China’s Emerging Data Privacy System and GDPR
March 9, 2018
China’s main standards body recently issued a “specification” covering collection, storage, use, sharing, transfer, and disclosure of personal information. The Personal Information Security Specification (“the Standard”) is set to take effect May 1, 2018. I wrote an analysis of the standard, its place in the broader build out of China’s emerging data protection regime, and a brief comparison with approaches to data privacy under the European Union’s General Data Protection Regulation (GDPR) and in the United States here. Since publishing that piece, I have been in contact with the lead drafter of the standard, Dr. Hong Yanqing, who wrote a response to my post here (in Chinese).
Understanding drafter intent is a critical part of interpreting new policies, laws, regulations, and standards. As such, the first section of this piece provides an update to my initial assessment by discussing the thinking and approach behind the Standard based on feedback from Dr. Hong, as well as others involved in the drafting process. Based on these exchanges, it is clear that the drafters sought to make the Standard more permissive for companies than the GDPR.
While GDPR served as the primary model for the Standard, there are also important differences—particularly around what is meant by consent and other grounds for processing personal data outside of consent. The end result is a framework for personal data protection in China that looks more like GDPR than our approach in the United States or the Asia-Pacific Economic Cooperation (APEC) forum’s Cross Border Privacy Rules (CBPR), but it has a number of differences from GDPR intended to make it less rigid. This matters because the government does not want to undermine efforts for developing fields seen as crucial for China’s economy like artificial intelligence (AI), which relies on access to massive datasets.
At the same time, a close assessment of the written Standard, in the context of the political realities of operating in China, also raises questions about how the Standard will be implemented and enforced. The written standard leaves space for interpretation by enforcement authorities whose interests and objectives may not align with the intent of the drafters. The process of gaining exemption from the stricter parts of the Standard is not clear. There is no single government authority responsible for data protection. More broadly, there is not yet consensus on how to balance ambitions around AI with rising data privacy concerns among the public. The second section discusses these potential challenges.
Through the build out of China’s data protection regime, the Chinese government seeks to make Chinese companies more accountable stewards of data given rising public concerns over fraud and misappropriation of personal information by private sector and criminal actors. As uses of personal data grow more complex with AI, big data, and smart cities, the government has moved to put in place a framework for how data is managed.
So far, China’s data protection regime consists of the Cybersecurity Law, a handful of accompanying measures, and at least 10 draft standards that deal with both data flows and protection of personal information. (For a deeper discussion of a thriving debate in China over data localization and rules for cross-border data transfer, please see here.) In addition, the government is working on a new law focused specifically on personal information protection.
The Personal Information Security Specification is the most extensive document to date on protection of personal information, which is one of six systems under the Cybersecurity Law. These six systems together form a framework governing information and communication technology (ICT) in China. This Standard belongs under the fourth system, called “personal information and important data protection system.”
The Standard drafters claim they sought to make it more permissive and “business friendly” than the GDPR. In large part, this reflects an effort not to hamper development of fields like AI. While the drafters relied heavily on GDPR as a model, they also attempted to provide more space and localize it to the China environment by blending concepts from other international best practices. The result is a Chinese approach to data privacy that looks more similar to GDPR than the approach in the United States or APEC’s CBPR, but deliberately includes a number of differences from GDPR with the intention of being less rigid for companies. The two main examples of this are evident in the definition of consent and the exemptions that allow for data processing outside consent, discussed below.
The concept of consent is one where the Standard appears to be less restrictive than the GDPR.
Under GDPR, there is only explicit consent but no implied consent. Consent must be a clear statement or other affirmative action (i.e., handwritten signature, checking a box, other behavior to show specific informed agreement beyond pre-checked boxes or inactivity).
In contrast, consent in the Chinese Standard appears to be less strict than what is required for explicit consent. According to Dr. Hong, the definition of consent is “looser than the EU and more in line with the United States” because it allows for “implied or silent” consent in certain instances. He acknowledges that the written standard does not specifically use the term “implied” consent, which may have led to some misunderstanding. But the language of the Standard supports his point. The Standard defines explicit consent as meaning a written statement or affirmative action. But the term is only used in certain instances. Sections 5.3 (Authorization for collection of personal information) and 5.4 (Exemptions to consent seeking) just use the word “consent,” while section 5.5 goes a step further by referring to “explicit consent” (Explicit consent for collection of personal sensitive information).
It is significant that the original draft of the Standard released for public comment required explicit consent in all instances, but this word was removed from several sections of the final version. Therefore, it is a reasonable interpretation that what is required for consent in the Standard is different from, and perhaps less than, explicit consent.
Exemptions to consent
Under GDPR there are six grounds upon which data controllers can process personal data. The first is consent, as discussed previously. Yet consent as defined by GDPR is difficult and complex to attain for a variety of reasons (i.e., controller needing to demonstrate consent was informed, consent refusal or withdrawal, consent needing to be given for each purpose of processing, etc.). Under GDPR, companies seeking relief from the consent requirement are able to process data on five other grounds, which include “performance of a contract to which data subject is party” or certain kinds of “legitimate interests.”
One of the criticisms of China’s cybersecurity law framework and early versions of the Standard is that it bases use and collection of personal data entirely on consent without these additional grounds found in GDPR. This was the subject of intense debate during the drafting of the Standard, according to sources involved in this process.
Yet, according to Dr. Hong, the drafters used “exemptions to consent seeking” (5.4) as a way to provide more flexibility to companies. He explains: “A common question is why does [the Standard] not contain legitimate interests as a ground for dealing with personal information as the GDPR does. To be honest, it’s not about if we want to offer [legitimate interests] or not, it is what is required in the Cybersecurity Law. There were several rounds of discussion on this with companies. We cannot write ‘legitimate interests’ in the standard because we are not legislators… We do not have ‘legitimate interests’ these words, but we tried our best to include it in the ‘exemptions to obtaining consent.’”
Indeed, the Cybersecurity Law does leave little room for maneuver because it makes consent the only legal ground for collection and use of personal information. Article 41 of the law states that network operators should: “Provide notice and obtain consent when collecting or using personal information of Chinese citizens.” Dr. Hong described trying to create a Standard within these boundaries as “dancing with shackles.” Yet the exemptions he and the drafters came up with, listed under 5.4, do provide relief from the more restrictive framework of the law. In particular, the drafters added exemptions (f), (g), and (h) to later versions of the Standard in order to give more space for processing than the law allows on its face. Exemptions (g) and (h) are especially important, as they would allow for processing when:
(g) Necessary for contract signing and performance in accordance with the requirements of personal data subject;
(h) Necessary for maintaining a safe and stable operation of product and service provided, e.g. discovery or disposal of product or service faults.
Exemption (g) in the Chinese Standard appears modeled on article 6(1) of the GDPR, which allows for processing “necessary for performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” Under European law, contractual necessity appears to have a much more narrow scope than the Chinese Standard because it does not apply to services consumers receive as a result of product terms. By contrast, the Chinese Standard could be interpreted quite broadly, to not only refer to initiating a transaction, but also perhaps signing up for a service or completing an application.
Exemption (h) in the Chinese Standard appears to be aimed at companies’ need to maintain and protect their networks, for example through activities such as patching and security updates. These types of activities are often critical for companies to operate and are not a major focus from a privacy perspective. It is possible that exemption (h) references provision (f) in GDPR, which allows processing for “the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…” Yet there is no real equivalent to the Standard’s provision (h) under the GDPR, underscoring how the Standard truly is meant to be its own unique approach for the Chinese system, drawing on input from an array of international practices.
Are the exemptions under the Chinese Standard broader than the additional grounds for processing data outside consent under the GDPR? The intent of the Chinese Standard appears to be to make these more permissive than GDPR, although it is not entirely clear how this will be implemented in practice, leaving room for interpretation either way (discussed in more detail in section two). Overall, the two provide slightly different channels through which companies can seek some relief from consent requirements.
Consent v. other grounds for processing
The Chinese and EU systems also appear to diverge in terms of the overall approach for having legal ground to process personal data. According to Dr. Hong, companies seeking “legitimate interest” as grounds for processing data under GDPR could face high costs and regulatory risks since they must justify compliance. He argues that consent as conceptualized under the Chinese framework (both the cybersecurity law and Standard) is actually lower cost and presents less compliance risk. Since the Chinese definition of consent could be interpreted as less than explicit consent in some cases, this argument appears reasonable.
His reasoning highlights an important difference between the Chinese and European systems. Although consent is a core principle behind the Chinese approach, it appears that the drafters sought to distinguish the concept from that in Europe so as to make it a more appealing pathway for companies. In contrast, according to legal experts in Europe, consent tends to be an impractical and difficult ground upon which to process data under GDPR. Reasons include: controller must demonstrate the data subject was given sufficient information before consenting; consent may be refused or withdrawn after being granted; consent may be considered invalid or tainted.
Overall, what this all tells us is that China’s emerging approach to data protection is different from the European model in important ways. As far as format, a single Chinese standard is in no way analogous to GDPR, which is an extensive legal document that underwent a long legislative process. When China releases a coming Personal Information Protection Law (likely to be completed in the coming two to five years), the new law could be a better basis for comparison.
The drafters did look to GDPR as a model for some of the core principles of the Chinese standard, resulting in similarities, particularly in terms of strengthening individuals’ control over their personal information. Yet, comparing important concepts such as consent and what is permissible outside of consent underscores that in the end, the drafters sought to outline a system that is unique to China and does not lend itself to a linear comparison.
2. Questions over implementation and enforcement
Intent behind a policy or standard is fundamental to understanding its meaning. At the same time, it is also important to consider a number of questions regarding implementation and enforcement.
How will the concept of consent be enforced?
The written standard leaves space for interpretation by enforcement authorities whose interests and objectives may not align with the intent of the drafters. While we know that the intent was to use a definition of consent for some instances that is less than explicit consent, the Standard was not necessarily specific and clear on this point. An argument could be made (as discussed above) that the Standard is meant to allow for implied consent, but there is no written language that specifically says less than explicit consent is acceptable, so it is open to interpretation.
There are also inconsistencies between the cybersecurity law and the Standard on the definition of consent. These create regulatory uncertainty. The Standard calls for explicit consent to collect sensitive personal information. But the cybersecurity law does not say precisely what consent means, creating a gray area in relation to the Standard. If a company collects sensitive personal information without explicit consent is this ground for enforcement against the cybersecurity law? There is no answer to this question, leaving the issue subject to the interpretation by enforcement authorities from different parts of China’s political system, at both central and local levels.
What is the process for seeking exemptions to consent?
As discussed earlier, the intent behind the Standard was to use exemptions to give companies more space to maneuver outside of consent requirements. In the case of GDPR, grounds other than consent on which data controllers may base processing of personal data are important avenues for companies, particularly the concept of “legitimate interests,” which is meant to be a broad “catch all” when other grounds are not available. Clearly, the Chinese Standard referenced this concept, and in some cases, the argument could be made that the scope of the exemptions is more permissive than this comparable area of GDPR.
However, this raises questions regarding what will be the process through which companies in China qualify for these exemptions. Under European law, data controllers self-determine or assess the grounds on which the processing may be based without asking for authorization from a data protection authority. This is known as the “accountability principle” and means that companies conduct analysis at their own risk of steep penalty. We do not yet know what the specific process will be for exemption under the Chinese Standard. Given that the Chinese system is very different from that in Europe, the process is likely to be quite different—and likely not transparent. It is possible that companies could be audited against the Standard or have to seek approval from regulatory authorities to qualify. This is a reasonable expectation given that there are already multiple layers of certification and security reviews that exist under the framework of the cybersecurity law.
The process related to exemptions is further complicated by the fact that we do not know who in the Chinese government system will have authority for data protection; there is no China Data Protection Authority. This is another reason why interpreting the Standard in relation to GDPR is so challenging.
Moreover, exemptions exist in another legal gray zone: the cybersecurity law does not allow for collection of personal data outside consent, but the Standard does. Since it is not clear how the exemptions under the Standard will fit within the constructs of the cybersecurity law, we could see selective enforcement based on the whim of different enforcement actors in the Chinese system.
As a result of these factors, there are no assurances that companies will find relief in the exemptions despite the intent behind them.
What exactly will companies be required to do?
There are open questions regarding whether companies will be required to follow the Standard, since it is not a law or a regulation. However, the consensus among legal experts is that Chinese and foreign companies will need to comply. To date, the Standard provides the only detailed guidelines that spell out in concrete terms what the government expects with respect to the two vague lines in the cybersecurity law on collection and use of personal data. We do not yet know how exactly this will play out after the Standard takes effect May 1, but early enforcement actions taken under the cybersecurity law since it took effect in June suggest that issues related to identification and personal information are already a focal point for authorities.
Of the enforcement actions against the cybersecurity law so far, a number of these focus on violations related to real name registration requirements. For example, one company failed to maintain access logs, while another provided services to users despite their failure to provide their true identification upon registration. These cases illustrate authorities cracking down on companies for not going far enough to provide personal identity information on users. How do we make sense of this trend in the context of a Standard that would place greater checks on the ability of companies to collect and use personal data? There is a tension in which companies may be caught between a rock and hard place: at once needing to follow vague consent rules, while also being penalized if personal identity data is not maintained for users.
This tension will be made worse by bureaucratic conflicts in which it is not clear who in the government has control over data privacy. There is already much internal bureaucratic conflict on data protection, including among the standards bodies—China Electronics Standardization Institute (CESI) and China Academy of Information and Communications Technology (CAICT), the Cyberspace Administration of China, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security and its local branches—as well as the legislature, which is involved in drafting the coming new law on personal information protection. These internal dynamics also must be taken into consideration in thinking about how the Standard will be implemented.
Even as the government pushes to put in place a new regulatory framework around how data is managed and shared, there does not yet appear to be a higher-level consensus around how to do this in practice. From issues around cross-border data flows and what constitutes “important data,” to how to balance development of emerging technologies like AI with growing demands by Chinese users for data privacy, there is still unresolved internal debate in China about what this all should look like. These debates will persist, even as new laws, measures, and standards related to data protection are issued, leading to inconsistent enforcement and varying interpretation by both authorities and companies. As such, intent behind the Standard is a key component of gauging what it will mean in practice, but it is not the entire picture.
We will only begin to have a fuller picture of how China’s evolving data protection regime will be implemented and enforced once other elements of the Personal and Important Data Protection System are drafted and finalized, once it becomes clear how they mesh together, and once there is experience of how pieces like the specification are treated by the bureaucracy and companies. In addition, there is a larger edifice around this basket of the Cybersecurity Law that is not yet in place, much like the missing pieces of the Cybersecurity Review Regime (CRR) called for in Measures issued last year. The question of who will enforce compliance with the specification and the new draft law remains unclear, and we assume that there is major jockeying behind the scenes on this and on issues like establishing an equivalent of a Chinese national data protection authority. The process of developing the regime is likely to take at least two to three years to come into better focus.
Appendix: What do “standards” mean in China’s system?
Within China, national standards function more as tools for implementing higher-level laws and measures. In this way they are better understood as a kind of policy guideline or regulation, rather than a technical specification meant to facilitate international interoperability, which is how we typically think about standards in the Western context. Adding to the confusion is the use of terms like 规范 or specification, which can also be translated as “standard,” and 标准 or standard in a more Western sense by Chinese standards developing bodies such as the Standardization Administration of China (SAC), and the very important National Information Security Standardization Committee (TC260), which is the lead organization for the bulk of standards coming out that are associated with the Cybersecurity Law (see China’s Cybersecurity Law One Year On).
There is debate about whether this specification is legally binding as a form of regulation that clarifies how to implement relevant parts of the cybersecurity law. According to Dr. Hong, the Personal Information Security Specification provides a guideline for organizational compliance with the law but may not be the only way to comply. What is clear, however, is that government authorities are likely to refer to it when conducting various reviews and approvals, creating strong incentive for foreign and domestic Chinese company compliance.
Samm Sacks is a senior fellow with the Technology Policy Program at the Center for Strategic and International Studies in Washington, D.C.
We thank Jim Lewis, Paul Triolo, and Graham Webster for providing feedback in the drafting process. Emmanuel Ronco, Jonathan Zhou, and Gareth Kristensen of Cleary Gottlieb Steen & Hamilton LLP contributed critical insights regarding GDPR and China’s cybersecurity legal framework.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2018 by the Center for Strategic and International Studies. All rights reserved.