Last week I was in San Francisco attending a privacy conference co-hosted by Berkeley Law and Peking University Law School. Having attended many privacy events, I still felt fresh this time seeing so many privacy scholars, experts and professionals from China, US and Europe together sitting in the same room to discuss their regional perspectives about privacy and cybersecurity, and I absorbed valuable insight into the future development of China’s privacy law.
The fundamental rational of China’s personal information protection was one focus of the event. As I wrote before, China’s personal information is currently regulated under a bigger framework of national security that takes cybersecurity as a necessary part thereof, which indicates that China’s approach of personal information protection is more to serve the national purpose, rather than to protect individual rights. Now I better understand why, from a Chinese scholar’s explanation of the legislative context of China’s Cybersecurity Law (the most authoritative law now in China regulating the collection and processing of personal information). The scholar revealed that due to some historical reasons, the legislation of the Cybersecurity Law was led by public law experts (focus on legal relationships between government and individuals as seen in administrative law and criminal law) rather than those in the area of private law (focus on legal relationships between individuals as seen in torts law and contracts law).
This explanation may sound baffling, particularly to people in the West. Why protecting personal information as an individual right cannot be done properly in China under the framework of administrative law or criminal law?
A simplified version of the reason is that, in China, public interests are prioritized over personal interests, and personal interests are subordinate to public interests. So in the area of public law where government is deemed as the avatar representing public interests, individual rights are significantly downplayed. Accordingly, the positioning of personal information regulation in China – that is to say, being channeled under administrative law, criminal law, or civil law – would be a critical indicator telling us how seriously the government treats its people’s privacy. China is fastening its pace in legislating two other important data laws: Personal Information Protection Law and Data Security Law, which are supposedly to come out in five years, with the former on the track of civil law while the latter more focused on public interests like cyber and national security. However, since under China’s legislative hierarchy, these two laws would parallel to the Cybersecurity Law at the same level in respect of the force of law, how to harmonize them to ensure their consistency and compatibility with each other would be tough.
Another related point worth noting is that “data” and “personal information” are two distinct concepts under Chinese law. Its General Rules (or Provisions) of the Civil Law (official Chinese text is here) regulates the practices related to “personal information” under Article 111, and then separately addresses “data” under Article 127 alongside of cyber virtual properties, which seems to indicate that “data” is treated more like an asset. How this may impact the legal issues of “personal data” is unclear under the existing Chinese law. In general, the protection would be weakened if personal data is taken more as an asset rather than an element indispensable to a right of personality.
Law enforcement was another heavily-discussed topic in the event. Professor Xue Jun, the vice dean of Peking University Law School, predicted that China would continue to mainly rely on administrative tools (in contrast of granting private rights of action). The reason is that, according to Xue, the causation and harm of privacy violations are hard to define, and China has this long tradition of relying on powerful government agency to enforce law.
When asked about which government agency may lead the future privacy law enforcement in China, Xue said that it should be the State Administration for Market Regulation (equivalent to the FTC in the US), following the high-level policy guidance by the Cyberspace Administration of China (also known as the Office of the Central Cyberspace Affairs Commission).
In closing of this note, while China is still at an early stage of establishing its privacy law regime, it is moving fast. A repeatedly asked question I heard in the event is which country will first pass its overarching privacy law, China or US. I personally don’t like this question since the legislative procedures of China and US are noncomparable and more importantly, having a law passed does not necessarily equal to a solid legal protection system established. Actually, I detected an air of frustration due to the foreseeable regulatory inconsistency between China and the West, which can become trade barriers impeding the profitability of the West from China’s still lucrative market. So another repeated topic I heard in San Francisco is calling for the adoption of industrial norms of behaviors, which probably is more promising than counting on legislatures of various countries to converge their privacy law with each other.
Thanks for this post. I concur especially in two of your assessments: “A repeatedly asked question I heard in the event is which country will first pass its overarching privacy law, China or US. I personally don’t like this question since the legislative procedures of China and US are non-comparable and more importantly, having a law passed does not necessarily equal to a solid legal protection system established ” and “the legislation of the Cybersecurity Law was led by public law experts (focus on legal relationships between government and individuals as seen in administrative law and criminal law) rather than those in the area of private law (focus on legal relationships between individuals as seen in torts law and contracts law).” I would take the issue a bit further, since even in intellectual property which China is obliged to treat as a private right (TRIPS Agreement, preamble – as an example), the heavy hand of public interest/public management/state assets/state intervention has led many academics to view IP as a quasi-public right. Furthermore, How much more can we expect of privacy? Moreover, I don’t think these issues are easy to bridge culturally – the terminology around what law provides for a civil remedy is often unclear (e.g., the E-Commerce law, which bundles admin and civil remedies, or the Anti Unfair Competition Law which leaves out employer trade secrets and lets the general civil code take over, but at the same time enhances administrative remedies over all). I am interested in knowing how much privacy will be pick up where IP has left over – and possibly not learn from its mistakes. This seems unlikely because of the clearer government interest in issues such as cybersecurity, national patrimony over personal data/genetic information, etc. In this sense, privacy also shares a common heritage with other quasi-IP issues (traditional knowledge/folklore/cultural expressions/geographical indications/genetic resources) where the government has a a more dominant role and the individual owner a more limited one.
Hi Professor Cohen. Thanks for your comment. That’s very insightful and informative. I feel the same as you that China government tightens the control in IP area and others. On the other side, I think, or expect the China government to think, that privacy is somehow different from IP, because privacy is more sensitive and has broader influences touching every person living there. And I believe a social/legal environment giving more protections to personal information – at least in private sector – can help China’s local business to grow and prosper in both domestic and international markets, which is another rationale distinguishing privacy from IP regulation. Anyhow, it should be interesting to see how China will explore this area and balance the need to control and develop in the near future.