By means of the much-vaunted Social Credit System, the Chinese government seeks to motivate citizens to be more honest by using digital control and Big Data. Authors in Western countries, such as Kai Strittmatter and Shoshana Zuboff, label it a Surveillance State. What is the legal basis behind China’s Social Credit System?
In her Duet interview with Dr Thomas Pattloch, renowned legal expert for China, Dr Caldarola, author of the recent book Big Data and Law, discusses how China processes data and which data protection law regulates the data processing in question
China is racing towards the digital future and is seeking to become world market leader in matters regarding artificial intelligence (AI). Mobile phones organize lives completely in China. Cash payments are virtually unknown. Facial recognition is ubiquitous in the big cities. Medicine is at the cusp of a revolution, for many hospitals are already working with AI in order to recognize diseases faster and with greater precision. Metropoles like Shenzhen are turning into Smart Cities – urban sectors are receiving a sort of digital brain which has everything in its focus. By the end of 2021, China will have 600 million surveillance cameras operating in public spaces. Every step and movement is being recorded- and not just via these surveillance cameras. Everything is visible and accessible. People are being exposed at train stations by having highly sensitive information being made public, regarding payment of taxes, traffic infractions, observation of environmental regulations etc. Everything is being collected and evaluated in a Social Credit System – a data-based rating system, which is meant to influence how people behave. Kai Strittmatter, Ranga Yogeshwar as well as Shoshana Zuboff point to a picture of surveillance capitalism. What is the basis for the collection and evaluation of data?
Dr Thomas Pattloch: Legally speaking, the legal framework came after the technology. Nevertheless, the Social Credit System goes back to as early as 2013. A range of important political and legal documents issued then defined its starting point: The 18th National Congress of the Communist Party of China decided to “strengthen the construction of government integrity, business integrity, social integrity, and judicial credibility”, and the Third Plenary Session of the Party’s 18th Central Committee proposed to “establish and improve a social credit investigation system, praise integrity, and punish dishonesty.”
The “Opinions of the Central Committee of the Communist Party of China and the State Council on Strengthening and Innovating Social Management” then put forward the “establishment and improvement of a social integrity system” and the “Outline of the Twelfth Five-Year Plan for the National Economic and Social Development of the People’s Republic of China” set the overall requirements of “speeding up the construction of a social credit system”. The State Council on 14 June 2014 promulgated its “Planning Outline for the Construction of the Social Credit System” with the planning period being from 2014 to 2020 (“State Council Outline”).
The regulatory requirements related to personal credit reporting services are based on the “Regulations on the Administration of Credit Reporting Industry” promulgated by the State Council on January 21, 2013 and implemented on March 15, 2013, and the “Measures for the Administration of Credit Reporting Institutions,” issued by the People’s Bank of China on November 15, 2013 , implemented on 20 December 2013, followed by the “Administrative Measures for the Recordation of Corporate Credit Reporting Institutions”, issued on 20 September 2016 (“Regulations”). The SPC started a blacklisting system for non-compliance with court judgments under the Provisions of the Supreme People’s Court on Releasing the List of Judgment Defaulters in Enforcement Proceeding as far back as 1 October 2013.
It is important to understand that when talking about the “Social Credit” system, the term “credit” and what it implies is by no means clearly defined; the term used in Chinese relates to “examining the reliability”. The regulations themselves do not define what “credit information” is, while its Art. 2 defines the term “credit reporting business” as meaning “activities in which credit information on enterprises, public undertaking institutions and other entities as well as credit information on individuals are collected, sorted, stored, processed and provided to users”. In its Art. 4, the “Interim Measures for the Management of Basic Personal Credit Information Database” refer to “individual credit information” as “basic individual information, individual information on credit transactions and any other information that may reflect the individual credit status. The term “basic individual information” as mentioned in the preceding paragraph denotes such information as the “identity, career and residential address of a natural person.” The standard “Basic Terms of Credit (GB/T 22117 – 2018)” defines “credit information” with a narrow meaning in the sense of ability to pay back debt, and with a wider meaning in terms of integrity and law-abiding behaviour.
Data in practice is widely collected both by governmental organisations and private associations which are either officially licensed to do so or – in spite of a lack of clear authorisation – do collect data nonetheless.
The traditional credit information system is run by the People’s Bank of China and not yet interlinked with the new credit rating systems encouraged and set up by the government at all levels, in all industries and all regions in China. The credit information system in a broader sense also includes governmental credit information systems, such as the National Enterprise Credit Information System, social public credit information system and others, but also the “Enforcement Information Disclosure Network” operated by the Supreme People’s Court which provides information on persons subject to execution and untrustworthy persons subject to execution of court judgments (reportedly standing at more than 14 million people entered into the court’s blacklisting system by February 4, 2020).
This is complemented by organisations with a proclaimed industry self-discipline (meaning industry monitoring itself and curtailing deemed breaches of proper behaviour) , such as the China Internet Finance Association (set up in 2016) and the Network Financial Credit Reporting system both of which provide data sharing platforms for financial information involving risky ventures, a system which came into life to address the need for more reliable information on lenders in the booming online-lending sector in China. Others, like the Baixing Credit Reporting Co. Ltd., are jointly established by eight pilot institutions for personal credit reporting led by the China Internet Finance Association and have been licensed by the government since May 2019.
The State Council Outline states that “the modern market economy is a credit economy” and concludes that “advancing the construction of a social credit system is an effective means to enhance social credibility, promote social mutual trust, and reduce social conflicts.” It also adds that “improving the social credit system is a necessary condition for deepening international cooperation and exchanges, establishing an international brand and reputation, reducing external transaction costs, and enhancing the country’s soft power and international influence.”
The State Council Outline has planned that “by 2020, the basic social credit laws, regulations and standard system will be basically established, the credit information system covering the whole society based on the sharing of credit information resources will be basically completed, the credit supervision system will be basically sound, and credit. The service market system is relatively complete, and the trustworthy incentives and punishment mechanisms for dishonesty are fully functioning.” Yet the reality is still very different, and while there is a general perception of an all-powerful surveillance state, interconnection and sharing of the many different credit systems in China is still a work in progress.
Our own European GDPR is based on a variety of basic principles, such as (a) informational self-determination; (b) transparency: Which data are being processed for what purpose and by whom; (c
) Alert subjects to the possibility of authorisation in the form of legal grounds requiring it or consent; (d) the right to be forgotten and data minimisation etc. Do these basic principles exist in China as well? And if they do, to the same level or changed in some way? Meaning, have they been interpreted or applied differently? Or are different basic principles being applied? If so, which ones? What differences can be observed between Europe and China?
According to Article 2 of the Regulations on the Management of Credit Investigation Industry, “Credit Investigation Service” refers to “collecting, sorting, storing, and processing the credit information of enterprises, institutions and other organisations (hereinafter collectively referred to as enterprises) and personal credit information, and provide activities to users of information.”
At present, there are reportedly more than 2,000 companies in China engaged in services similar to personal credit reporting. They are involved in the collection, processing and sale of “basic personal information”, defined according to the Interim Measures for the Management of Basic Personal Credit Information Databases as name, certificate number, bank card number, mobile phone number. It is important to note that data collected in conjunction with Social Credit Ranking does not qualify as being subject to the various regulations on the Credit Reporting Industry: Art. 2(2) Administrative Regulations on the Credit Reporting Industry of 2013 explicitly states that “Where for the purpose of performing their duties, state organs, or entities which are authorised by laws and regulations and have functions of public administration, collect, sort out, store, process and release information on enterprises and individuals in accordance with laws, administrative regulations and relevant provisions of the State Council, these Regulations shall not apply.”
“Personal data” carries both personal rights and property features, and many of the principles of European data protection law have also been adopted in China to some extent, albeit not yet clearly declared in a law or regulation as under the GDPR, which may change with the advent of the Personal Information Protection Law, which is currently still being drafted and expected to be passed in 2021.
There is no right to “informational self-determination,” such as under German law, and privacy is often understood in a much more limited way.
In China, there are a large number of different laws and regulations governing and impacting cross-border transfer of personal data, such as the National People’s Congress on Strengthening the Network Information Protection, the new Civil Code in its Art. 990 to 1000 on “personality rights” and Art. 1032 to 1039, including draft laws and regulations such as the upcoming Private Information Protection Law, and the Cyberspace Affairs Commission CAC Draft Personal Information Export Security Assessment Measures of 13 June 2019, to name a few. Obligations stemming from these various laws and regulation also affect foreign organisations since they are then viewed as network operators and personal information recipients under Chinese law and – in accordance with the CAC draft measures – theoretically oblige contract partners to also bind them accordingly; reference to the GDPR is not sufficient. However, in practice it is still uncertain as to what failure to do so will result into what potential sanctions for foreign counterparties.
According to CAC draft measures, all contracts which concern cross-border export of PI should stipulate basic clauses such as purpose, type and overseas retention time for information export, PI subject, compensation obligations in case of damages suffered by data subjects, termination right/security assessment when information recipient has difficulties to perform these obligations under contract. Additional clauses should be added regarding obligations of PI providers (information rights etc.), PI recipients (access, deletion upon request, restricted use, notification obligations) and regarding Re-transfer of recipients of PI. Both PI provider and its recipients (data processing entities) bear joint and several liability.
It is important to note that interpreting the practical application of these requirements is constantly changing; in comparison with Europe, data is not only related to the private citizen, but also to censorship, political control, national sovereignty and a deep-running scepticism and reservation with respect to private control over the data in question.
My opinion is:
“Data may be the “oil of the future”, but how we deal with it will be the measure of our values and culture”.
Dr Thomas Pattloch, LL.M.Eur.
The state in China seems to be taking on a different role compared to that of European states. While European governments seem to fear that a power shift is occurring in favour of private economies, it appears that a different scenario is taking place in China with the state having a significant influence, if not a managing and steering role. The telecommunications firm Huawei, the internet trader Alibaba, the chat evaluator Tencent as well as Visionera which evaluates movement and facial profiles all take part in the Social Credit System and are subordinate to the Chinese Communist Party. What does subordinate mean in this context, what liberties do these companies enjoy or are they simply an extension of the various tools at the disposal of the Chinese state?
The State Council Outline of 2014 describes the role of the state in a very clear and straightforward manner: “The government promotes and the society builds together. Give full play to the government’s organization, guidance, promotion and demonstration role.” It also adds: “Each industry is responsible for the organization and release of credit information for the industry.” Finally, it also includes the goal of improving “the inter-ministerial joint conference system for the construction of the social credit system.”
Reportedly, in the past, Tencent and Alibaba/Ant Financial Group refused to cooperate with the People’s Bank to release and share their data on financial transactions, which is important to reduce reliance on the two dominant technology players in the market- at least from a governmental perspective. Recent actions against Ant Financial Group show that private companies have some freedom, but must adhere to government line and will be brought to heel if they do not follow Communist Party guidance. From a Western perspective, this clearly demonstrates the primacy of politics over company plans and commercial objectives.
European citizens would find it strange if certain information was made publicly known as part of a Social Credit System. How is this system perceived by Chinese citizens? Is it part of the daily routine, considered to be normal or is it even traditional? What is the basis for these differences with regard to Europe? Can we speak of another type of ethics? Another form of government? Or are there other reasons at work here?
The official goal of the Social Credit system was originally to address “serious production safety accidents, food and drug safety Incidents”, close the gap “between credibility of government affairs and judicial credibility and the expectations of the people”, to “reduce government administrative intervention in the economy and improve the socialist market.” Its “main content is to promote the construction of government integrity, business integrity, social integrity and judicial credibility, to promote the establishment of a culture of integrity, establish trustworthy incentives and punishment for dishonesty.”
It is undeniable that the system aims at complete (or at least better) control over the actions of its citizens (including state-owned companies) at all levels, to increase oversight, transparency and to influence behaviour. Many food and financial scandals, but also abuse of power, pose serious issues for Chinese citizens, which have little practical means to fight back. The system is thus overwhelmingly seen as positive, a step forward by using technology to – from a government perspective – promote the Chinese way of life and governance.
A key to why observers from outside of China perceive this system so differently lies in a completely contradictory system of values, such as participation by citizens regarding the powers to shape society, a very different understanding of the role and function of the courts and fundamental rights of its citizens, and a very different historical experience concerning chaos and abuse of power.
Has China‘s Social Credit System been successful in influencing how people behave? What success can be observed in China? Are Chinese citizens become better people?
“Control over people“ is difficult under any governmental system, and while stability and a harmonious socialist society are primary goals for Chinese leadership, the state remains highly suspicious that people would resort to amoral and harmful behaviour if left unsupervised. A technical system may make execution of power and “education of masses” more effective, but its stability and usefulness still remain to be judged in the future. The benchmark has been set by the State Council and CCP itself: “Carry out mass moral appraisal activities, analyse and appraise the phenomenon of lack of integrity and non-credit, and guide people to be honest and trustworthy, obey the morals and be respectful.” The “step by step” building process (State Council Outline) continues, but integrating China into a global system both with regard to cultural integration and political acceptance in the West has come to an abrupt halt. Whether such a system can be harmonised with a Western system based on individual rights and data protection remains highly doubtful.
It is supposedly possible to assign 5198 individual data elements to one citizen, which stem from a total of 97 authorities which are connected to one another. What is the legal basis of such networking at the state authority level?
The State Council Outline states that “All departments must follow the principles of data standardisation and application standardisation, relying on major national informatisation projects, integrate credit information resources in the industry, realize the electronic storage of credit records, accelerate the construction of credit information systems, and accelerate the advancement of inter-industry credit information interconnection intercommunication.” It also adds: “All regions and industries should be demand-oriented, under the premise of protecting privacy, clear responsibilities, and timely and accurate data, and in accordance with the principle of risk diversification, establish a credit information exchange and sharing mechanism, make overall use of the existing credit information system infrastructure, and advance in accordance with the law.” The right to put data into the various credit systems is nowadays always explicitly included into the Cyber Security Law, Personal Information Protection Law, Data Security Law and many other laws and regulations. Thus, legislation is catching up and creating the legal basis to store and share credit-related information.
Globalisation as well as the cross-border projects being carried out, such as Big Data, Industry 4.0, digital eco-systems and market places etc. require uniform processing of data yet data protection laws vary across the globe – as we have seen in an earlier interview with Prof. Dr Weber. Which ways of managing data will gain the upper hand? What is actively being done to come to a consensus regarding how data is handled? Is there a debate currently taking place between China and Europe concerning how data is being managed? Or are these disparities simply being ignored? What obstacles and differences would need to be overcome in order to harmonise the varying attitudes with regard to data and what could a compromise look like?
The EU Commission and the member states are in an active dialogue with the Chinese government, which also includes topics, such as the rule of law, data protection and data sovereignty. The control of data is being increasingly linked to the competitiveness of national industry, national security and innovative strength, but also to the underpinning and steering of social order and the way of life in the respective region. The debate about cross-border data traffic and the rights of data subjects abroad already exists and will become more explosive and problematic the more it is related to different ideological basic social orders. Therefore, harmonisation can only be expected with regard to basic principles, but the differences in practice and their interpretation are likely to increase.
China invests significantly more capital in digitalisation compared to other countries and, owing to its large population, has access to a tremendous amount of data which is a significant factor for the digital future. China is a trend-setter as far as the digital revolution is concerned. Are these the prerequisites towards deciding to manage data according to the Chinese model at the global level?
The Chinese model relies on central structures and – as can be seen in the oligopolies in China with Baidu, Tencent, Alibaba in the Internet and software sectors – is essentially driven by the idea of control (including full transparency for the state at all times) over data and content. This contradicts fundamentally “open” concepts, as characterized by Google and Facebook, or other concepts by Apple, which emphasize the control of the individual over his/her personal data. Technically speaking, paying with cell phones, ordering food and processing online transactions on the stock exchange may be seen as a revolution; the fundamental questions about the classification of the treatment of the underlying data are not answered by it, however, but only created.
If I have understood your answers correctly, the EU as well as China and 14 Asian-Pacific states recently concluded the largest free trade agreement in world. Can we expect these 14 countries to harmonise their data protection laws with China? If so, what shape could this uniformity take on in legal terms?
The Regional Comprehensive Economic Partnership RCEP hardly mentions the cross-border data flows or PI, and does not provide for a harmonized approach. While the RCEP may provide a new platform for trade talks outside of the WTO setting, doubts remain whether the highly diverse participants, each with their own very different levels of economic development, will prefer to push on and agree to further agreements under this umbrella organisation.
Thomas, thank you for sharing your insights on how China processes data and which data protection law regulates the data processing in question.
Thank you, Cristina, and I look forward to reading your upcoming interviews with recognized experts, delving even deeper into this fascinating topic.