May 28, 2020
Two new laws that will govern data privacy, protection, and transfer in China pose tough challenges for their drafters, a key scholar and government adviser on cyberspace policy wrote in an essay translated below. The Personal Information Protection Law and the Data Security law, both slated to be submitted for deliberation during the National People’s Congress term ending in 2023, are to take up deeply interrelated issues from sometimes divergent perspectives.
The essay's author, Lu Chuanying, is a scholar with the Shanghai Institutes for International Studies who has advised Chinese government offices such as the Cyberspace Administration of China and the Ministry of Foreign Affairs on cyberspace governance and has been a visiting scholar at the Center for Strategic and International Studies in Washington.
Here, in an essay published in the Global Times Chinese-language edition on May 27, Lu outlines the stakes for what promise to be major additions to China’s digital economy and cybersecurity regulatory regime. He argues that the two efforts are motivated by different imperatives—personal privacy for one, and national and public security for the other—that could lead to complex trade-offs.
Lu calls for public participation, careful weighing of different actors’ interests, and a mentality that recognizes “information society” dynamics, rather than leaning on industrialization-era thinking. He suggests that existing regulatory work on personal data protection and data security following the Cybersecurity Law (effective three years ago next month) will feed this process, but he is clear that major challenges remain if the laws are to be formulated in a coherent manner.
Lu Chuanying: Data Security Legislation Must Balance the Needs of All Sides
This year's work report from the Standing Committee of the National People's Congress was submitted for consideration the other day, mentioning that the much-watched Personal Information Protection Law and Data Security Law are currently in the process of formulation. Following the Cybersecurity Law, these represent two important laws in the cybersecurity field.
The core propositions of these two laws revolve around issues of data security, and they seek to establish a system of basic principles for an information society. As the level of informatization and the number of Internet users continually rises, China has become a leading data power (数据大国) on a global scale. On one hand, data has driven economic development. A group of globally influential Chinese Internet businesses has therefore emerged. On the other hand, repeated personal privacy leaks and data security problems have not only caused major harm to users but also threatened social stability and national security.
Recently, countries all around the world have successively accelerated data security legislative work. For example, Europe formulated and implemented the extremely strict General Data Protection Regulation to protect personal information security within the European Union. China has also launched a series of efforts on protecting personal information security and data security, for example the Personal Information Security Specification formulated under the guidance of the Cyberspace Administration of China and the publication of the Data Security Management Measures (Draft for Comment), which have an important role in protecting China's data security.
With the launch of legislative work on the Personal Information Protection Law and the Data Security Law, what were originally technical standards and departmental regulations will rise to the level of law, making clear that the Chinese government is taking data protection increasingly seriously. At the same time, as data produces continually more value, controversy, and harm, it is necessary to respond at the level of the overall picture.
From an individual's perspective, data is personal information, pertaining to personal privacy and in need of strict protection. From an enterprise's perspective, data is an important resource, carrying major commercial value. From the government's perspective, it must both respond to the personal information protection needs of the public, while also ensuring space for enterprises to use data reasonably. At the same time, the government's efforts at social governance and safeguarding public security are inseparable from data use. When touching on international competition, data is also believed to be the "oil" of the information society, holding important strategic value.
Therefore, the problems these two laws must solve are extremely important, involving national, societal, and individual needs—an extremely complicated problem. In this author’s view:
First, to the greatest extent possible, it is necessary to let the public participate in the legislative process and to listen carefully to the public's voice on these two laws. Individuals are the most important data producers, and, at the same time, they face enormous risks from personal information abuse and privacy leaks. Guiding the public to fully participate in discussions around the legislative process not only helps cultivate consciousness of personal information protection among the public but also can help legislators better listen to the needs of the public, thereby making the laws' formulation more scientific and rational.
Second, formulating these two laws requires balancing the interests and needs of all sides. Although the relationship between the different actors is not zero-sum, law still must make certain choices. Therefore, how to balance personal privacy, enterprise development, and national security is a major task facing these two laws.
Third, the relationship between the two laws must be handled well. The Personal Information Protection law treats data security issues more from the perspective of protecting citizen privacy, while the Data Security Law sets out from the perspective of national security and public security. Because of this, differences may exist in their orientations. This requires integrated thinking in the legislative process, to make the two laws mutually compatible and effectively linked, and to collectively safeguard China's data security and data sovereignty.
Fourth, this legislation requires ample consideration of the overall backdrop of the information society and technological development, to avoid using thinking from the industrialization era to formulate laws for the information society. Legislators need a measure of farsighted understanding of the development of emerging technologies such as artificial intelligence, big data, and cloud computing. At the same time they also need to stress using emerging technologies to solve problems in the protection of personal information and in data security.
Lu Chuanying is Secretary General of the Cyberspace International Governance Research Center of the Shanghai Institutes for International Studies.