: How can you, with minimum costs, become GDPR-compliant in your business?”

In the first 12 months of implementing the GDPR, the European Commission has fined more than 90 companies a total of more than 56 million euros (around $62.5 million).

The process of compliance may cost a lot in the beginning, but in the long run, it will become “business as usual” with a slight operational cost increase, said Stormorken. “The development of systems and technologies that support and uphold democratic values and respect of basic human rights have proven to be most resilient and valuable.”

“The principles of the GDPR are also radiating beyond Europe,” said Ansip and Jourová in the European Commission statement. “From Chile to Japan, from Brazil to South Korea, from Argentina to Kenya, we are seeing new privacy laws emerge.”

China, which has the most internet users in the world, does not yet have a privacy law, but the country’s top legislative body has put one on its agenda. Ahead of that, various legislative attempts were made to establish norms for personal information protection, including a national standard that is similar to GDPR.

China’s road to data privacy

“China can learn a lot from GDPR, including conditions of user consent, the formulation of an enterprise’s privacy policy, the establishment of the right to be forgotten, and punitive measures against violations,” Qi Aimin, a professor at Chongqing University’s School of Law, told TechNode.

China’s legislative process on the protection of personal information began in November 2016, when the Cybersecurity Law was adopted by the Standing Committee of China’s top legislature, the National People’s Congress (NPC). The law, which took effect on June 1, 2017, banned online service providers from collecting and selling users’ personal information without user consent.

The law establishes basic privacy requirements: It bans network operators from gathering data that is not relevant to their services, bans sharing identifiable data without consent, and requires companies to safeguard personal data.

The law does not spell out what companies need to do to comply with key requirements involving consent, anonymization, and securing personal information. But these questions are addressed in a document published by China’s National Information Security Standardization Technical Committee (TC260), the country’s main standards body.

In March 2018, the TC260 issued a national standard, the Personal Information Security Specification, which covers the collection, storage, use, sharing, transfer, and disclosure of personal information.

This specification is considered one of the most similar to the GDPR. While the Cybersecurity Law summarizes fundamental principles of personal information, the TC260 specification provides detailed guidance for compliance in information processing.

This standard was followed by strengthened regulations on businesses’ collection and use of personal information.

According to a report by the China Internet Network Information Center, an administrative agency responsible for internet affairs supervised by the Cyberspace Administration of China (CAC), the number of internet users in China reached 829 million by the end of 2018, among which 817 million people used mobile phones to access the internet.

With nearly 99% of netizens surfing the internet via mobile phones, regulators in China have launched a campaign that focuses on the illegal collection and use of personal information by smartphone applications.

In January 2019, internet watchdogs began to inspect popular smartphone apps to determine whether they engage in illegal or excessive collection of user information.

Apps offering food ordering, navigation, and car-hailing services were the primary targets in the campaign, which will last through December 2019, according to a statement by the CAC, the Ministry of Public Security, the Ministry of Industry and Information Technology (MIIT), and the State Administration for Market Regulation.

January also marked the establishment (in Chinese) of a special administration working group dedicated to apps by the TC260 and the Internet Society of China, a nongovernmental organization supported by the MIIT, to promote closer evaluation of illegal collection and use of personal data by mobile apps.

In order to develop online privacy protection norms for mobile apps, the CAC released a new set of draft privacy guidelines for app operators on May 5. They outline seven situations that constitute the illegal collection and use of personal data, including the collection and use of users’ personal information or the provision of personal information to third parties without the consent of the user.

In the latest move, on May 28, the CAC introduced a new data security regulation, stating that customized content using recommendation algorithms driven by personal information, including news feeds and advertising, should be explicitly labeled.

According to Qi, there are currently over 200 Chinese laws, rules, and related normative documents covering the protection of personal information, in both civil and criminal aspects. However, he believes that they are still inadequate for protecting the personal information of netizens.

Compliance

The Personal Information Security Specification only provides guidelines for enterprises when they are dealing with personal information; it cannot be invoked in court, nor by administrative agencies to levy administrative punishments, said Fang Chaoqiang, a lawyer at Beijing Yingke Law Firm.

Fang said that national standards in China usually help law-enforcing departments implement higher-level laws and rules. “When it comes to administrative penalties and civil lawsuit procedures, national standards can provide better criteria,” he said.

In a commentary published last year, Samm Sacks, a cybersecurity policy and China digital economy fellow at the New America think tank, opined that national standards in China are better understood as a kind of policy guideline or regulation, and that government authorities are likely to refer to the specification when conducting various reviews and approvals.

Like the GDPR, China’s Personal Information Security Specification includes guidance on user consent, data protection, data access, the obligation of disclosure, and the evaluation of data security, but overall it is more permissive. For instance, the GDPR provides six lawful bases that allow data controllers to process personal data, such as user consent, legal obligation, and vital interests, but the specification only lists four circumstances where data controllers are not allowed to process personal data.

Fang said the specification would also act as a guideline for legislators making related laws. Thus, the upcoming personal information protection law will probably contain most of the personal data protection elements featured in the GDPR, though it might show more tolerance.

As part of European Union law, the GDPR has created several rights for EU citizens to protect their privacy, including rights to be forgotten, to object to the use of their personal data, and to access their data.

The current Personal Information Security Specification does not give Chinese citizens any right to protect their privacy because it is not a law. But legal experts expect that a dedicated personal information law may achieve the goal.

“Without a unified personal information protection law, the right to personal information cannot be established in the civil law system,” said Qi, adding that China’s protection of personal information should be promoted.

Qi himself has advocated for legal protections of personal information in China. In 2005, he drafted an advisory version of the Personal Protection Law (in Chinese).

“I have been pushing the legislation of personal information protection law for a long time, and it was successfully brought into the legislative plan of the current term of the NPC,” said Qi. “We will see the Personal Information Protection Law be introduced and implemented in the next five years.”

Qi also says that China’s legislators should not “copy” the GDPR because China has a large number of internet users and a booming e-commerce economy.

“China’s legislation on personal information protection should balance the interests of individuals, enterprises, and governments, but this should be based on the establishment of citizens’ privacy rights,” he said.

Fang hopes that the forthcoming Personal Information Protection Law will be as transparent as the EU’s GDPR.

“It’s a fact that Chinese people are not as sensitive as people in Western countries when it comes to personal information and privacy. As a result, our country’s legislative process on personal information protection started much later than those in Western countries,” said Fang.

“Laws are dynamic. In the future, China’s laws and rules on personal information protection are very likely to become as unified and clear as the GDPR,” he added.