The increasing digitalization of life in China has increased the need for the security of personal data. To ensure effective data protection, the party-state would have to create a unified legal framework and to subject itself to supervision.
Fourteen years ago, the Chinese government started to draft a bill to protect citizens’ information across the country. Earlier this year, China’s legislators were still striving to get China’s legislature to review this bill. In the wake of growing social concerns over large-scale misuse of citizens’ data, Yang Zhen, a delegate to the National People’s Congress (NPC), has continued to advocate the adoption of a specific bill on data protection over the past three years. Although some delegates espoused this proposal, it might take another “three to five years” to pass the law, said Yang.
Concomitant with their struggle was the “General Provisions of the Civil Law” passed on the final day of this year’s NPC in March. As the opening chapter of China’s first Civil Code, this law bans “illegal” sales or publication of personal information. Yet any clear liability for government bodies is missing, as is the case with the Cybersecurity Law enacted this June. Without further legal restraints on the inordinate power of the government to manage data, effective data protection will prove to be very difficult.
The protection of personal data is a core issue of China’s digital transformation. As life gets increasingly tied to computers and mobile devices, personal information is becoming more and more vulnerable to hackers and other third parties with malicious intent. Foreign companies, researchers, and also the Chinese government have suggested that Chinese citizens do not care about the protection of their personal data. The mobile habits of tech-savvy Chinese youths suggest as much. Online payment apps allow them to hook their bank and credit card information to their mobile phones, while cab-hailing apps such as Didi Chuxing require constant disclosure of their GPS locations. Convenience seems to trump privacy concerns.
In a 2014 survey conducted by the Boston Consulting Group, only 50 percent of surveyed Chinese consumers agreed that they have to be cautious about sharing personal information online. This number is 26 percentage point lower than the average of 10 other surveyed countries. In a breakdown of data type, Chinese citizens appeared to have a more cavalier attitude toward data privacy. For example, only 63 percent of surveyed consumers regarded their credit card information “moderately or extremely private,” compared with 87 percent in the United States and 93 percent in Germany.
The attitude of Chinese citizens toward personal information protection is indeed ambivalent. In popular online smear campaigns such as “human flesh searches,” netizens engage in a form of vigilante justice to punish people who are accused of wrongdoings often not punishable by the law. The exposure of private information of, for example, corrupt cadres, unfaithful actors, or unpatriotic students is used as a weapon against the alleged perpetrator of a “crime”: started by one netizen, thousands join in to publish the target’s photos, phone numbers, and addresses online, paving the way for offline threats and abuse. In a highly publicized case, a Chinese student was abused online after giving a commencement speech at the University of Maryland in the United States. Speaking about the delights of fresh air and freedom in the United States, the student was met with extensive “human flesh search” attacks and discussions from Chinese netizens after the video of her speech went viral. The student ultimately apologized for her speech online.
Data leakage has raised risk awareness
However, Chinese citizens have demonstrated a growing awareness of the importance of protecting personal information in the last few years. The fact that data leakage is an almost daily occurrence has led to heightened awareness from most urban netizens. The latest data leakage in June this year concerned Apple users, who are mostly from China’s middle to upper class. An underground network across several provinces sold data worth $7.36 million.
If one were to turn to online discussions in internet forums catering to China’s urban middle class such as Zhihu or Tianya, one would find numerous articles and tips about how to protect one’s information, and warnings against revealing any “real” information about themselves on the internet. Citizens have also demonstrated that they are highly concerned about personal information theft and leakage: in a forum thread discussing a case where a person’s bank account was hacked, people commented on how to prevent hackers and shared similar stories commiserating with the victim.
Chinese citizens currently face a slew of systematic challenges when it comes to protecting their own personal information. Innocuous acts such as buying a house, registering at a school, or visiting a hospital can potentially lead to unexpected disclosure of a person’s phone number, name, or even their home address. Many Chinese citizens complain that once they have bought a house, they will receive unwanted calls trying to promote renovations, pipe repairs, or other housing-related issues.
People see business opportunities in the transaction of personal information almost everywhere. But in China, hackers and their clients can easily obtain personal information from government agencies, such as the local education bureaus. A girl in Shandong died of heart attack after her entire tuition fee was lost in a financial fraud. The hoax worked because it was based on her personal information, which hackers illegally acquired from the data bank of local educational departments — together with some 600,000 other victims’ data.
Lack of government accountability
The NPC’s current legislative agenda does not contain a uniform law that would prevent data leakage and protect citizen’s personal information. Instead, different ministries under the State Council have issued a bunch of sector-specific regulations, such as those for e-commerce, online banking, or information technology. Despite so many departments of the executive branch making efforts to “standardize” data protection, not a single national authority is specifically responsible for data protection.
It is often impossible to say no to government authorities when they ask for data to process public services. Once citizens’ personal information is leaked, they cannot turn to a prescribed agency for help. While individual government officials or company employees may be punished for obnoxious divulgence of data, government authorities cannot be held accountable under the current law.
There are signs that the government is taking steps to strengthen data protection. In late 2016, China’s National Information Security Standardization Technical Committee published a draft of legal standards for the protection of personal information. These standards apply to cloud computing, industrial control systems, e-government, and big data services. Recently, the committee worked out another proposal of guidelines on cross-border transfers that requires more control of risks in cross-border data transfer. But like the Cybersecurity Law, these regulations aim to hold internet companies rather than government bodies responsible for data protection.
Even Beijing’s goal of setting up a national data network to underpin the Social Credit System – an authoritarian system envisioned to monitor and eventually reshape the behavior of citizens and companies – requires a unified, more consistent regulatory basis for the protection of personal information. In the end, effective protection of personal data will only be possible if the government agrees to share the responsibility – and to subject itself to some form of independent supervision.
Tiffany G. Wong is an MA Candidate at Johns Hopkins School of Advanced International Studies. She was a research intern with MERICS from June to August 2017.
A slightly different version of this article was first published in The Diplomat on August 12, 2017.