China’s Data Privacy Balancing Act

The New York Times announced last week that China is implementing a mass DNA collection project in order to create a large-scale database that genetically maps the country’s entire male population. This news reignites concern over China’s mass surveillance system, especially as it made headlines last week for a litany of other news events that signal the government’s increasingly aggressive ambitions (see: escalating conflicts along the China-India border, Australia’s veiled accusations of a months-long series of cyberattacks from China, and the release of a blueprint for China’s new national security law for Hong Kong). But compared to China’s foreign policy ambitions, the government’s stance on surveillance is tempered by a key stakeholder—citizens—and a developing legal framework for data privacy.

Offline to Online Surveillance

Mass surveillance is nothing new for China. The country’s use of biometric data is widely regarded as one of the world’s most invasive, if not the most invasive. The developing Social Credit System (SCS) has also raised eyebrows for its potential human rights abuses, although its deployment does not yet actually resemble an Orwellian dystopia (and some might argue that the U.S. also has its own form of a social credit system).

On a micro scale, Chinese citizens are used to strict government oversight of their identities. For one, the hukou (household registry) serves as a mechanism for the police to track people’s movements; Chinese citizens are mandated to register with the local police station every time they change residences. Furthermore, pseudonymity is difficult on the Chinese Internet. China has a strong digital identity system, because the government has been promoting a real-name registration system for online activities, particularly for online payments. This means that Chinese citizens must often register for online services with their resident identity card, China’s main identity document, thereby establishing a strong link between real-world identity and online activities.

WeChat Pay and Alipay serve as obvious case studies. As online payment providers, they are subject to know-your-customer (KYC) requirements, which may run the gamut of identity document verification, biometric matching (i.e. liveness detection), SMS verification, and the provision of further details, like bank card / bank account details. Together, they have about 92.7 percent market share of the Chinese payment market, which boasts an 86 percent penetration rate of the Chinese population. Since they are also part of a sprawling ecosystem of products and services of their parent companies—Tencent and Alibaba, respectively—that includes food delivery apps, ecommerce sites, gaming, entertainment, and more, Tencent and Alibaba have the potential to collect a massive amount of user details, all linked to any individual’s real-world identity. Projects like WeChat’s pilot programs for digital identity cards only stand to reinforce an already solid link between real identity and one’s digital identity.

And even if apps and services do not require or use extensive identity verification protocols, the mobile phone number is often required for use of services, such as social media platforms. The phone number in itself is a strong link to one’s real identity, because users must register for SIM cards with their identity cards or passports and must submit to facial recognition scans. While the government’s use of digital identity is not well-advertised for obvious reasons, censorship on social media platforms and even private chats is a good starting point for understanding the insidious effects of a pervasive identity schema that leaves no room for (pseudo-)anonymity, not even on the Internet. In seconds, technology can recognize a politically sensitive post or text—and then identify the culprit with high assurance.

Progress Toward Data Privacy

China’s rapidly growing data economy and the pervasive use of the resident identity card number have made data privacy an increasing concern. High-profile data leaks in the past few years include an unsecured database of personal identity information on nearly 2.6 million people in Xinjiang and hundreds of millions of exposed chat logs from popular social media services like WeChat and QQ. A 2018 report by the China Consumer Association finds that 85.2 percent of app users in China have experienced data leaks; the survey also finds 60 percent of respondents adopted some measures to protect their personal information, suggesting growing user awareness of data privacy.

The Chinese government has responded to these concerns by strengthening its data privacy legal framework. China has historically taken a fragmented approach to data protection, with legal regulations differing by market sector. The 2016 Internet Cybersecurity Law (Cybersecurity Law) marked a distinct shift toward a more consolidated approach. Considered a Basic Law that supersedes other data protection mandates, the law combines previous data protection mandates from disparate sectors and is essentially applicable to any businesses that handle data in China. Analysts state that the Cybersecurity Law, which takes cues from the General Data Protection Regulation (GDPR) in its application of data minimization principles, falls somewhere between the U.S. and the E.U. in terms of offering a stringent national data privacy framework. Enforcement is patchy, as is legal action against abuse of personal information, with only 23 cases between 2009 and 2020.

During its annual meeting this May, the National People’s Congress, China’s main legislative body, demonstrated continued commitment to improving data privacy by including an entire chapter (out of seven) dedicated to “personality rights” in its first civil code. These new provisions ensure that personal data—any information that would fall under the “personality rights” category, ranging from emails to biometrics—is subject to legal protection. Among other things, these provisions should strengthen citizens’ right to legal redress of personal information abuses. However, despite recognition from legal analysts that this is a significant milestone, some caution that these new provisions still fall short of the GDPR.