China's draft civil code, which provides the overarching legal framework for non-criminal disputes, is now under deliberation at the annual session of the 13th National People's Congress (NPC). 

The draft regulates many aspects of life in China, including property, marriage and torts, to name a few. Among the provisions that attracted the most attention in the draft is a section on personality rights which details a legal framework for privacy rights and personal information protection.

For a long time, legal and regulatory control have lagged behind the pace of technology in China. New applications like deep fake and the increasingly wide use of facial recognition technology have forced our notion of privacy to collapse. "We have become transparent and there is no such thing as privacy and security," said Li Shufu, chairman of Geely Automobile, in a 2018 speech that echoes the thoughts of many in China.

What constitutes consent?

For the first time, privacy and private information are defined statutorily in the draft civil code. The draft says that private information is anything that an individual is "not willing to be made known to another person" and no one is permitted to access such information without obtaining the consent of the individual. 

Major tech platforms with highly sophisticated product development capabilities can fail the consent requirement on a mass scale. Ant Financial, the financial arm of Alibaba, once apologized for a default setting on its app that automatically enrolled users in its credit-scoring scheme. A popular face-swapping app, Zao, updated its user agreement after it emerged that it could retain users' facial images and sell them to third parties without users' consent.

But some say to design a mechanism so that genuine consent can be obtained from users is a high bar for developers, especially given that biometric information that powers facial recognition system is included in the definition of personal information in the draft civil code.

There are currently two main ways in which facial recognition is employed, for confirmation and for identification. The former refers to security measures such as unlocking one's iPhone – identifying yourself to your iPhone – while the latter is typically used for public security purposes, such as identifying jaywalkers from a crowd at a distance.

While it is easy to design the consent mechanism for unlocking an iPhone, it is hard to send notices and obtain consent from consumers in situations where facial data needs to be captured from large numbers of people in the public sphere, Shen Weiwei, associate professor of the China University of Political Science and Law, told CGTN late last year. 

Obligations that fall on companies and platforms 

While most people trade their personal information in exchange for services, what they are often not aware of is that their information is frequently gathered by data brokers, for credit, employment and insurance reasons. Personal data is also used by artificial intelligence companies to train their algorithms so that they can learn to "see" on their own.

Since the process of generating and analyzing personal information involves multiple entities – including tech platforms and third-party data brokers – the protection of personal information cannot rely solely on the capability of individual users to reach informed consent.

The draft civil code puts great emphasis on regulating tech companies when it comes to personal information protection. It states that personal information cannot be illegally provided to others without the consent of the person, and if a violation of rights is found, the person has the right to request the information be deleted.  

The coronavirus pandemic witnessed the collection of a vast amount of individual information for epidemic control and prevention efforts. One proposal from Lian Yuming, a CPPCC member, suggests that encryption and data masking methods should be employed to obscure the sensitive parts of the individual data, to prevent data breaches, loss or unauthorized uses.

This is not the first time that China has tightened regulations on companies and platforms over data collection, use and sharing. In 2016, the Cybersecurity Law was adopted. A standard called the Personal Information Security Specification took effect in May 2018, providing a guideline for data collection, transfer and use.

But while the Cybersecurity Law and the Personal Information Security Specification deal with relations between public authority and private entities, the Civil Code is a private law that governs the relationships between private entities, said Shen Weiwei, associate professor at China University of Political Science and Law.

The Civil Code, if adopted by the NPC, theoretically has higher legal authority than other laws and standards on data privacy passed by such legislative bodies as the NPC Standing Committee, he noted. 

A balance between industrial development and privacy protection

There is no denying that new tech developments powered by our personal information have brought ease and convenience to our lives. From smart city projects to face-scan payments, data and algorithms enabled the exponential growth in productivity in China.

China has made the development of tech-driven infrastructure a pillar to drive economic growth in the post-pandemic world. At a meeting of the Political Bureau of the CPC Central Committee in March, a commitment to investment in the building of new infrastructure projects encompassing a wide range of sectors, from 5G to data centers to AI, was made. 

But recent years have also witnessed a growing outcry from people in China for more privacy protection. In what is considered the first major survey on Chinese public opinion on facial recognition, Nandu Personal Information Protection Research found that around 80 percent of respondents said they were worried about facial data leaks and an overwhelming 83 percent said they hoped operators will provide a channel for them to check and request to delete the facial data.

"The regulation over biometric information in the draft civil code shows that legislators are trying to balance between security and innovation, taking a cautious approach to the application of facial recognition technology," Wu Shenkuo, assistant dean of the Internet Institute of Beijing Normal University, told CGTN.

The draft civil code provides an institutional basis for the protection of civil rights by offering legal remedies, and it helps raise people's awareness about their rights, it helps maintain social order and improves the rule of law, he added. 

The combination of increasing power of new technology, its omnipresent existence and its opaque, often inscrutable terms and agreement on privacy, give rise to ethical and legal concerns. A comprehensive legal framework for individual information rights and protection will get us closer to privacy in the digital age.