Data privacy laws start to bite as traders scramble to comply

A Chinese jewelry brand closed its online inquiry system recently after fans and netizens discovered that a dozen pop stars had bought engagement rings at the company.

The brand markets itself as a "true love identifier," and requires male customers to provide their ID number when buying an engagement ring so that they can only buy it once. Netizens recently discovered that its online inquiry system "true love verifier" only required the ID number, not a photocopy, meaning anyone who had the number could check.

What's more interesting is the response from one of the boyband pop star members involved, claiming in a statement he had been a victim of identity theft and had not bought the ring.

The "true love verifier" system was subsequently shut down for upgrading, and is still not active.

The jewelry company is just one of many which has been "upgrading" its systems, as China's over 1 billion Internet users become increasingly more aware and concerned about data breaches while new laws have been implemented in recent years.

The Personal Information Protection Law (PIPL) went into effect on November 1, and completes the three pillars of China's over-arching legal framework for data protection. The Cybersecurity Law and Data Security Law were implemented in 2017 and this September.

More detailed measures are also expected soon. Last week, the Cyberspace Administration of China issued a set of draft management regulations to solicit opinions from the public.

On Thursday, Shanghai regulators released a guideline on algorithms for online trading platforms to regulate the market. The guideline bans improper pricing on e-commerce platforms via algorithms which include fabrication of original prices and fake discounts, differential or discriminatory pricing treatments, among others.

Earlier this month, Shanghai's Xuhui District made its first ruling on a privacy breach since the new law had been implemented. A man surnamed Cao who sold homeowners' information linked to more than 30 residential buildings was sentenced to 42 months in jail, in addition to a fine and public apology.

"Protection of private information could be found in several laws before, and such cases could be pursued before the new law was implemented, but PIPL is the first comprehensive legislation on personal data protection," Zhou Jiayi, a lawyer from Shanghai Zhongda Law Firm, told Shanghai Daily.

"It reflects that authorities are serious about data protection amidst rapid digitalization, and the law covers many hot issues that raised concern in recent years.

"The law provides systematic legal bases for relevant issues, more protection for individuals, and it defines and clarifies new issues such as processing of sensitive personal information or cross-border data transfer."

Like the European Union's General Data Protection Regulation, considered the most stringent and sophisticated, China's PIPL includes a broad definition of personal information, covering basically anything that can be traced to an individual. For example, a mobile phone number is required to be registered in China and hence, as it can be tied to an individual, it is private information.

The provisions for cross-border transfer of data will affect companies who operate outside of the Chinese mainland if they are handling information involving Chinese citizens for purposes listed in the PIPL.

Those individualized push-out ads that annoy so many people are also regulated. The law states that "those conducting information push delivery or commercial sales to individuals through automated decision-making methods shall simultaneously provide the option to not target an individual's characteristics, or provide the individual with a convenient method to refuse."

"Users have the right to refuse enforced push delivery," said Zhou. "You can also file reports with relevant authorities such as police, cyberspace administration, industry management departments, etc. For cases involving privacy breach, you can also pursue in civil court."

The law also requires companies to obtain consent from individuals before collecting data. Many companies, especially the tech giants, have been scrambling to comply with the law since it was passed in August, if not before.

Many people have found new consents to click for agreement when returning to a site or mobile app.

WeChat's latest update simplified procedures to turn off personalized ads. When it is turned off, it doesn't mean they are receiving fewer ads in total, just no individualized ones. The option in previous versions was buried behind a lot of clicks and many users were not even aware of it.

The Shanghai Consumer Council acknowledged the update but challenged it on one issue, questioning whether WeChat would still collect data after consumers opted to turn off individualized ads, and if yes, on what basis?

According to the 2021 EY Global Information Security Survey released in September, three quarters of Chinese companies can't fully handle cybersecurity challenges, with evolving threats such as increasing online attacks, changes due to the pandemic and new requirements for law and regulation compliance. The survey included experts and senior officials from 1,010 companies from March to May.

"We had specific meetings about complying with the laws very early on, especially on cross-border data transfer. We are still waiting for more details on that from the cybersecurity administration's upcoming regulation," an angel investor in technology companies identifying himself as Bell told Shanghai Daily.

"Some tech companies sort of played dumb before since data collection was part of their business model, and it was costly and time-consuming for an individual to pursue such cases," he said.

"That is not just China, but globally true, and you can see increasingly more countries drafting data protection regulations but China's, very similar to the EU's, are among the most well-rounded. Data breaches often lead to Internet fraud cases, which were getting more diversified in methods and more difficult for individuals to detect."

Joyce Zhang, 36, is a victim of a privacy breach, and almost fell for an Internet fraud in August. The cautious Shanghai white collar often alerts friends and family about frauds, but when she got a call asking her to return some facial masks she bought online, Zhang fell for it at first.

"I wasn't initially suspicious, because I really did buy those masks, and just received them," she recalled. "How would anyone other than those people from the shop know?"

The caller knew the exact price and offered a higher refund if she agreed to return "the masks that failed a quality test and were accidentally sent out." Zhang offered her Alipay number and the caller "transferred" the amount immediately, even before giving a return address for the masks.

When Zhang told him she did not receive the money, the caller claimed because she didn't turn on a new service on Alipay and offered to guide her.

"That's when I got alerted," Zhang said. "And I immediately called him out but he kept on with his 'script'."

Zhang later called the police, who told her that many people had reported similar cases.

"I still can't figure out how they knew exactly what I bought and that I received it," she said. "Someone must have sold that information."

Authorities have been cracking down on such frauds. At a forum in October, Zhu Zongyao, chairman of the Shanghai Big Data Center, revealed that Shanghai police have dealt with 998,000 cyber virus cases so far this year and solved over 9,100 Internet crimes.