A new paper by Lu Yu and Björn Ahl
How is data protected in the evolving Social Credit System? Both, social credit and Chinese data protection law is diverse and fragmented, making the search for an answer to this question a complicated endeavour. Lu Yu and Björn Ahl dive into one arguably most sophisticated arm of the Social Credit System, that is, the financial credit information system (FCIS) in their new article “China’s evolving data protection law and the financial credit information system: court practice and suggestions for legislative reform” (free draft here).
The FCIS is not only one of the most mature parts of the overall SCS, as it regulates private entity’s data collection, it also features stricter and clearer data protection rules than those Social Credit subsystems that include data collection by state organs. Most importantly, Chinese data protection law requires data subjects’ consent to the collection and further transfer of personal data. The authors have found the consent requirement to be incompatible with the functions and purposes of the FCIS, with data subjects having no real choice, as consent is linked to obtaining the financial service in questions. Hence, future rounds of reform should establish exceptions to the consent requirement.
In their article “China’s evolving data protection law and the financial credit information system: court practice and suggestions for legislative reform” (free draft here) the authors investigate the limits that Chinese data protection law imposes on the FCIS. The FCIS receives both financial credit data from financial institutions and public data from public authorities. Yu and Ahl analyse the legal framework and how data protection rules are applied in court practice, including the preconditions for and levels of protection afforded data subjects’ rights and the legal consequences of any violations of those rights. Although the courts have adopted differing approaches to the interpretation of data protection law, the authors find that they have established consistent practice in protecting data subjects against the transfer of incorrect negative data. Chinese data protection law provides for neither an effective legal basis nor for limits on the collection and transfer of public data by public authorities. The Information Security Technology – Personal Information Security Specification (2020, hereafter: Specification) provides comprehensive protection for the personal data processed by all organisations, including public authorities, but it is only a recommended standard that lacks binding authority. Although the 2012 Regulations on the Administration of the Credit Investigation Industry grant data subjects a number of rights, the courts have difficulties applying the data protection rules in practice. In sum, there is a need in both the private and public sectors for nationally applicable, binding and more sophisticated data protection rules.
→ What is the FCIS? Different public authorities organise and maintain their own credit systems. The FCIS is one system at the national level that is supervised by the People’s Bank of China and functions as a public credit registry. It draws on financial credit data, the discredited judgment debtor list system operated by the SPC, which concerns individuals or entities refusing or failing to comply with an effective court judgement; and the information system operated by the China Securities Regulation Commission in relation to capital market activities. Founded in 2006, the FCIS is a predecessor of the Social Credit System: Pursuant to the Interim Measures for the Administration of the Basic Data of Individual Credit Information, the FCIS collects and stores individual credit data to provide inquiry services to commercial banks and individuals. It further offers information to be used for the formulation of currency policy, financial supervision and other purposes provided for by law. Hence, the purpose of the FCIS is twofold: to inform financial institutions for the purpose of reducing credit risks and to provide information to regulators to support policy making. At the end of 2018, the FCIS held personal data concerning 980 million natural persons.
Progress was recently made with the introduction of personal data protection to the new Civil Code, and a comprehensive data protection law is currently on the legislative agenda. Because the Specification has already established a sound model by providing very detailed data protection rules, the future comprehensive data protection law should address the processing of data by public authorities and further refine the already established data protection principles in the Cybersecurity Law and Specification. Improvements in data protection, in particular the regulation of data sharing between public authorities, could serve to balance social governance and individual rights and contribute to enhancing the legitimacy of the overall SCS.
Lu Yu is a research assistant at the chair of Chinese Legal Culture of Cologne University. She is about to submit her dissertation on European and Chinese data protection law to the Georg-August-Universität Göttingen where she has conducted research since October 2017, after working as a legal counsel with Rödl & Partner in Guangzhou. Reach out to her at yuluna5(at)gmail.com.
Björn Ahl is Professor and Chair of Cologne University’s Chinese Legal Culture. Before joining the University of Cologne in 2012, he was Visiting Professor of Chinese Law, Comparative Public Law and International Law in the China EU School of Law at the Chinese University of Political Science and Law in Beijing. Prior to that he held a position as Assistant Professor of Law in the City University of Hong Kong. He has also worked as Associate Director and Lecturer in the Sino German Institute of Legal Studies of Nanjing University and as a Researcher at the Max Planck Institute of Comparative Public Law and International Law in Heidelberg. Find him on LinkedIn.