security and privacy outweighed by power and capital
A landmark Cybersecurity Law came into effect three years ago, on 1 Jun 2017. State sovereignty is now better protected; business lobbying has diluted or deferred rules that threaten its interests. A daunting task is now faced: settling the fine print of privacy provisions, cross-border data transfer and CII (critical information infrastructure). Concerns about privacy and information control grow, yet the value of opening up the data market, and the drive to 'modernise governance', promises a lax regulatory approach in laws due in 2020.
unclear goals mean unclear outcomes
Balancing ‘informatisation’ and cybersecurity has been a never-ending debate.
For Beijing governance is modernised by data. COVID-19 spurred local adoption of data-driven tech, notably with health-rating QR codes. Performance of lower tiers of government and their officials is best evaluated with access to better data, current thinking goes.
Encouraging public–private data sharing and trade are logical next steps. Data was hailed as a factor of production at the November 2019 Fourth Plenum; senior leaders want to build a market for it. Big data firms have assumed they can leverage user data as long as it is anonymised. Novel virus-driven industries (online and AI healthcare, etc.) want data collection and use to be routine. Limits on cross-border data exchange will deter both inbound and outbound foreign investment, argue multinationals.
The security establishment has different priorities. Personal data rights conform to national sovereignty and security frameworks, notes Du Yanyun 杜雁芸 National University of Defense Technology, unlike equivalent regulations in the West that put a premium on privacy. Data flows that threaten national security in any way, above all those that cross borders, face strict limits by State and public security authorities. Banning non-secure (non-Chinese) IT products is another priority. Cybersecurity laws seek to discipline local governments, often prime offenders against cyber and data security.
Better data protection is needed. Legal experts, legislators and the public decry privacy, algorithmic bias, government–industry data sharing, digital divide and data leaks. Online firms are the main villains, but (local) governments and public services are not immune.
progress vs. fine print
Fleshing out a regulatory framework needs to balance these interests. With clearer overall approaches, industrial planners (National Development and Reform Commission, Ministry of Industry and IT, etc.) and security agencies (Cyberspace Administration of China, Ministry of Public Security, etc.) are down to the fine print, not least laws on privacy and data security (click to expand table).
major components of the cybersecurity regulatory regime
to further analysis belowoutlook
Cybersecurity-related laws are on the agenda this year. The National People’s Congress is working to pass laws on privacy and data security, and State Council will regulate CII. A permissive approach is implied in the new Civil Code and draft management measures for data security. Data can be handed over to authorities on public interest grounds. The Civil Code offers individuals protection but not the right to control their personal information, a hard-fought win for e-commerce firms. Balancing protection and use, the draft measures clarified corporate obligations but remained vague on individual rights, clearly diverging from the priorities of GDPR in Europe.
Rendering state power and capital big data-capable outweighs security and privacy concerns—except when foreign interests are involved. Campaigns cracking down on overt privacy violations are ever more institutionalised, but no Chinese GDPR is to be expected.
what the experts are saying
Robin Li Yanhong 李彦宏 | Baidu CEO
Tech tycoon and CPPCC delegate since 2013, Li is a tech policy veteran, most notably in privacy and AI. His proposals include greater public sharing of state data, and private data exchange. Both Baidu and Li were reputed for dismissal of privacy; notoriously arguing in 2018 that Chinese people are willing to trade privacy for convenience, Li drew furious public and state media backlash. Now more circumspect, he joined legal experts in pushing to regulate epidemic-sensitive data during the 2020 Two Sessions.
Ding Yuxiang 丁宇翔 | Beijing First Intermediate People’s Court judge
Frequent People’s Daily columnist Ding weighs in on challenges to privacy that technology poses, as well as the need for legal remedies to protect reasonable expression of opinion on the internet. Abuse of user privacy by big data firms has become, he notes, a major civil rights scandal. Technology should be used as a weapon of legal regulation and control, safeguarding personal information ‘like the wings of birds and wheels of cars’. Make full use of existing legal resources to protect personal information, he advises the judiciary, in the absence of all-round internet privacy. State agencies, he insists, must pay as much attention to protecting privacy as they have to nurturing the IT industry.
Li Aijun 李爱君 | China University of Political Science and Law professor
Expert on regulating emerging technologies, Li lists national sovereignty, property and personality as the three dimensions of data rights. Think genetic resources when it comes to data over which individuals can exercise rights; but data on a national gene pool can be repurposed as a bio weapon. Proper boundaries must be in place to prevent the state infringing citizen rights, she suggests, demarcating rights of ‘ownership’ and ‘use’.
expanded table with links
grading scheme of cybersecurity sensitivity in effect December 2019
- major technical standards for MLPS 2.0 (Cybersecurity Multi-level Protection System) classify networks by sensitivity and outline responsibilities of different kinds of network infrastructure
- auxiliary regulations and guidelines roll out gradually
CII protection in draft; was expected 2019
- draft regulations, released for public consultation July 2017, were intended to be finalised by State Council in 2019
- CII has not been publicly defined, though cyberspace regulators advise major operators of key industries such as telecoms, radio, television, energy, finance, utilities, transportation, health and national defence to set up compliance teams\
product and service vetting in effect June 2020
- new regulations require network products and services used by (undefined) CII operators to counter national and supply-chain security threats via state-sanctioned cybersecurity review
privacy in draft; expected 2020
- the right to privacy is enshrined in the Civil Code, to take effect January 2021
- the Personal Information Protection Law is now in the pipeline; drafting began in 2003, the draft declared ready for review in May 2020
- advisory standards were also updated in March 2020; they may later become mandatory
- regulators currently rely on administrative campaigns to crack down on rampant privacy violations
data security in draft; expected 2020
- a designated Data Security Law is in the pipeline
- draft management measures, released for comment May 2019, balance protection and use of data resources
internet content control in effect March 2020
- obligations of online platforms and media were outlined in previous laws; these new regulations further clarify division of care between platforms and content creators and users, as well as what content is deemed good/bad/malicious
cross-border data transfer in draft
- two sets of draft measures for reviewing the security of data offshoring were released for comment in April 2017 and June 2019; both cover personal information; the former adds ‘important data’
- casting a wider net than provisions in the Cybersecurity Law, they apply not only to CII but to all network operators
- progress was reportedly delayed by US–China trade negotiations