Chinese scholars, journalists, and policy practitioners hailed 2018 as a pivotal year in data protection, not only around the world but also in China. China’s first personal data protection standard, called the “Personal Information Security Specification” (the “Specification,” translated by DigiChina here), entered into force in May, the same month as the European Union’s General Data Protection Regulation (GDPR). Over the next three months, California passed its Consumer Privacy Act, a Personal Data Protection Law was introduced in India, and Brazil’s General Data Privacy Law was signed into law.
As governments around the world grapple with how to regulate data collection, use, and processing, Chinese policymakers have accelerated efforts to build China’s first cohesive data governance regime. The system is still in early stages, amid much debate and discussion inside China, but a framework is emerging for how different kinds of data should be collected, used, and shared.
So far, despite the fact that China has not yet established a comprehensive legal regime around data, interagency government moves already restrict how the private sector collects and processes personal information, with legal authority based on the Cybersecurity Law and the Consumer Protection Law and greater detail laid out in the Specification.
The emerging data governance efforts, however, reach well beyond privacy protection and personal information handling. Especially since the 2017 Cybersecurity Law, data governance in China has distinguished two broad categories of data: “personal information” and “important data.”
The two concepts were neatly delineated in an essay on the Cyberspace Administration of China (CAC) website by Dr. Hong Yangqing, the lead drafter of the Specification. Hong wrote that protection of personal data refers to having “autonomy and control over one’s data,” aligning with the general understanding of privacy in Western legal traditions. Distinct from individual concerns, he wrote, are interests “at the national level” that concern “important data affecting national security, the national economy, and people’s livelihood.”
In a sense, “personal information” governance is primarily a function of the interests of the individual, while “important data” governance touches on issues ranging from everyday cybersecurity needs to broader concerns about national security and prosperity. According to the Cybersecurity Law, both personal data and important data produced by “critical information infrastructure” (CII) operators must be stored within mainland China.
Timeline of Chinese Data Governance
The Chinese government’s formal documents governing data and personal information collection, processing, use, and handling have evolved over more than 15 years, but as the timeline below illustrates, a much more robust regime has come to fruition over the last few years. This timeline is a selection of key developments with specific attention to personal information.