Note: I wrote this piece in May 2022 as part of a comprehensive CAC report by DigiChina project. Unfortunately, the report did not progress as planned, so I am now sharing my writing here. I would like to thank Johanna Costigan and Graham Webster for editing it.
In China’s personal data regulation regime, quite a few government authorities have been playing a role, and the Cyberspace Administration of China (the CAC) appears to be center stage. China’s overarching privacy law, the Personal Information Protection Law, mentions the CAC 13 times—a striking comparison to other authorities that are brought up once at most.
The CAC already projects a key role in China’s data regulation ecosystem, including the oversight of personal data protection. Considering its clear central status, is the CAC becoming China’s leading privacy regulator, equal to other countries’ data protection authorities such as the Information Commissioner’s Office (ICO) in the United Kingdom or the Commission nationale de l’informatique et des libertés (CNIL) in France? Probably not. As analyzed below, because of its obscure position in China’s political structure and its lack of authority and autonomy, the role of the CAC seems to be more of a makeshift solution within the patchwork reality of China’s cyber regulation apparatus, rather than a proficient government attempt to make an effective personal information protection leader.
The CAC’s Duality
The predecessor of the CAC was established in 2011 by China’s State Council 国务院, its chief administrative authority, tasked primarily with regulating online content. The CAC wears two hats— following a uniquely Chinese administrative structure known as “one institution with two names (一个机构,两块牌子).” The first is the CAC and the other is the Office of the Central Cyberspace Affairs Commission 中央网络安全和信息化委员会办公室 (the CCA Commission). The CAC (and the Office of the CCA Commission) report to the CCA Commission, a Party-affiliated policy institution initially formed in 2014 under President Xi. It is worth noting that the CCA Commission was created for the purpose of cleaning up the then chaotic cyberspace regulations, with a mission to make China a “cyber superpower.” The frequently cited quote by President Xi, “Without cybersecurity, there is no national security; without informatization, there is no modernization 没有网络安全,就没有国家安全;没有信息化,就没有现代化,” was originally from this group’s founding meeting. The CCA Commission reports to the Central Committee of the Party.
The current administrative structure of China’s government shows that the CAC is merely a “business institution of the State Council 国务院办事机构,” a type of office not granted independent administrative powers, whereas the Ministry of Industry and Information Technology (the MIIT) and the Ministry of Public Security (the MPS), two other authorities also active in China’s data governance regime, are listed as the “constituent departments of the State Council 国务院组成部门,” empowered with administrative functions. This indicates that the CAC, unlike the MIIT and the MPS, is not established as a full-fledged administrative branch to take charge of a whole section of state affairs. And according to the report chain, the CAC is directly affiliated with the Party’s central organization.
The UK’s ICO, France’s CNIL, and many other countries’ data protection authorities are independent government agencies established and authorized by data protection laws with broad administrative powers to protect individual privacy rights. The CAC, on the other hand, was born an online content regulator with a strong state-party duality, guided by party-driven interests.
The CAC’s Limited PIPL Powers
The Personal Information Protection Law (the PIPL) grants the CAC overall coordination authority and certain regulatory power, but implementation and enforcement powers are largely left to departments under the State Council.
The PIPL does not give the CAC broad rulemaking authority to act on its own. Under the law, the CAC is authorized to coordinate related government entities to push rulemaking on personal data-related implementation rules and standards, as well as specific rules for sensitive data, facial recognition, AI, and other emerging technologies (PIPL Art. 62). For example, in January 2022, China issued a regulation on algorithms (the Internet Information Service Algorithmic Recommendation Management Provisions), where we see the MIIT, the MPS and China’s FTC-equivalent the State Administration of Market Regulation (the SAMR) are all listed in the signature block, in addition to the CAC.
The CAC is also tasked to work with other authorities to roll out regulatory programs such as digital identity verification, personal data protection assessment and certification, and a complaints lodging mechanism (PIPL Art. 62).
In contrast, the PIPL gives the CAC solo regulatory power in providing tools that facilitate outbound transfer of personal data, such as organizing security reviews and providing standard contractual clauses (PIPL Art. 38). Last October, the CAC alone issued the draft regulation on the security review of outbound data transfer. But this draft regulation also covers non-personal data. According to China’s Data Security Law (the DSL), if the outbound data transfer involves critical information infrastructure operators or “important data,” additional government authorities should be involved in setting up the rules (DSL Art. 31).
And unlike other countries’ data protection authorities, the CAC is not expressly given enforcement powers by the PIPL. Rather, according to the law, sectoral and local government administrative agencies play the primary role of enforcing the PIPL, to work on matters like privacy education, supervision, complaints, investigation, and penalties (PIPL Art. 60 & 61).
Other powers the PIPL grants to the CAC include a capacity to determine which organizations can bring “class-action” suits on behalf of impacted individuals, which companies need to appoint a data protection officer, and which law-violating foreign organizations should be blacklisted.
Peeking Into China’s Personal Data Regulatory Environment
In the near decade since the CCA Commission was founded, the chaotic nature of cyberspace administration persists in China. If anything, it has been exacerbated by the increasingly complicated environment, with rapid technologies and internet development triggering an unprecedented volume of new challenges.
Take a look at one of the most active fields of China’s privacy enforcement so far: data collection by mobile apps. Both the MIIT and the CAC, as well as other authorities, have demonstrated aggressive regulatory passion. The MIIT is the sectoral authority of industry and information technology. According to a MIIT official, the MIIT in 2021 tested the data practices of over two million mobile apps, finding that 1549 apps violated China’s data protection law and ordering 514 apps to be taken down. Not to be outdone, the CAC together with its regional branches also launched many rounds of enforcement actions targeting mobile apps’ data activities. For instance, the CAC required app stores to take down Didi-related apps in July 2021. Also, since 2016 when the CAC issued China’s first mobile app regulation (the Provisions on the Administration of Mobile Internet Applications Information Services), which impose privacy requirements on mobile apps, the CAC and the MIIT have both issued several related rules and proposed rules.
Meanwhile, the SAMR has been upgrading its efforts to punish personal data mishandling, with offline businesses’ activities that violate China’s consumer protection laws as a primary target. The MPS handles criminal cases relating to personal data and cyberspace. Reportedly, in 2021 the agency solved almost ten thousand cases about personal data mishandling. That said, neither the SAMR nor the MPS has been absent from the regulatory arena of mobile apps’ data mishandling. Both participated in a 2019 special work group targeting this particular area, and both have authored related rules or proposed rules (for example, the Basic Requirements for Collecting Personal Information in Mobile Internet Applications and the Provisions on the Scope of Necessary Personal Information for Common Used Mobile Internet). Other industrial regulators kept themselves busy too. In one recent example, the Bank of East Asia was fined over 2.5 million US dollars by the People’s Bank of China (China’s financial industry regulator) for misusing credit information.
The CAC’s roots are in online content regulation. This is still the case today. Interestingly, quite a few of the content-focused regulations recently issued by the CAC contain personal data protection requirements. One example is a recently released draft of the Provisions on the Administration of Deep Synthesis Internet Information Services, which requires service providers to notify their users to deploy privacy notice-and-consent if the services allow them to significantly edit individuals’ biometric data, like facial or voice data. In another rule-making proposal about the online protection of children, among the provisions that largely address online content issues to protect children is a chapter focused on the protection of children’s data.
In November 2021, the CAC independently released the draft Measures of Cyber Data Security Management. This lengthy document will supposedly be a major implementation regulation for both the DSL and the PIPL. This proposed rule clarifies some additional functionalities for the CAC, including receiving data incident reports and hosting records relating to “important data” processing. It also empowers the CAC to review cross-border data transfer even for “important data” and the data generated by Critical Information Infrastructure operators that is currently widely recognized as regulated primarily by the MPS.
Unless the CAC is given concrete investigative, regulatory, and enforcement powers—or some powers are stripped from other regulators—the CAC is not placed to lead China’s personal data regulation, nor is it capable of efficiently facilitating interdepartmental collaboration (as authorized by the PIPL). Consequently, regulatory uncertainties and inconsistencies will continue to create extra burdens on compliance work. With China’s personal data protection governance further unfolding, we hope to have a better understanding of the roles of the CAC and China’s other authorities, and that their relationships can be better aligned.
