In September 2019, China had its own version of the FaceApp privacy storm. Using artificial intelligence and machine-learning techniques, the Zao app allowed users to swap faces with celebrities in movies or TV shows. It went viral as a tool for creating deepfakes, but concerns soon arose as people noticed that Zao’s user agreement gave the app the global rights to use any image or video created on the platform for free.

After a public outcry regarding these controversial user privacy terms and questions over data safety, the company clarified that the app would not store any users’ facial information. Under pressure, the company also declared that once a user uninstalls Zao or deletes their account, the app would remove related information as required by regulations and “ensure the safety of personal information and data in every possible way”.

When Mark Zuckerberg testified before Congress in early 2018 on Facebook’s data practice, he warned that regulating the platform’s use of personal data would cause the US to fall behind Chinese companies when it comes to data-intensive innovation, such as AI. His argument reflected the conventional wisdom that the Chinese internet industry has a tremendous amount of user data accumulated for AI research thanks to lax regulation on data collection in China.

But 2018-2019 could be viewed as the time when the Chinese public woke up to privacy. When Robin Li, founder of Baidu, made the “trading privacy for convenience” comment in early 2018, his remark incited uproar amongst internet users. As luck would have it, Baidu was sued in the same year by a consumer rights protection group in Jiangsu province for collecting user data without consent (the lawsuit was later withdrawn, after the company removed the function to monitor users' contacts and activities).

Chinese users recently challenged another internet giant, Alibaba, on personal data privacy. Ant Financial, Alibaba’s financial arm has launched Zhima (Sesame) Credit, an online credit scoring service which offers loans based on users’ digital activities, transaction records and social media presence. Users discovered that they had been enrolled in the credit scoring system by default and without consent. Under pressure, Alibaba apologized.

Increasingly, Chinese consumers are vocally standing up for their privacy in front of internet giants. Meanwhile, the late-2018 China’s People’s Congress announced that China’s personal data protection law was officially on the agenda of the current term of legislature. Together with the 2017 cybersecurity law and relevant parts of the 2018 e-commerce law, China’s personal data protection law will lead to a comprehensive framework for individual data rights and protection.

While the new law is being drafted, the Cyberspace Administration of China (CAC), the highest administrative internet regulator, issued the Data Protection Regulatory Guideline in June 2019. It lays out specific rules regarding the dos and don’ts for how internet companies collect and use customer data, effectively setting personal data protection standards in China. For the market, it provides a reference for the future direction of the national law.

The CAC Guideline, for example, focuses in particular on how users can get more control of their data in mobile apps. It sets out the following as situations that involve illegal or excessive collection of user information by mobile apps:

No publicly available user data rules;

No explicit statement of the purpose, method or scope of collecting user information;

Information collection without consent;

Collecting personal information unrelated to the service provided;

Failure to delete or correct personal information as required by law;

Bundling the main service with extended functions to force the user to provide personal data for all services.

In parallel, the CAC together with the Ministry of Public Security, the Ministry of Industry and Information Technology and the State Administration for Market Regulation, have launched a national campaign to inspect smartphone apps to determine if they illegally or excessively collect users' information. By July 2019, a group of widely used apps had been ordered to correct their data collection practices as a result and 10 apps, including from the Bank of China, were found to have no user privacy rules. Another 40 apps, including those from many online financial platforms, were highlighted for “serious issues” in their data collection.

Despite the strides made under the CAC’s rules, important questions remain about how authorities will audit companies against the new standards and what their effect on business operations will be. How will these standards fit into the emerging regulatory process? On the one hand, China’s framework is similar to GDPR in many ways. For example, the “right to be forgotten” provision in China’s e-commerce law imitates the right to access, correct, and erase data provided in GDPR; on the other, it has very Chinese characteristics (the concept of “data sovereignty”, for example), while GDPR is not explicitly tied to more far-reaching national security and social stability goals.

As the largest mobile internet user market and data economy, China’s individual data rights framework has profound global implications. It may stimulate the US, which still has no national-level position on data protection, to expedite relevant legal measures. It may also provide a reference point for major emerging economies such as India, Brazil and the ASEAN countries when they look to regulate cyberspace activities and emerging technologies.