International observers often think of China as a place where privacy protections are thin or nonexistent. But a forthcoming law could arm Chinese consumers with offensive and defensive tools that web users in places like the United States could only dream of.
In late April, China unveiled the second draft of the country's privacy law, the Personal Information Protection Law, for public comment. The law is expected to pass by the end of the year, and would shield Chinese internet users from excessive data collection and misuse of personal data by tech companies — and even, to some extent, by the government.
The new law, similar to the European Union's General Data Protection Regulation, will give individuals the power to know how their personal data is being used and to consent to it.
"It's a good law," Jeremy Daum, a senior fellow of the Yale Law School Paul Tsai China Center, told Protocol. "We tend to think of China as not being overly concerned with privacy, and that's just wrong … There's a growing expectation of privacy in the Chinese public, and the government is responding to it by passing high-level authority to try and ensure some protections."
Several of the provisions in the draft could change the experience of Chinese web users nationwide.
Privacy committees come to China
One new provision requires big internet platforms — including WeChat, Douyin and Taobao — to each form a committee, staffed predominantly by non-company employees, that supervises the handling of personal information. Tech companies will have to stop providing services that misuse personal information. The big platforms are also required to publish periodic reports about information protection.
This is not a model new to the rest of the world. Facebook, for example, was required to form an independent privacy committee by the Federal Trade Commission in 2019. But Chinese tech companies will be required for the first time to establish an outside board to review the handling of consumer data, especially sensitive biometric data.
"It gives consumers an added level of protection," Daum said. "You're going to have somebody besides the government and besides the company itself looking at how the company is using personal information, making sure they're doing it as they said in their user agreements for the purposes that they state."
Personal information as inheritance
The law also adds novel protections for "post-mortem privacy." When a person passes, that person's family will inherit the rights to handling the decedent's personal information, which could include the power to delete their account.
Bye-bye, personalized recommendations
Under the new Personal Information Protection Law, users can elect to block algorithmically-curated information or personalized ads. This means that if Taobao or Douyin recommends merchants or video clips to users, by default the platforms must provide options that aren't tailored for the user based on past and present engagement. If companies want to serve ads based on personal information "with a major influence on the rights and interests of the individual," the app or the site must get affirmative user consent first.
Consent. Consent. Consent.
Other than the new changes, one big theme throughout the draft law is ensuring the consumer's right to consent and the right to know how their information is being used. They also have the right to withdraw that consent at any time, and service providers are required to make a streamlined withdrawal process by law.
The draft law stipulates the concrete applications of minimum necessary standards, meaning tech companies can only collect personal information when it's necessary for the services being provided.
But getting consent is tricky. Users don't always understand the terms and privacy notices to which they're agreeing. "It will be a really long process for consumers to get used to that, and it will also be work for the company themselves to figure out how they can streamline and make this notice easier for the consumer to read," Lee said. Otherwise, Lee said, the process will generate consent fatigue.
Limits on the state
The new law contains a whole chapter regulating the use of personal information by state organs, even though it has less teeth compared to protections against corporate abuse.
The draft law stipulates that when handling personal information, the state "may not exceed the scope or extent necessary to fulfill their statutory duties and responsibilities." And state organs, like corporations and individuals, have to inform individuals and get consent from them when handling their personal information. But there are broad exceptions. The government doesn't have to inform individuals about data collection when doing so would undermine the purpose of the collection — for example, in a criminal investigation.
"Of course, that can get abused," Daum said, "because how do you know to question their use if you don't even know that they're using it? But the fact that there is even a section on state organ use of personal information shows they're really considering who should be allowed to use this and when."