China is Full Steam Ahead on Data Privacy

On January 8th, just a week after China’s Civil Code went into effect, the Hangzhou Internet Court heard and ruled on its first data privacy case. In this case, Sun, the defendant, sold more than 40,000 personal information records to Liu, who used this data for advertising. The records contained people’s full names, email addresses, and social media IDs. The procurator (like a U.S. federal prosecutor) determined that this action constituted an offense against the new privacy protections codified in the Civil Code.

The Civil Code is a decades-long culmination of legal developments in China. It covers the full scope of civil law, such as property rights, contracts, and family law. But among these traditional pillars, the considerably large section reserved for the protection of personal information stands out. In Chapter Six of Part Four, the Civil Code defines privacy as “a natural person’s peace of life and the private space, private activities and private information which he/she is unwilling to divulge.” Essentially, individuals and organizations are prohibited from calling, texting, messaging, and emailing others without their consent. The Civil Code also grants individuals the right to request data deletion or correction from information processors (e.g., social media platforms). These rights and prescriptions build on earlier Chinese cyber-focused legislation, such as the landmark Cybersecurity Law of 2017. In contrast, the Civil Code takes a much more prescriptive approach and incentivizes private citizens to seek legal recourse against privacy incursions.

The codification of data protections in such a principal document marks China’s legislative willingness to adopt privacy as a core value, like the European Union’s General Data Protection Regulation (GDPR). By clearly defining what actions constitute as ‘data abuse,’ it limits the leverage of tech behemoths over individuals’ data. China’s meteoric rise in internet users—from 298 million in 2008 to 989 million in 2020—has necessitated guardrails on the digital economy. With personal data acting as a critical resource in the race to train artificial intelligence models, these new regulations are vital in ensuring that perverse economic incentives do not prevail.

That being said, China’s data regulation authorities have yet to fully mature (although in context, most national data protection structures are still nascent). On balance, China’s data protection framework leans towards national security, which may become a competing interest against “full privacy.” There are also several legal overlaps with previous data protection regulations. Without clear guidance from regulatory bodies, the legal ambiguity risks hindering innovation, as companies become wary of potential legal missteps. Further, it is unclear whether the protections laid out in the Civil Code supersede previous legislation or whether one should interpret them jointly.

To clear up some of these ambiguities, the Personal Information Protection Law (PIPL) is in the Chinese legislative pipeline. The current draft of the PIPL extends the information processor clauses in the Civil Code, proposing that processors must obtain individuals’ consent to share their data with 3rd parties. Almost any internet entity can fall under the “information processor” umbrella, so if this law is to be strictly enforced, it could create immense compliance burdens for technology companies. For example, many websites frequently contract with cloud providers to store and process data, which means they would have to redraft their terms and conditions and prompt users for renewed consent. But on the flip side, the PIPL disincentivizes the selling and reselling of personal data, which would strengthen privacy. Whichever side of the coin it lands on is still a long way’s off.

China’s commitment to fleshing out its data protection framework is evident. Its recent swift application points to an increase in welfare for China’s citizens. China’s convergence to the maturing GDPR framework signifies an eagerness to keep up with global privacy trends. Under the backdrop of increasing global scrutiny of large technology firms, it is worth paying attention to new data protection legislations. There are enough scarce resources in this world—privacy should not be one of them.


Tianjiu Zuo is from Hong Kong and is studying Public Policy and Economics.

Add a Comment

Your email address will not be published. Required fields are marked *