Author: Winston Ma, NYU
At the US House Judiciary Committee hearing on 29 July, Amazon, Apple, Facebook and Google CEOs sent a clear message: don’t regulate us or we can’t compete with China. When Facebook CEO Mark Zuckerberg testified before Congress in early 2018 on Facebook’s data practices, he warned that regulating the platform’s use of personal data would cause the United States to fall behind China when it comes to data-intensive innovation, such as artificial intelligence (AI).
Zuckerberg’s argument reflects the conventional wisdom that the Chinese internet industry has accumulated a tremendous amount of user data for AI research thanks to China’s lax regulation on data collection. In other words, so the argument goes, Chinese companies have an edge if US companies like Facebook are constrained by data protection regulation. To some extent, Zuckerberg is correct. But personal information and data breaches are becoming hot-button issues in China.
The critical advantage China has in AI research is its data resources, as the density of people is proportional to the density of data. With over 900 million internet users, along with the widespread adoption of mobile applications during the mobile economy boom, there has been a surge in data growth in China’s consumer market. In this ‘mobile first’ and ‘mobile only’ environment, people use their mobile phones heavily to shop for consumer goods, order meal deliveries, buy tickets and pay for almost all daily activities, leaving vast amounts of data on digital platforms.
2018 could be hailed as the year when the Chinese public started awakening to privacy concerns. As if echoing Zuckerberg’s testimony, China’s leading search engine Baidu’s founder Robin Li commented in a 2018 interview that if Chinese people ‘are able to exchange privacy for safety, convenience or efficiency, in many cases they are willing to do that, then we can make more use of that data’.
Ironically, Li’s remark was not accepted by the Chinese public. Baidu was sued that year by a consumer rights protection group in Jiangsu province for collecting user data without consent. The lawsuit was later withdrawn after Baidu removed the function to monitor users’ contacts and activities.
Chinese consumers are increasingly standing up to internet giants for their digital privacy in an unprecedented way. China is in the early stages of setting up a data protection regulatory system. The Cyber Security Law, effective 1 June 2017, included for the first time a set of data protection provisions in the form of national-level legislation. The 2018 e-Commerce Law incorporated data privacy protections for consumers such as the ‘right to be forgotten’, similar to the EU’s General Data Protection Regulation.
China passed a new Civil Code in May 2020 and it will take effect in January 2021. It marks a key step forward in developing a legal framework governing individual data privacy. Among a sweeping package of numerous civil laws, for the first time, privacy is defined statutorily as a personality right. The Code devotes an entire chapter to addressing personality rights — covering people’s rights to control the commercial use of their name, title, portrait, reputation and privacy, while adding new articles on protecting personal information.
There are also compromises in the Code’s efforts to protect privacy. Although the Code protects personal information under personality rights, it does not recognise personal information as an inherent right for everyone. This implies that an individual will only have an economic interest in their personal information rather than a personality right, which probably reflects resistance from the e-commerce industry. Some provisions lack details such as how long data collectors can keep people’s information and under what circumstances they must delete it.
The ongoing pandemic creates novel data and privacy controversies. For epidemic control and prevention efforts, governments collect a vast amount of individual information to keep close tabs on population health and location data. Under ordinary circumstances, sensitive patient-linked medical records should be kept private, but during the extraordinary crisis governments must constantly collect such data, often through private internet platforms, raising concerns about data breach, loss or unauthorised use.
China’s forthcoming Personal Information Protection Law and Data Security Law is expected to address these complex issues in more detail. The drafters face tough challenges in balancing the considerations of individuals’ personal privacy, enterprises’ business development, and national and public security.
Since these two laws are already in the process of formulation in the National People’s Congress, they may become effective as early as 2021 — a major step towards regularising this patchwork affair of personal information protection into an integrated, comprehensive framework. Contrary to Zuckerberg’s characterisation, China no longer provides him with a convenient counterargument against privacy rules.
Winston Wenyan Ma CFA is a tech investor and Adjunct Professor at the New York University School of Law. He is author of China’s Mobile Economy (Wiley, 2016) and its sequel The Digital War (Wiley, forthcoming).