China’s Hyperactive Debates on Private Knowledge Safety – The Diplomat


On October 21, 2020, a draft of the highly anticipated Chinese Personal Data Protection Act (PIPL) was released for public comment. Together with the Cybersecurity Act, implemented in 2017, and the Data Protection Act (the draft of which was also released for public comment in July 2020), the PIPL is considered an important milestone in China’s legislative efforts to establish comprehensive data regulations. In particular, the PIPL establishes legitimate rights in relation to personal data, as it is formulated to “protect rights and interests of personal data, standardize activities relating to the handling of personal data, ensure the lawful, orderly and free flow of personal data and a Promote appropriate use of personal data “(Article 1). The draft attracted intense media and public interest. Legal, academic and company representatives held discussions to reconcile the draft law with the General Data Protection Regulation of the European Union and other important data laws around the world compare and raise questions for clarification and improvement.

A month later, the verdict was announced in the first trial of a publicly known case using facial recognition technology that was touted as the “first face recognition lawsuit”. The victory of the plaintiff, who protested a safari park’s use of the technology, sparked another flurry of coverage and social media reactions.

Personal data protection has already become a hyperactive area in China, continuously stimulated not only by national legislation and policymaking, but also by the involvement of legal professionals, conscious action by citizens, as well as immense media attention and active public discourse.

China’s PIPL exposure is part of the legislative and regulatory efforts of the past few years to establish the legal framework, guidelines and standards for data management, of which the protection of personal data is an indispensable part. Contrary to popular belief that China’s data regulation is sloppy – which is often used by Silicon Valley entrepreneurs (like Facebook’s Mark Zuckerberg) to argue that regulating personal data would prevent data-driven innovation – the Chinese government is indeed Fast forward the last decade to enact hundreds of laws and rules for data security and protection. Before the PIPL was unveiled, various regulations and standards in the area of ​​data and technology were already enacted in order to introduce the protection of personal data in various areas, such as the Consumer Protection Act and its amendments (2014), Specification on the security of personal data (2018), Ordinance on Protecting Children’s Personal Data Online (2019), Technical Specification on Protecting Financial Information (2020), etc.

Diplomat letter

Weekly newsletter


Learn about the history of the week and develop stories to see in the Asia Pacific region.

Get the newsletter

While Western audiences may be more familiar with stories of the use of high-tech surveillance and the controversial social credit system that raise concerns about whether China’s data protection model would compromise the core values ​​of Western democracy, it is crucial to realize that China is so is coping with similar challenges arising from the rapid deployment of information and communication technology (ICT) and the need to control gigantic amounts of data generated from daily economic and social activities. As data is increasingly viewed as fundamental to the economies and economies of the region, governments around the world are striving to drive economic development with data-driven innovation. Unsurprisingly, the development of legal and regulatory foundations for privacy and security has also moved to the forefront of government agendas. Commentators were quick to notice that many of the provisions of the draft PIPL are similar to GDPR and other key data laws in other jurisdictions.

Do you enjoy this article? Click here to subscribe for full access. Only $ 5 a month.

However, it would be a mistake to see the central government and the legislature as a single actor in the field of personal data protection in China. The aforementioned lawsuit, filed by a law professor against the use of facial recognition when entering a Hangzhou safari park, began before the draft PIPL was published and was the result of increased public awareness and personal data protection measures. For example, the South Metropolis Daily Research Center for the Protection of Personal Information has actively conducted in-depth research on topics of public concern such as facial recognition and privacy policies of online apps, and publishes annual reports on the state of the art of protecting personal information security. Public accounts in WeChat and other social media, each with a large number of followers and subscriptions, regularly distribute updates on national and international data policy trends, research results, incidents of data leaks, etc.

Face recognition is a technology of particular interest because it is used not only in security surveillance systems at airports and other locations, but increasingly also in financial and banking systems for identity authentication and mobile payment. The lawsuit against Hangzhou Safari Park has attracted public attention as it addressed public concerns about the lack of regulation in the introduction of facial recognition. In media interviews, Guo, the plaintiff on this case, stated that while a personal data breach lawsuit could be burdensome to individual consumers, its aim is to learn practical lessons for establishing more effective legal rules and practices for the U.S. to protect personal data Data.

In September 2020, another law professor at Beijing Tsinghua University decided to sue the Homeowners Association for installing facial recognition at the entrance to the condominium, which is expected to spark another wave of media and public expressions of concern over the technology. These public feelings and fears led the relevant departments to prioritize the use of facial recognition in finance and other areas. Local governments also took the opportunity to enact regional regulations. Tianjin City passed an ordinance on December 1 that restricts the illegal collection and use of sensitive biometric information to identify authentication, including a ban on the use of facial recognition technology.


In addition to these highly visible facial recognition cases, there are two other cases that have been filed by individual consumers against large tech companies. In the Ling v. Douyin / Duoshan case, the plaintiff, Ling, was prompted with a list of “people you may know” in the apps when registering for the two social apps. He suspected that the app had read his phone contact list without consent, and sued Bytedance. In the Huang vs Tencent case, Ms. Huang found, while using the WeChat Reading app, that her reading information was shared with her “circle of friends” in the WeChat app without her knowledge, and brought the case against the parent company of the two apps.

In both cases, as in the two facial recognition cases mentioned above, the plaintiffs are people with a good knowledge of the legal provisions and institutions or with strong legal assistance in litigation. Ling is a Ph.D. Law student while Huang is reported as an employee of a law firm. For example, as a well-informed plaintiff who was likely familiar with the existing conventions on the protection of personal data in Europe and other countries, Ling tried to obtain evidence of the privacy settings of the apps, such as the length of time for the storage of cookies, the notice for Consent requests, service contracts, etc.

Although the issues they litigated appeared to be minor in the sense that “no actual harm” could be demonstrated, which was an argument often put forward by the defense attorney, their “low involvement” emphasized them symbolic meaning of the lawsuits. Interestingly, law students like this have been encouraged by their universities and professors to gain hands-on experience as part of their education. Litigation against large corporations and public institutions over the handling of personal data and their privacy policies has become more common among these future lawyers.

All of these examples show the hyperactive dynamics surrounding China’s personal data protection. A careful examination of the discussions surrounding the draft PIPL and the ruling by the courts in cases where citizens take action against personal data breaches would reveal that China’s privacy policy faces many similar challenges to those elsewhere in the data management space how to define the appropriate scope and use of “personal information” to balance individual rights with public interests and industrial development, and how to find a more effective mechanism to communicate through that accepted dilemma of consent as a prerequisite for data processing. With the growing global conflict over cross-border data flows and concerns about data sovereignty, it is imperative to have a full understanding of these dynamics in the area of ​​personal data protection in China and to seize opportunities for discussion in this area of ​​increasing importance.

Xiao Liu is a Wilson China Fellow and is currently working on a project on the governance of personal data in China. Liu teaches at McGill University and is the author of Information Fantasies: Precarious Mediation in Post-Socialist China (University of Minnesota Press, 2019).

Comments are closed.