China’s Privacy Conundrum

When Mark Zuckerberg testified before Congress last spring, he argued that regulating Facebook’s use of personal data would cause the United States to fall behind Chinese companies when it comes to data-intensive innovation like artificial intelligence. The implication was that Chinese companies are not constrained by privacy norms and will have an edge if U.S. companies like Facebook are hamstrung by data protection regulation.

But China may not provide Zuckerberg with a convenient counterargument against privacy rules for much longer. Contrary to Zuckerberg’s characterization, China is in the early stages of setting up a data protection regulatory system to police Facebook’s Chinese counterparts. Chinese companies are increasingly finding that the days of collecting data without public scrutiny are over—and Chinese consumers are vocally standing up for their own privacy in ways not seen before. For this reason, a number of scholars hailed 2018 as the year when the Chinese public awakened to privacy.

These developments are in striking contrast with the widespread perception of China as a surveillance state. That perception isn’t wrong: The government is using facial recognition and big data to control and monitor its citizens. Under recent legislation, authorities have enshrined the right to law enforcement access to data without due process. But what’s been easy to miss is that China’s embrace of high-tech government surveillance coincides with increased privacy protections for consumers. This strange dynamic means that, given federal inaction in the United States on consumer data protection, on paper, at least, Chinese consumers might soon have greater privacy from tech companies than American consumers, even as they are exposed to increasingly intrusive government surveillance.

China is no stranger to tidal shifts in public opinion leading to changes in government policy. In 2009, few people in China were worried about air pollution, much less aware of the public health risks. For a time, the U.S. Embassy was one of the few organizations that bothered publicly posting the daily air quality index in cities like Beijing. Fast forward 10 years: Air pollution is among Chinese people’s foremost concerns, and officials in major cities are in a frenzy to meet people’s demand for clean skies.

Something similar is happening with online privacy today. After years of Chinese internet companies building business models around Chinese people’s lack of awareness about privacy, users are getting angry about companies abusing their personal information. This growing privacy awareness emanates from people’s concern over data leaks, which often help scammers and criminals take advantage of unwitting Chinese individuals. The Financial Times reported that in a survey by the China Consumer Association, 85 percent of respondents said that their data had been leaked, including phone numbers sold illegally or bank account information hacked.

In a sign of changing attitudes, Robin Li, the once-revered founder of Baidu, China’s largest search engine, found himself on the defensive in March after he suggested in an interview that Chinese people would trade privacy for convenience. The remark inflamed simmering discontent among internet users upset with the Chinese search giant’s invasive data collection practices. Chinese state media reported on the outrage users expressed online, citing comments like, “Who told you we are willing to give up our data?”

The government is also in the early stages of building out a framework with rules for consent; personal data collection, use, and sharing; and user-requested deletion of data. The first milestone in China’s data protection system, a standard called the Personal Information Security Specification, took effect in May. Although the specification is not legally binding, government regulators have begun using various tools to persuade companies to comply. In early January, an auditor linked with the powerful Ministry of Industry and Information Technology published a list of 14 mobile apps that had “excessively collected sensitive personal data” without user consent. Inspectors put these companies (including the popular Chinese travel company Ctrip and the Tencent-owned music streaming service QQ Music) on a blacklist. These companies now face public pressure to change the way they handle user data. Then, less than three weeks later, the four top internet regulators issued a joint announcement stating that they would evaluate 1,000 mobile apps from online payment to food delivery services to assess how they collect personal data. Those with unsatisfactory results will have their business licenses revoked.

These actions on privacy issues have turned China into “a surprise leader in Asia on data privacy rules,” according to the Financial Times, showing an acute disjuncture between privacy from commercial surveillance and privacy from government surveillance. While Chinese citizens will soon have broad protections from commercial data collection, they’ll likely continue to experience growing, perhaps total, government surveillance. Indeed, even as the Chinese government grows increasingly willing to scold tech companies for overstepping the bounds of reasonable data collection, it has indicated no willingness to curb its own surveillance capabilities for the sake of individual privacy.

The split identity of China’s privacy push was on display at a recent gathering in Beijing hosted by a mainstream state-owned media outlet called Southern Metropolis Daily that honored pioneers in the field of data privacy. “Privacy is engraved deeply in our genes,” one of the award recipients, Yang Geng, said in his speech. Previously the chief security officer at Amazon China and Xiaomi (a top Chinese consumer electronics company), Geng is passionate about building technology to protect privacy and recently founded a startup that has developed privacy tools. Only a few years ago, the prospect that such an event would take place would have been nearly unthinkable. Geng described the situation frankly: “Many Chinese friends [said], ‘Chinese people don’t care about privacy. Your products won’t be demanded by the market. … And what Chinese person in their right mind would fucking dare use privacy protection tools made by a Chinese company?’ ”

He persisted and developed a search engine called LeakZero that does not track users. LeakZero even has an encryption tool that can be used inside apps like WeChat (China’s “super app,” which offers group texts, payments, games, news, and dozens of other embedded services to about 1 billion monthly users). However, the primary hurdle Geng faces is not consumer trends but the disposition of the Chinese government. Unlike in other countries, no major app in China, with the exception of Apple’s iMessage, offers encryption. It is not clear, however, whether Geng will be permitted to offer these tools in China since they could hinder the government’s surveillance capabilities. In the end, he may have to shut down his app or provide a backdoor giving the government access.

But the Chinese government isn’t letting the lack of resolution on these questions stand in the way of its big plans for consumer privacy. Just six months after the Personal Information Security Specification took force, the standard’s drafters are discussing revising it to close loopholes that allow companies to comply while continuing excessive collection of personal data.

The hope is to build a Chinese data protection regime that is uniquely suited to China: one that builds consumer trust in a thriving digital economy but does not undermine the government’s ability to maintain control. The drafters of the specification drew on concepts from the European Union’s General Data Protection Regulation but sought to make it fit China’s system. The idea of China looking to the strictest privacy legislation in the world seems counterintuitive, if not downright strange. But with U.S. inaction on federal data privacy and consumer rights, China and Europe now stand as the only two models out there offering guardrails against invasive data collection.

China is not the only country with a split personality when it comes to privacy: In the United States, the Supreme Court provides fairly strong privacy protections against government data collection, but the country still lacks a comprehensive consumer privacy law. In Europe, the focus is flipped, with strong controls on businesses and relatively high trust in government data collection practices. The seeming contradiction in China is actually consistent with its internet governance model over the past decade: build consumer confidence and internet usage while also maintaining government control.

The main hurdle to Beijing’s ambitions to shape global privacy standards may be the unresolved contradiction in how the new rules play out in practice. This manifests in the conflicting guidance within Chinese law. For example, China’s e-commerce law requires companies to delete user data but also mandates that companies retain data to assist with government investigations for national security. China’s cybersecurity law requires consent to collect personal information, but it also grants the government new powers to demand that companies turn over more information on users through random inspections of internet service providers, making it increasingly difficult for users to be anonymous online.

Enforcement is also an open question. In China, there are many rules on the books that are ignored in practice, except when officials choose to make an example of someone. However, cyberspace is one area in which the government does often flex its muscles, as evident in the recent sweeping crackdowns on Chinese internet platforms for content violations.

Chinese tech companies are sometimes caught in the middle. Didi, the country’s main ride-sharing company, resisted turning over data to law enforcement authorities after two users of the app were recently murdered; the company cited privacy as a justification. Didi had not been in compliance with a requirement to connect its online service database (which included information about users, drivers, vehicles, routes, etc.) with a government supervisory platform. The spat stirred up debate among Chinese scholars about whether real-time data access violated consent requirements in China’s cybersecurity law.

Yang Geng is breaking new ground by giving Chinese users a way to encrypt texts on their mobile apps. But he is clear-eyed about the challenges ahead. Geng noted to his WeChat followers: “Nothing is absolute. [It is] true there is more surveillance [in China], but that does not mean there is no privacy.”