China creates privacy codes with biometric data protections, but is it just for show?

China’s first civil code — ever — is scheduled to go live January 1. It will pay particular attention to the digital privacy rights of citizens and the responsibilities of organizations using the data, including biometrics.

China’s new civil code governs civilian life and business, including property rights, contracts and family matters. In an analysis of the development, Samuel Yang, a partner with the Anjie Law Firm in Beijing, writes that Chinese national governments going back to the mid-1600s have tried and failed to fashion a civil code.

It is too early to tell what the overall impact of the civil code will be, writes Yang. In terms of digital rights, it appears that the government consolidated three miniature codes covering network information protection, cybersecurity and the protection of consumer rights and interests.

Those freestanding areas in China’s online law were deliberately drafted in many cases to be vague, inviting much interpretation. And so does the new civil code, according to Yang.

One area that is now better defined centers on consumer privacy breaches. Consumers will now be able to sue in court over data thefts.

The code addresses three areas of privacy and personal information, he writes. First is “personality rights” that include a citizen’s right to privacy. Then there are laws designed to stop “spying, eavesdropping, photographing or filming private body parts or spaces, and sending uninvited messages. The third section is all about processing personal information, and notes biometric data as included, as well as location and biographic information.

Among the new directives states that processing personal data “must be lawful, justified, necessary and not excessive.” This one will be aimed almost entirely at businesses, as the government operates on the assumption that it is always lawful and its actions justified.

Personal data cannot be collected unless an individual gives express consent “or as required by law.” Two exceptions are noted: if someone volunteers disclosure and does not object; and if the collection is in the public’s interest.

People can access their data held by a “processor,” and can correct mistakes.

If data was collected illegally or in a way that breached a contract, a person can have the information deleted.

Directives gradually become advice and urgings from the state to processors.

Why it is happening now is hard to tell. It was the authoritarian government of Xi Jinping that finally forced the issue, but China almost always has been run by authoritarians. And it is certainly true that Xi wants to create at least the appearance of legitimacy through laws.

It could also be that Xi and his fellow Communist party leaders feel that the nation’s economic ascendency has so much momentum that they can cut back on the use of chiseling contracts and off-the-books tools to stimulate technology development and innovation.

Or the national government might be bending to growing discontent about privacy among citizens who have listened to one too many corporate leader tell them to get over it, as has Geely Automobile’s chairman, Li Shufu.

Article Topics

biometric data  |  biometrics  |  China  |  commercial applications  |  cybersecurity  |  data collection  |  data protection  |  digital identity  |  privacy