I am most grateful to Dr Gregg Li, co-author of “Understanding Corporate Governance in China” for sending me the Penn State Journal’s review of data privacy in China. This long and thorough analysis is not for the faint-hearted, bristling as it is with legal and academic references. Volume 8, issue 1 throws new light in China’s steps to protect its citizens’ data privacy. I am not a lawyer and have no legal training. What follows is my attempt to interpret this scholarly review in lay language.
Western observers often believe that data privacy in China is non-existent. True, the country regulates privacy of the state differently from privacy of individuals and private companies.
The Penn State article compares China’s data privacy laws (most notably the Cybersecurity Law and its implementation guidelines) to the approaches of the EU and the U.S. Does China’s direction take account of their rules? What makes China’s approach different from Western models?
China initially followed a path similar to the USA. It has recently changed direction and now converges with the more stringent EU rules on the Cybersecurity Law and the Personal Information Security. China now has a comprehensive data protection law and encourages privacy protection for consumers that sometimes surpasses USA rules.
“Data privacy with Chinese characteristics” will figure in the country’s forthcoming regulations on artificial intelligence and may affect future policy developments in the EU and the USA.
The Penn State Article is the first substantial effort to compare Chinese laws on data privacy with those of the EU and USA. It also seeks to determine their direction and underline the details that constitute China’s emerging approach.
USA and EU models
The EU and USA models are well established and yet different from each other. In the EU, the rights to privacy and to the protection of personal data are fundamental rights protected by comprehensive laws. The laws have a wide scope; they apply to all organizations collecting and processing personal data. Personal data is broadly defined to cover all information relating to an individual. The laws provide strong guarantees for individuals. The General Data Protection Regulation (“GDPR”) confirms the EU direction.
In the USA, there is no federal law covering all aspects of data privacy. Any provisions are scattered among many laws regulating different topics and sectors. They have a wide scope. They may concern government agencies, data on children, health data, focus on data breaches and being a federal law or a state law. They typically have fewer requirements and offer less protection than in the EU.
The EU model influences third-countries’ laws. China now seems to be converging with the EU model. This would leave the USA isolated with its minimalist approach.
Differences between USA and EU approaches started to appear when the European Commission asked EU Member States to bring into their laws more stringent protections than that recommended by the OECD Privacy Guidelines.
This led to a great divergence between the two sides of the Atlantic.
In the EU, abuses on privacy and personal information during and after World War II justified strong protections, as exemplified by early German and French rules. Privacy and personal information protection are now fundamental rights in the EU. In the USA, data privacy rights are balanced with other interests such as commerce and state security agencies. Moreover, data privacy finds itself facing the right to free speech as protected by the First Amendment of the USA constitution.
Among countries that built a legal framework for the protection of personal information, the USA remains the exception to that trend. Laws are much more fragmented. Privacy is protected by a patchwork of common law, federal legislation, state law, and certain state constitutions. Scholars have found that the USA Constitution and its supporting body of jurisprudence do not provide adequate privacy protection.
Data privacy in China
China started work on data privacy much later than the EU and the USA. Before any data protection rule could exist in China, the country had to establish the right to privacy. In China, as in other countries earlier, the idea of privacy was under-developed. Societies then included strict moral and behavioural social norms. Important rural communities with deep social ties did not require privacy protection.
During the nineteenth century, the development of urban life provided relative anonymity among people. This, coupled with new liberal ideas and individual rights, led to the concept of the right to privacy. One of the first mentions of this appeared in the USA in 1890. Scholarly discussions continued during the beginning of the twentieth century, but the right to privacy did not flourish until after the Second World War. Then the individual became more important in democratic legal systems.
This explains why China was not part of this movement. The right to data protection appeared elsewhere in the 1970s, when the USA and several European states moved beyond privacy protection and issued their first laws on personal data protection.
In the regulation of businesses’ use of personal data, the first Chinese efforts were more concerned with public security than personal privacy. The emergence of innovations such as cloud computing and big data analytics convinced China to regulate privacy more vigorously. This trend became more pronounced after Edward Snowden’s revelations and the related fear over foreign spying.
China nearly chose to follow the EU path initially when considering a personal data protection law between 2005 and 2008. This law would have been a significant step in China in the direction of the Western practice of personal data privacy. But the project stalled, and the text remained a draft.
The most important milestone in China’s data protection legal landscape is the Cybersecurity Law enacted on November 7, 2016 by the Standing Committee of the National People’s Congress and which came into force on June 1, 2017.
Generality and vagueness are typical traits of Chinese law. To reduce the shortcomings of vague binding laws, China uses non-binding texts to provide details and to guide the laws’ implementation. A parallel here is the use of guidelines in the EU system. These guidelines seek to explain and illustrate a particular point of the data protection rules in a great detail. Their format is however different. Whereas a guideline in the EU is an actual explanatory text, sometimes close to an instruction manual, Chinese guidance texts are organized by articles in the manner of binding laws, reinforcing their quasi-implementing character.
The lead drafter of the 2018 Specification, argues that these rules are “stricter than the USA, but not as much as the EU.” Study of data protection principles and requirements in the newest Chinese rules show that they keep some similarity with the USA approach. But the more recent specifications also feature important signs of convergence with EU law. This demonstrates a significant change in China’s direction, in favour of stronger data protection requirements than the USA but without going as far as the EU.
Another area where China follows the EU in enhancing individuals’ rights, is the restrictions on automated decision-making, including profiling. In the EU, a “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling.”
What is striking in China’s system is the difference between the strengthening of protection against private entities and the parallel increase of government’s access to personal data. There is still no significant privacy protection against government intrusion. Rights to privacy and data protection evolved favourably for the individuals/consumers in their relations with the private sector. However, considerable doubt still exists when those rights are examined between the citizen and the government, particularly over surveillance issues.
In Western countries human rights protect the individual from state power. But human rights in China are derived from the state itself, meaning that the state’s interests remain above the individual’s.
Finally, China outlined its strategy to become the leading AI power by 2030, through the Next Generation Artificial Intelligence Development Plan that the State Council released in July 2017. The plan outlines the need to “develop laws and regulations and ethical norms that promote the development of AI.” Privacy is explicitly mentioned as the first of six supporting measures.
China’s stance on data protection is the source of fear, controversies and scepticism in the West. Sceptics assume that the use of personal data in China is unrestricted, causing a lack of privacy protection and giving an edge to Chinese companies in the field of innovation. While the protection of personal information was indeed lacking until recently, the country is now building its framework rapidly. Scholarly literature on the topic is still relatively scarce.
This Article has demonstrated that China is gradually building a data privacy system through reference to both the EU and the USA models. It originally resembled the USA minimalist approach. It now shows signs of convergence with the more stringent and comprehensive EU model. It is likely that this trend will continue. The law dedicated to data privacy that is on China’s legislative agenda should be the next milestone in that direction.
This study has also underlined that China’s approach is not merely between the EU and the USA. It features important specificities that will make China’s approach, once the framework becomes more mature, a model itself that third countries sharing the same rationale may choose to transplant.
Cyber-sovereignty and the dichotomy between privacy from private actors and privacy from the state are the most salient elements of the model that China is building. Given the country’s economic and political ambitions related to its cyber strategy, China’s voice on data privacy will have an increasing impact.
To further build up this finding, China shapes the related AI regulations that are intertwined with personal data usage. China is not a latecomer here and will now be able to push its vision on AI rules, and participate with the EU and the USA in the competition for global regulatory influence. The significant improvements identified in this study concerning consumer privacy will, hopefully, merge into China’s future AI regulations.