China working on data privacy law but enforcement is a stumbling block
- Biometric data in particular needs to be protected from abuse from the state and businesses, analysts say
- Country is expected to have 626 million surveillance cameras fitted with facial recognition software by 2020
In what is seen as a major step to protect citizens’ personal information, especially their biometric data, from abuse, China’s legislators are drafting a new law to safeguard data privacy, according to industry observers – but enforcement remains a major concern.
“China’s private data protection law will be released and implemented soon, because of the fast development of technology, and the huge demand in society,” Zeng Liaoyuan, associate professor at the University of Electronic Science and Technology of China, said in an interview .
Technology is rapidly changing life in China but relevant regulations had yet to catch up, Zeng said.
Artificial intelligence and its many applications constitute a major component of China’s national plan. In 2017, the “Next Generation Artificial Intelligence Development Plan” called for the country to become the world leader in AI innovation by 2030.
Biometrics authentication is used in computer science as an identification or access control. It includes fingerprinting, face recognition, DNA, iris recognition, palm prints and other methods.
In particular, the use of biometric data has grown exponentially in key areas: scanning users’ fingerprints or face to pay bills, to apply for social security qualification and even to repay loans. But the lack of an overarching law lets companies gain access to vast quantities of an individual’s personal data, a practice that has raised privacy concerns.
During the “two sessions” last month, National People’s Congress spokesman Zhang Yesui said the authorities had hastened the drafting of a law to protect personal data, but did not say when it would be completed or enacted.
One important focus, analysts say, is ensuring that the state does not abuse its power when collecting and using private data, considering the mass surveillance systems installed in China.
“This is a big problem in China,” said Liu Deliang, a law professor at Beijing Normal University. “Because it’s about regulating the government’s abuse of power, so it’s not only a law issue but a constitutional issue.”
The Chinese government is a major collector and user of privacy data. According to IHS Markit, a London-based market research firm, China had 176 million surveillance cameras in operation in 2016 and the number was set to reach 626 million by 2020.
In any proposed law, the misuse of data should be clearly defined and even the government should bear legal responsibility for its misuse, Liu said.
“We can have legislation to prevent the government from misusing private data but the hard thing is how to enforce it.”
Especially crucial, legal experts say, is privacy protection for biometric data.
“Compared with other private data, biometrics has its uniqueness. It could post long-term risk and seriousness of consequence,” said Wu Shenkuo, an associate law professor at Beijing Normal University.
“Therefore, we need to pay more attention to the scope and limitations of collecting and using biometrics.”
Yi Tong, a lawmaker from Beijing, filed a proposal concerning biometrics legislation at the National People’s Congress session last month.
“Once private biometric data is leaked, it’s a lifetime leak and it will put the users’ private data security into greater uncertainty, which might lead to a series of risks,” the proposal said.
Yi suggested clarifying the boundary between state power and private rights, and strengthening the management of companies.
In terms of governance, Wu said China should specify the qualifications entities must have before they can collect, use and process private biometric data. He also said the law should identify which regulatory agencies would certify companies’ information.
There was a need to restrict government behaviour when collecting private data, he said, and suggested some form of compensation for those whose data was misused.
“Private data collection at the government level might involve the need for the public interest,” he said. “In this case, in addition to ensuring the legal procedure, the damage to personal interests should be compensated.”
Still, data leaks, or overcollecting, is common in China.
A survey released by the China Consumers Association in August showed that more than 85 per cent of respondents had suffered some sort of data leak, such as their cellphone numbers being sold to spammers or their bank accounts being stolen.
Another report by the association in November found that of the 100 apps it investigated, 91 had problems with overcollecting private data.
One of them, MeituPic, an image editing software program, was criticised for collecting too much biometric data.
The report also cited Ant Financial Services, the operator of the Alipay online payments service, for the way it collects private data, which it said was incompatible with the national standard. Ant Financial is an affiliate of Alibaba Group, which owns the South China Morning Post.
In January last year, Ant Financial had to apologise publicly for automatically signing up users for a social credit programme without obtaining their consent.
“When a company asks for a user’s private data, it’s unscrupulous, because we don’t have a law to limit their behaviour,” Zeng said.
“Also it’s about business competition. Every company wants to hold its customers, and one way is to collect their information as much as possible.”
Tencent and Alibaba, China’s two largest internet companies, did not respond to requests for comment about the pending legislation.