I. Introduction
On 10 September 2018, the Standing Committee of the 13th National People’s Congress (NPCSC) of China updated its legislative plan. This new plan, for the first time, put the Personal Data Protection Law onto the first of its three lists that await drafting and deliberation. The draft laws on this list 『should be submitted to the NPCSC for deliberation by the end of this session (March 2022) when the conditions are ripe』.[1] This new NPCSC legislative agenda suggests that enacting a comprehensive law in the area of data protection has become a consensus among Chinese leadership. Accordingly, this new agenda ends the longstanding speculation among Chinese scholars and foreign observers about the direction of the development of China’s data protection regime.[2]The new agenda also represents a significant victory for the advocates of the global development of comprehensive data protection law.[3] Now, the only country with global political and economic power, which has no plan to enacta comprehensive data protection law at the national level, is the United States.[4]
The new hopes bring new challenges. Listing the data protection law within the NPCSC’s legislative plan does not necessarily mean such a law will be implemented in the due time. This study found that only less than half of the draft laws in the NPCSC’s legislative plan finally become laws.[5] More importantly, even after such a law has been created, whether it can effectively protect citizen’s privacy is questionable. Thus, a new fundamental question for Chinese lawmakers and academics is: What are the challenges for creating a workable data protection law in China? Given that the drafting of such a law is in the initial stage, a more specific question to address is: What policy and legal recommendations Chinese lawmakers should refer to when attempting to overcome these challenges?
The existing research has provided little help for addressing the aforementioned questions. Some Chinese scholars started to pay attention to data protection in the early 2000s.[6]In more recent years, the discussion on data protection law in Chinese law journals has been increasing. However, the current discussion only focuses on guiding principles and spirits of China’s future data protection law and has yet to provide details.[7] The discussion in the English academic literature has also been limited. The works of Graham Greenleaf had, for many years, served as the main source of knowledge on the development of China’s data protection regime in English academia.[8] In recent years, other scholars outside of mainland China have written in-depth academic articles on some specific topics, such as China’s Great Firewall, the real-name registration system, and the Cybersecurity Law (網絡安全法).[9] Nevertheless, the questions regarding the future of China’s data protection law remain largely underexplored.
This article examines the current obstacles to the creation of a workable data protection law in China. This article’s discussion is based on Cooter’s theory of market modernisation of law.[10] According to this theory, various forces are the impetus for the law reform. Among these forces, most noticeable is the State, market (industry), and the public. Lawmaking processes driven by different forces reveal different features and lead to different outcomes.[11] Accordingly, the questions of this study are approached by examining the challenges resulting from these three major elements: information and communications technology (ICT) development strategies, existing legal framework, and public demand for data protection.In this article, data protection refers to the fair and proper use of an individual’s information, and right to privacy refers to the right to protect an individual’s private life from unwanted scrutiny. In the concluding section of this article, I argue that State-driven development and industry-driven development are still the main force for shaping future data protection law. The dominance of a top-down approach poses serious challenges for creating a law that can offer meaningful protection for individual privacy. Therefore, more balanced development is desirable. Fourbasic policy and legal recommendations are provided at the end.
II. ICT development strategies and their challenges for China’s data protection
The challenges to the creation of China’s future data protection law are rooted in the existing legal regime andare also from the spectacular development of the ICT industries, which are strongly supported by an array of national development strategies. Unlike the right to privacy, which does not expressly have constitutional protection, the policy support for industrial development has a solid constitutional basis. Chapter I of the current Chinese Constitution is entitled 『General Principle』. Article 14 of this chapter provides that the State has a duty to promote and popularise advanced science and technology to 『continuously improve labour productivity and overall economic performance』.[12] WhenChina decided to carry out an informatisation strategy in the late 1990s, it was unlikely that Jiang Zemin, Zhu Rongji, or anyone else in the leadership at that time could have imagined how significant this reform would be two decades later for reshaping China’s economy and society.[13]ICT, which was initially considered a tool to enhance traditional manufacturing industries, has become one of China’s most crucial industries and has been an essential component in the transformationof China into an industrial superpower in the near future.[14]These strategies are significant for economic development and have a profound impact on the protection of ordinary Chinese citizens』 basic rights and interests. This section examines China’s ICT development policies and analyses their impact on data protection. It argues that the new wave of ICT development strategies tends to erect serious barriers to the creation of an able data protection law.
A. Overview of new ICT development strategies
In 1997, the Chinese leadership began to display a welcoming attitude towardsthe emergence of ICT when the 15th National Congress of the Chinese Communist Party called for 『promoting the informatisation of the national economy』.[15]In 2006, the State Council issued the 『State Informatization Development Strategy 2006–2020』(2006 Informatization Strategy).[16] This Strategy outlines nine strategic focuses and six action plans.[17] It highlights the importance of data and defines it as an important production factor, a virtual asset, and the wealth of society.In 2015, the Chinese government reinforced its policy support for informatisation with the issuance ofdevelopment strategies. Among these strategies, the most noticeable is 『Made in China 2025』 (MIC 2025) issued in May 2015. The MIC 2025 targets a wide range of key areas: high-end computerised machines and robots, space and aviation, maritime equipment and high-tech ships, to name a few, are on its development list. The MIC 2025 is intended to transform China from a large manufacturer (in terms of quantity) into a strong manufacturer (in terms of quality) by 2025.[18] The 2055 deadline for MIC 2025 is only intermediate, and the ultimate goal is far bolder—the transformation of China into one of the most advanced and competitive manufacturers in the world by 2049.[19]
The ICT industry gained important policy support in March 2016 with the passage of the comprehensive 13th Five-year Plan for Economic and Social Development of the People’s Republic of China (13th FYP) by the Fourth Plenary Session of the 12th National People’s Congress (NPC).[20]According to this Plan, ICT is the highest priority sector under development. Shortly after the passage of the 13th FYP, the State Council issued an informatisation-specific 13th FYP.[21] This specific plan declares itself to be 『the Guide for Action on the development of informatisation in various regions and various circles』and has the stated goal of achieving significant progress in the construction of 『Digital China』 (數字中國)by 2020.In addition to outlining ten key development areas and specifying 12 accompanying priority tasks, this Plan designates 74 major projects and determines relevant ministries and committees as responsible bodies for the implementation of these projects.[22]
In August 2015, the State Council issued 『the Outline of Action Plan for Promoting Big Data Development』.[23]One year later, the Ministry of Industry and Information Technology issued the Plan for Big Data Development.[24]According to these two strategies, big data is 『an important and fundamental strategic state resource』, which is 『a new engine that will accelerate economic transformation and reshape the State’s competitiveness』 and 『a new path for enhancing the government’s governance capacity』.[25]The 13th FYP calls for the establishment of a 『unified and open government data platform』 and encourages technological development in data collection, storage, analysis, visualisation, and protection.[26]The goal of this Strategy is to fuel the development of new data-consuming ICT industries, such as cloud computing, the Internet of things, 3D printing, and artificial intelligence (AI).[27]
『The Guiding Opinions on Actively Promoting Internet Plus』, issued by the State Council in July 2015, is an important step for accelerating the development of newgeneration ICT.[28]This Strategy is intended to promote the use of the Internet for sharing production factors and to improve the efficiency of resource allocation. This Internet Plus strategy covers a wide range of areas, including entrepreneurial ventures, manufacturing, agriculture, energy, finance, public welfare provision, logistics, commerce, traffic, the environment, and AI.The chief goal of this Strategy is to significantly enhance China’s overall manufacturing competitiveness in the world by 2025.[29]
Probably the most far-reaching policy development in the area of ICT industries came in July 2017, when the State Council issued the Development Plan for New Generation AI.[30]According to this Plan, AI is a major impetus for industrial transformation and a new engine for China’s economic growth. The goal of this Strategy is to transform China into a world centre for AI research and development by 2030.This Plan also stresses the importance of AI for social transformation, deeming it a powerful tool for overcoming long-term social challenges, such aselderly support, healthcare, and the environment.[31] A substantive step forward in implementing the AIstrategy came in November 2017, when the Ministry of Technology designated four Open and Innovative AI Platforms. Each platform has a private technology company as its chief development supporter.[32]
B. Challenges of the new ICT development strategies on data protection legislation
How significant the new wave of ICT development strategies will influence China’s social and economic development is a topic under serious dispute. However, even the most cautious foreign observers admit that China is likely to succeed in elevating some key manufacturers to fierce competitors in the global market.[33] While applausive from the perspective of economic and social development, these strategies tend to pose serious challenges to the development of data protection law. Three main challenges are discussed in detail below.
First, technological development resulting from the implementation of these strategies tends to increase the threats to individual data privacy.[34] A wide range of researchers has warned that the advance in ICT technology tends to providethe government and technology companies unprecedented powers to track and profile ordinary individuals on a large scale.[35]Chinese security agencies do not hesitate to use new ICT technologies to facilitate the exercise of their functions and powers. Technology companies have helped public security agencies develop various surveillance systems by using big data and cutting-edge voice and face recognition technologies.[36]Facial recognition glasses and AI-powered cameras have been used in Chinese cities, such as in the cities of Beijing, Zhengzhou, Qingdao, and Wuhan.[37] Because of the adoption of more active and stricter monitoring measures in the Xinjiang Uyghur Autonomous Region, this subnational unit in China was described by foreign observers as 『hi-tech surveillance laboratory』.[38]Probably the most far-reaching use of ICT technologies is the Social Credit System (社會信用體系). After its completion, by 2020, this Systemwill rate the trustworthiness of 1.4 billion citizens by analysing their social behaviours and collecting fiscal and government data.[39]The advance in technology has imposed serious threats to the protection of citizens』 data privacy and, accordingly, has been increasing the challenges for lawmakers because they must figure out better legislative solutions to handle these threats when drafting the data protection law.[40]
Second, thesestrategies do not pay adequate attention to data protection. Although these strategies do incorporate requirements on data security, these requirements are generally short and ambiguous, which is in sharp contrast to the comprehensive and detailed requirements on technological development. The 2006 Informatisation Strategy, for example, calls for acceleration of the legislation on informatisation.[41] This general legislative requirement appears in the 『safeguard measures』 section, rather than the 『strategic objective』 or 『key task』 section, suggesting that this requirement plays a merely subordinate role in this strategy.[42] The 2015 Outline of Action Plan for Promoting Big Data Development promotes theimmediate acceleration of the drafting of laws and regulations on big data. This Outline provides some legislative requirements, including promoting the legislative work on the ownership of data resources and enacting the Management Measures for the Information Resources of the Government. Until now, neither of the aforementioned legislative plans has been completed at the central level. Relevant innovative legislation on big data at various local levels is also scarce.
Third, the ambitious development objectives coupled with relatively limited time for completion tends to further upset the balance between industrial development and data protection. These development strategies set specific dates for completion and provide concrete development objectives. For example, only seven years remain to achieve the comprehensive development objectives set by the MIC 2025.[43] Another example is the 2016 Plan for the Development of Big Data, which requires that seamless data flow between various governmental agencies be achieved by the end of 2017, and that a 『unified open platform for nationwide government data』 be established by the end of 2018.[44] Such limited time for completion would inevitably lead to the hasty implementation of relevant strategies, which would increase the pressure on Chinese lawmakers who may not have a sufficient amount of time to react to the new legal challenges arising from the accelerated development of the industry. Even more serious is that such hasty implementation has the potential to achieve great leaps in industrial development at the expense of network security and data privacy.
III. Current legal framework on data protection remains very weak
Despite consistent legislative efforts, the legal development in the area of data protection in China remains in the early stage. Unlike the sectoral laws in the United States, which are more focused on the public sector, Chinese laws provide citizens with some basic protection against private network operators but leave data processing in the public sector largely unregulated.[45]The legal rules on data protection are scattered within various types of law, including national laws (promulgated by the NPC), administrative regulations and rules (promulgated by the State Council and its ministerial bodies), and local regulations and rules (promulgated by local people’s congresses and governments). Although the promulgation of the Cybersecurity Law in 2016 puts China onto a path in line with global trends in data protection law, the current legal protection remains weak. This section examines China’s existing data protection regime by mainly focusing on four laws, including the Chinese Constitution, the civil law, the criminal law, and the Cybersecurity Law. This section concludes that the current data protection regime reveals some inherent limitations that impose serious obstacles for China to immediately create a workable data protection law in the near future.
A. Unpreparedconstitution and underused civil law
The current Chinese Constitution, promulgated in 1982, does not expressly recognise the right to privacy. Nevertheless, two relevant constitutional provisions are notable. Articles 39 and 40 protect citizens』 residences against unlawful search and their freedom and confidentiality, respectively. Such constitutional protection makes China analogous to the United States, whose constitution does not expressly mention privacy as a right either.[46]The constitutional protection of privacy in the United States was developed later through case law during the 20th century. In the landmark 1967 case, Katz v United States, the United States Supreme Court ruled that privacy can be protected under the Fourth Amendment, which concerns protection against unreasonable searches and seizures.[47] Can China, similar to the United States, take the case law approach to create a constitutionally protected right to privacy? The answer would have to be 『No』.The main reason for this answer is that China does nothave similar judicial mechanisms for the application and broad interpretation of the Constitution.[48]
The 1986 General Principle of Civil Law (民法通則), China’s de facto civil code, does not recognise the right to privacy. Nevertheless, the subsequent judicial practice has created a private cause of action for unlawful disclosure of a citizen’s private information. Such disclosure, according to the courts, has infringed on a citizen’s right to a reputation or personality.[49] The right to privacy as a separate civil right was formally recognised in 2009 with the promulgation of the Tort Liability Law. Since then, the right to privacy has a legal status equivalent to the rights of reputation and personality.[50]The latest development was in 2017, with the promulgation of the General Provisions of Civil Law (民法總則). Article 111 of this Law claims to protect citizens』 personal information—『Any organization or individual who needs to obtain another’s personal information should obtain it lawfully and ensure its security』.[51] The statement under Article 111 suggests that Chinese lawmakers tend to expand the scope of protection on data privacy. Compared with the tort privacy protection, this new data protection under the General Provisions of Civil Law is broader in scope. For example, the failure to correct personal information in a timely manner is not actionable under the tort privacy remedy because the data subject’s privacy is not compromised. However, this failure might be actionable under the new tort data remedy because it weakens data integrity.
The continuous development of civil law for data protectionis not parallel to the increase in judicial cases. Relevant legal provisions have proven to be largely underused by the court. A 2016 empirical study on privacy-related cases in China found that at that time, the total number of privacy-related cases adjudicatedby Chinese courts was only 313.[52]Although the social media occasionally reported the cases, in which the courts ruled for the plaintiffs, such court rulingsshould not be regarded as the norm. The author’s interviews with judges in several local courts have demonstrated that cases concerning privacy invasion handled annually by these courts are rare.[53] The scarcity of cases shows that the utility of a tort remedy for privacy invasion is severely limited.[54]One main reason for the scarcity is that the judicial proceedings are costly while the possible compensation for victims is relatively low. A more fundamental reason is related to value conflicts. The tort remedy for privacy invasion hardly prevails when it encounters conflicts with longstanding social values. The following three cases illustrate such conflicts: (1) The husbandcirculated the phones of his wife and her lover in their workplaces to humiliate the latter two; (2) a high school showed video clips of two students kissing each other at the back of the classroom; (3) a social media outlet published a lengthy article about a young woman’s adulatory activities with a movie star, which lead to the suicide of her father, who suffered financial and psychological pressure from his daughter’s adulation.[55] The victims whose privacy was invaded in the aforementioned three cases, namely, the wife, the two students, and the young woman, filedlawsuits in the local courts. But none of the court rulings supported their claims.
The main reason for losing courts』 support for the claims of these three victims is that their previous so-called immoral behaviours challenged the common values of the collective, which are rooted in traditional Confucian heritage and socialist ideologies.[56] These collectivist values in the aforementioned cases refer to marital loyalty, expectations of behaviour, and filial piety, respectively.[57] The courts do not want to satisfy plaintiffs』 demands for privacy protection at the expense of collectivist values because the courts might cause wide public dissatisfaction and instability, which would contrast with the longstanding policy of the Supreme People’s Court that 『the satisfaction of the people is the benchmark for determining the success of judicial reform』.[58] The three cases illustrate that although traditional collectivist values have been senescing and the right to privacy is being increasingly respected, the Chinese court still hesitates to offer a civil remedy for the invasion of privacy for avoiding conflicts with collectivist values. This phenomenon can to some extent explain why relevant legal provisions in Chinese civil law are underused in practice.
B. Criminal law: low thresholds and selective enforcement
The original Criminal Code, promulgated in 1997, did not offer protection for personal data. The criminal law protection on data is created by law amendments and the interpretations of the Supreme People’s Court.[59]The 2009 Seventh Amendment of the Criminal Codeforbids the theft, sale, or provisions of the personal data of citizens obtained during the provision of services or the performance of duties by public service providers. According to this Amendment, an offender, if the circumstances are serious, could be sentenced to imprisonment or criminal detention of no more than three years and/or a fine.[60] The Ninth Amendment, promulgated in 2015, expands the scope of protection to all public and private sectors and provides for an increase in the maximum penalty to seven years if 『the circumstances are extremely serious』. The latest development in criminal law for data protection was in 2017, when the Supreme People’s Court and the Supreme People’s Procuratorate jointly issued 『the Interpretation of the Application of Law to Handle Criminal Cases regarding the Misuse of the Personal Information of Citizens』 (IALHCC). This judicial interpretation provides detailed rules for determining what could constitute a serious circumstance.
A notable feature of China’s criminal law protection on data is its low thresholds for criminalising data abuse. According to the IALHCC, Stealing more than 50 items of sensitive personal data is sufficient to constitute the 『serious circumstance』. These data include those about citizens』 whereabouts, communication contents, credit, and property. For less important but sensitive data, such as data about citizens』 accommodation, communication records, health status, and transaction, the minimum quantity of data involved for incurring criminal punishment is 500 items. For other ordinary personal data, the minimum number is 5000 items. If the offender is a staff member of a government agency or a public service provider, the threshold is even lower; for them, the minimum quantity of data for incurring criminal punishment is half the aforementioned minimum quantities.
Given the low threshold for incurring criminal punishment, data abuse in China shouldhave been significantly curbed,but the reality tends to reveal a different story: data abuse has been increasingly rampant in recent years. Business operators in many sectors have an open secret that they use myriads of unlawfully obtained personal data to satisfy their commercial needs. Ordinary Chinese individuals receive unwanted sale emails, calls, and messages on a daily basis.[61] The data abuse is often associated with crimes, in particular, financial fraud. A 2016 survey report of the Internet Society of China estimated that the total financial loss caused by the data misuse reached RMB 91.5 billion, averaging RMB133 per Netizen.[62] The rampant data abuse indicates that the enforcement of punitive provisions in criminal law is far from adequate. One main reason is that due to the lack of human and financial resources, enforcement agencies only select the most serious offences to investigate and prosecute. The detected cases usually involve hundreds of thousands of pieces of personal data. Less serious but criminally punishable cases, which account for the vast majority of total offences, have escaped from criminal punishment. Such a selective approach for enforcing criminal law is probably a major reason for the low arrest and prosecution rates.[63]
C. Cybersecurity Law: A turning point towards widely accepted international standards
A notable legal development for data protection came in 2016, with the promulgation of the Cybersecurity Law. This Law represents the latest efforts of Chinese lawmakers to systematically curb the increasing wrongdoings in cyberspace and improve the overall level of network security. Chapter 4 of this Law, entitled 『Network Information security』, contains ten provisions. These provisions set out an array of protection rules, which can be categorised into eight general requirements for network operators: (1) notice and consent; (2) purpose limitation; (3) data quality; (4) transparency; (5) security; (6) correction; (7) data localisation and restrictions on data exports; and (8) accountability. Among these requirements, the strict data localisation requirement can best reflect the feature of China’s Cybersecurity Law because it is based on the national government’s claim to cyberspace sovereignty and security. The incorporation of this requirement into the Cybersecurity Law has caused wide concerns among foreign and domestic companies. The adoption of these data localisation requirements tends to facilitate government surveillance and law enforcement and to hinder the expansion of business activities.[64]The chilling effect on the activities of foreign Internet companies has been observable because some companies had decided to withdraw their cloud service from China.[65]
Given that the main objective of the Cybersecurity Law is network security, and only a part of this Law deals with data protection, it is difficult to regard this Law as China’s first data protection law. Nevertheless, this Law suggests a milestone for China’s data protection in the sense that its data protection requirements are more comprehensive and broader than those in any previous laws and regulations. Compared with common elements found in other jurisdictions』 data protection laws, the Cybersecurity Law does not incorporate the right of access to an individual’s own personal data. Nevertheless, these requirements under the Cybersecurity Law are generally in line with the widely accepted requirements of the Privacy Guidelines issued by the Organisation for Economic Co-operation and Development (OECD) in 1980 (1980 OECD Guidelines) and the 1981 Council of Europe Data Protection Convention (CoE Convention). Given that these two early international agreements have become the essential elements of data protection legislation of the European Union (EU)and many other countries, the Cybersecurity Law leads China towards a path in line with global trends of data protection law.[66]
From a comparative perspective, the significance of the Cybersecurity Law for the creation of future data protection law should not be overestimated. The 1980 OECD Guidelines and the CoE Convention present an early attempt to provide basic data protection rules, mainly for the purpose of levelling the regulatory playing field for cross-border data flow at the global level.[67]Subsequently, in the last four decades, the global overall level of protection has undergone consistent development, and more than 120 countries have promulgated their data protection laws.[68] These laws generally incorporate higher requirements, which were first introduced by the 1995 EU Directive.[69] It is predictable that the General Data Protection Regulation (GDPR), which replaced the 1995 EU Directive in May 2018, would exert even greater influence on enhancing the overall level of data protection globally.[70] Compared with the significant global development, the level of protection set by the Cybersecurity Law is too low. China’s current level of protection is slightly lower than the 『global standards』of the early 1980s and much lower than the 『European standards』of the mid-1990s. The promulgation of the GDPR further enlarges the regulatory gap between China and the EUin the area of data protection. Such a low starting point means that China’s future data protection legislation must 『run』 faster to catch up with the global trends. This increased speed tends to increase the challenges to the creation of future data protection law.
D. Standing on the shoulder or in the mud? Limitations of the current data protection regime
The consistent development of China’s data protection regime in the last two decades has been achieved by adopting a sectoral approach.[71]As a result, relevant laws, regulations, and ministerial rules have been promulgated. These legal documents have a cumulative effect andhave built the legal framework in an incremental manner. Most notable is the enactment of the Cybersecurity Law, which turns China towards a path in line with global trends in data protection law.As aforementioned, the NPC has proclaimed to enact a comprehensive data protection law. Chinese lawmakers hope such a law would automatically provide protection for personal data in newly emerging areas, avoid an unequal imposition of burdens in closely related areas, and improve the image of data protection in the international community. One question that should be answered is: Have the cumulative effects from twodecades of legislation been sufficient such that this legislation could immediately lead to the enactment of a data protection law in China? The enactment of such a law must overcome at least four main obstacles as follows.
First, the commitment to uphold the primacy of public security tends to pose serious threats to an individual’s data privacy. Security has long been an overarching value in China’s legislation.[72]This value has three main manifestations: Cybersecurity, public security, and national security. The title of the Cybersecurity Law illustrates the commitment to uphold Cybersecurity. Aiming to curb unlawful online activities, China has implemented comprehensive real-name registration rules since 2003.[73] Such implementation tends to significantly undermine online anonymity and, therefore, poses a serious threat to data privacy. The commitment to uphold public security and national security is observable in the area of criminal law. The Criminal Procedural Law, the Counter-espionage Law, and the Counter-terrorism Law grant broad investigatory powers to public security agencies, allowing them to collect and use personal data for the purpose of detecting and investigating criminal suspects. All three laws incorporate prohibitive provisions on the collection and usage of data and state that the data collection and usage should be 『in line with relevant State rules』 and should go through 『strict approval procedures』. However, by far, these 『State rules』and 『strict approval procedures』 have not been in place. The absence of meaningful legal control over public security agencies』 collection of personal data is probably intentional—it could leave the Chinese government unfettered in the development and usage of surveillance technologies, which have proven to be effective regulatory tools in criminal investigations.[74]The general empowerment of investigatory powers, combined with the lack of relevant meaningful legal control, tends to make ordinary citizens subject to excessive government data mining and profiling on a large scale.[75]
Second, the legal provisions on data protection are ineffective in general. In December 2017, six months after the Cybersecurity Law went into effect, the NPCSC conducted an investigation on the implementation of this Law. The Report of the NPCSC admits, 『the work of personal information protection encounters was severely difficult』. According to this Report, 52.1 per cent of the total randomly interviewed 10,370 citizens held that the compliance of website operators with data protection requirements was not satisfying.[76] The author’s recent empirical findings are in line with that of this Report. The author finds that 69.6 per cent (348) of the 500 most popular Chinese websites have disclosed their privacy policies. In these privacy policies, purpose limitation has the highest compliance—325 privacy policies have claimed compliance, accounting for 63.4 per cent of the 348 privacy policies. The compliance with the other seven requirements of privacy policies is much lower, ranging from 48 per cent to 63.5 per cent.[77] The official NPCSC Report combined with the author’s empirical findings suggest a significant gap between data protection requirements on paper and the protection in practice. Chinese lawmakers call for hastening the implementation of data protection legislation and hope a sweeping new law could overcome the effectiveness problem. However, if the existing legal provisions in various laws remain ineffective and such ineffectiveness has been a longstanding problem in the rights-protection legislation, how could a new omnibus data protection law be expected to make a significant difference?
Third, a unified supervisory system has not been created. At present, the responsibility of supervising data protection in China is divided into various government agencies. The People’s Bank of China (China’s central bank), for example, is responsible for data protection in the financial industry. The lack of a united supervisory authority significantly affects the enforcement of data protection legislation. In the EU, an independent Data Protection Authority is deemed to be the key element of the enforcement regime.[78]Unified oversight for data protection would level the regulatory playing field, whereas the currently scattered supervisory system tends to cause inconsistent implementation of legal requirements and impose an unequal burden of compliance across different sectors.[79]Because none of the existing supervisory authorities regard data protection as part of their main responsibilities, they do not pay adequate attention to data protection work. For example, although the People’s Bank of China bears the exclusive responsibility for data protection in the financial industry, its primary mandate is 『formulating and enforcing monetary policies, preventing and addressing financial risks, and maintaining financial stability』. If China’s future data protection law does not create an able supervisory authority exclusively in charge of overall data protection work, the legal requirements in that law would be difficult to enforce.
Drawing on the aforementioned analysis on the existing data protection regime, it seems that whether a comprehensive data protection law can be enacted in less than five years as the NPCSC planned is questionable. The key reason is that the three aforementioned longstanding legal obstacles might be difficult to resolve in such a short time. The ineffectiveness of the existing legal provisions remains unsolved. An independent supervisory authority is a fundamental element of most data protection laws worldwide and has not yet been established in China. The greatest obstacle is probably the conflicts between privacy protection and public security preservation. If China’s future data privacy law fails to provide meaningful legal control over data collection for the purpose of criminal investigation, such a law is a cosmetic measure for boasting about human rights development in China at best, and a new instrument to facilitate government surveillance at worst.
IV. Scholars, the public, and lawmakers: still wandering at the crossroads
The Chinese national government, for the first time, considered enacting an omnibus data protection law in the early 2000s. The responsible drafting body at that time was the Informatisation Working Office (IWO) of the State Council (國務院信息化化辦公室). The drafting work started in 2004 but suddenly came to an end in 2008, when the IWO was disbanded.The only major legacyof that timewas two expert-suggestion draft laws funded by the IWO. These two law drafts were drafted, respectively, by Qi Aimin from Guangxi University and Zhou Hanhua from the Chinese Academy of Social Science.[80] Both law drafts were largely modelledafter the EU regulatory model. Thus, the level of protection offered by these two law drafts was fairly high. Graham Greenleaf concluded that the principles in the laws went beyond what was required by the 1980 OECD Guidelines and, in principle, met what was required by the 1995 EU Directive.[81]
In recent years, an increasing number of Chinese scholars have joined in the discussion on how to build a workable data protection law in the Chinese context. Nevertheless, the current scholarly discussion is in an initial stage. Unlike the aforementioned early research that resulted in two comprehensive EU-style law drafts, nowadays, scholars move forward more carefully. They focus more on fundamental questions like what guiding principles for data protection legislation should China adopt. The emphasis of the current scholarly discussion is data flow and data usage. In his 2015 article, Zhang Xinbao suggests enhancing the protection of personal sensitive information and relaxing the restrictions on the use of less-sensitive information.[82] With respect to data usage, GaoFuping’s suggestion is even bolder. In his 2018 article, Gao asserts that personal data is associated with the interests of other citizens and society as a whole; therefore, its use should not solely be determined by data subjects.[83] Another recent suggestion was made by Zhou Hanhua in 2018. In his article, Zhou argues that the prohibitive rules in the existing legal regime cannot adequately prevent data abuse, and the future data protection law should pay attention to providing sufficient incentives of protection for data controllers.[84]
The consciousness of data protection in China has been increasing over time. Although difficult to measure, such an increase is supported by evidence from two areas. Frist, the Chinese government intentionally holds propaganda and education work on network security through various means, such as newspapers, government websites, microblogs, radio, and television. The official report states that during every awareness week, which is usually in September, more than 10,000 lectures and exhibitions are held, covering approximately 200 million persons annually.[85] The second area of evidence reflecting the development of popular awareness is data abuse. The rampant data abuse causes huge financial and emotional losses and creates distrust in society.[86] Nevertheless, such rampancy, if its lessons are summarised and learnt properly, can also be helpful for the development of the public consciousness of the right to privacy. Chinese media has revealed a series of major incidents about data abuse. These incidents shocked the whole country, and serve as lessons showing the importance of data security, and therefore play an important educational role in data protection. Two recent incidents are provided for illustration as follows.
A. Xu Yuyu case:
On 19 August 2016, a phone call reached Xu Yuyu, an eighteen-year-old high school graduate in Shandong, instructing her to deposit RMB 9,900 in a bank account as tuition fees for college. Xu followed the instruction. Two days later, having realised that she had been the victim of a fraud, Xu became very depressed and died as a result of sudden cardiac arrest.[87]One month after the death of Xu, the suspects were detected and arrested. The suspects confessed that they had obtained a large number of students』 personal information by hacking into the database of the local education bureau. The key reason for the quick detection and prosecution of the suspects should be attributed to the nationwide outcry following Xu’s death.
B. Alipay Incident:
On 3 January 2018, Alipay, the largest third-party mobile and online payment platform in China, released a user’s 2017 annual bill.[88]The social media revealed that by using a very small font, the bill provided a checked-by-default option that allowed its credit scoring system to access user data. This incident raised widespread public concern about excessive data collection by technology companies. Two days after the incident, the Director of the Bureau of Coordination for the Network Security of the Cyberspace Administration formally talked to one of Alipay’s executives.[89]Four months later, the Hangzhou Branch of the People’s Bank of China imposed a fine of RMB 180,000 on Alipay for excessively collecting consumers』 financial information and inappropriately using consumers』 financial information.[90]The Alipay executive responded with a very cooperative attitude and promised that the company had 『learnt a profound lesson』 and would 『conduct a comprehensive rectification』.[91]It is predictable that without the increase in wide public concern, the Cyberspace Administration and the People’s Bank of China would be unlikely to take punitive actions in such a prompt manner. Alipay showed a good attitude and not because it feared the imposition of fines—the total revenue of this super unicorn in 2017 reached USD 8.9 billion.[92] Such a good attitude is likely more attributable to the fear of damaging Alipay’s image and losing its consumers. In this sense, the development of a consciousness for data privacy was keyin correcting Alipay’s wrongdoings.
In the long run, the increase in public consciousness for privacy protection hasa profound impact on the development of China’s data protection law. Chinese law does not provide its citizens a right to directly air their legislative demand to the NPC.[93] The public’s legislative demand can only be formally voiced by its representatives in the NPC.According to the Law on Legislation, a group of NPC deputies may jointly submit legislative bills and written suggestions to the NPC or its Standing Committee for deliberation and voting.[94] In March 2009, during the Second Plenary Session of the Chinese People’s Political Consultative Conference, some deputies, for the first time, suggested restarting the research and drafting work of data protection law.[95] A recent effort was made in March 2018,when many deputies jointly submitted a written suggestion regarding enacting data protection law to the First Plenary Session of the 13th NPC.[96] Among these aforementioned suggestions, the most detailed was submitted by Sun Xianzhong. Sun is an NPC deputy and a civil law professor at the Chinese Academy of Social Science. Compared with the EU-style draft laws of Qi and Zhou, Sun’s suggestion is more practical. In his suggestion, Sun argues that the current legal protection on personal data is inadequate because these laws merely offer 『protection for the downstream stage』, namely, providing remedies for injured victims. The legal control over various aspects of data processing, namely, collection and storage, is largely inadequate.[97] Therefore, he suggests enacting a comprehensive law to provide systematic protection.[98]
Although NPC deputies are increasingly active in submitting legislative suggestions, the utility of such submission is very limited. Until now, no legislative suggestion submitted by ordinary deputies has been successfully entered into the NPC’s meeting agenda for deliberation and voting. Accordingly, none of the existing national laws were drafted and brought to the NPC by deputies. The main drafters were various ministerial bodies of the State Council. The main reason for limited utility of NPC deputies』 legislative proposition is because the exiting institutional setting does not support the submission of qualified legislative suggestions. A NPC deputy is not a full-time job and has extremely limited resources to conduct law-drafting work. For this reason, the legislative suggestions submitted by NPC deputies usually do not contain comprehensive and detailed provisions and, therefore, cannot be used as basis for deliberation and voting.[99] More serious is the structural problems of the NPC. Because of the large size, short meeting duration, and perfunctory legislative procedures of the NPC and the NPCSC, conducting meaningful deliberation work is difficult.[100] This reflects that in the legislative arena, the public and ordinary NPC deputies are still not able players such asthe central Communist Party organs, State Council, key NPC officials, and NPC’s subcommittees.[101]
Neither scholars, the public, nor lawmakers have been able to figure out a feasible path leading to the creation of a comprehensive data protection law. Although data protection has become a hot research topic, the current scholarly discussion is limited to an exploration of the basic values and principles. These discussions are more speculative and have not moved forward toconcrete rule-making recommendations. Empirical studies on the efficacy of protection rules have been scarce. In the long run, the increasing public demand is helpful to create a favourable social and political environment for the development of data protection law, but its direct influence on the current drafting processes is very limited. The performance of lawmakers has not improvedeither. Lawmakers have not reached any consensus on virtually all the basics of data protection law, such as the guiding drafting principle, the level of protection, designation of independent supervision authority, cross-border data flow rules, and accountability of data controllers. With respect to this, the drafting of E-Commerce Law serves as a salient example. The first draft of this Law, released by the NPCSC to solicit public comments in December 2016, expressly declares, 『a user of E-commerce enjoys the right to self-determine her personal data』.[102] The second draft lawwas released 11 months later and deleted these requirements.[103] The final version of this Law, promulgated by the NPCSC in August 2018, removes all the data protection rules for E-commerce operators. The removal suggests that a consensus on some fundamental elements of data protection law hasnot been reached among lawmakers.
V. Conclusion: possible future of China’s data protection law
The promulgation of the 2016 Cybersecurity Law, for the first time, places China in the place where many countries have started in their regulation of data protection since the early 1980s. Although enacting a comprehensive data protection law has been listed on the NPCSC’s new legislative agenda, it remains uncertain whether such a law will ever be enacted and what its contents would be. This article identifies and examines three main obstacles to the creation of a workable data protection law. Thefirst obstacle is from the implementation of ICT development strategies. The spectacular development of the ICT industry, driven by relevant national strategies, tends to significantly increase the threat to individual privacy and, therefore, impose serious challenges on the regulation on data protection. The second obstacle is rooted in the current legal framework. The current data protection regime is characterised by the low level of protection and the commitment to upholding the primacy of security. These two features suggest that the existing legal infrastructure is not conducive to achieving meaningful protection of an individual’s right to privacy. The third obstacle is the limited voices of scholars, the public,and ordinary lawmakers. The current evidence has demonstrated that these three types of parties have been ill-prepared for the drafting of the data protection law.
Given thesethree obstacles, the enactment of a comprehensive data protection law by March 2022 is not an easy task. The legislative process tends to be arduous, and the Chinese and foreign observers should not be surprised if they find that the drafting is delayed or suspended.Even if this law is finally passed and goes into effect, it is likely that this lawwould be unable to remove the three obstacles, andthereforeit would be a failure, namely, there would be no provision for meaningful protection for individual privacy against unreasonable data usage either by the industry or by the government. Perhaps a worse possibility is that such a hasty enactment of an omnibus law would stop the ongoing process towards consistency in data protection legislation, making the latter improvement extremely difficult.
The aforementioned discussion on the difficulty in creating China’s omnibus data protection law does not necessarily suggest that the future of this law is all dark. Creating a workable law is a worthwhile expectation. The main reason for that expectation is that Chinese legal system, as a whole, has been becoming more liberal and consultative after the reform and opening in 1978. The protection of rights is being more focused on than ever before. The NPCis more independent and has been deemed a principal proponent for rights protection.[104]The judiciary and the legal profession have developed rapidly in terms of the number of judges and lawyers, and their professionalism and independence.[105] Such developments have increased access, which enables Chinese citizens to seek judicial remedies when their rights are infringed upon. All these developments might serve as a basic foundation for the emergence of a workable data protection law in the near future.
What concrete steps China should take to create a workable data protection law? Among a number of recommendations, fourshould receive attention. First, lawmakers should pay more attention to protecting individuals』 data privacy. The key to the success of a data protection law is to achieve a balanced development among public security, technological development, and individual privacy. Given the dominance of the State and industry, it is necessary to enhance the importance of privacy protection. The future law should create more flexible mechanisms to provide space that allows regulatory protection to evolve efficiently by institutionalising innovative rules from the bottom. Given the rapid development of civil society and public awareness in the long run, China should gradually adopt bottom-up norms, which result from increasingly frequent interactions among citizens, other private parties, courts, enforcement agencies, and legislatures. By doing so, the data protection regime would lean towards a more balanced position.
Second, lawmakers should cautiously learn from the legislative experience of Western countries. Mainly driven by EU countries, the international data protection standards have come an extraordinary distance since the early 1980s.The ample foreign legislative experience is a notable reference for China’s legislation. However, the goal of China’s data protection law should not aim to enhance the level of protection to catch up with that of Western countries. Such an unrealistic 『great leap』 is likely to prove a failure. A safe step is to incorporate the fundamental elements commonly found in other jurisdictions』 data protection laws.These elements can serve as an important basis for expanding international communication in the area of data protection between China and other countries.
Third,Chinese lawmakers, enforcement agencies, and academics need to pay more attention to explore the best practices under the Chinese contexts. National and local lawmaking bodies must be more willing to explore data protection rules. National policy- and lawmakers should create a more tolerant policy and legislative environment for such legislative experimentation. The model of policy and legislative pilotswidely used in the last four decades in China are helpful in accelerating such local experimentation. The national government might consider designating special data protection zones in certain cities (the most suitable cities are Shenzhen and Hangzhou), where more flexible policies and greater legislative powers would be granted.[106] The legislative experimentation may consider the key elements of a data protection law, including the incorporation of higher protection requirements, the designation of independent supervision authority, and innovative rules on cross-border data flow.
Fourth, the protection rules should be enforced in a more meaningful manner. To enhance enforceability, a more centralised government oversight process for data protection must be created. A key reform measure to enhance government oversight is to allow at least one national agency to have data protection as its main mandate. The Cyberspace Administration is best suited to assume this task. Detailed regulatory rules should be formulated for implementing statutory requirements. National policy- and lawmakers should generate a more tolerant policy and legislative environment for the formulation of these lower-level regulations and rules. The purpose for doing so is to give full play of local legislative initiatives. Additionally, the restrictive rules on government data collection for criminalinvestigationpurposes should be activated and enforced in a meaningful manner.
REFERENCES
[1] The Standing Committee of the National People’s Congress, The Legislative Plan of the 13th Standing Committee of the National People’s Congress (全國人民代表大會常務委員會,《十三屆全國人大常委會立法規劃》) (2018年) .
[2] China started to build its data protection regime in the early 2000s. Nevertheless, before the updating of the NPCSC’s legislative agenda, whether China would enact an omnibus data protection law had remained unknown. See Graham Greenleaf, 『The Influence of European Data Privacy Standards outside Europe: Implications for Globalization of Convention 108』 (2012) 2 International Data Privacy Law 68, 72.
[3] By 2017, more than 120 countries had comprehensive data protection laws. See Graham Greenleaf, 『Global Data Privacy Laws 2017: 120 National Data Privacy Laws Now Include Indonesia and Turkey』 (2017) 145 Privacy Law & Business International Report 14, 14–17.
[4] For a scholarly explanation of why the United States should not enact a comprehensive data protection law, see Paul M. Schwartz, 『Preemption and Privacy』 (2008) 118 Yale Law Journal 902, 922–929
[5] See Liu Songshan, 『Reflection on Legislative Planning』 (『立法規劃之淡化與反思』) (2014) 12 Political Science and Law (《政治與法律》) 91–92.
[6] For the early works on China’s Data Protection Law, see Qi Aimin, 『Expert-suggestion Draft Law on Personal Information Protection of the People’s Republic of China』 (『中華人民共和國個人信息保護示範法草案學者建議稿』) (2005) Hebei Law Science (《河北法學》) 2–5; for the text of Zhou’s draft, see Zhou Hanhua, Expert-suggestion Draft Law on Personal Information Protection of the People’s Republic of China and the Research Report(Falü Chubanshe, Beijing, 2006) (《中華人民共和國個人信息保護法專家建議稿及立法研究報告》(北京:法律出版社,2006年).
[7] Recent discussions include Zhang Xinbao, 『From Privacy to Personal Information, the Theory of Interest Re-balance and Regulatory Framework』 (『從隱私到個人信息:利益再衡量的理論與制度安排』) (2015) China Legal Science (《中國法學》) 38–59; GaoFuping, 『Personal Information Protection: From Individual Control to Social Control』 (『個人信息保護:從個人控制到社會控制』) (2018) Chinese Journal of Law (《法學研究》) 84–101; Zhou Hanhua, 『Exploring The Personal Data Governance that Achieve Incentive Compatibility —China’s Personal Information Protection』 (『探索激勵相容的個人數據治理之道—中國個人信息保護』) (2018) Chinese Journal of Law(《法學研究》)3–23.
[8] See Greenleaf (n 2); Graham Greenleaf, Asian Data Privacy Laws: Trade and Human Rights Perspectives (Oxford University Press,Oxford 2017) (hereafter 『Greenleaf, Asian Data Privacy Laws』); Graham Greenleaf, 『China’s Internet Data Privacy Regulations 2012: 80% of a Great Leap Forward?』 (2012) 116 Privacy Laws & Business International Report 1, 1–5.
[9] See Jyh-An Lee &Ching-Yi Liu, 『Real-name Registration Rules and the Fading Digital Anonymity in China』 (2016) 25 Washington International Law Journal 1, 1–34; Max Parasol, 『The Impact of China’s 2016 Cyber Security Law on Foreign Technology Firms, and on China’s Big Data and Smart City Dreams』 (2018) 34 Computer Law & Security Review 67, 67–98.
[10]Robert D. Cooter, 『Market Modernization of Law: Economic Development through Decentralized Law』in Jageep S. Bhandari and Alan O. Sykes (eds), Economic Dimensions in International Law: Comparative and Empirical Perspectives (Cambridge University Press, Cambridge 1997)275–314.
[11]Ibid.
[12] The Constitution of the People’s Republic of China, art 14 (《中華人民共和國憲法》,第14條).
[13] At that time, Jiang Zemin (江澤民) was the President of the People’s Republic of China and Zhu Rongji (朱鎔基) was the Prime Minister of the State Council.
[14] Over the past two decades, China has become a leading global player in developing and adopting ICT in several areas. In E-commerce, for example, China’s share of worldwide transactions increased from less than 1% a decade ago to now more than 40%. See Mckinsey Global Institute, 『China’s Digital Economy, A Leading Global Force』 (2017) <https://www.mckinsey.com/global-themes/china>.
[15] The 15th National Congress of the Chinese Communist Party, 『Upholding the Great Banner of Deng Xiaoping Theory and Advancing the Cause of Building Socialism with Chinese Characteristics into the 21st Century』(中國共產黨第十五次全國代表大會,『高舉鄧小平理論偉大旗幟,把建設有中國特色社會主義事業推向二十一世紀』) (1997) <http://cpc.people.com.cn/GB/64162/64168/64568/65445/4526285.html>.
[16] General Office of the State Council, State Informatization Development Strategy 2006-2020 (國務院辦公廳,《2006-2020年國家信息化發展戰略》) (2006).
[17] For the details of the nine strategic focuses, see ibid.
[18] For the relevance between Germany’s Industry 4.0 Strategy and Made in China 2025, see JostWübbeke and others, 『Made in China 2025: The Making of a High-tech Superpower and Consequences for Industrial Countries』 (Mercator Institute for China Studies, 2 December 2016)6. <https://www.merics.org/en/merics-analysis/papers-on-china/made-in-china-2025/>.
[19]Ibid.
[20] See National People’s Congress, The Five-year Plan for Economic and Social Development of the People’s Republic of China (全國人民代表大會,《中華人民共和國國民經濟和社會發展第十三個五年規劃》) (2016).
[21] See State Council, The 13th Five-year Informatization Plan (國務院, 《十三五國家信息化規劃》) (2016).
[22]Ibid.
[23] The State Council, The Outline of Action Plan for Promoting the Development of Big Data(2015) (國務院, 《促進大數據發展行動綱要》(2015年)).
[24] Ministry of Industry and Information Technology, The Plan for the Big Data Industry (工業與信息化部,《大數據產業發展規劃》) (2017).
[25]Ibid.
[26]The State Council (n 21).
[27]Ibid.
[28] The State Council, 『State Council’s Guiding Opinions on Actively Promoting Internet Plus Action』 (國務院,『國務院關於積極推進網際網路+行動的指導意見』) (2015).
[29] Ibid.
[30] The State Council, The Development Plan of the New Generation Artificial Intelligence (國務院,《新一代人工智慧發展規劃》) (2017).
[31]Ibid.
[32] The platforms and supporters are: (1) autonomous driving supported by Baidu; (2) smart urban traffic management supported by Alibaba; (3) medical imaging supported by Tencent; and (4) autonomous language translation supported by Iflyteck. The designation implies that these State-led ICT development policies will also provide space for private enterprises with cutting-edge technologies to survive and thrive. See She Huiming and Sheying, 『The National Government Designated Four AI Platforms』 People’s Daily (Beijing 17 November 2017) (佘慧敏、佘穎,『國家公佈人工智慧四大平臺』,《人民日報》,2017年4月28日) .
[33] See JostWübbeke (n 18).
[34] See Xavier Caron, et al, 『The Internet of Things (IoT) and Its Impact on Individual Privacy: An Australian Perspective』 (2016) 32 Computer Law & Security Review 4, 9.
[35] For the increasing concern over tracking and profiling driven by big data, see Kate Crawford and Jason Schultz, 『Big Data and Due Process: toward a Framework to Redress Predictive Privacy Harms』 (2014) 93 Boston College Law Review 93, 99–110. For an extensive discussion on the failure of anonymization and its impact on privacy law, see Paul Ohm, 『Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization』 (2010) 57 UCLA Law Review 1703, 1703–1706.
[36]Paul Mozur& Keith Bradsher, 『Pushing Al, Boundaries in China』 New York Times(4 December 2017) B1.
[37] Paul Mozur, 『With Cameras and A.I. China Closes Its Grip』 New York Times(9 July 2018) A1.
[38] Zak Doffman, 『Why We Should fear China’s Emerging High-tech Surveillance State』 Forbes (28 October 2018).
[39] Pete Hunt, 『China’s Great Social Credit Leap Forward』 The Diplomat (4 December 2018).
[40] An important perspective to assess the General Data Protection Regulation (GDPR) of the European Union (EU) is whether this law successfully addresses the challenges of new technology. See Ira S. Rubinstein, 『Big Data: The End of Privacy or a New Beginning?』 (2013) 3 International Data Privacy Law 76, 78–81.
[41] See General Office of the State Council (n 16).
[42]Ibid.
[43] The State Council, Made in China 2025 (國務院,《中國製造2025》) (2015).
[44]The State Council (n 23); Ministry of Industry and Information Technology (n 24).
[45] For the sectoral characteristics of data protection law in the United States, see Paul M. Schwartz, 『The EU-US Privacy Collision: A Turn to Institutions and Procedures』 (2013) 126 Harvard Law Review 1966, 1974–1978. For the adoption of sectoral approach in building data protection regime in China, see Greenleaf, Asian Data Privacy Laws (n 8) 221–225.
[46] See James Q. Whitman, 『The Two Western Cultures of Privacy: Dignity versus Liberty』 (2004) 113 Yale Law Journal 1151, 1212–1214.
[47]Katz v United States (1967) 389 U.S. 347, and Olmstead v United States (1928) 277 U.S. 438.
[48] Qianfan Zhang, 『Constitution without Constitutionalism? The Path of Constitutional Development in China』 (2010) 8 International Journal of Constitutional Law 950, 951–952; Keith Hand, 『Resolving Constitutional Disputes in Contemporary China』 (2012) 7 University of Pennsylvania East Asia law Review 51, 83–85.
[49] See Supreme People’s Court, 『Interpretation of Several Questions on Handing Cases concerning Rights of Reputation』, art 8. (最高人民法院,《關於審理名譽權案件若干問題的解釋》,第8條).
[50] See Greenleaf (n 8) 202–203.
[51] The General Provisions of Civil Law is deemed, by the NPC, as an important part of China’s proposed Civil Code.
[52]Li Xujian, 『On Classification of Privacy Infringement Action: An Empirical Analysis of Privacy Cases in China』 (『隱私權侵害行為分級研究—基於我國隱私案例的實證分析』) (2016) Journal of Central Southern University (《中南大學學報》) 61.
[53]Interviews with judges in Chengdu, Hangzhou, Suzhou and Beijing from March to October 2018.
[54] See Greenleaf (n 8) 203–204.
[55] For the details of these cases, see [2000]Yang Xianhong v Li Guoqiong (《楊先洪訴李國瓊等名譽權案》(2002) (大邑民初字第27號); [2004]Two High School Students v Fuxing High School (2004) (滬二中民一(民)終字第2106號); [2008]Yang Lijuan v South Weekly (2004) (越法民一初字第598號).
[56] See SnejinaMichailova and Kate Hutchings, 『National Cultural Influences on Knowledge Sharing: A Comparison of China and Russia』 (2006) 43 Journal of Management Studies 383, 392–394; also see Cathy Silber, 『Privacy in Dream of the Red Chamber』 in Bonnie S. McDougall & Anders Hansson (eds), Chinese Concepts of Privacy (Brill Academic Pub, Leiden 2002)55–56.
[57]For example, the young woman’s violation of filial piety. Under Confucianism, filial piety means that adult children should provide physical and emotional support to their elder parents. The emotional support is particularly stressed by Confucians. The young woman’s adulatory activities made her father unhappy and finally led to his death. This contravenes the requirements of filial piety.
[58] See Zhou Qiang, 『The Report of the Supreme People’s Court on Matters regarding Comprehensively Deepening the Judicial Reform』 (『最高人民法院關於人民法院全面深化司法改革情況報告』) (2017) <http://www.court.gov.cn/zixun-xiangqing-66802.html>.
[59] For more details, see Marissa Dong, 『China』 in Alan Charles Raul (ed),Privacy, Data Protection and Cybersecurity Law Review (Law Reviews, London 2017)108.
[60] Criminal Code of the People’s Republic of China, art 253(1) and (3) (《中華人民共和國刑法》,第253條第1款和第3款).
[61] Take spam as an example. In the late 2015, an e-mail user received on average 17 pieces of spam per day, accounting for 49.4% of the total e-mails received. See Internet Society of China, 『Investigation Report on Anti-spam in China in the Second half of 2015』 (2016) 21 (中國網際網路協會,『2015年下半年中國反垃圾郵件狀況調查報告』 (2016), 第21頁), <http://www.isc.org.cn/zxzx/hlwzl/listinfo-33411.html>.
[62] Internet Society of China, 『Protection of Chinese Netizens』 Interests and Rights』 (2016) 15 (中國網際網路協會,『中國線民權益保護調查報告』 (2016), 第15頁, <http://www.isc.org.cn/zxzx/xhdt/listinfo-33759.html>.
[63] The low arrest and prosecution rates for identity theft seem to be a common phenomenon. Some observers have discussed the technical and cultural reasons for this phenomenon. See Chris Jayhoofnagle, 『Identity Theft: Making the Known Unknowns Known』 (2007) 21 Harvard Journal of Law & Technology 98, 104–107.
[64]Jyh An Lee, 『Hacking into China’s Cybersecurity Law』 (2018) 53 Wake Forest Law Review 57, 78–83.
[65] Ibid.
[66] Graham Greenleaf, 『China’s Personal Information Standards: the Long March to a Privacy Law』 (2017) 150 Privacy Laws Business Report 25, 25–28.
[67] William J. Kambas, 『A Safety Net in the E-Marketplace: the Safe Harbor Principles Offer Comprehensive Privacy Protection without Stopping Data Flow』 (2003) 9 ILSA Journal of International & Comparative Law 150, 157–159.
[68] See Greenleaf (n 3) 14–17).
[69] See Greenleaf (n 2) 68.
[70] See Paul de Hert&VagelisPapaknstantinou, 『The New General Data Protection Regulation: Still A Sound System for the Protection of Individual』 (2016) 32 Computer Law & Security Review 179, 179–180; Christina Tikkinen-Piri, Anna Rohunen and JouniMarkkula, 『EU General Data Protection Regulation: Changes and Implications for Personal Data Colleting Companies』 (2018) 34 Computer Law & Security Review 134, 135–137.
[71] Paul de Hert and VagelisPapakonstantinou, for example, asserts that the public sector should generally be perceived as exempted from all data protection legislation. See Paul de Hert&VagelisPapakonstantinou, 『The Data Protection Regime in China』 (2016) 1 Brussels Privacy Hub Working Paper 1, 20–22.
[72] See Ann Bartow, 『Privacy Laws and Privacy Levers: Online Surveillance Versus Economic Development in the People’s Republic of China』 (2013) 6 Ohio State Law Journal 853, 866–869; Pitman B. Potter, 『The Chinese Legal System: Continuing Commitment to the Primacy of State Power』 (1999) 159 The China Quarterly 673, 673–674.
[73] See Lee and Liu (n 9) 17–21.
[74] For an extensive discussion on the application of network technologies in government surveillance in China, see Jyh-An Lee &Ching-Yi Liu, 『Forbidden City Enclosed by the Great Firewall: the Law and Power of Internet Filtering in China』 (2012) 13 Minnesota Journal of Law, Science & Technology 125, 129–135.
[75] Since China has neither meaningful check and balances nor judicial independence, the courts play no role in ensuring that administrative authorities will not abuse their powers during the collection and usage of personal data. See Lee (n 64) 101–102.
[76] See NPCSC Investigation Team, The Report on Investigating the Enforcement of the Cybersecurity Law of the People’s Republic of China and the Decision on Strengthening Information Protection on Networks (全國人大常委會執法檢查組,《關於檢查<中華人民共和國網路安全法>、<全國人民代表大會常務委員會關於加強網路信息保護的決定>實施情況的彙報》) (2017).
[77] Yang Feng, 『Personal Information Protection in Chinese Websites From the Perspective of the Disclosure of Privacy Policies』 (『從隱私政策披露看我國個人信息保護』) (2019) Modern Law Study (《當代法學》), 135.
[78] See Greenleaf (n 2) 73.
[79] For the advantage of a unified oversight system on data protection, see Schwartz (n 4) 922–929.
[80] For the text of Qi’s draft, see Qi (n 6) 2–5; for the text of Zhou’s draft, see Zhou (n 6) 1–33.
[81] See Graham Greenleaf, 『China’s Proposed Personal Information Protection Act』 (2008) 91 Privacy Laws & Business International Newsletter 1, 11–12.
[82] Zhang (n 7) 38–44.
[83]Gao, (n 7) 84–86.
[84] See Zhou (n 7) 3–4.
[85] See NPCSC Investigation Team (n 72).
[86]Hao Wang, Protecting Privacy in China (Springer, Heidelberg2011)24–28.
[87][2009]Fraud case of ZhengWenqiang and Chen Fang (《鄭文強、陳訪詐騙案》)(2017) (魯1311刑初333號).
[88] 『What does the apology of Alipay Mean?』 People’s Daily (Beijing 5 January 2018) (『支付寶認錯說明瞭什麼?』,《人民日報》,2018年1月5日).
[89] China Cyberspace Administration, 『China Cyberspace Administration talked to the Responsible Persons concerning the Incident of Alipay Annual Bill』 (10 January 2018) (國家網際網路資訊辦公室,『國家網際網路資訊辦公室網路安全協調局約談「支付寶年度帳單」當事企業負責人』(2018年1月10日))<http://www.cac.gov.cn/2018-01/10/c_1122234687.htm>.
[90] For the punishment decision, see Hangzhou Branch of the People’s Bank of China, <http://hangzhou.pbc.gov.cn/hangzhou/125268/125286/125293/index.html>.
[91]Ibid.
[92]Qianzhan Industrial Research Institute, <https://www.qianzhan.com/analyst/detail/220/180511-a7e9a9ea.html>.
[93] Daniel A. Bell, China’s New Confucianism: Politics and Everyday Life in A Changing Society (Princeton University Press, Princeton2008)13–16.
[94] Under the Law on Legislation, a group of 30 or above deputies may jointed submit a legislative bill to the plenary session of the NPC, and the Presidium will decide whether or not to put it on the agenda of this session; a group of 10 or above NPCSC members may submit a legislative bill to the plenary session of the NPCSC and the Chairmen’s Counsel will decide whether or not to put it on the agenda of the session.
[95] 『Enacting the Personal Data Protection Law as Soon as Possible』 Hunan Daily (Changsha 3 March 2009) (『儘快制定個人信息保護法』, 《湖南日報》,2009年3月3日).
[96]Wu Chunyang, 『NPC Deputies Pay Close Attention to the Safety of Citizens』 Personal Data』 China Police Daily (Beijing 21 March 2018), (『人大代表關注公民個人信息安全』, 《中國公安報》,2018年3月21日).
[97] Sun Xianzhong, 『Suggestions concerning Enacting the Personal Information Protection Law』, Chinese Law Forum (『關於儘快制定我國個人信息保護法的建議』, 《法學論壇》, 2017年10月16日) <http://www.iolaw.org.cn/showNews.aspx?id=60931>.
[98] Ibid.
[99] Kevin J. O』Brien, Reform Without Liberalization: China’s National People’s Congress and the Politics of Institutional Change (Cambridge University Press, New York 2008) 135–139.
[100]Tony Saich, Governance and Politics of China (Palgrave Macmillan, New York2011)125.
[101] See Murray Scot Tanner, The Politics of Lawmaking in Post-Mao China, Institutions, Processes and Democratic Prospects (Clarendon Press, Oxford1999) 48–49.
[102]Ibid.
[103] The Standing Committee of the National People’s Congress, 『Soliciting Public Comments for the E-Commerce Law (Draft Version for the Second Deliberation』 (2017) (全國人大常委會,『電子商務法(草案第二次審議)徵求意見』 (2017年). <http://www.npc.gov.cn/npc/flcazqyj/2017-11/06/content_2033046.htm>.
[104] For a detailed discussion on the development of China’s legislature, see O』Brien (n 99) ; Young Nam Cho, Local People’s Congresses in China: Development and Transition (Cambridge University Press, Cambridge2010).
[105] See Bin Liang, The Changing Chinese Legal System 1978–present, Centralization of Power and Rationalization of the Legal System (Routledge, New York2007) 171–172; Sida Liu, 『Lawyers, State Officials and Significant Others: Symbiotic Exchange in the Chinese Legal Services Market』 (2011) 206 The China Quarterly 276, 276–277.
[106] Shenzhen (with a population of 12 million) is a major city in the south of Guangdong province, and one of the most important manufacturing and high-tech research and development bases in China. Hangzhou (with a population of 10 million) is the capital city of Zhejiang province, and its high-tech and software sector have sprung up in recent years. Hangzhou has many internationally successful high-tech companies, and the most notable is Alibaba.