Why China’s strong data privacy laws should reassure TikTok, ByteDance sceptics

ByteDance is registered in Beijing and thus subject to Chinese law, giving those whose data privacy it violates the potential for redress through Chinese courts
China’s data security laws are on a par with the world’s strongest, and prosecutors have shown an appetite for pursuing violators

Chi YinandTonghui Zhu

Published: 1:00am, 18 Apr 2023

Why you can trust SCMP

In the ongoing uproar over TikTok’s perceived threat to the United States, we have lost sight of the issue most relevant to ordinary users of the platform – the vulnerability of their personal data. Two cases of data misuse have made headlines so far: TikTok’s Chinese parent company, ByteDance, admitted to inappropriately obtaining the data of two reporters, one from BuzzFeed and one from the Financial Times.

Disappointingly, there has been no discussion of the lawsuits those reporters could potentially file against ByteDance. Such a discussion would illuminate the legal protections available to the reporters and the other estimated 1 billion TikTok users worldwide.

ByteDance is officially registered in Beijing. Therefore, its behaviour – including its behaviour in processing users’ personal information – is governed by Chinese law. Given ByteDance’s admission of wrongdoing in the case of the two reporters, the reporters could file a suit with the Haidian District People’s Court. They could ask that the company be held liable for violations of China’s Personal Information Protection Law (PIPL).

There are two reasons we think they would win their case. First, China’s legal system gives significant protection to personal data. In the past few years, China has passed a set of data security laws, including three fundamental pieces of legislation – the PIPL, the Cybersecurity Law and the Data Security Law – as well as about a dozen rules for implementation.

How China’s new data laws will make cross-border business much harder

Data security experts both in and outside China note that the PIPL contains many concepts and definitions reminiscent of the European Union’s General Data Protection Regulation (GDPR), considered one of the world’s most stringent privacy and security laws.

In some ways, the PIPL is even stricter than the GDPR. For example, the GDPR provides “legitimate interest” as a legal basis for processing personal data without users’ consent. The PIPL does not. Only the PIPL requires users’ additional consent before processing sensitive data. The PIPL also goes further than the GDPR in regulating against automated decision-making.

It explicitly bans price-discriminating algorithms, such as those that increase prices incrementally for repeat customers. China has set limits on the “necessary personal information” that can be required before activating commonly used mobile phone apps. The US, by contrast, lacks these protections at the national level.

If ByteDance is sued in China, it will bear the burden of proof, meaning it is presumed responsible for data infringement until it proves otherwise. In this case, it has admitted to its wrongdoing and fired four employees for the incident. ByteDance could even be criminally prosecuted if it had an illegal gain exceeding 5,000 yuan (US$730) from processing the data.

02:32

US lawmakers grill TikTok CEO on app’s alleged ties to Chinese Communist Party

Our second reason for confidence in such a legal case is that China has a good track record of implementing data protection laws. In the short time since China ended its national zero-Covid policy, some provinces and cities have started to delete pandemic-related personal data collected from local health apps, pursuant to the PIPL.

The government of Wuxi, a city of 7.48 million people in Jiangsu province, recently deleted one billion pieces of data to better protect citizens’ privacy, prevent data leaks and free up data storage space.

In the past few years, China’s top prosecutor’s office has released a series of “typical cases” involving personal data protection as references for lower prosecutors’ offices across the country. Many of them were related to public interest litigation brought by local prosecutors against local government agencies for direct infringement of personal data or to request them to enforce laws in the private sector.

Earlier this year, China’s highest court and the top prosecutor’s office separately released several guiding cases, including cases against businesses for illegally harvesting and transferring personal data in social media accounts. These cases serve as quasi-precedents for all lower courts, requiring explanations from lower courts that rule differently. No court would be eager to explain a decision not to hold a business accountable for violations of data law.

US Representative Buddy Carter questions TikTok CEO Chew Shou Zi during a House Energy and Commerce Committee hearing on Capitol Hill in Washington on March 23. Photo: AFP

Sceptics will point out that, in matters of national security, laws on the books do little to control the behaviour of the Chinese state. That is true, but ByteDance is not the Chinese state. The subject at hand here is the data security of ordinary citizens – people whose value to China is greater as a target of advertising than as a target of espionage.

For such people, it should be reassuring that China has not only a relatively comprehensive law on personal data protection but also a proven appetite for prosecuting its violators. Adding that to China’s fervent desire to restart its economy after the setbacks of the past three years, it is clear that the data of ordinary users is at least as safe with TikTok as with any other social media company.

Chi Yin, a former judge in China, is now an operations manager and a research scholar at the US-Asia Law Institute of New York University School of Law

Tonghui Zhu is an associate professor of law at Nankai University School of Law and a director of the academic department of the Beijing CloudEvidence International Data Security Forensic Centre

Post