Securing the System

China’s tighter data protection law will have a short-term effect on data-driven industries. Meanwhile, the data security industry will benefit, say experts

By Xu Ming Updated Nov.1

David Yang, a 33-year-old working in Beijing, seldom answers calls from unknown numbers. Anxious about personal data leaks, he is prudent about even liking posts online. “Information, like your browsing history and how long you spent on it all are used for algorithm analysis that aims to feed you with the same type of information,” he said.  

But like every modern urbanite, he cannot get by without apps. He has dozens of apps on his cellphone to cover every aspect of life, from online shopping and travel to ride-hailing, to name a few. Most apps require him to authorize access to personal information, such as location or contact list, just to register. And just like everyone else, he ticks yes to the privacy policy without bothering to read it, knowing that rejection will deny him access to the app.  

While more personal data is being collected by service providers, apps, mini programs and facial recognition systems, illegitimate disclosure, misuse and illegal trading of personal info has become similarly rampant. A case disclosed in April shows that between 2016 and 2018, over 10,000 pieces of personal information of women, both pregnant and post-birth, had been leaked from hospitals to child photography and training companies in Wenzhou, Zhejiang Province. In August 2020, it was revealed that big delivery companies were involved in a scheme to sell customer data, including their names, addresses and phone numbers. Illegally obtained personal data is commonly bought by professional debt collectors hired by online lenders, a practice that sometimes leads to violence when they come to collect.  

In late 2020, a man was spotted wearing a helmet while visiting a real estate sales office to avoid being caught by the facial recognition system in the building. The company used facial recognition to analyze the customers and used the data to decide which prices to offer.  

On service platforms, personal data is used to push tailored advertising. “You don’t need to be very smart to notice your browsing history is tracked,” said Zhang Jing, a Beijing resident and a mother of a second grader, explaining that every time she opens a shopping app, she sees ads for similar items she browsed recently.  

The most complained-about misuse of personal data is price discrimination across many platforms, which sees new users enjoy discounts and coupons while existing ones pay higher prices. In July, Zhang asked a friend to buy her some eye cream from an online duty-free store. She found that on the account of her friend, who often buys from the store, she needed to pay at least 30 yuan (US$4.6) more for each jar than if she registered a new account.

A survey by the Beijing Consumer Association in 2019 showed that over 88 percent of those interviewed said price discrimination was common on shopping, travel and ride-hailing platforms and 57 percent had this experience. It is difficult for consumers to find proof to hold problematic platforms accountable so they would usually give up, the survey found.  

Timely Response

In August, China released the highly anticipated Personal Information Protection Law (PIPL) in response to mounting worries over personal data infringement among its nearly 1 billion internet users. The law, scheduled to come into effect in November, lists the obligations of information processors, particularly large internet platforms and government organs.

China has been stepping up supervision of data protection. In June, it passed the Data Security Law, following the Cybersecurity Law in 2016 and a series of related regulations. “Now with the PIPL, the three form the basic legal system to maintain information network security in the country,” noted Fu Wei, director of the digital development research center of Beijing-based Fuxi Institution, which focuses on internet research.  

The PIPL prohibits excessive collection of personal data, stipulating that processing personal information requires clear and reasonable purposes and should proceed in a way that affects personal interest the least. The law bans illegally obtaining, using, processing, transmitting and trading of personal information. Processing of personal data should be based on personal consent (except in emergency or certain law-regulated situations). Giving the users the right to say no, the law stipulates that personal information handlers should not refuse services to users who disagree or withdraw consent.  

The law differentiates between general personal information and sensitive personal information, such as biometrics, medical and health information and location data, which causes severe consequences once leaked. Dealing with the latter requires gaining individual consent separately and strict protection measures. Zhao Zhanling, a lawyer with the Beijing-based Yunjia Law Firm, said that many companies package requirements regarding personal data in their user agreement or privacy policy and users just check a box when they register. “But it won’t apply anymore when it comes to sensitive information. They’ll have to get personal consent separately if they’re dealing with sensitive information.”

Regarding data-enabled automated decision making, including tailored push notifications and advertisements, the law prohibits price discrimination and requires companies to provide non-personalized information. Installing devices for personal data collection and ID identification in public places should be for maintaining public security, and the data collected can only be used for public security purposes except in cases of individual consent, according to the PIPL.

The law provides more assurance for users in safeguarding their rights, according to Zhao the lawyer. For example, it adopts a presumption of fault in data infringement cases, requiring information handlers to prove their innocence. “In the past, when individual users’ rights were infringed, it was hard for them to show evidence,” Zhao said.

Besides, using public interest litigation to protect individuals’ rights is written into the law. “It will play an important role in the future. The majority of users will not use legal means to protect their rights due to the difficulty and high cost involved. Public interest litigation by prosecutors and social organizations will make up the deficiency and serve as a supervision power for companies,” Zhao said.  

“Following the implementation of the law and supportive policies, problems like excessive collection and misuse of personal information are expected to be effectively cracked down on,” said Fu Wei, also a postdoctoral fellow at Tsinghua University’s Center for Internet Governance. 

The law also gives individuals the right to check, copy and transfer their personal information, which Fu expects to help the country’s anti-monopoly efforts in the platform economy.

What’s more, in regulating cross-border transmission of personal data, the law requires operators of key information infrastructure and personal information processors (PIP) that handle data reaching designated amounts regulated by internet and information departments to store collected personal data within the border. It is not clear yet what “designated amount” means. Information processors that need to transmit personal data cross-border have to pass a security evaluation from relevant departments and gain individual consent, and they need to make sure the overseas information receiver abides by at least the same standards of data security as China.

“Specific measures are expected to come out soon as important supporting rules to go with the law,” said Zhao, adding that these regulations are meant to protect public interest and also national security, as increasingly frequent cross-border flow of personal information has aggravated the risks.  

A toilet paper dispenser with a facial recognition scanner is installed in a public restroom, Beijing Olympic Park, April 6, 2019

For Better Use

The announcement of the law was followed by a major slump in big tech stocks, amid fears of an end to business that thrived on lax regulations.

China has already taken measures to protect personal data. Departments led by the Cyberspace Administration of China (CAC) started to crack down on problematic apps in 2018. In the first half of 2021, more than 1,100 apps found to be illegally collecting personal information were removed from app stores.  

In July, days after Didi Chuxing, China’s biggest ride-hailing platform, listed on the New York Stock Exchange, the CAC removed its apps from app stores and demanded that it correct its problems, saying that it had “severely violated laws and regulations in collecting and using personal data.” In early July, Yunmanman and Huochebang, China’s two major freight transportation apps, and BOSS Zhipin, a recruiting app, all of which listed in the US in June, were banned from registering new users for an evaluation of network security.

“In the past, the protection of personal information was mainly based on piecemeal regulation. Now the law has gathered all the requirements and raises a higher standard for data protection, with more detailed supervision duties and clearer and harsher legal obligations. All this makes the law more executable,” Fu said.  

According to the PIPL, PIPs are obliged to take measures such as classifying the information, encryption and de-identification to ensure that the handling of information abides by the law. They are also required to regularly carry out compliance auditing. PIPs that provide important internet platform services and have large user bases are obliged to build an independent institution made up of external members to supervise personal information protection. Companies that fail to comply face fines of 50 million yuan (US$7.8m) or 5 percent of their annual revenue, says the law.  

Fu added that the entire digital economy will be affected, but industries that rely on personal information to develop products, such as big data, smart homes, smart media and AI driving will have to absorb a more direct blow. “Companies will face increasingly harsher compliance requirements,” Fu said.  

The law is anticipated to increase compliance costs in the short term since companies are required to blend technologies and management involving data security and personal privacy protection into their routine business processes, according to Liu Bo, a chief scientist with DAS-Security, a Hangzhou-based data security solution provider.  

However, a legal framework will lead to healthier development and help companies go further in the long run, Fu said.

The law does not mean to restrain the development of the internet industry or curb their data-enabled business, but rather draw a clear line so they no longer need to worry about the ambiguity in supervision, Liu noted. The Data Security Law even mentions the possibility for businesses to access government data.  

Fu said the law will create a big market for professional services related to data compliance and technology solution providers. “Personal information protection itself might become a promising commercial field,” Fu said.  

A 2020 report on data security by market research company LeadLeo showed that in 2023 the scale of the data security market is expected to reach 9.75 billion yuan (US$1.5b), three times that of 2018.

Liu said the demand for data security solutions is on the rise and the PIPL serves as a catalyst.