Written by Michael Caster, Asia Digital Programme Manager at ARTICLE 19.
This article originally appeared on Thomson Reuters Foundation News.
What does China’s new data protection law mean for users’ privacy?
Last week China’s National People’s Congress passed its long-awaited data protection law, which applies broadly to “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons.”
The Personal Information Protection Law (henceforth the Law), ostensibly promoting transparency and consent, introduces a number of welcome privacy protections. Nonetheless, it is written to ensure that any advancements in data protection rights are in lockstep with the needs of a 21st-century police state and China’s ambition to influence global digital governance.
Chapter IV, which outlines individuals’ rights, ensures the right to access and copy personal data, and in line with the robust EU Global Data Protection Regulations (GDPR), guarantees data portability and the right to be forgotten.
In a positive development for privacy rights, the Law regulates “automated decision-making,” which includes guaranteeing a right to opt out of algorithmic-targeting based on the collection of personal data.
Chapter V outlines the duties for those handling personal data, including a requirement to conduct “personal information protection impact assessments” when using personal information for algorithmic-targeting or handling sensitive data, among others. Sensitive data covers information about one’s religion, medical health, financial records, as well as location tracking and biometric data, and requires a separate round of consent.
However, such gains for privacy protection do not extend to reigning in the State.
Digital sovereignty over data protection
Chapter II sets out some limitations for State authorities, requiring officials to notify individuals and obtain their consent before handling their personal information. However, of most concern, it also introduces overbroad and vague exceptions to this requirement “where laws or administrative regulations provide that secrecy shall be preserved” or “where notification will impede State organs’ fulfilment of their statutory duties and responsibilities.”
For example, the Law requires that facial recognition systems or other identity recognition equipment may only be used for “safeguarding public security.” It is admirable that the Law seeks to limit the private use of surveillance technology, which has recently come under fire in China, but clear that there is no room in the Law for limitations on the security sector.
Requiring clear indication when facial recognition equipment is in use, for example, may seem like a step toward public transparency and obtaining consent. In reality, when there is no effective means of opting out because it is ubiquitous in daily life, one cannot consent to being subjected to facial recognition technology merely by being informed of its presence.
Biometric data is rightly treated as sensitive personal information requiring strict protection measures under the Law. However, while appearing to create limits, the parameter that biometric data may only be collected under a “specific purpose” is overbroad and vague, ripe for State abuse. For example, this will not limit the mass forced collection of biometric data from Uyghurs, and related human rights abuses.
Arguably, in an effort to defend its digital sovereignty and promote its particular vision of digital governance around the world, the Law also has extraterritorial features.
Foreign entities accused of violating the rights and interests of Chinese citizens or harming China’s national security or “public interest” may be blacklisted or sanctioned. Foreign entities are also required to establish a dedicated representative in China. Such overly broad and vague terms make it impossible to regulate conduct, which raises the risk of arbitrary reprisals.
China claims the right to seek retaliatory measures against any country or region that adopts vaguely defined “discriminatory prohibitions, limitations or other similar measures” against China relating to personal information. In the context of China’s Digital Silk Road, this provision could be read as a threat of retaliatory action should partners enact limitations against Chinese technologies that handle personal data within Smart City or related programs.
While the Law introduces welcome provisions that will protect individual’s data privacy, in the end it will do nothing to meaningfully limit the human rights abuses of China’s security sector.
The Law should also be understood in the context of China’s global ambitions to reshape international norms in line with its own techno-authoritarian vision.