On June 29, the Standing Committee of Shenzhen Municipal People’s Congress passed the Data Regulations of Shenzhen Special Economic Zone (hereafter referred to as “the Data Regulations”) (深圳经济特区数据条例, link in Chinese). The rules will take effect on January 1, 2022. Shenzhen is the home of more than 300 (link in Chinese) companies that have access to big data, including Huawei, Tencent and DJI. Hence, even though the Data Regulations are municipal legislation, it has a broad scope of application and will have an impact on the practice of many major tech companies.
In recent years, China has promulgated a series of data-related laws and regulations, including its Data Security Law, and is in the process of formulating or revising other legislation, such as the Personal Information Protection Law. Shenzhen’s Data Regulations are the first to incorporate all data-related rules, including personal data, public data, data trading and security, in a comprehensive and connected way. “The biggest challenge” is to “strike a balance between personal data protection and data development and utilization,” said (link in Chinese) Li Aijun of China University of Political Science and Law, and the Data Regulations strive to stimulate the economic value of data while ensuring data security and personal data protection. Some Chinese lawyers believe (link in Chinese) that the Data Regulations could provide a model for other municipal-level and even state-level data-related legislation.
The Deputy Director of the Legal Work Committee of the Standing Committee of Shenzhen’s People’s Congress, Lin Zhengmao, said (link in Chinese) that the lack of laws and regulations on personal data protection has led to common practices such as collecting personal data without consent, requesting user authorization to an extent that goes beyond what is necessary, illegally trading personal data, and misusing personal data. These practices have seriously affected people’s lives, and sometimes seriously damaged people’s reputation, as well as personal and property safety. In order to effectively curb personal data infringements and protect individuals’ legitimate rights and interests, Lin said, it is necessary to pass the special economic zone’s own legislation: the Data Regulations.
Personal information has been the subject of a fair amount of recent litigation. There had been 103 cases (link in Chinese) involving personal information protection by June of 2021, including one case in which a Chinese law professor challenged a Hangzhou zoo for requiring facial scans to enter the zoo. Last month, China’s Supreme Court issued some rules (link in Chinese) on the use of facial recognition technology, requiring businesses to obtain consent from consumers before collecting or using their facial information. At the same time that China is formulating its Personal Information Protection Law, the Data Regulations are a local attempt to set out rules governing personal information including biometric data.
Discrimination is another major problem (link in Chinese) that has attracted a lot of attention. The term “killing the acquaintance” (杀熟) refers to a scenario in which service providers discriminate against recurring consumers using user profiling. The State Administration for Market Regulation already categorized such unfair pricing as abuse of market dominance in a recent antitrust guideline (link in Chinese) that applies to e-commerce platforms. The Data Regulations set forth specific rules on such discrimination as well as punishment for any violation.
China is also trying to strengthen the protection of minors’ rights. In 2019, the Cyberspace Administration of China (CAC) issued regulations (link in Chinese) to protect cyber information of minors and recently Beijing prosecutors initiated a lawsuit against tech company Tencent over its service for minors. The Data Regulations have some specific rules for minors, reflecting the overall trend of stronger protection for the group.
At the same time, Lin acknowledged (link in Chinese) that public data has not been exploited properly and efficiently and “it is necessary to pass legislation.” Lin said that “[we should] strive to solve the bottleneck problem of existing public data sharing and openness, and make full use of public data resources, accelerate the construction of smart cities and digital government, and enhance government capabilities of data governance.”
Overview of the new rules
The Data Regulations have 100 provisions in 7 chapters, and have rules governing personal data processing, protection and use of public data, data trading market, data security, and legal responsibilities.
The Data Regulations provide definitions for some key terms, such as data, personal data, sensitive personal data, biometric data, public data, data processing, anonymization, user profiling, public management and service agencies. (Article 2) Some of the key definitions include:
- Data refers to any information recorded electronically or in other ways.
- Personal data refers to data containing information that can identify a specific natural person. It does not include anonymized data.
- Sensitive personal data refers to personal data that, once leaked, illegally used or misused, may lead to discrimination against natural persons or serious harm to personal and property safety. The specific scope shall be determined in accordance with the specific provisions of laws and administrative regulations.
- Biometric data refers to the personal data that can identify a natural person, obtained by processing the biological characteristics of a natural person's body, physiology, behavior, etc., including the natural person's genes, fingerprints, voice prints, palm prints, auricles of ears, iris, facial recognition features and others.
- Public data refers to the data generated and processed by public management and service agencies in the process of performing public duties or providing public services in accordance with the law.
- Data processing refers to data collection, storage, use, alteration, transmission, provision, publishing and others.
- Public management and service agencies refer to the city’s state agencies, public institutions and other organizations that administer public affairs according to law, as well as provide education, health, social welfare, water supply, power supply, gas supply, environmental protection, public transportation and other public services.
Personal data processing
While China’s Personal Information Protection Law is still under development, the Shenzhen Data Regulations offer basic principles on processing personal data, including reasonable purposes and legal methods, the minimum principle, notification and consent. (Article 10)
There are five aspects of the minimum principle, including
- The type and scope of data processing shall be directly related to the purpose.
- The quantity of data shall be the minimum necessary.
- The frequency of data processing shall be the lowest frequency necessary.
- The storage period shall be the shortest necessary, and personal data shall be deleted or anonymized beyond the necessary storage period, unless regulated by other laws and regulations, or consent by the individual.
- Establish a minimum level of authorized access to personal data. (Article 11)
With regard to the principle of notification and consent, with some exceptions (Article 15), data processors shall notify natural persons of following information related to data processing:
- The name and contact information of data processors;
- The type and scope of the data collected;
- The purpose and method for data processing;
- Time frame for data storage;
- Possible security risks associated with data processing and employed security measures;
- Legal rights of the natural persons and methods of exercising these rights;
- Other issues regulated by laws and regulations. (Article 14)
The notification related to sensitive personal data shall come with a more pronounced format and explanations of the necessity of such data processing and possible impact on such a person. (Article 14)
Consent of the individual is required to process any personal data, unless exempted according to laws and regulations. (Article 16-18) Article 21 illustrates six scenarios in which consent is not required, including processing previously published data and for the purposes of public service.
If consumers do not consent to any personal data handling, data processors, including service providers and apps, cannot refuse to provide core services, unless the data is required for such service. (Article 12)
Similar rules apply to user profiling. Companies have used user profiles to create personalized recommendations of products and services. Any user profiling must notify the users, and users may reject any user profiling or promotion of personalized products or service based on user profiles. (Article 29)
The Data Regulations have stricter rules for biometrics data because it is “unique, permanent and unchangeable” (link in Chinese). The rules require explicit consent from the individual whose data is used, and options to use non-biometric data unless necessary. (Article 19)
The Data Regulations also establish special protection for minors under the age of fourteen. The Data Regulations have some rules similar to the CAC regulations. For instance, Article 20 states that information of minors can only be processed after guardians' explicit consent. But the Data Regulations also have rules that were not covered by the CAC regulations. For example, Article 30 states that data processors shall not advertise any personalized products or services to minors based on user profiles, unless approved by guardians and for the purpose of protecting minors’ legal interests. This provision targets apps, especially online education apps, that sometimes make recommendations to minor users.
Individuals can revoke previous consents (Article 22) and refuse personalized advertisements. (Article 29)
Data processors shall anonymize personal data when transmitting the data to a third party, unless in four scenarios illustrated in the Data Regulations. (Articles 26, 27)
The Data Regulations provide for the establishment of a municipal management system and catalogs for public data. (Articles 33-36) It also regulates rules on public data collection, which shall be necessary for public management or service purposes and pursuant to laws and regulations. (Article 37)
Public data shall be in principle shared among public and service agencies (Articles 41-42), and the Data Regulations set forth the requirements and procedure for data sharing. (Articles 43-44)
Public data shall also be made available to the public and free of charge, at the maximum level allowed by security considerations as well as laws and regulations. (Articles 46-47) There are three levels of public data: Unconditionally available, conditionally available, and non-available, The non-available category means data related to national security, business secrets, personal privacy as well as others regulated by laws and regulations. (Article 48)
Data trading market
The Chinese government has announced data as a “factor of production” along with land, labor, capital and technology in a 2020 State Council guideline titled Opinion on Establishing a Better Market-Based Allocation Mechanism (关于构建更加完善的要素市场化配置体制机制的意见). Compared to the other factors, data has been under regulated in China, which leads to many grey areas and misconduct. The Data Regulations, for the first time in China, set forth “creative” (link in Chinese) rules for fair competition in the data market, according to Lin.
The Data Regulations provide for new mechanisms for data trading in efforts to “promote the establishment of a data market such as data collection, processing, sharing, openness, trading, and application, and promote the orderly and efficient flow and utilization of data resources.”(Article 56)
To better regulate the data market, the Data Regulations require the municipal government to formulate local standards for a series of data-related activities, such as data product and services, data processing activities, data security, data quality, value assessment, and data governance. (Article 61)
The Data Regulations also require the municipal government to promote the establishment of data trading platforms. (Articles 65, 66) While traders are encouraged to use the data trading platforms, they are also allowed to conduct transactions in other ways according to law. (Articles 65, 67)
Data products and services can be traded, if the data is legally collected and processed. They cannot be traded if they contain unauthorized data or unpublished public data. (Article 67) Any violation of Article 67 will face a fine of up to 1 million yuan as well as other administrative punishment. (Article 94)
More importantly, the Data Regulations sets forth rules on fair competition in the data market (Article 68). It prohibits using data analysis and user profiles to discriminate during a transaction, if there is no substantial difference in costs, safety level, credit level of transactions. (Article 69) In other words, it is prohibited to charge consumers different prices for the same product and services, which has been a big issue (link in Chinese). Violations of Article 68 and 69 will face a fine of up to 5% of turnover and 50 million yuan, along with other administrative punishment. (Article 95)
It also bars any monopolistic activities, including monopolistic agreements and abuse of dominance in the data market. (Article 70)
The data security chapter mostly echoes existing rules in national laws and regulations, including the Data Security Law. In particular, it:
- reinforces the risk-based classification and management,
- implements national rules on data anonymization and encryption, as well as other protection of sensitive personal data and state-designated important data;
- requires regular security assessment for sensitive personal data and important data, as well as national security review for out-flows of personal data and important data;
- requires data processing to be clear and traceable.
With regard to national security review for outflows of data, the Data Regulations refer to “relevant rules.” Right now, the Data Security Law creates a national security review mechanism and China is still in the process of formulating rules for security reviews of personal data and other key data flows.
Civil public-interest lawsuit
One of the challenges in protecting personal data is that it is difficult for consumers to bring data infringement cases because they either are not aware of their rights being infringed, or have no capacity to collect evidence. As a result, there is a push in China to support prosecutor-led civil public-interest lawsuits. In September of 2020, Supreme People’s Procuratorate issued the Guiding Opinions on Actively and Steadily Expanding the Scope of Civil Public-Interest Litigations (link in Chinese), highlighting the procuratorate’s role in protecting personal data. In April, Supreme People’s Procuratorate issued 11 (link in Chinese) typical civil public interest cases regarding personal data infringement.
The Data Regulations echo this trend by setting out rules on civil-public interests lawsuits brought by eligible entities, and state that prosecutors can bring such lawsuits on their own, or support such lawsuits brought by other entities, if “data processing violates the Data Regulations, resulting in damage to national or public interests.” (Article 98)