From Lofty Guarantees to Basic Protections: Benchmarking Privacy and Data Protection Standards in Chinese Government Programs
22 Pages Posted: 19 Mar 2018 Last revised: 16 Aug 2018
Date Written: March 16, 2018
This paper examines the current status and emerging contours of a national regime for privacy and data protection in China. Specifically, it investigates the data collection, archiving and dissemination practices in a sample of poverty alleviation programs at the local government (provincial and prefecture) level and assesses their conformity to the new standards enunciated in China’s 2016 Cybersecurity Law and its implementation guidelines, the Personal Information Security Specifications, announced in December 2017 (General Administration of Quality Supervision, Inspection and Quarantine, & Standardization Administration, 2017). Historically, the public in China has had low awareness of privacy and attributed less salience to the protection of personal data. Consequently, there was no right to privacy in the Chinese system until recently (Wu, Lau, Atkin, & Lin, 2011). However, attitudes toward privacy began to change, paralleling the growing capability of both private companies and the government to collect and cross-tabulate ever-increasing amounts of data, compounded especially by frequent leaks of personal information (National Internet Emergency Center [CNCERT/CC], 2017). Particularly of concern were systems such as the Social Credit System, announced by the Chinese government in 2014, seeking to generate a single score for every citizen based on their electronic interactions including e-commerce, social media and broadband consumption (Botsman, 2017). Chinese citizens and consumer advocacy groups have recently demanded greater protections for personal data and individual privacy (Mozur, 2018; Tannam, 2018). Partially in response to these concerns, the Chinese government included for the first time systematic protections for privacy and personal data protection in the 2016 Cybersecurity Law. Broadly, the new regulations fall into three categories: personal information, data transfer, and data management/governance (Sacks, 2018). The implementation guidelines to the Law also include specifications on cross-border data transfer and data localization. Observers who have analyzed the law and its implementation standards have evaluated its privacy protections positively, claiming that the “language in the standard is comprehensive and contains more onerous requirements than even the European Union’s General Data Protection Regulation” (Sacks, 2018, online). In the context of the new legal guarantees embodied in the emerging national regime, the actual status of privacy and data protection in Chinese government programs has not been extensively studied. Most studies currently available examine the legal regime, or survey consumer perceptions of privacy: for example, Wu et al (2011) and Shen (2012) studied the legal regime for online privacy, while Yang and Liu (2014), Mou et al. (2013), Ji (2017) and Xu and Qi (2014) analyzed Chinese students’ perception of privacy protections on Chinese social media, and its impact on their patterns of use. But to the best of our knowledge, no study has examined the actual data collection, archiving and dissemination practices by government programs in China. Accordingly, this paper investigates the data collection, archiving and sharing practices in a sample of local government programs in China. We specifically choose poverty alleviation programs using big data methods, since they target the most vulnerable sections of society. For each program, we observe the types of data collected, user rights, and data sharing and transfer protocols included in the program guidelines. Our principal sources of information are publicly available program documents and databases. In addition, since data collection and dissemination practices are often implicit, we supplement documentary evidence with interviews of selected government officials in each program. The output of our analysis will provide a benchmark against which the implementation of the privacy protections in the new Cybersecurity Law may be measured, after its implementation. How China implements its cybersecurity and privacy standards is of interest not just to its own citizens, but also to the growing list of international technology businesses and manufacturing firms with a stake in this fast-emerging economic giant. It is also of interest from a policy perspective as an example of a dynamic environment in which social norms, business practices, legal provisions, and consumer expectations evolve interactively to fashion a new legal regime. References Botsman, R. (2017). Big data meets big brother as China moves to rate its citizens. Wired, online. Accessed March 15, 2018, at http://www.wired.co.uk/article/chinese-government-social-credit-score-privacy-invasion General Administration of Quality Supervision, Inspection and Quarantine, & Standardization Administration of the People's Republic of China. (2017). Information security technology—Personal information security specification (in Chinese). Accessed March 15, 2018, at http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE Ji, Q. (2017). Social Media News Use and Political Discussion: A Focus on Chinese Users’ News Reception and Dissemination. Electronic News, 11(1), 3-19. Mou, Y., Atkin, D., Fu, H., Lin, C. A., & Lau, T. Y. (2013). The influence of online forum and SNS use on online political discussion in China: Assessing “spirals of trust”. Telematics and Informatics, 30(4), 359-369. Mozur, P. (2018, January 4). Internet users in China expect to be tracked. Now, they want privacy. New York Times, online. Accessed March 15, 2018, at https://www.nytimes.com/2018/01/04/business/china-alibaba-privacy.html National Internet Emergency Center [CNCERT/CC] (2017). 2016 Annual Internet Cybersecurity Report of China (in Chinese). Accessed March 15, 2018, at http://www.cert.org.cn/publish/main/upload/File/2016_cncert_report.pdf Sacks, S. (2018). New China data privacy standard looks more far-reaching than GDPR. Center for Strategic and International Studies. Washington, DC: CSIS. Accessed March 15, 2018, at https://www.csis.org/analysis/new-china-data-privacy-standard-looks-more-far-reaching-gdpr Shen, A. (2012). Policing and Legal Protection of Privacy in China and the UK: A Comparative Study. GSTF Journal of Law and Social Sciences (JLSS), 2(1), 1. Tannam, E. (2018, January 8). Privacy worries increasing among internet users in China. Silicon Republic, online. Accessed March 15, 2018, at https://www.siliconrepublic.com/enterprise/china-online-privacy-tencent-alibaba Wu, Y., Lau, T., Atkin, D. J., & Lin, C. A. (2011). A comparative study of online privacy regulations in the US and China. Telecommunications Policy, 35(7), 603-616. Xu, Q., & Qi, L. (2014). Use of SNSs, political efficacy, and civic engagement among Chinese college students: Effects of gratifications and network size. International Journal of Interactive Communication Systems and Technologies (IJICST), 4(1), 15-30. Yang, H., & Liu, H. (2014). Prior negative experience of online disclosure, privacy concerns, and regulatory support in Chinese social media. Chinese Journal of Communication, 7(1), 40-59.
Keywords: privacy, data protection, cybersecurity law, China
Suggested Citation: Suggested Citation