In land of big data, China sets individual privacy rights

China is poised to enshrine individuals’ rights to privacy and personal data for the first time, a symbolic first step as more of the country of 1.4 billion people becomes digitised – and more vulnerable to leaks and hacks.

The legislation is part of China’s first civil code, a sweeping package of laws that is being deliberated during the annual meeting of parliament, which began on Friday after a delay of more than two months due to the coronavirus.

According to a recent draft, an individual has the right to privacy and to have their personal information protected.

Data collectors have a duty to protect an individual’s personal information and cannot obtain, disclose or conduct transactions of such data without consent, according to the draft.

The push to shore up data privacy in China is widely seen as an effort to protect and legitimise the country’s fast-growing internet sector and place safeguards on the movement of valuable Chinese data overseas.

The legislation will need to be followed by detailed regulation spelling out how those rights would be protected, and gives no protection from increasingly pervasive surveillance by a government that wields total control over the country’s digital sphere.

Nevertheless, lawyers and legal experts say the recognition of digital privacy rights is an important first step to allowing individuals who suffer from leaks to seek redress.

“When the law hasn’t set a definition for personal information, then a lot of disputes are very hard to resolve because there’s no way to sue,” said Xu Ke, a professor at the University of International Business and Economics in Beijing.

The legislation places China among a minority of countries building legal frameworks governing individual data privacy, although individual protections currently in place are not as strong as Europe’s General Data Protection Regulations, said Chen Lei, a law professor at the City University of Hong Kong.

Legal experts say existing Chinese laws do not provide adequate protection for individuals because they do not impose significant punishment for companies responsible for breaches.

Chinese courts have been inconsistent on privacy cases, which some blamed on inadequate regulations and guidance for a rigid court system that limits a judge’s scope to make new interpretations in law.

In one high-profile case, a group of 42 people sued Amazon in 2017 for breach of their personal data by scammers.

Yanming, one of those who sued the US e-commerce giant, said he fell victim when a person called him with the exact order number for products he purchased. The person said there was a problem and offered a refund, luring Yanming to a phishing website planted within Amazon’s website that siphoned 247,000 yuan ($34,627) from Yanming’s account.

Chinese courts have ruled twice against Yanming – who requested his last name be withheld for privacy – and the other plaintiffs, however, stating that a criminal case must take place first before a civil case can start.

“The court’s decision is such that companies won’t value personal information protection, or digital safety practices,” said Wang Congwei, the victims’ lawyer.

Parliament plans to roll out separate legislation specifically on the protection of personal information later this year, and lawyers say Beijing needs to set stronger penalties for breaches or leaks in order to provide effective protection.

“(The civil code) will help, whether from the perspective of civil suits, or from the perspective of safeguarding rights for the victim, it’s more clear, and for the courts, this is a clearer standard,” said Wang.