Oct 12, 2020 03:53 PM

Editorial: Data Protection Law Should Put Citizens Ahead of Business

A tourist is told to submit his personal information in WeChat to get into a scenic spot in Nanjing, East China’s Jiangsu province, on Feb. 23.
A tourist is told to submit his personal information in WeChat to get into a scenic spot in Nanjing, East China’s Jiangsu province, on Feb. 23.

China is fast-tracking legislation for the protection of personal information. At the 22nd meeting of the Standing Committee of the 13th National People’s Congress (NPC), which will be held from Tuesday to Saturday, the much-anticipated draft of the Personal Information Protection Law will be unveiled.

People from all walks of life have called for this important law for many years. The litmus test for its quality lies in whether it can meet public expectations, strictly protect personal information and reduce data violations.

For many years, constrained by cultural traditions, social concepts, and the progress of the rule of law, China has not done enough to protect personal information. The ascendant digital economy has brought new challenges. Personal data now has huge market value — not just basic information like names and identities, but also our transaction data and online footprints. New technologies like big data, artificial intelligence, cloud computing, and the internet of things have unprecedentedly increased the risk of personal data leakage and abuse, and complicated efforts to investigate violations.

A series of breaches have made personal data protection a hot topic in China in recent years. No wonder, then, that people have high hopes for the new law. Currently, the country’s regulations on personal information protection are laid out in a decision by the NPC Standing Committee, a criminal law amendment on the infringement of citizens’ personal data, the internet security law and the civil code, among other statutes. But it is imperative that we formulate a unified and specialized law for safeguarding personal data, which is already common practice worldwide.

A popular catchphrase in China at the moment holds that we must balance the development of the digital economy and the protection of personal information. This is a misnomer, because it regards industrial development and data protection as two opposing forces when they actually complement each other. Our main problem is not that we excessively protect personal data, but that we don’t protect it anywhere near well enough. In the end, this law will exist to defend citizens’ rights, not boost industry.

There is no tightrope to walk when it comes to protecting personal information. Instead, it’s a serious governance issue that concerns social justice and civil rights. If the new law does not start from the perspective of rights, but tries to strike a utilitarian balance, civil rights will inevitably be sacrificed for short-term business interests and the industry will never secure long-term development.

For instance, a variety of widely used apps in China obtain personal data that has nothing to do with their services, collect information without notifying users, or exploit loopholes in the rules to force individuals to hand over their data. Although such behavior may not be legal or necessary, it remains rampant. Many business owners force people to trade privacy for convenience, and care little about the resultant damage to citizens’ rights.

The main task of the new law is to establish definitions and stop conflict. It must not only clarify the rights and privileges of all parties, but also resolve disputes. Only when the rules are clear can industry enter a virtuous circle of development, stabilize business expectations, and prevent “bad” money from driving out the “good” or competing in a race to the bottom.

The law therefore clarifies the powers and responsibilities for its specific implementation and enforcement, sets limits on its scope, and provides a basis for judicial discretion. Without clear authorization and restrictions, regulators and law enforcement can easily fall into vicious circles of inaction or overreach, raising business costs and affecting long-term industrial development.

The maturity of the law depends firstly on whether it is strong enough to deter offenders and hinges on providing channels for victims to seek financial redress and bring lawbreakers to justice in a timely and convenient manner.

Opinions abound on the law’s positioning, systems and content. For example, some scholars once strongly recommended that the phrase “personal information rights” be included in the provisions of the Civil Code, but this expression was not adopted later. Others continue to argue over whether data protection should fall under the rubric of public or private law. Still more scholars firmly argue that the control of personal data represents a new type of public legal right.

These disputes are not purely academic, but may have profound practical impacts on the responsibilities of regulators and judicial organs. It should be noted that officials have landed on the current version of the law by focusing on urgent practicalities ahead of controversial issues, a pragmatic and understandable attitude.

Personal data issues do not stop at the protection of civil rights, but must also strengthen the government’s supervision and law enforcement. China urgently needs to improve its provision of more so-called public goods as part of efforts to protect personal information. The absence of government oversight will undoubtedly spark data violations. In the future, we should consider strengthening coordination or establishing special law enforcement mechanisms to fix our current enforcement model, which is spread too diffusely across multiple government bodies.

State agencies at all levels and institutions with public roles also collect personal information. Although we might assume they are more ethical than commercial enterprises, such agencies are still composed of people with various interests who may not necessarily always serve the public.

Therefore, we must make sure these bodies comply with the principles of proportionality, due process and minimal intervention when collecting, processing and using personal data, as well as abide by strict regulations that clarify their rights, responsibilities and obligations. Currently, scholars are mostly focusing on how state organs might compensate individuals for personal data violations. In fact, the accountability of specific personnel is far more important.

Some people worry that strict personal data protection will frustrate companies, hinder their ability to accumulate information resources, and impact the global competitiveness of China’s digital economy. Given the country’s vast population and huge market, these concerns are unfounded.

We are full of confidence about the prospects for China’s digital economy. At the same time, we look forward to Chinese citizens enjoying better personal data protections than they do currently — an arena where China can catch up with developed economies in Europe and the United States, which have already established such rules and regulations.

Contact translator Matthew Walsh ( and editor Michael Bellart (

Download our app to receive breaking news alerts and read the news on the go.

You've accessed an article available only to subscribers
Share this article
Open WeChat and scan the QR code