Social Credit System – European Chinese Law Research Hub

The financial credit information system and China’s evolving data protection law

1. March 2021

A new paper by Lu Yu and Björn Ahl

The headquarters of the People’s Bank of China in Beijing, supervising entity of the financial credit information system

How is data protected in the evolving Social Credit System? Both, social credit and Chinese data protection law is diverse and fragmented, making the search for an answer to this question a complicated endeavour. Lu Yu and Björn Ahl dive into one arguably most sophisticated arm of the Social Credit System, that is, the financial credit information system (FCIS) in their new article “China’s evolving data protection law and the financial credit information system: court practice and suggestions for legislative reform” (free draft here).

The FCIS is not only one of the most mature parts of the overall SCS, as it regulates private entity’s data collection, it also features stricter and clearer data protection rules than those Social Credit subsystems that include data collection by state organs. Most importantly, Chinese data protection law requires data subjects’ consent to the collection and further transfer of personal data. The authors have found the consent requirement to be incompatible with the functions and purposes of the FCIS, with data subjects having no real choice, as consent is linked to obtaining the financial service in questions. Hence, future rounds of reform should establish exceptions to the consent requirement.

In their article “China’s evolving data protection law and the financial credit information system: court practice and suggestions for legislative reform” (free draft here) the authors investigate the limits that Chinese data protection law imposes on the FCIS. The FCIS receives both financial credit data from financial institutions and public data from public authorities. Yu and Ahl analyse the legal framework and how data protection rules are applied in court practice, including the preconditions for and levels of protection afforded data subjects’ rights and the legal consequences of any violations of those rights. Although the courts have adopted differing approaches to the interpretation of data protection law, the authors find that they have established consistent practice in protecting data subjects against the transfer of incorrect negative data. Chinese data protection law provides for neither an effective legal basis nor for limits on the collection and transfer of public data by public authorities. The Information Security Technology – Personal Information Security Specification (2020, hereafter: Specification) provides comprehensive protection for the personal data processed by all organisations, including public authorities, but it is only a recommended standard that lacks binding authority. Although the 2012 Regulations on the Administration of the Credit Investigation Industry grant data subjects a number of rights, the courts have difficulties applying the data protection rules in practice. In sum, there is a need in both the private and public sectors for nationally applicable, binding and more sophisticated data protection rules.

→ What is the FCIS? Different public authorities organise and maintain their own credit systems. The FCIS is one system at the national level that is supervised by the People’s Bank of China and functions as a public credit registry. It draws on financial credit data, the discredited judgment debtor list system operated by the SPC, which concerns individuals or entities refusing or failing to comply with an effective court judgement; and the information system operated by the China Securities Regulation Commission in relation to capital market activities. Founded in 2006, the FCIS is a predecessor of the Social Credit System: Pursuant to the Interim Measures for the Administration of the Basic Data of Individual Credit Information, the FCIS collects and stores individual credit data to provide inquiry services to commercial banks and individuals. It further offers information to be used for the formulation of currency policy, financial supervision and other purposes provided for by law. Hence, the purpose of the FCIS is twofold: to inform financial institutions for the purpose of reducing credit risks and to provide information to regulators to support policy making. At the end of 2018, the FCIS held personal data concerning 980 million natural persons.

Progress was recently made with the introduction of personal data protection to the new Civil Code, and a comprehensive data protection law is currently on the legislative agenda. Because the Specification has already established a sound model by providing very detailed data protection rules, the future comprehensive data protection law should address the processing of data by public authorities and further refine the already established data protection principles in the Cybersecurity Law and Specification. Improvements in data protection, in particular the regulation of data sharing between public authorities, could serve to balance social governance and individual rights and contribute to enhancing the legitimacy of the overall SCS.

Lu Yu is a research assistant at the chair of Chinese Legal Culture of Cologne University. She is about to submit her dissertation on European and Chinese data protection law to the Georg-August-Universität Göttingen where she has conducted research since October 2017, after working as a legal counsel with Rödl & Partner in Guangzhou. Reach out to her at yuluna5(at)gmail.com.

Björn Ahl is Professor and Chair of Cologne University’s Chinese Legal Culture. Before joining the University of Cologne in 2012, he was Visiting Professor of Chinese Law, Comparative Public Law and International Law in the China EU School of Law at the Chinese University of Political Science and Law in Beijing. Prior to that he held a position as Assistant Professor of Law in the City University of Hong Kong. He has also worked as Associate Director and Lecturer in the Sino German Institute of Legal Studies of Nanjing University and as a Researcher at the Max Planck Institute of Comparative Public Law and International Law in Heidelberg. Find him on LinkedIn.

How Comprehensive is Chinese Data Protection Law?

1. February 2021

A new paper by Anja Geller

When I told people that I am writing an article about Chinese data protection law, the most common reaction was the question “does that even exist?” The surprised and doubtful undertone motivated me to find a convincing answer. On my way, I encountered some obstacles. There is a plethora of regulations with different scopes, legislation bodies and legal effects. Even for specialised Chinese lawyers, it can be difficult to figure out which norms apply in a certain case. In the end, I chose to restrict my analysis to the 13 most important Chinese regulations with a nationwide scope of application.

Lacking a unified law, these norms have to be seen in combination to determine the comprehensiveness of Chinese data protection law. As the European General Data Protection Regulation (GDPR) is one of the most comprehensive and modern data protection regimes, I used it as a framework. When viewing the Chinese norms against this backdrop, it quickly becomes clear that especially the non-binding norms and drafted provisions are the most progressive and strict ones. They show that the Chinese legislators are moving towards the European system rather than the US or a taking a third way.

However, as is common for such cases of legal orientation, “Chinese characteristics” remain. For example, strong divergences exist in the area of administrative penalties. Instead of a focus on severe monetary penalties similar to the GDPR, there are many different sanctions. Starting with warnings and orders to correct, infringers may face a suspension or closure of their business, revocation of their business licences or even a definitive ban from the profession. Furthermore, measures of “naming and shaming” such as the publication of these sanctions in the “Social Credit Register” and other public announcements may be ordered. Compared to the European medieval equivalent of the pillory, such punishments have a long and living tradition in China. Especially the emerging “Social Credit System” relies on such punishments and is presented as a crucial tool for making citizens and companies comply with the law.

Another “Chinese characteristic” is the “real-name registration” requirement, which has already existed in many other fields for quite some time. Providers of network access and other digital services have to require users to provide true identity information before allowing access. Although this may help law enforcement in digital environments, there are well-founded fears concerning its negative implications on privacy and the freedom of speech.

Nevertheless, there are also a lot of positive developments from a European data protection perspective. The Chinese legislators have been very active in recent times and many new regulations and drafts appear on an annual basis. In fact, on 21 October 2020, one month after the online publication of my article, perhaps the most significant draft was published: the “Law of the People’s Republic of China on the Protection of Personal Information (Draft)” (中华人民共和国个人信息保护法（草案）). In the article, I covered an already very promising draft of the same name, which was proposed by several delegates of the National People’s Congress (NPC) in 2017. The 2020 draft, on the other side, was published by the Standing Committee of the NPC as a whole, which gives it much more weight. Both drafts intend to become the first national “laws” that aim to protect the right to personal information as a primary goal. All other regulations that share this as a central objective are on a lower level in the hierarchy of norms.

A quick comparison of their lengths and the amount of their articles – 70 compared to 44 – suggests that the 2020 draft is even more comprehensive. Among the most striking innovations is the broad extraterritorial applicability of the 2020 draft, which is relatively similar to the GDPR. One could say that reciprocity prevails here. As the introduction of the European rules have led to much discussion and controversy, it will be interesting to see what the international response will be as this draft becomes more widely known. Since a more detailed treatment of this new draft would go beyond the scope of this blog post, I refer to the comparisons here, here and here (all in Chinese), and a comprehensive analysis here (English). When and in which form this draft will be enacted is still unclear. Nonetheless, it shows yet again that the Chinese lawmakers are actively working to create an increasingly comprehensive data protection regime.

Therefore, to the question whether or not a Chinese data protection law exists, the short answer is: yes.

The paper “How Comprehensive Is Chinese Data Protection Law? A Systematisation of Chinese Data Protection Law from a European Perspective” appeared in GRUR International 2020, 1191-1203. It is available via open access here.

Anja Geller is a PhD candidate at the Ludwig-Maximilians-Universität and a junior research fellow at the Max Planck Institute for Innovation and Competition, Munich, Germany. Contact her via Anja.Geller@ip.mpg.de or via Linkedin.

How to Build Your Municipal Social Credit System

26. October 2020

‘The trustworthy shall roam everywhere under heaven, while those who breach trust shall not be able to move a single step’ is the underlying maxim of China’s Social Credit System (SCS) project. Taking a step closer to understand what is behind this rhetoric quickly reveals that the SCS is better to be spoken of in plural, and the initiatives proliferating under it include projects as various as commercial loyalty programs, market regulation measures, and judicial enforcement mechanisms. But what does the central government envision in terms of a comprehensive system? We may find answers by looking at how the central government organs in charge of SCS building regularly assess the progress of the pioneers, cities. This is done through quantified criteria, so called SCS Construction Assessment Indicators. They offer a rare comprehensive depiction of how the perfect municipal SCS looks like in the eyes of the central planners. Based on these criteria, Marianne von Blomberg lays out what it takes to build a municipal SCS.

The National Development and Reform Commission and the People’s Bank of China, two major players in SCS creation, annually issue assessment indicators to evaluate the progress cities make on that front. Those performing best are designated “SCS construction model cities” (社会信用体系建设示范城市). Each of the twelve indicators in every set deals with what may be understood as one construction site within the larger SCS project. This is how they work: For progress on each site, cities get points. Further, a set of “hard indicators” includes ten concrete goals “which all must be completed without exception”. They may be regarded as centrally designed manuals for municipal SCS building which are handed to local leaders.

Filling a gap between the broadly termed conceptual central documents and the orders, legislation and specifications scattered across localities and realms which each relate to one of the SCS’s many parts, they are a rare official depiction of the whole SCS which is, moreover, translated into concrete criteria.

Step 1: Build your infrastructure for credit information production & sharing

The code: Under the unified social credit code, the gathered credit information is allotted to the then credit subjects. Issuing this code to legal persons and other organizations is a first fundamental element in SCS construction that reappears in all sets of indicators with the bar to earn points being raised throughout the years.

The records: Credit information is stored in credit records (信用记录, sometimes: sincerity files 诚信档案) that are to be set up by departments in charge of more than 21 realms as various as tax collection, construction, transport, e-commerce, birth control, education and research, environmental protection, law firms and lawyers, notaries, and for civil servants. In addition, the judiciary and providers of public utilities such as water, electricity and telecommunication are to gather and share information. What amounts to credit information differs across localities and administrations, it is commonly stipulated in credit information catalogues (find an example of such a catalogue here). As of 2019, Hangzhou has collected 140 million pieces of credit information, Suzhou has collected 350 million pieces, and Nanjing 1,4 billion (Zhu Lili 祝丽丽 2019).

The platform: Such credit information, once gathered, is directly to be forwarded to the credit information sharing platform (信用信息共享平台). The indicators of 2016 were the last to ask for the creation of such a platform, it was in the following years treated as given prerequisite. Its vital role in the system is illustrated by the fact that approximately one fourth of all points can only be attained if the platform is constructed. One indicator reads: “0.5 points are deducted for every city-level unit that is not connected to the credit sharing platform and sharing their information”. However, the experience of SCS construction model city Zhengzhou shows that linking up the platform with the sources of information such as administrative departments and providers of public utilities is a significant challenge.

Step 2: Make trustworthiness records the basis for decision-making in public administration

Joint reward and punishment: Joint reward and punishment (联合奖惩) refers to the realization of punishments and rewards in one realm to those entities who have been enlisted for trust-breaking or exemplary trustworthy behaviour in another realm. The ban to book high-speed trains for those who have defaulted on court judgments is an example. Joint reward and punishment was, upon the announcement of the first batch of model cities described as the “ring in the bull’s nose” of SCS construction, that, if being taken care of, will “cause all smaller things to follow.” Correspondingly, it has steadily gained importance in the indicators: 11% of all points in 2017 are to be achieved by implementing joint reward and punishment, jumping to 21% in 2018, and to 22% in 2019. Cities can gain points for example for each case where joint punishment was meted out against a trust-breaking entity or where benefits materialized for the red-listed, as well as for institutionalization of joint reward and punishment, meaning its integration in information systems and work procedures. Hard indicator 11 requires that “the number of realms where the city implements joint reward and punishment is not less than the respective number of realms at national level”.

Regulation by credit classification (信用分级分类监管) refers to adjusting the intensity of market regulation measures, such as random inspections, to the credit status of the relevant subject. Regulation by credit classification is on the ascendant, with a rise in proportional value within the respective sets of indicators of 9%, to 17%, to 22% from 2017-2019. This “novel type of regulation” is not only overhauling traditional market regulation but increasingly a tool for administrative agencies concerned with other realms. Since 2017 it has been woven into other indicator groups such as commercial sincerity, social sincerity and judicial credibility construction.

Step 3: Foster a market for credit products for individuals that make use of public credit information

A score: A municipal social credit score is to be set up for the respective city’s residents using their social credit information (this is what in Hangzhou is called the Qian River Score, in Fuzhou the Jasmin Score, in Suzhou the Osmanthus Score, etc). Through the “credit+ programs” enumerated below, public credit information translated into the score indeed follows a subject into numerous areas in daily life- in a rewarding manner.

Credit+ programs: Integrating market forces has helped to develop credit products that are to be used by local administrations in their daily work so that social credit information directly impacts how convenient a citizen’s everyday life is. In the 2017 indicators still vaguely termed “sincerity conveniences in public service”, the concept has matured into fully-fledged programs such as “credit easing procedure” (信易批) in the course of which administrative agencies tolerate the lack of secondary documents when proceeding requests of high-scorers. Likewise, “internet+credit+medical treatment”, “internet+credit+elderly care”, “credit easing transport” and “credit easing loans”, to name just a few of those programs enumerated in the latest set of indicators, allow high-scoring subjects certain privileges such as fast track handling of paperwork at hospitals.

Step 4: Equip your SCS with remedial paths- or don’t

From a legal point of view it appears striking that the objection procedures laid out at some length in province-level social credit regulations and recently reemphasized by the latest central level SCS guideline are not mentioned throughout the indicators. A careful deduction we can draw from that and the fact that the author could not yet find legal cases involving relevant provisions is that the focus of municipal SCS building lies on pushing forward the system’s coverage first.

Credit Repair: Not strictly speaking a remedial measure, credit repair (信用修复) refers to a procedure with the help of which credit subjects can have unfavourable credit information deleted and relevant punishment halted. They are required to eliminate all damages caused by their “untrustworthy” behaviour, or where that is not applicable, undergo “credit repair trainings”. The indicators award points to cities for cases of successfully completed trainings (possible in online formats and without final exam, making them easily circumventable) and the de-blacklisting of entities as a result of such.

Step 5: Make sure your city has a sound financial environment

Interestingly, the indicator on constructing a trustworthy financial eco-system seems to be standing on its own- other than the other indicators, it makes no mention of the credit sharing platform, blacklists, credit records, regulation by credit classification or other central SCS tools. Instead, points are given to cities on the bases of whether normatively, the level of trustworthiness is high. For instance, where no significant regional financial risk has occurred, the 2019 Indicators award two points. While most of the indicators seek to have a system of dealing with specific trust-related problems set up, the indicator on the financial eco-system is less concerned with SCS infrastructure building, but with the greater goal to achieve a more trustworthy financial environment. Further, this indicator alone is to be evaluated not by the assessment groups that handle the other indicators but by the PBoC alone.

Extras

Political ideology: It is less helpful for municipal SCS designers aiming for the title of SCS model city to put much effort on living up to political rhetoric. While the indicators do mention the ubiquitous Xi Jinping Thought, implementing the CPCCC’s and the State Council’s directives on the SCS (all eleven of them which are enlisted, translations here), and Socialist Core Values- The relevance of these elements in relation to the other indicators shrank from 11% in 2017 to 8% in 2018 and 2019, the 2016 indicators and the hard Indicators do not mention them at all.

Innovations and making use of local specialities: Notably, not even this indicator that explicitly encourages experimentation and lists examples mentions the application of AI and other technology that is frequently associated with the SCS. Indeed, the most high-tech element the indicators lay down is the building of the information sharing platform and credit websites. Most technological innovation for municipal SCSs appears to happen within the private sector: Cities gain points for fostering a market of credit products. How such products may eventually be “incorporated” into the larger, centrally driven project was demonstrated in early 2018: The PRC’s first credit scoring services that were given licenses to experiment with their products did not get the license in the end but were made minority shareholders of one PBoC-lead Credit Scoring entity called Baihang Zhengxin (百行征信, the whole story).

Marianne von Blomberg is a PhD Candidate at Zhejiang University’s Law School and Cologne University’s Chair for Chinese Legal Culture and working as a Research Associate with the latter. She is particularly interested in the intersections of the law and social credit and recently focuses on reputational sanctions within the Social Credit System. Get in touch with her on LinkedIn or follow her on Twitter.

European Chinese Law Research Hub

Tag: Social Credit System