Inside China’s unexpected quest to protect data privacy
Late in the summer of 2016, Xu Yuyu received a call that promised to change her life. Her college entrance examination scores, she was told, had won her admission to the English department of the Nanjing University of Posts and Telecommunications. Xu lived in the city of Linyi in Shandong, a coastal province in China, southeast of Beijing. She came from a poor family, singularly reliant on her father's meager income. But her parents had painstakingly saved for her tuition; very few of her relatives had ever been to college.
A few days later, Xu received another call telling her she had also been awarded a scholarship. To collect the 2,600 yuan ($370), she needed to first deposit a 9,900 yuan activation fee" into her university account. Having applied for financial aid only days before, she wired the money to the number the caller gave her. That night, the family rushed to the police to report that they had been defrauded. Xu's father later said his greatest regret was asking the officer whether they might still get their money back. The answer-Likely not"-only exacerbated Xu's devastation. On the way home she suffered a heart attack. She died in a hospital two days later.
An investigation determined that while the first call had been genuine, the second had come from scammers who'd paid a hacker for Xu's number, admissions status, and request for financial aid.
For Chinese consumers all too familiar with having their data stolen, Xu became an emblem. Her death sparked a national outcry for greater data privacy protections. Only months before, the European Union had adopted the General Data Protection Regulation (GDPR), an attempt to give European citizens control over how their personal data is used. Meanwhile, Donald Trump was about to win the American presidential election, fueled in part by a campaign that relied extensively on voter data. That data included details on 87 million Facebook accounts, illicitly obtained by the consulting firm Cambridge Analytica. Chinese regulators and legal scholars followed these events closely.
In the West, it's widely believed that neither the Chinese government nor Chinese people care about privacy. US tech giants wield this supposed indifference to argue that onerous privacy laws would put them at a competitive disadvantage to Chinese firms. In his 2018 Senate testimony after the Cambridge Analytica scandal, Facebook's CEO, Mark Zuckerberg, urged regulators not to clamp down too hard on technologies like face recognition. We still need to make it so that American companies can innovate in those areas," he said, or else we're going to fall behind Chinese competitors and others around the world."
In reality, this picture of Chinese attitudes to privacy is out of date. Over the last few years the Chinese government, seeking to strengthen consumers' trust and participation in the digital economy, has begun to implement privacy protections that in many respects resemble those in America and Europe today.
Even as the government has strengthened consumer privacy, however, it has ramped up state surveillance. It uses DNA samples and other biometrics, like face and fingerprint recognition, to monitor citizens throughout the country. It has tightened internet censorship and developed a social credit" system, which punishes behaviors the authorities say weaken social stability. During the pandemic, it deployed a system of health code" apps to dictate who could travel, based on their risk of carrying the coronavirus. And it has used a slew of invasive surveillance technologies in its harsh repression of Muslim Uighurs in the northwestern region of Xinjiang.
This paradox has become a defining feature of China's emerging data privacy regime. It raises a question: Can a system endure with strong protections for consumer privacy, but almost none against government snooping? The answer doesn't affect only China. Its technology companies have an increasingly global footprint, and regulators around the world are watching its policy decisions.
November 2000 arguably marks the birth of the modern Chinese surveillance state. That month, the Ministry of Public Security, the government agency that oversees daily law enforcement, announced a new project at a trade show in Beijing. The agency envisioned a centralized national system that would integrate both physical and digital surveillance using the latest technology. It was named Golden Shield.
Eager to cash in, Western companies including American conglomerate Cisco, Finnish telecom giant Nokia, and Canada's Nortel Networks worked with the agency on different parts of the project. They helped construct a nationwide database for storing information on all Chinese adults, and developed a sophisticated system for controlling information flow on the internet-what would eventually become the Great Firewall. Much of the equipment involved had in fact already been standardized to make surveillance easier in the US-a consequence of the Communications Assistance for Law Enforcement Act of 1994.
The Chinese government has begun to implement privacy protections that resemble those in America and Europe today.
Despite the standardized equipment, the Golden Shield project was hampered by data silos and turf wars within the Chinese government. Over time, the ministry's pursuit of a singular, unified system devolved into two separate operations: a surveillance and database system, devoted to gathering and storing information, and the social-credit system, which some 40 government departments participate in. When people repeatedly do things that aren't allowed-from jaywalking to engaging in business corruption-their social-credit score falls and they can be blocked from things like buying train and plane tickets or applying for a mortgage.
In the same year the Ministry of Public Security announced Golden Shield, Hong Yanqing entered the ministry's police university in Beijing. But after seven years of training, having received his bachelor's and master's degrees, Hong began to have second thoughts about becoming a policeman. He applied instead to study abroad. By the fall of 2007, he had moved to the Netherlands to begin a PhD in international human rights law, approved and subsidized by the Chinese government.
Over the next four years, he familiarized himself with the Western practice of law through his PhD research and a series of internships at international organizations. He worked at the International Labor Organization on global workplace discrimination law and the World Health Organization on road safety in China. It's a very legalistic culture in the West-that really strikes me. People seem to go to court a lot," he says. For example, for human rights law, most of the textbooks are about the significant cases in court resolving human rights issues."
Hong found this to be strangely inefficient. He saw going to court as a final resort for patching up the law's inadequacies, not a principal tool for establishing it in the first place. Legislation crafted more comprehensively and with greater forethought, he believed, would achieve better outcomes than a system patched together through a haphazard accumulation of case law, as in the US.
After graduating, he carried these ideas back to Beijing in 2012, on the eve of Xi Jinping's ascent to the presidency. Hong worked at the UN Development Program and then as a journalist for the People's Daily, the largest newspaper in China, which is owned by the government.
Xi began to rapidly expand the scope of government censorship. Influential commentators, or Big Vs"-named for their verified accounts on social media-had grown comfortable criticizing and ridiculing the Chinese Communist Party. In the fall of 2013, the party arrested hundreds of microbloggers for what it described as malicious rumor-mongering" and paraded a particularly influential one on national television to make an example of him.
The moment marked the beginning of a new era of censorship. The following year, the Cyberspace Administration of China was founded. The new central agency was responsible for everything involved in internet regulation, including national security, media and speech censorship, and data protection. Hong left the People's Daily and joined the agency's department of international affairs. He represented it at the UN and other global bodies and worked on cybersecurity cooperation with other governments.
By July 2015, the Cyberspace Administration had released a draft of its first law. The Cybersecurity Law, which entered into force in June of 2017, required that companies obtain consent from people to collect their personal information. At the same time, it tightened internet censorship by banning anonymous users-a provision enforced by regular government inspections of data from internet service providers.
In the spring of 2016, Hong sought to return to academia, but the agency asked him to stay. The Cybersecurity Law had purposely left the regulation of personal data protection vague, but consumer data breaches and theft had reached unbearable levels. A 2016 study by the Internet Society of China found that 84% of those surveyed had suffered some leak of their data, including phone numbers, addresses, and bank account details. This was spurring a growing distrust of digital service providers that required access to personal information, such as ride-hailing, food-delivery, and financial apps. Xu Yuyu's death poured oil on the flames.
The government worried that such sentiments would weaken participation in the digital economy, which had become a central part of its strategy for shoring up the country's slowing economic growth. The advent of GDPR also made the government realize that Chinese tech giants would need to meet global privacy norms in order to expand abroad.
Hong was put in charge of a new task force that would write a Personal Information Protection Specification (PIPS) to help solve these challenges. The document, though nonbinding, would tell companies how regulators intended to implement the Cybersecurity Law. In the process, the government hoped, it would nudge them to adopt new norms for data protection by themselves.
Hong's task force set about translating every relevant document they could find into Chinese. They translated the privacy guidelines put out by the Organization for Economic Cooperation and Development and by its counterpart, the Asia-Pacific Economic Cooperation; they translated GDPR and the California Consumer Privacy Act. They even translated the 2012 White House Consumer Privacy Bill of Rights, introduced by the Obama administration but never made into law. All the while, Hong met regularly with European and American data protection regulators and scholars.
Bit by bit, from the documents and consultations, a general choice emerged. People were saying, in very simplistic terms, We have a European model and the US model,'" Hong recalls. The two approaches diverged substantially in philosophy and implementation. Which one to follow became the task force's first debate.
At the core of the European model is the idea that people have a fundamental right to have their data protected. GDPR places the burden of proof on data collectors, such as companies, to demonstrate why they need the data. By contrast, the US model privileges industry over consumers. Businesses define for themselves what constitutes reasonable data collection; consumers only get to choose whether to use that business. The laws on data protection are also far more piecemeal than in Europe, divvied up among sectoral regulators and specific states.
An epidemic control worker checks thetemperatures of people waiting in line to be tested for covid-19 in the Xicheng district of central Beijing.KEVIN FRAYER/GETTY IMAGESAt the time, without a central law or single agency in charge of data protection, China's model more closely resembled the American one. The task force, however, found the European approach compelling. The European rule structure, the whole system, is more clear," Hong says.
But most of the task force members were representatives from Chinese tech giants, like Baidu, Alibaba, and Huawei, and they felt that GDPR was too restrictive. So they adopted its broad strokes-including its limits on data collection and its requirements on data storage and data deletion-and then loosened some of its language. GDPR's principle of data minimization, for example, maintains that only necessary data should be collected in exchange for a service. PIPS allows room for other data collection relevant to the service provided.
PIPS took effect in May 2018, the same month that GDPR finally took effect. But as Chinese officials watched the US upheaval over the Facebook and Cambridge Analytica scandal, they realized that a nonbinding agreement would not be enough. The Cybersecurity Law didn't have a strong mechanism for enforcing data protection. Regulators could only fine violators up to 1,000,000 yuan ($140,000), an inconsequential amount for large companies. Soon after, the National People's Congress, China's top legislative body, voted to begin drafting a Personal Information Protection Law within its current five-year legislative period, which ends in 2023. It would strengthen data protection provisions, provide for tougher penalties, and potentially create a new enforcement agency.
After Cambridge Analytica, says Hong, the government agency understood, Okay, if you don't really implement or enforce those privacy rules, then you could have a major scandal, even affecting political things.'"
The local police investigation of Xu Yuyu's death eventually identified the scammers who had called her. It had been a gang of seven who'd cheated many other victims out of more than 560,000 yuan using illegally obtained personal information. The court ruled that Xu's death had been a direct result of the stress of losing her family's savings. Because of this, and his role in orchestrating tens of thousands of other calls, the ringleader, Chen Wenhui, 22, was sentenced to life in prison. The others received sentences between three and 15 years.
Emboldened, Chinese media and consumers began more openly criticizing privacy violations. In March 2018, internet search giant Baidu's CEO, Robin Li, sparked social-media outrage after suggesting that Chinese consumers were willing to exchange privacy for safety, convenience, or efficiency." Nonsense," wrote a social-media user, later quoted by the People's Daily. It's more accurate to say [it is] impossible to defend [our privacy] effectively."
In late October 2019, social-media users once again expressed anger after photos began circulating of a school's students wearing brainwave-monitoring headbands, supposedly to improve their focus and learning. The local educational authority eventually stepped in and told the school to stop using the headbands because they violated students' privacy. A week later, a Chinese law professor sued a Hangzhou wildlife zoo for replacing its fingerprint-based entry system with face recognition, saying the zoo had failed to obtain his consent for storing his image.
But the public's growing sensitivity to infringements of consumer privacy has not led to many limits on state surveillance, nor even much scrutiny of it. As Maya Wang, a researcher at Human Rights Watch, points out, this is in part because most Chinese citizens don't know the scale or scope of the government's operations. In China, as in the US and Europe, there are broad public and national security exemptions to data privacy laws. The Cybersecurity Law, for example, allows the government to demand data from private actors to assist in criminal legal investigations. The Ministry of Public Security also accumulates massive amounts of data on individuals directly. As a result, data privacy in industry can be strengthened without significantly limiting the state's access to information.
The onset of the pandemic, however, has disturbed this uneasy balance.
On February 11, Ant Financial, a financial technology giant headquartered in Hangzhou, a city southwest of Shanghai, released an app-building platform called AliPay Health Code. The same day, the Hangzhou government released an app it had built using the platform. The Hangzhou app asked people to self-report their travel and health information, and then gave them a color code of red, yellow, or green. Suddenly Hangzhou's 10 million residents were all required to show a green code to take the subway, shop for groceries, or enter a mall. Within a week, local governments in over 100 cities had used AliPay Health Code to develop their own apps. Rival tech giant Tencent quickly followed with its own platform for building them.
The apps made visible a worrying level of state surveillance and sparked a new wave of public debate. In March, Hu Yong, a journalism professor at Beijing University and an influential blogger on Weibo, argued that the government's pandemic data collection had crossed a line. Not only had it led to instances of information being stolen, he wrote, but it had also opened the door to such data being used beyond its original purpose. Has history ever shown that once the government has surveillance tools, it will maintain modesty and caution when using them?" he asked.
Has history ever shown that once the government has surveillance tools, it will maintain modesty and caution when using them?"
Indeed, in late May, leaked documents revealed plans from the Hangzhou government to make a more permanent health-code app that would score citizens on behaviors like exercising, smoking, and sleeping. After a public outcry, city officials canceled the project. That state-run media had also published stories criticizing the app likely helped.
The debate quickly made its way to the central government. That month, the National People's Congress announced it intended to fast-track the Personal Information Protection Law. The scale of the data collected during the pandemic had made strong enforcement more urgent, delegates said, and highlighted the need to clarify the scope of the government's data collection and data deletion procedures during special emergencies. By July, the legislative body had proposed a new strict approval" process for government authorities to undergo before collecting data from private-sector platforms. The language again remains vague, to be fleshed out later-perhaps through another nonbinding document-but this move could mark a step toward limiting the broad scope" of existing government exemptions for national security, wrote China scholars at New America, a think tank in Washington, DC.
Hong similarly believes the discrepancy between rules governing industry and government data collection won't last, and the government will soon begin to limit its own scope. We cannot simply address one actor while leaving the other out," he says. That wouldn't be a very scientific approach."
Other observers disagree. The government could easily make superficial efforts to address public backlash against visible data collection without really touching the core of the Ministry of Public Security's national operations, says Wang, of Human Rights Watch. She adds that any laws would likely be enforced unevenly: In Xinjiang, Turkic Muslims have no say whatsoever in how they're treated."
Still, Hong remains an optimist. In July, he started a job teaching law at Beijing University, and he now maintains a blog on cybersecurity and data issues. Monthly, he meets with a budding community of data protection officers in China, who carefully watch how data governance is evolving around the world.