n November 27, China’s Ministry of Industry and Information Technology (MIIT) presided over the National Regulatory Conference on App Personal Information Protection in Beijing. The MIIT announced that in the course of inspections it conducted in the past year, 1,336 apps that violated regulations were ordered to redress transgressions, 377 apps that failed to do so were publicly warned, and 94 apps that refused to rectify them were removed from app stores.
During the conference, the MIIT said it has instructed the Internet Society of China to organize 133 telecommunication and internet companies to sign up to a discipline convention on the protection of personal information. Representatives of 11 of China’s biggest internet companies including Alibaba, Baidu and Sina made a public promise that they would strictly implement all necessary measures as directed by the MIIT.
But few believe these measures will be adequate to address the widespread infringement of users’ rights to their personal information. There is consensus among experts that the personal information violations the MIIT uncovered are only the tip of the iceberg. According to a recent survey conducted by the China Consumers Association, 85.2 percent of consumers said they have experienced unauthorized use of their personal information, which involves some of China’s largest internet companies, such as Alibaba, ByteDance and Tencent. To a large extent, these violations are so common that it has become a norm for China’s internet industries.
The persistence of the problem partially derives from the lack of effective regulation in past years. As the internet industry is considered a driving force of the economy and a major source of innovation, authorities have allowed a hands-off policy when it comes to the protection of personal information.
However, as small companies developed into internet giants, often with monopoly power, it is time for authorities to take a serious stance on the issue of personal information protection.
In October, the National People’s Congress (NPC) released its first draft of the Personal Information Protection Law, which stipulates that serious violations of China’s personal information protection regulations could lead to a fine of 50 million yuan (US$7.6m) or 5 percent of a company’s annual revenue. This is major progress in the right direction. But the key is how the law is implemented.
In the past few years, China released legislation to regulate the internet. For example, the Cyber Security Law, effective in 2017, was the first national law to include a set of data protection provisions. The 2018 E-commerce Law included data privacy protection for consumers. In May 2020, China passed a Civil Code, which formulates a legal framework governing individual data privacy.
While these laws outline the legal principles of data and privacy protection, they lack strong implementation mechanisms. The result is that when internet companies transgress the rules, there are no serious consequences
As both public awareness and complaints about personal information protection are rising rapidly, the government needs to be proactive. Rather than relying on internet firms monitoring and disciplining themselves, it needs to drastically increase the financial costs and legal consequences for violations. This is the only way the issue will be taken seriously.