Jun 01, 2020 08:43 PM

Editorial: Pandemic Response Shows Need for Better Data Protection Laws

Students return to campus at Dezhou University, in East China's Shandong province, on May 20.
Students return to campus at Dezhou University, in East China's Shandong province, on May 20.

As preventing coronavirus flare-ups becomes the new normal, we as a society must directly confront a major challenge: how to protect personal information. At the recently concluded meetings of the National People’s Congress, China’s highest legislature, many delegates voiced deep concern about privacy issues and put forward various motions.

It has been in the public interest to collect and use large amounts of personal data during China’s coronavirus epidemic. However, even in these extraordinary times, these practices must be conducted with respect for the law. This is not purely a question of striking a balance between efficient social management and personal data security, but also of clearly demarcating public and private rights.

China must therefore speed up the progress of data protection legislation to respond to this pressing challenge.

Vast quantities of personal information were a boon when the virus was spreading rapidly in China. However, the last few months have given way to obvious signs that personal data collection is becoming excessive. All sorts of entities — including educational organizations, public security bodies, transportation networks, telecoms operators and internet companies — have gotten in on the act, while housing estates and work units everywhere are using QR codes and facial recognition technology.

There are obvious problems with the notion of collecting large amounts of data but managing it with a light touch. We don’t know how our information is stored or used. Data leaks happen with alarming frequency. Even worse, people returning home from Wuhan, the city at the center of China’s outbreak, have had their personal details spread widely in WeChat groups. There is also no clear plan for how to recall or delete the information that has been collected. No wonder the public is so perturbed by the news that some localities have proposed making so-called “health code” systems permanent.

Currently, people are most anxious that if the important information collected during the epidemic later leaks out, there may be no way to repair the damage. The facts prove that these concerns are hardly unfounded. However, a more pressing follow-up question is this: If we are able to adequately protect personal data, could its collection become open to abuse?

Multiple state departments aim to provide more accurate, more efficient governance. Could they demand that no constraints be placed on personal data in order to achieve that? The answer, of course, should be no. Protecting personal information is the bottom line for societies run according to the rule of law. Without legal permission, no government department or agency has the authority to snatch this right from citizens.

 Read More 
In Depth: Decoding China’s First Civil Code

But at present, China is doing a far better job of curbing the virus than of safeguarding its people’s personal information.

To protect personal data, we need to clarify the principles, procedures, confidentiality arrangements and obligations of the entities that collect and use it. We also need to know who bears legal responsibility when data is misused or insufficiently protected, as well as the regulators’ methods of supervision and means of punishment.

But for now, we need to get a grip on the sources of data collection. We must attach special importance to individual privacy. For example, facial recognition data is highly sensitive and has no basis in law, meaning nobody is allowed to touch it. On this issue, we should respect a widely received principle, namely, government mustn’t do anything if the law doesn’t expressly permit it.

In fact, China’s disease control and emergency response laws both contain provisions for the collection and use of personal data during public health crises. In February, the relevant central government departments issued a notice requiring big data-driven approaches to curbing the virus to adequately protect personal information.

However, we have still witnessed scenes of widespread chaos. In many cases, citizens have been forced to agree to have their data harvested. As disease control becomes normalized, we must correct this behavior as quickly as possible.

We must be adaptable, categorizing personal information into different levels of sensitivity and building the necessary systems to protect it. We might consider drawing up “whitelists” and “blacklists” to determine when it is permitted and not permitted to collect individual data. We also need to provide detailed, workable guidance and standards for its storage and use.

A clear issue at the moment is how to withdraw or delete information that has already been collected. Given that the current wave of data collection is premised on the need for disease control, it stands to reason that we should have a data disposal plan for when the danger has finally eased.

Right now, most people are only considering the collection issue, not the disposal issue. Although some data collectors promise to get rid of the data in the future, they do not lay out a clear plan for doing so. Some may target this information in order to misuse it. On this point, the relevant central government departments should, as soon as possible, release a clear roadmap for data disposal, clarify its position on the matter, dispel the mistaken attitudes of some people, and ease the minds of the public.

Everyone is waiting to see what the new civil code, and especially its chapter on privacy rights and personal data protection, will mean in practice. The code not only defines what is meant by “privacy,” but also lists specific actions that infringe the privacy rights of others and clarifies the principles and conditions under which personal data must be processed.

The draft code also left space to further develop personal data protection laws, which are currently being drawn up. They must directly address the real problem revealed by China’s pandemic-driven disease controls and throw up a cage around those entities most likely to violate personal data rights.

It must be admitted that there are social and cultural causes behind data abuse. Traditionally, China lacked the sacred concept of the right to privacy, and the notion remains weak today, even after more than 100 years of modernization.

But from the moment we stepped into the information age, these issues took on greater meaning. In recent years, the leakage and sale of personal information has triggered social issues that cannot be ignored — in some cases, they have even led to loss of life. This is not the price of development; it is the consequence of a social governance system that has failed to keep pace with economic growth. The coronavirus epidemic has further widened this imbalance.

Personal data protection is a thorny issue the whole world faces in the digital age. Due to China’s long-held cultural traditions and unique social governance structure, it must face certain extra challenges. Seeing personal information as purely a source of big data for the development of the digital economy is rather too utilitarian; we must consider the issue from the perspective of the rights of the individual and the group.

The coronavirus outbreak is not only a window onto the weaknesses in China’s personal data protections, but also a chance to set a future course for systemic improvements. In a certain sense, the problem is also where the solution lies.

Contact translator Matthew Walsh (

You've accessed an article available only to subscribers
Share this article
Open WeChat and scan the QR code