The fight over China's law to protect personal data

A man tries a new facial recognition with a mask feature during the World Internet Conference in Wuzhen, China on 23 Nov, 2020. PHOTO: EPA-EFE

BEIJING (CAIXIN GLOBAL) - After a year-long legal battle, 34-year-old law professor Guo Bing won a partial victory in China's first court challenge to the rapidly spreading use by businesses and governments of facial recognition technology.

A court in the eastern city of Hangzhou ruled Nov 20 that a local wildlife park breached a contract with Mr Guo by changing from a fingerprint-based entry system to facial recognition without his consent.

The professor sued in October 2019 when the park said he had to submit to facial recognition to keep his annual pass valid.

But the court upheld the park's right to use biometric technology in business operations. The case has been closely watched and has stirred heated debate as it addressed one of the biggest public concerns in modern Chinese society - the balance between rampant use of new data technology and protection of personal privacy.

A string of high-profile data breaches in recent years has strengthened public calls for the government to pass a unified law safeguarding the personal information of citizens. In the first seven months this year, more than 8,000 apps and 478 companies were penalised by regulators for violating data collection rules.

The state's use of the burgeoning new technology is also seen as a major problem. Earlier this month, internet regulators cited 35 mobile apps for violating personal data collection rules, including several operated by local government agencies.

In response, China's top lawmakers are reviewing a draft law on personal data protection. It would be the first such legislation in the country to regulate collection of personal data including online shopping records and biometric features.

The Standing Committee of the National People's Congress (NPC) released the draft Personal Information Protection Law Oct 21 seeking public comment after completing the first of the three reviews of the legislation.

The eight-chapter law would provide overarching protection for China's 940 million internet users, who are increasingly concerned about their data security as new technologies powered by big data continue penetrating every aspect of social life.

The draft law includes a section defining the state's role in personal data collection, requiring government agencies to follow the same consent principles as businesses, with exceptions for certain conditions specified by law and regulations.

China's State Council has been studying legal protection of personal information since 2003, but it wasn't until 2017 that work on a unified piece of legislation formally started. Currently, several statutes share responsibility for privacy protection, including an official Standing Committee decision on protecting online data, a Criminal Law amendment, the Cyber Security Law and the newly passed Civil Code.

The draft law defines personal information as that which is "recorded by electronic or other means in relation to identified or identifiable natural persons, not including anonymised information."

Significantly, it would enshrine the principle of informed consent, meaning that all entities that handle personal data would have to clearly inform individuals in advance of how they plan to use the information and request explicit consent of individuals or their legal guardians before doing so.

The document also sets severe penalties for violations that are comparable to those of the European Union's General Data Protection Regulation, which is seen as the toughest privacy and security law in the world.

Caixin learned that this sparked debate among companies in the tech and advertising sectors, which argued that strict rules will hurt business growth. Meanwhile, some legal experts expressed concern that the document still lacks specifics and details that may impede implementation.

A person close to the legislative work said there is still time for the new law to be revised and lawmakers are trying to strike a balance among protection of personal privacy, business growth and the public interest.

"In the future, data flow is not only an asset but also a responsibility in both business and legal aspects," said Deng Zhisong, a senior partner of Dacheng Law Offices in Beijing.

Balancing act

There have been cases showing that the issue can be a matter of life or death. In 2016, a high school student in Shandong province died of a heart attack after being swindled of nearly 10,000 yuan (S$2,036) by phone scammers who illegally obtained her personal information. The case exposed a failure by local educational authorities to protect personal information and sparked a public outcry for legal action.

Chinese net users have found that they are surrounded by expanding volumes of highly personalized online content. A brief search of certain products on major e-commerce sites may lead to a series of pop-up ads for similar goods.

"The one who knows me best is not myself but the internet giants," said one online shopper.

Behind the scenes is advanced data analysis technology that's widely used by internet companies to create a portrait of each user for highly targeted marketing.

By gathering vast amounts of user data, tech giants like Alibaba Group and Tencent Holdings can precisely profile users and predict their demands based on daily spending, travel and interests and use the information to direct users to goods and services they are more likely to buy.

The new data protection law may change that by setting stricter requirements on what information companies can collect from users and how they can use it, several industry sources said.

According to the draft law, data collectors must inform individuals about why their personal data would be collected and how the information would be used and obtain explicit consent in advance.

Individuals would have the right to request corrections or deletions under the draft measure, and entities handling personal information would not be allowed to collect more than they need to complete stated tasks or to refuse a product or service if an individual declines to give consent or later withdraws it.

Such requirements are "very tough" for companies, internet sector representatives argued at a November meeting to discuss the new law, Caixin learned. They said the requirements are difficult to implement and would add to companies' compliance costs, hurting their revenue from advertising.

The draft grants an exemption to the consent rules when data is anonymised, meaning identifying particulars are removed. However, internet company sources said it would still hurt their marketing operations as anonymised information will make it impossible for companies to target users with customised content.

"The days of easy access to vast user data are past," one industry expert said. With stricter rules on data collection to protect privacy, internet companies will face greater tests for their data analysis technology, the expert said.

An advertising industry source said the proposed rules are too strict and lack specifics.

"There are indeed messes in the industry as data usage has lacked regulations for a long time," he said. "But it won't be simply fixed by one general rule."

New business models backed by data technology have thrived in China partly due to the relatively loose regulatory environment. In 2019, the so-called new economy accounted for 16.3 per cent of the country's gross domestic product, official data showed.

Access to data is the backbone of emerging technologies such as facial recognition and autonomous driving, which are key areas where Chinese companies are racing for a competitive edge.

"Users want their privacy protected, while companies need profit," said Fang Yu, a law expert at China Academy of Information and Communications Technology. "There will be costs for privacy protection, and sometimes it is a zero-sum game."

Mr Fang said the proposed law should add more specifics on how the rules will be applied in different sectors to serve different needs.

For instance, "autonomous driving developers need to collect data on pedestrians to improve the algorithm," Mr Fang said. "But if they must get consent from each individual pedestrian, the technology will be impossible to develop."

He Yuan, a data legislation expert at Shanghai Jiaotong University, said the legislation needs to specify the legitimate rights of companies in data collection to leave room for businesses to grow.

"The whole new economy is built on the basis of data, and personal information is the most valuable part," He said. "The draft law emphasises privacy projection but without enough words on how the information can be used."

The state's role

"Government agencies managing public affairs and services collect a huge amount of personal data, but at the same time, they are rule makers and regulators," said Zhang Xinbao, a legal expert who participated in drafting the law. Mr Zhang said there still needs to be further detail on requirements for government bodies.

Several members of the NPC Standing Committee suggested further specifying rules on government departments, including clearer requirements on the scope of data collection, the procedures to follow and the period of data storage.

Wang Xixin, a law professor at Peking University, said the section on data collection by the state should be expanded into a stand-alone chapter to include more-detailed requirements.

Government agencies need to seek a balance between data management efficiency for the public interest and protection of individual's privacy, Mr Wang said.

The draft law also stipulates the use of surveillance systems and personal identification devices in public areas, requiring that such data be used only for public security purposes and not be shared with other parties without individuals' consent. The regulation is seen as a long-awaited response to the expanding use of facial recognition technology.

Hangzhou's Mr Guo said the draft legislation represents "an improvement" but needs to go further as the wording is vague enough to be manipulated. He suggested that lawmakers introduce a licensing system and more-detailed requirements on the use of facial recognition in public venues.

Regulatory debates

The draft law proposes to slap a maximum fine of 50 million yuan or the equivalent of as much as 5 per cent of revenue from the previous year on those that illegally handle personal information, among the toughest penalties in the world.

"The heavy penalty sends a signal of tough oversight and reflects the urgent needs of privacy protection," said Chen Yu, partner of King & Capital Law Firm.

However, the severe penalties drew objections from businesses as many said they worried that the draft may offer local authorities excessive room to impose punishment.

Some industry sources and legal experts said the draft document doesn't provide a clear explanation of which department should lead enforcement of the law.

According to the draft, oversight of privacy protection would be shared by several central government agencies as well as local government departments, which could lead to overlapping supervision, experts said.

Some experts said China should follow the EU in creating a single regulatory agency to take on overarching oversight. But others said the creation of a unified regulator would be difficult in practice as it would require a massive government reshuffle.

Mr Fang said a more feasible way for China would be to set up a regulatory body to take unified responsibility in setting rules and standards and to supervise local authorities in enforcement.

"There are over 20 central government agencies that have privacy protection duties, and each of them has local branches down to county level," said Wang Rong, a data policy expert at Tencent Research Institute. "Giving them great law enforcement power will create a battlefield of interests."

Matthew Walsh contributed to this story. This story was originally published by Caixin Global.

Join ST's Telegram channel and get the latest breaking news delivered to you.