What’s Behind China’s Laws to Protect Privacy?

A Q&A with Mark Jia

In his article “Authoritarian Privacy” for the University of Chicago Law Review, Mark Jia writes: “Privacy laws are traditionally associated with democracy. Yet autocracies increasingly have them.” In this ChinaFile Q&A, Jia and Samm Sacks engage in an exchange about what has motivated the Chinese government to enact and enforce a range of laws on information privacy and the implications for understanding the role of privacy laws in non-democratic states.

Samm Sacks: Outside observers have commented that China appears to have a split identity when it comes to privacy: rules limit how firms handle citizens’ data, while the state has unchecked surveillance powers. Is this dichotomy accurate? What does privacy mean in China, particularly in the wake of COVID, when the scale and reach of government surveillance and the use of data-intensive technologies for tracking and monitoring appear to have intensified?

Mark Jia: I agree with the view that China’s privacy laws are meant to preserve a broad “exceptional zone” for state surveillance in areas like intelligence collection, law enforcement, and domestic stability maintenance. I agree too that a lot of the rules and their enforcement have focused on how companies handle citizens’ data. For example, the Personal Information Protection Law (PIPL for short), China’s first comprehensive privacy law enacted in 2021, establishes greater compliance obligations for major Internet platforms, such as a requirement to establish an independent body to “supervise” their privacy protection work.

But I think the reality is more complex than a private-public dichotomy would suggest. Most notably, the PIPL explicitly applies to state organs. The aim is not just to discipline firms but also lower-level bureaucratic entities that are abusing or misusing citizens’ data. To take one somewhat mundane example, my article discusses a case in which a local prosecutor discovers that a county-level agricultural bureau has been disclosing information on machinery purchase subsidies online without removing the personal information of over 1,000 farmers. The local procuratorate (prosecutor’s office) initiated a procedure that essentially asked the bureau to fix these violations, and the bureau complied.

The application of privacy law to state entities stems from a realization that some of the most egregious instances of data abuses in recent years, especially during COVID, emanated from state or quasi-state entities, not just private individuals or market actors. Most famously, perhaps, local officials in Henan once assigned red COVID health codes to a group of citizens to prevent them from traveling to protest the freezing of their bank deposits. Authorities have been sufficiently alarmed by these practices that as early as 2020, the Cyberspace Administration of China (CAC) issued a notice urging governments to follow personal information protection guidelines in their pandemic-control work. (At this point, the PIPL had not yet been enacted.)

I take this as supporting my general argument that China’s privacy laws were enacted in large part to highlight its responsive governance in the face of new vulnerabilities and dependencies that have arisen out of China’s data-driven society. If you look at how the national legislature and state media have framed China’s recent privacy laws, they have sought to position the central Party-state as a champion of individual privacy rights against incursion from various digital bad actors—individuals, firms, even local governments. Notably missing from this list of privacy intruders is the central Party-state itself, of course, despite its leading role as a surveillant. In this regard, privacy law may also be a means of distracting the population from the central Party-state’s own privacy incursions by redirecting attention to others.

You write that of the 130 countries that have enacted privacy laws, only about half are considered “free” by the nonprofit Freedom House. Why did you choose China as a case study for the role privacy laws play in these countries and to develop your theory of “authoritarian privacy”?

The most immediate aim of the piece is to explain China’s turn to privacy law. I do not claim that China’s situation is universal. But I do think that a close study of China’s privacy story can help draw out some hypotheses as to why authoritarian countries have been enacting privacy laws at their present speed and scale. In the article, I discuss four objectives that motivated the central government to enact privacy laws: to support its digital economy, to expand its geopolitical influence, to enhance its national security, and (most unappreciated in my view) to respond to data-related social grievances. Not all of these motivations apply to every authoritarian ruler. China’s geopolitical goals, for instance, are decidedly more ambitious than those of Saudi Arabia or Venezuela. But it’s also the case that at least some of these motivations are likely present in other authoritarian examples. The government in Vietnam, for instance, has also been highly invested in growing its digital economy, deepening its surveillance state, protecting data security, and addressing digital abuses online. Vietnam is quite close, I believe, to enacting its own information privacy law.

Moreover, I think China is an interesting case because it is both the world’s leading surveillance state and a home to comprehensive personal data protections along lines inspired by the European Union’s Global Data Protection Regulation (GDPR), which is considered the gold standard in information privacy protection law today. Because China crystallizes that apparent paradox, I thought it could help suggest dynamics that might exist elsewhere.

We often talk about the Chinese government as a monolithic entity, especially when it comes to data. What are the ways in which Party-state actors at both central and local levels have responded to the so-called “datafication of China,” and what are some examples of their competing interests in datafication?

I draw on a definition of “datafication” as the process of “taking all aspects of life and turning them into data.” I think you’re absolutely right that central and local governments in China are not always 100 percent aligned in their data-related interests and priorities, including with respect to privacy. For example, some local governments that are highly invested in supporting local industry may be less willing to saddle those companies with the higher compliance costs associated with strict adherence to national data protection laws. On the other end of the spectrum, some localities may carry out central mandates more aggressively than central leaders might prefer. For example, a common pandemic-control measure implemented in residential communities required residents to use facial recognition to access their buildings. This became a sore spot for many. In 2021, the Supreme People’s Court included, in a legal notice clarifying the law on facial-recognition technology in civil cases, a provision explicitly calling on all people’s courts to “support” residents who request alternative methods of identification if their building managers mandate facial recognition technology for access. So here you see the center starting to rein in local practices that were initially implemented to carry out central mandates.

What has been the role of Chinese courts in enforcing privacy protections?

The PIPL provides for both administrative enforcement and judicial enforcement. The most prominent cases of enforcement, the ones we hear about in the news, tend to involve administrative processes. But courts have played an important role as well. It’s still early to draw general conclusions, as the PIPL is a relatively new law and legal disputes necessarily take time to work their way through the legal system. But early evidence on the ground suggests a few interesting trends.

First, in addition to what you might think of as ordinary civil suits against privacy violators or criminal prosecutions for data fraud and theft, we see a rise in public interest data protection suits brought by local prosecutors. In one Hangzhou case, for example, a local prosecutor brought a public interest suit against a short-video app for violating the privacy rights of minors. The court supervised a mediation agreement that required the firm to follow a compliance schedule, to pay out compensation to various children’s welfare groups, and to issue a public apology in a state-owned newspaper. Some of these prosecutor-initiated public interest suits have targeted state entities—usually for a failure to adequately supervise privacy rights protection in their jurisdictions, but sometimes for direct privacy violations too.

The second trend to note is more of a caveat. China’s law-enforcement apparatus may be mobilized now to carry out the privacy law’s socially protective mandate (and to boast about their success online), but these same agencies are also charged with balancing assertions of privacy rights against considerable state interests. In one case, for example, a Shandong court denied a plaintiff’s request for a pharmacy to delete her personal information because the pharmacy was not authorized to do so under local public health regulations devised for pandemic control. This shows that there are hard limits to how far law enforcers are willing to go.

Policymakers in Washington, D.C. have expressed concerns that Chinese-owned software applications threaten Americans’ data security and privacy—that Chinese laws compelling companies to cooperate with intelligence services mean Americans’ sensitive data could end up in Chinese government hands. Are Washington’s anxieties warranted based on your research into how Beijing has enacted privacy laws?

A key question for Chinese policymakers when drafting privacy legislation was how to further its various objectives (including predominantly domestic goals) while maintaining flexibility for state surveillance. It is well established that Chinese firms are required to share information with intelligence services under various laws, including the National Intelligence Law. The PIPL does not fundamentally alter these obligations, and I have seen no commentaries suggesting otherwise.

This replicates a broader pattern that fairly describes much of Chinese law generally: even as the Party-state has legislated in various areas to serve its national objectives, it has done so through a legal regime that is carefully crafted to keep its own hands untied in core areas of national interest, including state security. In other words, the Party-state has sought to extract the benefits of law while minimizing its costs. I would hypothesize that a similar calculus also helps explain the substance of privacy laws in other authoritarian settings.

It’s refreshing to hear a perspective focusing on domestic factors underpinning China’s privacy regime because so much discussion I hear about developments inside China looks at everything through the lens of U.S. national security and great power competition. Why did you choose to frame your argument as a domestic legitimization story?

I do see this paper as offering a corrective to a troubling tendency now in our national discourse to understand China primarily through the lens of U.S.-China competition. This is evocative of the Cold War insofar as normative ideological and geopolitical frameworks are increasingly used to structure our descriptive understandings of reality.

Many analyses in the think tank literature frame the PIPL as a top-down effort to grow China’s digital economy, to enhance the country’s security, and to expand China’s data influence abroad. These explanations aren’t wrong for what they say, but they miss a critical part of the story: the Party-state’s perceived need to address data privacy incursions through socially protective legislation. This is how privacy law is discussed in Party reports, legislative documents, and state media, and it is how prosecutors, courts, and other agencies have framed their enforcement work as well. Party-state documents rarely shy away from boasting of geopolitical goals where they are relevant, and yet official PIPL-related documents scarcely mention them.

The reason why I think a lot of existing explanations miss or understate the domestic legitimation piece of the story is because those accounts tend to take a fairly reductionist view of China, either as a monolith that is locked in geopolitical competition with the West, or as featuring an all-powerful totalitarian government that can essentially impose its will upon its population. But not every major piece of legislation in China today is principally motivated by geopolitics, and despite Xi Jinping’s ascendance as paramount leader in China, his rule continues to require a high level of responsiveness. Consider, in this regard, Xi’s abrupt reversal of the country’s pandemic policies after the lockdown protests last fall.

How would you answer the question raised by Jamie Horsley (in a piece by this title): “How will China’s privacy law apply to the Chinese state?” How does the PIPL apply to state organs, and how does it apply to companies? Is it empowering security authorities to demand greater data access from the private sector because now they have a legal authority they can cite in making data requests?

While there is an entire section in Chapter II of the PIPL devoted to state organs, that section is fairly abstract. It states that the law generally applies to state organs’ handling of personal information, while enumerating several exceptions at fairly high levels of generality. The result is that much is left to implementation. From what I have seen so far, state organs in China have sometimes been disciplined for privacy violations, often for what you might think of as inadvertent publication of private information, rather than any sort of malicious abuse of personal data. I gave an example earlier from Jiangxi of an agricultural bureau that (accidentally, it seems) disclosed the personal information of farmers online in the course of reporting local subsidies. I’ve seen other cases where a government organ was disciplined for failing to remove identifying information from various documents posted in the “Government Information Disclosure” column of its website. I would guess that drafters of the PIPL envisioned enforcement of the law against state organs for more serious violations, given the kinds of national controversies discussed earlier that helped pave the way for the Law’s enactment. For now though, initial enforcement patterns as to state agencies seem to reflect a measure of institutional and political caution in the early days of the law’s implementation.

China’s technology firms have sometimes balked at sharing their data with government agencies, and have often cited a lack of legal basis as grounds for refusal. My impression is that this dynamic is beginning to change, not only because of the PIPL’s clearer specification of legal authorities, but because the state-led campaigns targeting the tech sector that started in late 2020 and 2021 have fundamentally shifted the relationship between the technology sector and the central Party-state. As Professor Angela Zhang has well documented, the Party-state had employed a relatively lax approach to tech regulation in the years before Jack Ma’s fateful address in late 2020. Now that the pendulum has swung the other direction, I would imagine technology firms are more willing to share data with central regulators when asked.

I agree that the space for companies to push back is shrinking as the Party institutionalizes its power over the private sector. I have wondered what this dynamic means for the longstanding push and pull between economic goals and national and domestic security goals of the leadership. Economic growth goals have long been a backstop against implementation of some of the worst or most hardline elements of China’s cybersecurity and data regulations because officials recognize pushing companies too hard could come at a cost to investment in their jurisdictions. We saw this with data localization, with data access requests, and other cybersecurity-related audits where companies sometimes had more space to maneuver. It sounds like you are somewhat pessimistic that this space will continue, but I do wonder about it given the economic pressure facing China’s leaders. How do economic imperatives impact the way China’s privacy law is implemented and enforced?

If China’s economic prospects worsen, it’s plausible to me that the center may decide to relax enforcement of not only its privacy standards, but other laws that create regulatory burdens for firms in areas like antitrust, consumer protection, and financial regulation. The costs to popular support associated with a deteriorating economy may be steeper than the legitimation and securitization benefits of a zealously enforced privacy law, especially at the margins. But I think the old days of completely lax regulations are over. Central leaders have come to appreciate more fully the political risks of overseeing unchecked technology firms helmed by ambitious entrepreneurs sitting atop mountains of sensitive data. They know too much now to turn back the clock completely.