New legislation may curtail corporate data collection, but state-led collection will likely persist.
On October 20, the Chinese government unveiled for public consultation the draft of the Personal Information Protection Law (PDPL), designed ostensibly to protect the private data of Chinese citizens.
– The proposed law shares many similarities with the EU’s GDPR, but it is unique in its enshrinement of cyber sovereignty.
– Chinese citizens often have their data collected without their consent by private businesses, but an increasing number of lawsuits are being brought against these companies.
– The new law is part of a trend of government action designed to bring order to Chinese cyberspace and push back against Western perceptions of a free and borderless cyberspace.
SHINY NEW CYBER LAWS
The Personal Information Protection Law (PDPL) is China’s first comprehensive law on the protection of online personal data. Containing 70 articles and proposing hefty fines for violations, it is designed to create protections for the information rights and interests of individuals. The draft articles outline various legal principles regarding data protection, including transparency, fairness, purpose limitation, data minimisation, limited retention, data accuracy and accountability. It is mainly concerned with the processing of an individual user’s personal data that takes place in China, regardless of the user’s nationality.
The PDPL shares many similarities with the EU’s General Data Protection Regulation (GDPR), which was adopted in 2016 and has the same primary goal of protecting individual data. However, the GDPR differs from the PDPL by not distinguishing between a data controller (a person or organisation that dictates how and why personal data is going to be used) and a data processor (someone who simply processes the data). The GDPR treats them both as a single entity — a personal data processor — making them both liable under the law. The PDPL also differs from the GDPR in what it classifies as sensitive information. Both laws treat race, ethnicity, religion, and health as sensitive; however, the GDPR also considers trade union status, political opinions, sexual orientation and genetic and biometric data as sensitive information, while the PDPL does not. Beyond these definitional differences, the key article that distinguishes the PDPL from the GDPR is that all of its legal rulings apply only in matters of commerce; it places no restrictions on data collection by the state.
The PDPL is unique in its legal enshrinement of “cyber sovereignty”, a concept that contends that cyberspace is subordinate to the interests and values of a country within its borders. To ensure cyber sovereignty, a state may exert control over the architecture, content and flow of data in cyberspace. The PDPL enables Beijing to secure these requirements via Article 37, which stipulates that ‘critical information infrastructure operators’ that gather or produce personal or important data are required to store said data in China. If foreign entities want to transfer data to nations outside of China, they must first pass a state security assessment. Under the PDPL, organisations outside of China will need to appoint a representative in China and report relevant information to Chinese regulators. The PDPL also grants the government powers to deploy countermeasures against foreign businesses that are seen as violating the law, including blocking them from operating in China.
CHINESE NETIZENS FIGHT BACK AGAINST CYBERCRIME
Corporate infringement on individual privacy is a major issue in China, as public apathy and lack of awareness mean that Chinese mobile apps are often carrying hidden tracking software. According to the state-run China Internet Network Information Center, 77.7% of Chinese netizens in 2019 faced some kind of information security breach. On Chinese websites such as the online shopping site Taobao, there is a sizeable black market for leaking users’ personal information without their consent.
Earlier this year, a landmark lawsuit resulted in the Fuyang District People’s Court in Zhejiang Province ordering Hangzhou Safari Park to delete the facial recognition data of a visitor to the park and pay him ¥1038 in compensation. In the first case of its kind in China, the visitor — Guo Bing, a law professor at Zhejiang Sci-Tech University — took umbrage at facial recognition software because it can collect data without a person’s consent. Another law professor, at Tsinghua University in Beijing, filed a similar suit in September against her homeowner organisation for installing facial recognition software at the entrance of her gated community. Such technology is widely used in China, including when people clock in and out of work, or when entering or exiting campuses, residential buildings and subway stations. These lawsuits and their success indicate a mounting backlash against facial recognition technology and creeping corporate infringement on online privacy.
BRAVE NEW CYBERWORLD
The PDPL represents a growing push in Chinese society to wrest control of cyberspace from private corporations and create greater protections for Chinese netizens. Already, local provisions are being made to curtail the collection of personal data. On December 1, the city of Tianjin passed its Municipal Social Credit Regulation, which prohibits private and state-owned companies, industry associations, and chambers of commerce from collecting biometric data such as facial recognition information and using it as social credit information without the individual’s consent. In Nanjing, a similar ordinance now requires real estate offices to remove their facial recognition systems. In both cases, there was a background of heated online debate concerning the role of digital privacy. Creating better regulations for the Chinese internet is a way to establish order online, improving both the experience and the perception of Chinese cyberspace. It also helps impose the pecking order of who is in charge online: only the Chinese government has the right to monitor and collect data.
In the long term, the PDPL is another step in the Chinese government’s pursuit of establishing “sovereignty in cyberspace”. In 2015, President Xi Jinping described the goal of cybersecurity as ensuring China’s ability to “choose its own internet development path” and to resist the “cyber hegemony” of other countries — Xi’s way of describing the Western view of cyberspace as being a free and open platform for all, composed of multiple different stakeholders. In this version of cyberspace, regulation is maintained by the private sector that runs the internet architecture, a private sector that China notes is predominantly US-based. The PDPL pushes back against multistakeholderism by regulating the physical storage of data in China and requiring a representative to report to Chinese authorities. By requiring cyberspace companies to have a physical presence within Chinese borders, they also become more beholden to Chinese domestic law.
The PDPL is first and foremost an attempt by the Chinese government to create a more benign cyberspace. Serving to further entrench government control within it, the law also establishes Chinese cyberspace as a distinctly different area of the World Wide Web. The PDPL is likely to be enacted in a piecemeal fashion, with different restrictions applied haphazardly as non-state actors become accustomed to its provisions. Once enacted, private use of data collection technology is likely to either decrease or become much more tightly controlled. Foreign businesses attempting to branch into the burgeoning market of Chinese cyberspace will find themselves facing the same draconian regulations as they would have if they operated in person. The Great Firewall of China has now become harder to penetrate.