China’s Data Privacy Balancing Act

The New York Times announced last week that China is implementing a mass DNA collection project in order to create a large-scale database that genetically maps the country’s entire male population. This news reignites concern over China’s mass surveillance system, especially as it made headlines last week for a litany of other news events that signal the government’s increasingly aggressive ambitions (see: escalating conflicts along the China-India border, Australia’s veiled accusations of a months-long series of cyberattacks from China, and the release of a blueprint for China’s new national security law for Hong Kong). But compared to China’s foreign policy ambitions, the government’s stance on surveillance is tempered by a key stakeholder—citizens—and a developing legal framework for data privacy.

Offline to Online Surveillance

Mass surveillance is nothing new for China. The country’s use of biometric data is widely regarded as one of the world’s most invasive, if not the most invasive. The developing Social Credit System (SCS) has also raised eyebrows for its potential human rights abuses, although its deployment does not yet actually resemble an Orwellian dystopia (and some might argue that the U.S. also has its own form of a social credit system).

On a micro scale, Chinese citizens are used to strict government oversight on their identities. For one, the hukou (household registry) serves as a mechanism for the police to track people’s movements; Chinese citizens are mandated to register with the local police station every time they change residences. Furthermore, pseudonymity is difficult on the Chinese Internet. China has a strong digital identity system, because the government has been promoting a real-name registration system for online activities, particularly for online payments. This means that Chinese citizens must often register for online services with their resident identity card, China’s main identity document, thereby establishing a strong link between real-world identity and online activities.

WeChat Pay and Alipay serve as obvious case studies. As online payment providers, they are subject to KYC, which may run the gamut of identity document verification, biometric matching (i.e. liveness detection), SMS verification, and the provision of further details, like bank card / bank account details. Together, they have about 92.7 percent market share of the Chinese payment market, which boasts an 86 percent penetration rate of the Chinese population. Because they are also part of a sprawling ecosystem of products and services of their parent companies—Tencent and Alibaba, respectively—that includes food delivery apps, ecommerce sites, gaming, entertainment, and more, Tencent and Alibaba have the potential to collect a massive amount of user details, all linked to any individual’s real-world identity. Projects like WeChat’s pilot programs for digital identity cards only stand to reinforce an already solid link between real identity and one’s digital identity.

And even if apps and services do not require or use extensive identity verification protocols, the mobile phone number is often required for use of services, such as social media platforms. The phone number in itself is a strong link to one’s real identity, because users must register for SIM cards with their identity cards or passports and must submit to facial recognition scans. While the government’s use of digital identity is not well-advertised for obvious reasons, censorship on social media platforms and even private chats is a good starting point for understanding the insidious effects of a pervasive identity schema that leaves no room for (pseudo)-anonymity, not even on the Internet. In seconds, technology can recognize a politically-sensitive post or text—and then identify the culprit with high assurance.

Progress Toward Data Privacy

China’s rapidly growing data economy and the pervasive use of the resident identity card number have made data privacy an increasing concern. High-profile data leaks in the past few years include an unsecured database of personal identity information on nearly 2.6 million people in Xinjiang and hundreds of millions of exposed chat logs from popular social media services like WeChat and QQ. A 2018 report by the China Consumer Association finds that 85.2 percent of app users in China have experienced data leaks; the survey also finds 60 percent of respondents adopted some measures to protect their personal information, suggesting growing user awareness of data privacy.

The Chinese government has responded to these concerns by strengthening its data privacy legal framework. China has historically taken a fragmented approach to data protection, with legal regulations differing by market sector. The 2016 Internet Cybersecurity Law (Cybersecurity Law) marked a distinct shift toward a more consolidated approach. Considered a Basic Law that supersedes other data protection mandates, the law combines previous data protection mandates from disparate sectors and is essentially applicable to any business that handles data in China. Analysts state that the Cybersecurity Law, which takes cues from the General Data Protection Regulation (GDPR) in its application of data minimization principles, falls somewhere between the U.S. and the E.U. in terms of offering a stringent national data privacy framework. Enforcement is patchy, as is legal action against abuse of personal information, with only 23 cases between 2009 and 2020.

During its annual meeting this May, the National People’s Congress, China’s main legislative body, demonstrated continued commitment to improving data privacy by including an entire chapter (out of seven) dedicated to “personality rights” in its first civil code. These new provisions ensure that personal data—any information that would fall under the “personality rights” category, ranging from emails to biometrics—is subject to legal protection. Among other things, these provisions should strengthen citizens’ right to legal redress of personal information abuses. However, despite recognition from legal analysts that this is a significant milestone, some caution that these new provisions still fall short of the GDPR.

The OWI Analyst Take

The Chinese government clearly subjects its citizens to an invasive surveillance and real-name registration system that leaves little room for user privacy online and offline. Yet, at the same time, the Chinese government remains sensitive to citizen sentiment. In addition to national cybersecurity concerns, China’s data protection laws must also be framed within the context of growing citizen awareness of and concern over personal privacy. By offering legal frameworks for data protection that are more than likely applicable to private entities but not the government, the Chinese government appeals to citizen demands while quietly continuing to invade personal privacy itself.

The announcement of China’s DNA surveillance program last week serves as an important reminder that even as China takes important steps toward protecting data online, Chinese citizens’ personal data are ultimately not within their control. In the eyes of the Chinese government, it is the exception to data privacy rules.
