Chinese netizens have long been seen as willing to give up personal data for conveniences, but rising concern over online fraud is changing their attitude towards data protection. In response, China has introduced a new law to protect the data of Internet users.

 

The rapid development of cloud computing, big data and artificial intelligence has turned data into one of the most valuable assets for companies. The value of this data has spurred growing collection and processing efforts, which can also lead to the abuse of that data. 

Chinese netizens have long been seen as willing to give up personal data for conveniences, but rising concern over online fraud is changing their attitude towards data protection – hence a call for a specific law in this regard. 

A response has been made. In March, the speaker of the Second Session of the 13th National People’s Congress said the enactment of the Personal Information Protection Law and the Data Security Law has been listed on the legislative schedule for 2019.

This is widely regarded as a milestone in China’s data protection landscape. 

“This means that a specific data protection law, as well as a data security law, can be expected in the near future,” Bao Zhi, partner at Baker McKenzie Fenxun (FTZ) Joint Operation and Hu Xiang, associate at Fenxun Partners, tell ALB. 

The promise of a specific law comes amid increasing efforts to protect personal data in recent years. 

Currently, China’s legal regime for data protection is rather fragmented, with various laws and regulations setting out general principles and rules that are in some ways applicable to data protection.

For example, the PRC Constitution, the General Provisions of the Civil Code of the PRC and the PRC Tort Liability Law contain general principles relating to rights to personal data.

Meanwhile, the Criminal Law proscribes certain serious acts of infringement of personal data. There are also consumer protection and industry- or sector-specific laws, regulations and rules that govern the telecommunications, internet, financial services, credit reference and healthcare sectors.

A turning point came when the Cybersecurity Law was introduced in June 2017, which has reshaped China’s data protection landscape. 

The Cybersecurity Law is the fundamental law of network security and personal information security. In principle and in summary, it stipulates that “network operators shall abide by the lawful, justifiable and necessary principles to collect and use personal information” and specifies the administrative liabilities accordingly.

Over the last year and a half, from a legislative perspective, the Cybersecurity Law and its supporting rules and regulations have to some extent addressed certain data privacy issues, such as collection, processing and cross-border transfer of personal data.

To provide further guidance on the implementation of the Cybersecurity Law, the authorities enacted a recommendatory national standard, known as the Information Security Technology – Personal Information Security Specification. 

Effective from May 2018, the document sets out requirements on the collection and processing of personal data. 

REDOUBLING EFFORTS

Lawyers agree that the authorities have taken many actions this year to step up personal data protection, even though the year is only half over.

Bao and Hu say the Cyberspace Administration of China (CAC) and its local offices have taken various regulatory actions against companies for data protection lapses. 

On January 25, the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly published the Notice on the Special Governance of APPs Illegally Collecting and Using Personal Information. The four agencies then formed a cross-departmental special governance working group and have already conducted a series of enforcement activities.

Huang Jinpeng, partner at Deheng Shanghai Law Office, also talks of the latest measures by the Chinese regulators to move the country beyond the developing stage of personal data protection.

“In March, the governance working group issued the Self-assessment Guidelines for Illegal Collection and Use of Personal Information by Apps,” he says. The guidelines are for data controllers to assess their use of the personal data collected.

Huang goes on to note that in April, the Cyber Security Bureau of the Ministry of Public Security, Beijing Network Industry Association and The Third Research Institute of Ministry of Public Security jointly released the Internet Personal Information Security Protection Guidelines.

“The Chinese regulators have been paying more attention to data protection issues. Various departments have enhanced law enforcement,” says Che Hu, a counsel at JunHe Law Office.

NEW DRAFT

On February 1, the National Information Security Standardization Technical Committee published a new draft of the Information Security Technology – Personal Information Security Specification – a little less than a year after the Specification came into the public eye last May.

One of the prominent steps taken by the regulators this year, this lays the foundation for the much-anticipated Personal Information Protection Law to cope with China’s fast-evolving tech landscape.

“Compared to the version published in May 2018, several additional requirements on personal data controllers have been incorporated into the amended version,” Bao and Hu explain. “These improvements focus on non-coercive collection, personalised display, third-party access management, and so forth.”

The new draft imposes specific requirements on data controllers to ensure that their products or services that collect personal data do not violate the will of data subjects or force them to agree to data collection requests in order to use the product or service.

As for personalised display, the new draft defines "personalised display", and requires data controllers to use noticeable marks indicating "personalised push" or "directional push" to remind data subjects of the existence of “personalised display” and to provide simple and direct paths to opt out. 

Regarding third-party access management, the new draft imposes eight detailed requirements on data controllers, including enabling management of third-party access, pre-allocating security responsibilities by contract with third parties, and supervising third-party practices in obtaining consent from data subjects.

“These amendments address some of the more pressing personal information concerns in the digital world, including over-collection of personal information, obtrusive personalised advertising, and third-party abuses. We believe that the amended Specification will introduce more of these enhanced protection measures, which have practical implications for companies,” say Bao and Hu. 

Catherine Shen, partner of Commerce & Finance Law Offices, adds that one of the important changes is the prohibition of “bundled consent”. 

“Article 5.3 stipulates that data controllers shall not force the data subjects to give one-off consent to personal data collection by different services through bundled products or services. If the data subjects stop using certain services, the data controllers may not suspend the other services that the data subjects are using or lower the service quality,” she explains.

The amendment also requires that consent be given explicitly, whereas the previous version allowed this to be optional depending on the sensitivity of the data.

“Regarding precision marketing, user profile and big data collection, the newly-added Article 7.5 also requires personal data security evaluation and protection to be in place if personal data comes from various sources,” Shen says, adding that more details are to come for this requirement.  

Huang from Deheng adds that for personal data used in personalised display, data controllers shall provide data subjects with a control mechanism so that they can control the extent of the personalised display. In particular, when opting out of the personalised display mode, data subjects shall have the right to delete or anonymize their personal information.

“This amendment helps companies practice and implement data protection,” says Huang. 

“We believe that such a quick draft to revise the Personal Information Security Specification is very forward-looking and the authorities have given a lot of thought to it,” he notes.

Huang points to its significance to China’s ever-evolving data protection landscape. 

Firstly, the draft will push China's personal data protection to the era of standardisation. It outlines detailed operational guidelines for all aspects of personal data protection, with terms and principles in line with international standards.

Secondly, when combined with the Self-assessment Guidelines for Illegal Collection and Use of Personal Information by Apps, it sets out compliance standards for enterprises that have access to personal information and data.

Thirdly, it serves as objective criteria for government watchdogs and law enforcement agencies by establishing the underlying protection rules and norms.

Fourthly, it is introduced as a recommendatory national standard rather than a mandatory standard. In today’s data economy, technology has made data transfer easier, cheaper and more profitable. Given that legislation lags behind the rapid development of business and industry, it is inevitable for China to introduce a recommendatory standard first and then gradually make it mandatory or even a law.

Finally, it gives the entire industry and the industry players a reasonable transition period. Since it is not a mandatory standard, it avoids strangling economic development while trying to uphold personal data protection. 

YEARS OF WORK

This series of steps taken this year is just a continuation of China’s efforts in improving data protection during the past few years.

“The progress of the legislation and regulation on personal information security protection has been prompt and outstanding,” says Huang from Deheng, pointing to a series of laws promulgated in recent years.

In 2014, China introduced the Provisions of the Supreme People's Court on Application of Laws to Cases Involving Civil Disputes over Infringement upon Personal Rights and Interests by Using Information Networks.

Then in 2017, there was the Interpretation of Several Issues regarding Application of Law to Criminal Cases of Infringement of Citizen's Personal Information Handled by the Supreme People's Court and the Supreme People's Procuratorate, and the Cybersecurity Law as mentioned earlier.

The following year saw the introduction of Information Security Technology – Personal Information Security Specification, the Guidelines on Data Governance of Banking Financial Institutions, and the E-commerce Law of the PRC. 

“For the Guidelines on Data Governance of Banking Financial Institutions, it was the first time that China’s financial regulators released mandatory requirements to strengthen the compliance management of traditional financial institutions on personal information collection and use,” says Huang.

He also notes that the E-commerce Law was formulated based on the Cybersecurity Law. “[It] further clarifies the rights of the personal information subject and the e-commerce operators’ responsibilities to protect the users’ personal information,” he adds.

But lawyers also warn that although there were great legislative efforts in this area in 2018, most of the specific requirements on data protection are still scattered in low-level regulations or even non-binding national standards, which can cause discrepancies and confusion in application and enforcement. 

Therefore, a specific law is necessary, and the timing seems ripe given the work done in recent years.

CHALLENGES AHEAD

Despite the anticipation of the Personal Information Protection Law and the Data Security Law this year, lawyers say there remain challenges in China in terms of data privacy.

One particular problem is that China does not have a unified authority charged with enforcing data protection compliance, all the lawyers point out.

“Multiple agencies currently share oversight and enforcement duties for data protection. Those agencies mainly include the CAC, the MPS and the MIIT, and sometimes even the SAMR,” note Bao and Hu. 

Shen from Commerce & Finance echoes their view. “For example, the Ministry of Public Security manages the crackdown on criminal activities that infringe the citizens’ personal data, the Ministry of Industry and Information Technology handles personal data protection in the telecom and Internet space, and the People's Bank of China is responsible for data protection in the financial sector,” she adds.

Lawyers warn that this dispersed authority can result in unclear roles and responsibilities and can jeopardize transparency, consistency and predictability in enforcement. 

In this regard, inadequate enforcement resources are also a challenge. Compared to China's large population base and innumerable websites and apps, enforcement resources are rather limited, according to Bao and Hu.

Another problem is that China lacks a well-established system to provide individual data subjects with legal assistance if they wish to take civil actions. 

“In judicial practice, it is difficult for the plaintiffs to collect evidence,” says Che from JunHe, citing an example. Today, there aren’t many cases where individual data subjects take civil actions.

Shen from Commerce & Finance attributes this to the weak public awareness of data privacy. She says Chinese netizens do not pay enough attention to whether their personal data is being collected and used illegally – a view shared by Bao and Hu, who call for education for consumers.

“A China-specific challenge is that data privacy is a modern concept derived from a modern economic activity without being a deeply rooted value in traditional Chinese culture. In other words, China has no tradition of protecting personal data. Thus, even as people learn about data privacy, it can quickly be outweighed by ingrained preferences for convenience and efficiency,” they say.

“Therefore, effective data protection measures may not always be understood or appreciated by consumers. For example, some consumers dislike pop-ups containing privacy terms and conditions because they lengthen transaction time and complicate the transaction.”

A third challenge raised by the lawyers is the weak participation by enterprises. Shen calls for the enterprises to come up with industry standards and to comply with them. 

“In the process of promoting personal data protection, it is important to balance the rights of individuals and tech development. This can be achieved when industry players participate more actively,” she says.

ACTIVE ROLE

The legal professionals also note that there are a few things they can do to help perfect China’s legal regime on data protection. 

“Legal professionals function as watchmen for their clients. Our practical experience allows us to help clients in identifying, assessing and mitigating potential legal risks in their daily operations and to help them cope with data breach incidents,” say Bao and Hu.

Shen agrees, adding that lawyers can help companies conduct due diligence and establish a data protection mechanism. 

“On the other hand, we can give legal advice to the government to speed up enforcement and legislation. We can also help uphold the rights of the individual data subjects by seeking access to legal assistance,” she adds.

“After all, effective data protection needs the participation of individual data subjects, the regulators and the enterprises,” Shen points out. 

 

To contact the editorial team, please email ALBEditor@thomsonreuters.com.
