Complaints about data abuses by businesses are increasingly driven by consumers in China

Every year in China on World Consumer Rights Day, state broadcaster CCTV features a show that includes segments in which undercover journalists expose malpractices by businesses in sectors that are closely related to the lives of ordinary citizens. Increasingly, data protection and privacy have emerged as hot topics on the show, catapulting them into mainstream television — and generating outrage.

That trend highlights how public opinion in China is becoming a major focal point for issues of privacy and data security.

The annual show, which falls on March 15, is typically followed by heated discussions on social media, announcements of follow-up investigations by regulators, and apologies by companies being named and shamed in an effort at damage control.

In recent years, issues related to data protection and privacy have become a recurring subject, alongside fake advertising, restaurants using expired food ingredients, flawed auto parts from famous brands, substandard adult diapers, and drugstores without a licensed pharmacist.

Growing public awareness

China promulgated a Cybersecurity Law in June 2017, which was the country's first comprehensive legislation to regulate the Internet. While two data-protection laws the government has proposed are still in the making, the government’s enforcement and advocacy efforts have elevated public awareness of data security to such an extent that it is now considered by many Chinese as an important part of their everyday lives.

In the most recent show last week, for example, companies including plumbing products maker Kohler Co., carmaker BMW, and fashion brand Max Mara were named for using surveillance cameras with facial-recognition functions in their stores.

It was also revealed that several Chinese job-hunting websites — Zhaopin.com, 51Job.com and Liepin.com — allowed users to download resumes uploaded by job hunters for a small fee. The downloaded resumes were subsequently sold without the owners’ approval.

In 2019, the show featured Wi-Fi probing devices that can detect phones within a certain range and access the phone numbers, which were later sold illegally to marketing companies. In 2020, the show accused some developers of software development kits, or SDKs — a third-party software-development tool commonly used by mobile-app developers — of secretly collecting and storing private information, including the content of phone conversations.

In early 2019, four major Chinese regulators launched a campaign targeting the handling of personal data by mobile apps, as apps became an important part of the smartphone-equipped population. That campaign is still going on today and apps with problematic practices are being exposed and penalized on a regular basis.

China has also held an annual Cybersecurity Week since 2014, during which new security technologies are exhibited by major tech companies and education sessions on privacy are conducted for the general public.

Government support plays a role

In China’s public discourse, it is rarely mentioned that the government itself has been accused of state-level mass surveillance, but the government seems more than willing and comfortable to push data-protection rhetoric on behalf of the general public. In doing so, it has trained the population to be alert to intrusion by businesses and encouraged individuals to take up legal battles against Internet giants.

One of the most high-profile cases so far is a lawsuit filed by a man over the use of a facial recognition-based entrance system at the Hangzhou Safari Park, which is widely described as the first ever lawsuit that touched on the use of the controversial technology.

Companies including video-streaming site iQiyi, WeChat operator Tencent, online search engine Baidu and TikTok owner ByteDance have all been hit by lawsuits filed by consumers in the past two years.

In four cases involving professional network Maimai, Tencent’s short-video platform Weishi, ByteDance’s Douyin, and WeChat Reading, the app users’ grievances were triggered by the apps’ algorithm-based function of recommending potential friends to users for new services based on their existing social-media contacts.

In three of the cases, the courts sided with the individual plaintiff and agreed that prior consent was needed. But in the lawsuit against Weshi, the court said contacts on messaging apps such as WeChat did not necessarily fall into the category of sensitive private information.

In another two cases involving Baidu and Qi Xin Bao — an app providing search services for business credit — individuals accused the two companies of spreading personal data against the will of individuals. Rulings in both cases said platforms should stop actively spreading personal data such as photos and records of litigation, when an individual asked the platforms to stop doing so, even if the information was already public.

Defending consumer rights

Apart from advocacy campaigns, the state's approval of public concerns about data protection and privacy has also led to the creation of new avenues that empower consumers to defend their rights.

China promulgated a Civil Code this year, the first in the country’s history. The law, which combines several previous laws into one, recognizes the rights of individuals to privacy and to protection of personal data under the category of "personality rights."

Shortly after the law took effect, the Supreme People’s Court announced it had made revisions to current rules to make it easier to file lawsuits over causes including protection of personal data and privacy intrusion, bringing them into line with the Civil Code.

The draft Personal Information Protection Law also stipulates lawsuits can be filed by authorities against data processors if their activities cause harm of a certain scale.

In most of these cases, individuals were only asking for a token amount of compensation, correction of practices, or a public apology, causing seemingly no real harm for companies. And the absence of class-action lawsuits in China may make it easy for companies to brush such cases aside.

Prosecutors step into the breach

But the country’s prosecutorial authorities, which can file public-interest lawsuits on behalf of a group of victims, have been actively filing lawsuits over personal-data abuse.

Just this year, the prosecutorial authority in the city of Hangzhou announced it had filed the first public-interest lawsuit after the Civil Code took effect, in which a Chinese man was ordered to pay 34,000 yuan ($5,300) in damages and issue an apology by the Hangzhou Internet Court for illegally selling personal data to be used for marketing illegal forex services.

Prosecutorial authorities in the same city announced another lawsuit recently that accused an unnamed popular short-video platform of unclear privacy terms concerning teenage users. The company settled the lawsuit by agreeing to corrective requirements raised by the authorities.

But the regulatory regime continues to evolve. Liu Hui, a professor from China’s National Prosecutors College, was quoted by state-backed newspaper Legal Daily this week saying that public-interest lawsuits could become an effective tool to crack down on infringements of laws against data abuse.

Liu said, however, laws need to be improved and further clarification is needed on issues including how to define harm, whether monetary damages can be claimed, and the effect of remedies.