On October 21, 2020, a draft of China’s much-anticipated Personal Information Protection Law (PIPL) was released for public comments. Along with the Cybersecurity Law implemented in 2017 and the Data Security Law (a draft of which was also released for public comments in July 2020), the PIPL is regarded as a major milestone in China’s legislative efforts to establish a set of comprehensive regulations around data. Particularly, the PIPL establishes lawful rights around personal information, as it is formulated to “protect personal information rights and interests, standardize personal information handling activities, safeguard the lawful, orderly, and free flow of personal information, and stimulate reasonable uses of personal information”(Article 1). The draft drew intensive media and public interest. Legal professionals, academics, and business representatives held discussion sessions to compare the draft law with the European Union’s General Data Protection Regulation and other major data laws around the world, and raise issues for clarification and improvement.
One month later, the ruling in the first trial of a highly publicized case involving the use of facial recognition technology, touted as the “first lawsuit against facial recognition,” was announced. The victory of the plaintiff, who had objected to use of the technology by a safari park, generated another flurry of coverage and social media responses.
Personal information protection has already become a hyperactive field in China, which is continuously energized not only by national legislation and policymaking, but also by the participation of legal professionals, conscious actions taken by common citizens, as well as immense media attention and active public discourses.
China’s unveiling of the PIPL is part of legislative and regulatory moves in recent years to establish the legal foundations, guidelines, and standards for data governance, of which personal data protection is an indispensable component. In contrast to the common perception of China’s data regulation being lax – which is often leveraged by Silicon Valley entrepreneurs (like Mark Zuckerberg of Facebook) to argue that regulating personal data would prevent data-driven innovations – the Chinese government in fact has moved fast in the past decade to make hundreds of laws and rules on data security and protection. Before the unveiling of the PIPL, a variety of regulations and standards in the area of data and technology had already been issued to introduce personal data protection in different realms, such as the Consumer Protection Law and its Amendments (2014), Personal Information Security Specification (2018), Regulation on the Protection of Children’s Personal Information Online (2019), Financial Information Protection Technical Specification (2020), etc.
While Western audiences may be more familiar with stories of the use of high-tech surveillance and the controversial social credit system, which raise worries over whether China’s data privacy model would threaten the core values of Western democracy, it is crucial to recognize that China is tackling similar challenges arising from the rapid deployment of information and communication technology (ICT) and the necessity of governing gigantic amounts of data generated from daily economic and social activities. As data is increasingly seen as fundamental to national and area economies, governments around the world are striving to boost economic development with data-driven innovations. Unsurprisingly, the development of legal and regulatory foundations for data protection and security has also ascended to the top of government agendas. Commentators have quickly noticed that many provisions of the draft PIPL resemble the GDPR and other major data legislation in other jurisdictions.
Yet it would be a mistake to see the central government and legislative body as the single player in the field of China’s personal data protection. The aforementioned lawsuit, brought by a law professor against the use of facial recognition at the entry of a safari park in Hangzhou, started even before the public release of the PIPL draft, and emerged from increasing public awareness and actions around personal data protection. For example, the Personal Information Protection Research Center of the South Metropolis Daily has been actively conducting in-depth investigations into topics of public concern such as facial recognition and the privacy terms of online apps, and releases yearly reports on the state of personal information protection security. Public accounts on WeChat and other social media, each with large numbers of followers and subscriptions, also distribute regular updates on national and international data policy trends, research, data leaking incidents, etc.
Facial recognition is a technology of particular concern, as it is not only adopted in security surveillance systems in airports and other places, but also more and more in financial and banking systems for identity authentication and mobile payment. The lawsuit against Hangzhou Safari Park has galvanized immense public attention as it acted on public concerns over the lack of regulation in the adoption of facial recognition. In media interviews, Guo, the plaintiff of this case, declared that, although a lawsuit against personal information violation could be burdensome to individual consumers, it was his goal that this lawsuit could provide practical lessons to establish more effective legal rules and practices for the protection of personal information.
In September 2020, another law professor at Tsinghua University in Beijing also decided to sue her home owners’ association for installing facial recognition at the gated community entrance, which, as expected, stirred up another wave of media and public expression of concerns over the controversial technology. These public sentiments and anxieties prompted relevant departments to prioritize making standards for the use of facial recognition in finance and other areas. Local governments were also taking opportunities to make regional regulations. The city of Tianjin on December 1 just passed a regulation that restricts the illegal collection and use of sensitive biometric information for identify authentication, which includes a ban on the use of facial recognition technology.
Besides these highly visible cases involving facial recognition, two other cases brought by individual consumers against big tech companies are worth mentioning. In the Ling vs Douyin/Duoshan case, the plaintiff, named Ling, when registering for the two social apps, was prompted with a list of “people whom you might know” on the apps. Suspecting the app had read his phone contacts list without consent, he sued the company Bytedance. In the Huang vs Tencent case, Ms. Huang, in using the app WeChat Reading, found her reading information was shared with her “friends circle” in the WeChat app without her knowledge, and she brought the case against the parent company of the two apps.
In both cases, as in the two aforementioned facial recognition cases, the plaintiffs are individuals with a good knowledge of legal statues and institutions, or with strong legal assistance to litigate the cases. Ling is a Ph.D. student in law, while Huang is reported to be a staff member at a law firm. As a well-informed plaintiff who was likely familiar with existing personal data protection conventions in Europe and other places, Ling, for instance, took pains to obtain evidence regarding the privacy settings of the apps, such as the time length for the storage of cookies, the notice for consent requests, service agreements, etc.
Although the issues they litigated against seemed to be minor in the sense that “no actual harm” could be proved, which was an argument often put forward by the defender’s side, their “low-stake” nature highlighted the symbolic significance of the lawsuits. Interestingly, such low-stake litigations have been encouraged among law school students by their universities and professors to gain practical experience as part of their education. Litigating against big companies and public institutes for their handling of personal information and their privacy policies has become more and more common among these future legal professionals.
All these examples show the hyperactive dynamics around China’s personal information protection. A careful review of the discussions around the PIPL draft and the courts’ ruling in the cases brought by citizens against personal information violations would reveal that China’s data protection is faced with many similar challenges shared elsewhere in the area of data governance, such as how to define the proper scope and reasonable uses of “personal information” in order to balance individual rights with public interests and industrial development, and how to find a more effective mechanism beyond the recognized dilemma of consent as the condition for data processing. In view of the growing global conflicts over cross-border data flows and concerns over data sovereignty, it is imperative to have a comprehensive understanding of these dynamics around personal data protection in China and seize opportunities for conversations in this area of mounting importance.
Xiao Liu is a Wilson China Fellow, and currently working on a project on the governance space of personal data in China. Liu teaches at McGill and is the author of “Information Fantasies: Precarious Mediation in Postsocialist China” (University of Minnesota Press, 2019).