Chinese authorities, businesses, and consumers have long grappled with the impact of emerging technologies on the protection of personal data.

As the issue gains social traction, the government is breaking ground by advancing national regulations with major implications for consumer privacy and the international operability of firms both domestic and overseas.

The era of data collection without scrutiny in China is over, and consumers are vocally standing up for their rights in ways not seen before.

Rising Concerns About Privacy

The development of these regulations coincides with mounting concern surrounding data privacy rights among the Chinese public.

Media coverage of scandals overseas – coupled with rising anxiety surrounding data leaks – has provided the fuel for an increasingly volatile public debate about how companies are handling the personal data of Chinese citizens.

Last year, Baidu founder Robin Li found himself the subject of public outcry after suggesting in an interview that the Chinese people would trade their privacy for convenience. The comment incited uproar amongst Internet users, with thousands protesting Li’s attitude to user privacy.

This incident came just months after a government-backed consumer protection group sued the search engine for collecting user data without consent.

In truth, privacy and information security concerns have been plaguing the country for years.

Personal data regularly leaks from business and government databases; surveys report that 85 per cent of Chinese consumers have been affected by data breaches – including leaked bank account information, social media details, and illegally sold phone numbers.

But now policymakers in Beijing have moved forward in articulating a nationwide data protection scheme with implications for internet users, businesses, and the development of emerging technologies.

This approach to data governance will play an important role in shaping global markets and informing the development of privacy regulations across the region.

A New National Standard

China’s Cybersecurity Law (CSL), which came into effect in June 2017, is made up of six systems forming a framework that governs information and communication technology across the country.

The law regulates how organisations should protect digital information, and outlines measures to safeguard Internet systems, products and services against cyberattacks.

A new national standard issued under the CSL’s fourth system, GB/T 35273-2017, was published in December 2017 and came into effect in May 2018.

Called the “Personal Information Security Specification” – or simply the “Specification” – it is the country’s most comprehensive document to date on the protection of personal data, effectively constituting a best practice guide for the collection, processing, and sharing of personal information, including the subset it defines as sensitive personal information.

It states that organisations must have valid grounds for collecting personal data, and must present a transparent privacy policy clarifying why and how this data will be used. Companies must collect only the minimum amount of data required, cannot use it for ancillary purposes without consent, must protect it in storage (encrypting sensitive personal information), and can retain it only for the minimum time necessary.

Users must give informed consent for all acts of sharing and processing, and have the right to access, correct, and delete their data.

Organisations must formulate a contingency plan for all security incidents involving personal information, and must meet additional requirements for access controls, third-party assessments, user breach notifications, and cross-border transfers.

In February 2019, China’s information security standards committee (TC260) released a set of draft amendments to the Specification for public comment, supplementing and refining existing requirements, largely covering personalised content, documentation, breach notification, consent, and third-party controls.

The proposed revisions mandate an opt-out for all personalised content, including news and targeted advertising.

Similar to Article 30 of the European Union’s General Data Protection Regulation (GDPR), the amendments obligate companies to record the lifecycle of all data, including processing activities, categories, and sources, as well as every organisation and individual involved with its processing.

Breach notification requirements have been narrowed, while definitions of “basic” and “extended” product features – for which entities must obtain separate consent – have been further refined.

Controllers are prohibited from repeatedly asking, suspending functions, or lowering their service level to encourage consent from users who have previously refused.

Expectations of control over third-parties that have access to such data have also been raised – requiring a full legal contract between the controller and processor, a full risk assessment, and constant monitoring. The controller is encouraged to complete regular audits of third-party code, scripts, or any other tool involved in data processing.

Finally, the revisions call for more robust privacy policies, obliging data controllers to disclose their collection practices, security controls and any information on cross-border data transfers.

Global Regulation Standards

While these amendments expand the rights granted to Chinese consumers, they also attempt to ease the compliance burden placed on businesses.

If adopted, the amendments will bring the Specification in line with some of the strictest privacy regulations in the world, including the GDPR and California’s Consumer Privacy Act (CCPA).

While the Specification relies heavily on the GDPR as a model, there is a clear attempt to localise the policy to the Chinese economy by blending concepts from other international regulations. The result is a uniquely Chinese approach to data privacy: Closer to the GDPR than policies in the US or APAC, but deliberately shaped to reduce impediments to certain industries.

These differences are most noticeable when comparing definitions of consent. Under the GDPR, consent must be an unambiguous affirmative act (and explicit for special categories of data); in China the standard is looser and consent may even be “implied”.

Though consent is a core principle behind the Chinese approach, drafters seem to have sought to moderate these rules to avoid undermining prospects in data-intensive developing fields like artificial intelligence (AI) and e-commerce, crucial sectors that will drive China’s economy.

Despite these concessions, the language used remains comprehensive, and contains more onerous requirements than certain aspects of the GDPR, including a more inclusive definition of sensitive information, more rigorous requirements for privacy notices, and more specific procedural obligations for enterprises.

Still, approaches to data protection in Europe and China are converging slowly. The way these two regimes intersect will be paramount for the global aspirations of Chinese companies, particularly as tech giants like Alibaba begin to set up data centres around Europe.

In all, once perceived as less litigious than Western countries, the data protection landscape in the Asia-Pacific region is maturing rapidly, with China taking the lead.

By contrast, the US has yet to institute a national data privacy policy and is still without a uniform concept of data ownership or consent. 

As global legislation begins to shape operations in major markets, US companies are becoming increasingly reactive in fashioning solutions for international compliance.

If federal inaction persists and Washington continues to debate the government’s role in protecting its citizens’ privacy, Chinese consumers will soon have greater protections from tech companies than their American counterparts.

Inconsistency And Enforcement

An assessment of China’s regulations must be made in the context of the political realities of operating in the country, including the practicality of their long-term enforcement.

Though a bold stride, China’s data protection regime is still a patchwork of laws and standards, with no clarity as to which measures are mandatory and which are open to interpretation. The Specification itself is a recommended (GB/T) national standard rather than binding law.

Despite this uncertainty, the Specification has functioned as China’s de facto personal data protection standard for some time, with regulators and auditors using it as the benchmark in various branches of enforcement to push companies into compliance.

Legal ramifications for violating the CSL can include rectification orders, fines of up to 1 million yuan, and the revocation of operational licences. Separately, under the Criminal Law’s offence of infringing citizens’ personal information, those directly responsible for breaches or leaks above a certain threshold may face up to seven years imprisonment.

The main obstacle to Beijing’s regulatory aspirations may be the unresolved contradictions in how these rules will be implemented, given the conflicting guidelines laid out in existing law.

While the Specification requires organisations to obtain consent and delete user data upon request, the CSL itself instructs network operators to retain logs and data and to assist public security and national security organs with investigations, and allows government agencies access to user data without due legal process.

These ambiguities leave room for selective enforcement based on the whim of different actors within the Chinese system.

Setting A Precedent

Regardless of their motivations, it’s clear the Chinese government seeks to make companies more accountable for abuses of personal data in the private sector.

These regulations are likely to set a precedent that will shape international legislation in years to come, motivating governments around the world to tighten their own protections.

As the processing of personal data skyrockets in line with the emergence of AI, big data, and smart cities, a stricter framework for data management can only be applauded.