by Mark MacCarthy

China and the West are converging on consumer data protection policy

May 24, 2018

As the EU’s General Data Protection Regulation comes into force on May 25, China is also wrestling with the complex consumer protection issues that bedevil all digital economies.


The escalating economic and political tensions between China and the U.S. have obscured a surprising and largely unrecognized area of convergence. China is moving toward the West on consumer data protection policy.

A recent op-ed piece in the FT summed up the prevalent, but mistaken, idea that “privacy simply isn’t an issue in China.” Baidu’s Robin Li also reflected this erroneous view with his recent comment that “the Chinese people are more open or less sensitive about the privacy issue.” This cultural difference is supposed to give China an advantage over more privacy-protective regimes in developing cutting-edge technologies like artificial intelligence.

But this bit of received wisdom just isn’t so. As the Economist and the New York Times reported earlier this year, increased abuse of consumer data by Chinese companies has prompted government measures at the local and national levels to protect consumers. A thorough paper from the Center for Strategic and International Studies lays out the details of China’s expanding data protection regime.

How does China’s consumer data protection system work?

Data protection was a requirement in China’s 2014 proposal for social credit systems to assess people’s trustworthiness. Critics complained that this system could lead to an intrusive society resembling the Black Mirror episode “Nosedive.”

But critics missed the proposal’s explicit data protection requirements. The systems could be developed only on the basis of the “protection of personal privacy.” The “infringement of personal privacy” by credit service organizations was “unlawful” and would be subject to “prosecution.”

These were not just empty words. Pursuant to this national data protection requirement, the Beijing Municipal Government recently released regulations for its public credit scores that banned the use of irrelevant private information including religious belief, genetic details, fingerprint, blood type and medical history.

The separate private credit scoring systems developed by Chinese companies also protect consumers by eschewing the use of irrelevant user data. For instance, Alibaba’s Sesame Credit says it tracks the “financial and consumption activities of our users” but “materials published on social media platforms do not affect our users’ personal Sesame Credit score.”

To enforce these rules, Chinese agencies oversee commercial data practices and order companies to correct abuses. For instance, in January 2018, the Cyberspace Administration of China required Ant Financial to adjust a default setting on its Alipay wallet, which granted its commercial partners automatic access to users’ credit records.

Most importantly, China’s new Cybersecurity Law provides a national legal framework for consumer data protection. Companies must “strictly maintain the confidentiality of user information they collect”; they must explicitly state “the purposes, means, and scope for collecting or using information, and obtain the consent of the person whose data is gathered.” They are strictly forbidden from extraneous data collection “unrelated to the services they provide.” 

Data protection is a technological and policy challenge shared by all digital economies

These Chinese data protection measures mirror requirements in Europe’s tough new General Data Protection Regulation that goes into effect on May 25. In fact, China’s new law is even more stringent in that it “makes consent the only legal ground for collection and use of personal information data,” while Europe’s regulation allows multiple other legal bases for data processing.

All modern digital economies face the challenge of how to protect consumers from harm while allowing valuable data uses. Some commentators think Europe’s regulation is too stringent, a triumph of process over genuine data protection, and they prefer the U.S. system, which allows greater freedom to use data for valuable purposes.

China is wrestling with the same dilemma. Its specification implementing the Cybersecurity Law creates more flexibility than is in the law itself by allowing companies to collect information without consent when it is needed to complete a transaction or to protect their service or network.

The European, U.S. and Chinese data protection regimes might differ in their details but they share a family resemblance that reflects their origin in this common technological challenge.

Convergence on consumer data protection policy is an important but limited development

China’s law enforcement and security agencies will continue to monitor online activities to ensure political stability. Its developing public credit systems will enforce social control. It will maintain its successful but unorthodox industrial policy in its “Made in China 2025” initiative to foster domestic high-tech industries. And its governance structures will continue to rely on meritocratic methods of training and selecting its ruling elite.

Some commentators predict more macro convergence as “the new technologies of the knowledge society both require and enable more intelligent structures of governance.”  Indeed, shared technological imperatives could foster a broader synthesis that embodies the best in our differing political and philosophical traditions. 

But such a synthesis is for the middle-distance future. We need not wait for the convergence of larger political institutions to recognize that on specific policy problems like data protection we have already come closer together than we had imagined and might have something to learn from each other.