China passed new data protection legislation in 2021, including its comprehensive data protection law, the Personal Information Protection Law (“PIPL”), issued on August 20, 2021. Companies that do business in China, whether or not they have an establishment there, should be aware of the compliance risks.
In her latest Duet interview with China Expert Prof. Dr Rogier Creemers, Dr Caldarola, author of Big Data and Law, considers China’s new regulations with regard to data protection and cyber security.
Before beginning with more detailed questions, could you please provide our readers with a short introduction to the laws regarding China’s data protection and cyber security regulations [1]?
Prof. Dr Rogier Creemers: Until about the mid-2010s, cyber security was not really an integrated concept in China. There were different bureaucracies and different administrations, each pursuing their own security-related concerns. So, for this reason, the Ministry of Industry and Information Technology (MIIT) was there to deal with these issues and still exists today. They were really looking at things like computer viruses. But other content-controlling authorities also existed and exist that were looking at the topic from a more Russian-inspired version of information security.
It is important to remember that China was only slowly digitising itself, a latecomer to the digital world in many ways as a developing country. And what happened around that time was that a number of developments took place which coincided with the idea that data protection and cyber security needed to be taken more seriously and needed to be better integrated. And part of these developments were technological evolutions: The smartphone arrived, and Chinese companies started making inexpensive smartphones which many Chinese people could afford. According to the latest figures, China has up to a billion people connected around China and they are mainly connected to the internet using their mobile devices. So that was the point where most Chinese had smartphones which, in turn, led to the emergence of a number of giant online companies. That was a time when a lot more data was being generated and IT became much more relevant.
Not surprisingly, that was also when data theft began to emerge. China had people, for example, who worked in a local department for motor vehicles and were selling information that belonged to car owners. There were cases where people were trying to get databases of telephone numbers in order to engage in mobile phone-based fraud or trying to swindle people out of their money. There were a couple of famous cases, such as the case of a young schoolgirl who was swindled out of her college money by these kinds of telephone scams and then committed suicide. And that case served as a starting point.
But there were also foreign concerns: That was the time of the Snowden revelations. That served as a catalyst for concerns in China about the risk posed by the United States, meaning what the US might undertake to derail Chinese progress.
So, for all of these reasons, cyber security took on a new importance leading to China creating a new central coordinating body in 2014: the Central Leading Group for Cybersecurity and Informatisation which was chaired by Xi Jinping personally. The creation of this new body meant the central commission for cybersecurity and informatisation was being upgraded.
Consequently, one can observe a movement towards greater legislation leading to the publication of a cyber security law in 2016. This law was really sort of an omnibus that created mandates – a whole roster of specific regulatory regimes. Two of them are related to data protection: one on personal data and one on important data. The legislation of 2016 also became a mandate for online content control, because the Chinese government classified that as a risk factor. Therefore, controlling content is part of the Chinese definition of cyber security. But it also includes cyber incident response or the social security disclosure of digital products and services. So, all these elements are part of Chinese cyber security.
As I mentioned above, cyber security contains mandates on personal data protection and important data protection. However, the provisions of the law are quite vague. Vagueness is something that happens quite often in Chinese legislative documents, which tend to be abstract and open-ended. So, China really leaves it up to the individual ministries to come up with more specific regulations with regard to what is prohibited and what is allowed and what is obligatory.
What one can observe since then is that there are essentially two major regulators in the digital sphere: the Cyberspace Administration of China (CAC) and the Ministry of Public Security, which oversees Chinese domestic security and police functions. Both regulators really have not gotten anywhere when it comes to regulating data protection. Part of the problem was that these two administrations do not see eye to eye at all. Another difficulty is also that it is and was really hard to regulate something that is developing so quickly and where enormous interests were at stake, both at the economic and social level.
And so, between 2016 – when the cyber security law was published – and let’s say 2019 – 2020, there were several draft regulations that were issued but none got adopted or enforced. Consequently, the Chinese government had begun recognising that data is a domain requiring specialised legislation. And from that point on, China started drafting the two pieces of legislation that form the core of the Chinese data protection regime until today: the PIPL and the Data Security Law. They were drafted in tandem. Both came out earlier in 2021 within a few months of each other. And both are now in effect.
My opinion is:
“Data is now a factor of production just like land, capital and labour. Being good Marxists, the Communist Party of China thus needs to control and regulate it.” – Prof. Dr Rogier Creemers
Is the concept of privacy and/or data protection the same for Europe and China? Or do differences only arise because the law reflects a different concept of ethics and governance model?
I think there are a couple of very important differences. It begins with the word “privacy” itself. I think we can safely say that here in Europe data protection and privacy tend to be overlapping concepts, meaning that in Europe we see privacy as a fundamental right, guaranteed to us constitutionally at EU level. So European residents have a fundamental right to privacy towards anyone or anything. They have it towards each other as private individuals, they have it towards companies which might want to process personal data and they have it with regard to the government.
Conversely, in China there are two different elements: The concept of a fundamental right doesn’t exist within the Chinese legal order. So, if the concept of a fundamental right doesn’t exist then the Chinese government is balancing competing objectives in a globally-oriented manner with regard to the topic of data protection. China wants the digital economy to grow but China also wants to ensure that people don’t get angry because their data is constantly being sold.
So, by analysing the new regulation regimes, one can see that authorities have tried to disaggregate all the different relationships between the different parties when personal information is involved and regulate those different relationships in specific ways.
Another difference with regard to China is the word privacy itself. It is a term of art in law and means something very specific. In Chinese law the word privacy refers to personal information about a private person that in some way might be embarrassing or shameful for that person. This draws on earlier cultural notions that are very much associated with shameful or immoral elements. For this reason, privacy is protected under the Chinese Civil Code, which views an infringement of privacy as a civil wrongdoing. The Chinese Civil Code refers to a particular kind of information – personal information about a person which that person does not want disclosed because it is shameful. That can be naked pictures of that person, the interior of his or her house or the tracking of the person’s movements, but it needs to have a strong connotation of shame. Whereas what the PIPL tries to do is something different. And in China that isn’t regarded as privacy. Information protected under the PIPL is grouped by the extent to which it can identify a person. The Chinese legislator has determined that, for example, a person’s telephone number is not in and of itself shameful because if it is divulged, that act would not be embarrassing for that person. It is just a random sequence of numbers. But it can be used to identify that person and cause that person particular kinds of harm. So that is what the new legislation is focusing on.
The terms “privacy” and “data protection” (or “personal information”, as in the CSL) thus appear to have different meanings. The term privacy seems to be a term of art used in civil law but not in public law, targeting private confidential information that a data subject could find shameful and the exposure of which would harm them substantially. Privacy seems, therefore, to cover the reputation and good name of a person. Data protection instead seems to focus on information that identifies a person, is business-related (for example, a person’s banking information) and would harm the person’s lawful rights and interests if misused. Only privacy seems to be mentioned in China’s constitution, but not data protection. Is this a key difference to the GDPR?
In fact, one or two things that bear mentioning are that Chinese regulatory authorities seem to have looked at the GDPR as a source of inspiration. What they did, in fact, was to take over all the key terminology and some key mechanisms, but then decoupled them from the European purpose of protection as a fundamental legal right. So, we have in the end similar mechanisms introduced into a Chinese legal order.
Regulations in China appear to look at different constellations, such as the individual, businesses, and the role of governmental institutions. Why are these constellations handled differently to Europe? Are there privileges for certain groups?
Part of the problem is that in China you have a core piece of legislation, but a lot of details are missing. Furthermore, since the PIPL just came into force in November 2021, there are some draft regulations on the cards, but none has been passed so far. Therefore, the comparison with the GDPR is difficult because the regulatory framework is not yet complete, a process which is meant to happen in about a year or so.
When we look at specific legal mechanisms, the PIPL provides very strong forms of protection, in some ways, and offers some forms of protection in ways that the GDPR does not necessarily have. There are strict rules regarding how regulations are to be implemented, for example, which companies must abide by when it comes to consent being required, or when a data controller has data from over a million users and/or has contacts abroad, then the data controller needs to go through a security review if data is being exported abroad. These are forms that do not exist in the GDPR. At the same time, however, there is a very broad margin for what is allowed. There is a short section in the PIPL that pertains to obligations of government bodies holding data, and those government bodies pretty much never need to obtain consent for collecting data as long as they do it for the purpose of realising their statutory goals. And essentially here is where the Chinese government is trying to lay the groundwork for a fairly difficult exercise by trying to disaggregate all these different components of the government. I suppose we can expect to see disciplinary internal regulations when dealing with these issues.
Earlier, I mentioned the example of the persons in the motor vehicle department who may have access to personal data and sell it to car insurance companies, which is not something that the Chinese government wants to happen. Similarly, China does not want anyone in the administration having access to governmental data who might be a paedophile using that access to do horrible things to the target of their stalking. But, at the same time, China has these very powerful domestic security forces that are trying to prevent all kinds of protests and subversions. And obviously China does not want to curtail that kind of activity being carried out by domestic security forces. So, what we see happening is regulation in a very decentralised manner. In some cases, some distinction might be made between different data controllers. And this is something we are seeing China working on: Regulations that are not so different to the European Digital Services Act and Digital Markets Act, where large data controllers are going to come under greater scrutiny and they are going to have greater obligations than smaller service providers and gate-keepers.
The laws regarding cyber security and data protection are vaguely written, although they are meant to establish objectives and mandates for the government. Which areas permit far-reaching interference on the part of the government, and how will this sort of activity be evaluated by Western countries? Has this been established on purpose to give room for harmonisation of data protection and privacy rules, since data is crossing borders as we speak, by looking at the global or international context? Or has it been drafted to give courts and other authorities more room for interpretation and steering?
First of all, what we need to know about China is that courts play a minimal role in interpreting or shaping the law. It is not like the Court of Justice of the European Union, which interprets the law and then these interpretations become authoritative. Chinese courts apply the law without a strict rule of precedent. Obviously, there are attempts on the part of the judiciary to ensure there is a degree of consistency, but a formalised rule of precedent does not exist.
This means it will be up to the individual ministries – and with regard to personal information protection most notably the Cyberspace Administration of China – to come up with rules.
And, already in terms of the draft regulations, we can see a couple of trends both at the specific level, where specific industries are targeted, and at the general level. Already in November 2021, the CAC published a first draft on security protection rules that were mainly general guidelines which provide a lot of detail, and are pretty harsh, for example, in the compliance and reporting requirements. Again, Chinese companies which have foreign listings are primarily being targeted, and the Chinese government is always very concerned with regard to foreign sources of power or authority or loyalty. For example, China does not like the Catholic Church because the Catholic Church would rather listen to Rome than to Beijing. So, for all these reasons, China is making it much more difficult for Chinese tech companies to list on foreign markets where these companies wish to raise funds.
At the same time, the Chinese government is clearly trying to have its piece of cake and eat it too: On the one hand, it wants to strictly protect its own domestic data sphere while, on the other hand, China wants to enable the economic value of data flows and wants to profit from those as well. And so, China has been very vocal about wanting to be part of the digital partnership arrangement which was concluded between New Zealand and Singapore in Chile. I expect that at some point China will make overtures to the EU essentially saying: Look, we have a Personal Data Protection Law, and look how similar it is in so many ways to the GDPR and the European Digital Services Act and Digital Markets Act.
Obviously, there is a legal argument there, but also a political one. The legal argument is, in a way, very simple: Does Chinese legislation meet the requirements for adequacy that the EU has set? The political element involves the negotiations between the EU and the US and also, and one can imagine how difficult those negotiations might be, between the EU and China. Given the fact that any settlement needs to pass the European Parliament and that the EU has already demonstrated that it is very sceptical with regard to the US, I, in turn, would not be terribly optimistic regarding the political chances of a big data flow deal with China, particularly given current tensions after the year the EU has had, with mutual sanctions and investments essentially being put on ice. For all these reasons, I do not think a settlement of this kind is going to happen any time soon.
The one thing that companies need to remember is that the PIPL is only one half of Chinese data protection infrastructure. The other half is the Data Security Law. And this is the element with which we are not very familiar. Anyone with some exposure to GDPR will be able to look at the PIPL and will feel they are on familiar ground. But, in fact, the Data Security Law is something different: It is not about the protection of the individual arising from particular uses of data. The data security law is about protecting national security and public interests from harm enabled by the use of any data, not just by the use of personal information – i.e., data stemming from industrial control systems or infrastructure – really just any kind of data that could have a bearing on national security and public interest. And so, when Chinese companies plan their data protection strategy, they not only have to consider personal information, but need to consider a broader range.
If laws are vaguely written, does China reach precision through implementation, such as, of technical standards? Can you give our readers more insights into understanding better the mechanism involved?
Yes. So essentially three levels of regulation exist in China. No, actually four levels!
The top level is legislation called a law which has been drafted and passed by the National People’s Congress. Like I said, these tend to be vague. In general, the National People’s Congress sets principles and creates punitive standards and mandates for administrative bodies.
The second level is the regulatory level and here regulations are issued by a ministry or sometimes by multiple ministries working together. They will already contain a lot more detail.
The third level involves technical standards issued by a Technical Committee called Technical Committee 260, and this body has been issuing standards since the Cyber Security Law was passed. Many of them relate either to personal information protection or data security. They will often contain a more specific definition of terminology or a very specific framework. They might contain standard contractual clauses that the CAC refers to when it comes to data export. And that is where one finds a lot of details. The problem is that there are so many of them! And we do not always have the resources to look through all of them in detail. So, this is where companies operating in China want to get input from local law firms who know what they are doing and who have gone through this enormous stack of paperwork.
And there is a fourth level of regulation. And this fourth level is one with which Europeans are not well acquainted: It is called “self-regulation”. This comes from sector associations which usually work very closely with regulatory authorities and the Communist Party. They come up with sectoral codes of conduct. It’s not really soft law or hard law, for that matter, but somewhere in the middle. Those regulations contain clear statements of expectations of how companies should behave if they don’t want to get into trouble either with administrative law enforcement or with courts. Many of those regulations are not formally binding in a legal sense. However, some of them are, while others are being incorporated into regulations. In any case, if you are ever dealing with a body of enforcement, such as administrative regulators and courts, these bodies usually view these standards as best practice or a code of conduct. So, when someone wants to deviate from those standards, he or she had better have a very good explanation for why he or she did so.
Western countries talk about the three powers and they talk about checks and balances, so Western countries are talking about a division of power. Conversely, China talks about a division of labour. So, China doesn’t see the role of courts, ministries and the legislature as being to check and balance each other. Rather, they see it as a more functional differentiation of labour, where the legislature has certain tasks, the ministries have certain other tasks, and the courts have other tasks. But those are not competitive. Rather, they are all supposed to work towards the same end in an, at least rhetorically, harmonious and cooperative manner.
Prof. Creemers, thank you for sharing your insights into China’s new regulations with regard to data protection and cyber security.
Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognised experts, delving even deeper into this fascinating topic.
[1] A translation of the law can be found at: Translation: Online Data Security Management Regulations (Draft for Comment) – Nov. 2021 (stanford.edu)