Data Privacy under the PRC Network Security Law and the Draft PRC E-Commerce Law

First, here are some slides for quick reference if you are lazy and don’t want to read.



The PRC Network Security Law (“NS Law”) has come into force on June 1, 2017. This law provides certain provisions in relation to the data privacy. Some of them appear to be beneficial to the individual data owners, whilst some others may be counter-productive to the protection of data privacy.

In parallel, the legislative branch of the Chinese government has published a draft PRC E-Commerce Law (“Draft EC Law”) for public consultation in December 2016.  This draft law has not yet to be passed by the PRC National People’s Congress (NPC) to become effective. However, its provisions have reflected some basic attitudes of the Chinese authority towards the protection of data privacy.

This essay sets out and provides my comments on the key provisions with respect the data privacy under the NS Law and the Draft EC Law.  In order to make readers digesting these laws easily, I will apply Daniel J. Solove’s theory of categorization of the data privacy issues.

1. Data Collection and Aggregation

“Aggregation” means the gathering of a person’s data from different sources and then combining them to form a clearer image of the person.

  • Art. 22.3 of the NS Law: ISP cannot collect its users’ personal information without the expressive consent. Art. 41 of the NS Law: ISP shall publish the rules, purpose, method, and scope of collection of personal information. No collection without users’ consent.[Comments: (i) These provisions do not distinguish “collection” and “aggregation”.  (ii) As a result, although these provisions have clearly required an operator to obtain consent before collecting its users’ information, they did not address the issue whether a third party can search and aggregate personal information (either from the public domain or from the first-hand data collectors.)]

2. Surveillance

Surveillance means the act or system enabling the government or a company to monitor user’s activities (“Big brother is watching you”).

  • Art. 51 of the Draft EC Law obliges E-commerce business operators to provide data to government authority (although it also said that the government authority should adopt “necessary measures” to protect data security).
    [Comments: (i) This provision legitimized (rather than prohibited) the surveillance practice.]
  • Art. 21.3 of the NS Law: ISPs are obliged to monitor and record user’s activities and should keep records for no less than 6 months.
    [Comments: (i) this could be counter-productive to protecting privacy from the individual data owner’s perspective; (ii) the 6 months storage obligation is not new in China, but the NS Law makes the compliance to be a necessity (at least on paper). ]

3. Identification

Identification means to identify a particular person or a particular group of persons by data analysis.

  • Art. 42.1 of the NS Law: No sharing of identifiable personal data without consent. Art. 50 of the Draft EC Law: an E-commerce business entity is obliged to take protection measures to ensure anonymity before it shares the e-commerce data with another E-commerce business entity.[Comments: Article 42 of the NS Law first prohibits business operators from divulging personal information to a third party. Then it says that if the data cannot identify a particular person, then it is fine to transfer without the data owner’s consent. Article 50 of the Draft EC Law has generally kept consistency with the NS Law on this regard. ]
  • Art. 45 of the Draft EC Law confirms that the buyers have autonomy over their personal data; it also defines the personal data with a detailed list, such as name, ID certificates number, address, contact details, information of geographical location, bank card info, transaction records, payment records and records of accepting logistic services.[Comments: The Draft EC Law did not distinguish the “private personal data” and the “business personal data”.  In some countries, use and aggregation of the business contacts (e.g. office telephone numbers, office email address and other info shown on a business card) may enjoy certain exemptions.]
  • Art. 46 of the Draft EC Law first provides that collection of personal data requires user consent; then it prohibits the denial of service due to the user’s refusal of providing personal data.

4. Disclosure and Insecurity

Disclosure means the data holder’s own act of disclosing the private facts. Insecurity means the situation that the data is attacked and stolen.

  • Art. 21. 2 and 21.4 of the NS Law request ISP to take technical measures to protect its system from attack; ISP also needs to classify, backup and encrypt data.
  • Art. 22.1 and 22.2 of the NS Law request ISP to take remedial actions when its system is in risk; provide security maintenance during the term of service. These provisions also generally requested the producer of network security products or services to report the authority about the data breach.
  • Art. 27 of the NS Law generally prohibits hacking acts. It also prohibits the assistance of hacking practice, such as tech support, advertising, and settlement of payment.
    [Comments: The provision did not clarify if the “assistance” means knowingly assistance. It also did not clarify if “constructive knowledge” also applies to this provision.]
  • Art. 42.2 of the NS Law requests ISP to take technical measures to protect data from disclosure, damages or loss. It also mentioned that the data holder shall report the data breach to the relevant authority.
  • Art. 49 of the Draft EC Law provides that e-commerce business entities must establish rules and technologies to prevent disclosure of data. It also provides if there is a data breach, the e-commerce business entity is obliged to (i) take remedial measures, (ii) notify the users and (iii) report to government authorities.

5. Exclusion 

Exclusion means the act/rule disabling/excluding a user from maintenance and deletion of his personal data from the system. The reason for deletion can be either those data are objectively outdated or the data owner simply changed its mind of disclosing the data.

  • Art. 43 of the NS Law: User has right to request deletion if the service provider’s collection or use of personal information in breach of the law/agreement; or there are mistakes in the personal information.[Comments: According to this provision, if there is no mistake in the personal information and the service provider does not breach the contract, then the data owner will not have right to remove the data he/she has provided to the service provider. It is not clear whether “mistake” herein includes “outdated”.  However, it seems clear that data owner would have lost an absolute right of deletion.]
  • Art. 47 of the Draft EC Law: provides that when a user requests correction or supplement of his/her personal information, the E-commerce business entity should correct or supplement the information accordingly.
  • Art. 48(3) of the Draft EC Law: provides that a user has right to delete its personal information. However, such right of deletion only arises (and is only mentioned) upon lapse of agreed / statutory term of preservation of personal data.

6. Increased Accessibility

Increased accessibility means, without the consent of the personal data owner, making the information that is already available to the public EASIER for a wider scope of the audience to access.

E.g., a buyer’s review of a particular product is usually made available to the public.  However, the buyer might not want his friends or colleagues to know that he purchased such product.

Neither the Draft EC Law nor the NS Law has provision preventing increased accessibility of data.

7. Blackmail, which means using a person’s personal data to blackmail him/her.

In e-commerce scenarios, it is possible that an e-commerce vendor may blackmail a buyer with the buyer’s personal records when the vendor gives a negative review of the vendor’s product. The Draft EC Law has no provision preventing such blackmails.

8. Distortion

Distortion: means disseminating false and misleading information to manipulate the way a person is perceived and judged by others.

  • Art. 42.1 of the NS Law provides that service providers cannot distort personal information. But this appears to be too general.
  • Art. 52 of the Draft EC Law stipulates that the state should promote all e-commerce business entities to ensure that information is accurate and reliable etc.

9. Second Use

Second use means the use of data for purposes unrelated to the purposes for which the data was initially collected without the data subject’s consent.

  • Art. 52 of the Draft EC Law provides that the State shall establish public data sharing mechanism. Such mechanism necessarily involves the second use of data. However, no guidance or rules are provided in relation to second use except to the extent that the State should ensure e-commerce business entities shall protect the liability, security, and authenticity of aggregated data.


Important cases for lawyer-client privilege

Three Rivers DC v Bank of England (Disclosure) (No.3) [2003] EWCA Civ 474;

• the American case Upjohn Co v United States (1981) 449 U.S. 383 (Sup Ct (US));

• Judgment of the Honourable Mr Justice Barma, delivered on 19 August 2009, in James Daniel O’Donnell (directed by the SFC) v Lehman Brothers Asia Ltd (In Liq) (HCMP 1081/2009, unreported); and

• The judgment of the Honourable Mr Justice Wright, delivered on 18 March 2011, in CITIC Pacific Ltd v Secretary for Justice and Commissioner of Police [2011] HKCU 563 (CITIC).

Be As Smart As A Puppy – Fast Readings for AI

Kate Crawford & Ryan Calo, There is a blind spot in AI research , Nature

We believe that a fourth approach is needed. A practical and broadly applicable social-systems analysis thinks through all the possible effects of AI systems on all parties. It also engages with social impacts at every stage — conception, design, deployment and regulation.

researchers … need to start investigating how differences in communities’ access to information, wealth and basic services shape the data that AI systems train on.

Domingos, P. The Master Algorithm: How the Quest for the Ultimate Learning Machine Will Remake Our World (Allen Lane, 2015):

“People worry that computers will get too smart and take over the world, but the real problem is that they’re too stupid and they’ve already taken over the world.”

Is Artificial Intelligence Permanently Inscrutable?

The European Union recently proposed to establish a “right to explanation,” which allows citizens to demand transparency for algorithmic decisions.

… Even if it were possible to impose this kind of interpretability, it may not always be desirable. The requirement for interpretability can be seen as another set of constraints, preventing a model from a “pure” solution that pays attention only to the input and output data it is given, and potentially reducing accuracy.


… Yosinski, for example, says he is trying to understand deep networks “in the way we understand animals, or maybe even humans.”

… Thompson was surprised, however, to discover that the circuit used fewer components than any human engineer would have used—including several that were not physically connected to the rest, and yet were somehow still necessary for the circuit to work properly.

He took to dissecting the circuit. After several experiments, he learned that its success exploited subtle electromagnetic interference between adjacent components. The disconnected elements influenced the circuit by causing small fluctuations in local electrical fields. Human engineers usually guard against these interactions, because they are unpredictable. Sure enough, when Thompson copied the same circuit layout to another batch of components—or even changed the ambient temperature—it failed completely.

The circuit exhibited a hallmark feature of trained machines: They are as compact and simplified as they can be, exquisitely well suited to their environment—and ill-adapted to any other. They pick up on patterns invisible to their engineers; but can’t know which of those patterns exist nowhere else. Machine learning researchers go to great lengths to avoid this phenomenon, called “overfitting,” but as these algorithms are used in more and more dynamic situations, their brittleness will inevitably be exposed…

Be As Smart As A Puppy 

Non-human actors in our home, that we’ve selected personally and culturally. Designed and constructed but not finished. Learning and bonding. That intelligence can look as alien as staring into the eye of a bird (ever done that? Brrr.) or as warm as looking into the face of a puppy. New nature.

The smart bots are coming and this one is brilliant

The way Mortensen sees it, there will be two classes of digital assistants, the broad and the specific, or as it he calls it, “horizontal and vertical AI.”

The next hot job in Silicon Valley is for poets

As tech behemoths and a wave of start-ups double down on virtual assistants that can chat with human beings, writing for AI is becoming a hot job in Silicon Valley.

Why Do I Have to Call This App ‘Julie’?

And why does artificial intelligence need a gender at all?

Stanford AI 100 Report 2016

Contrary to the more fantastic predictions for AI in the popular press, the Study Panel found no cause for concern that AI is an imminent threat to humankind. No machines with self-sustaining long-term goals and intent have been developed, nor are they likely to be developed in the near future. Instead, increasingly useful applications of AI, with potentially profound positive impacts on our society and economy are likely to emerge between now and 2030, the period this report considers. At the same time, many of these developments will spur disruptions in Substantial increases in the future uses of AI applications, including more self-driving cars, healthcare diagnostics and targeted treatment, and physical assistance for elder care can be expected. 5 how human labor is augmented or replaced by AI, creating new challenges for the economy and society more broadly. Application design and policy decisions made in the near term are likely to have long-lasting influences on the nature and directions of such developments, making it important for AI researchers, developers, social scientists, and policymakers to balance the imperative to innovate with mechanisms to ensure that AI’s economic and social benefits are broadly shared across society. If society approaches these technologies primarily with fear and suspicion, missteps that slow AI’s development or drive it underground will result, impeding important work on ensuring the safety and reliability of AI technologies. On the other hand, if society approaches AI with a more open mind, the technologies emerging from the field could profoundly transform society for the better in the coming decades.

Tech TalkAt WorkTech Careers Computer Vision Leader Fei-Fei Li on Why AI Needs Diversity

“No matter what data we look at today, whether it’s from universities or companies, we lack diversity,”


中國互聯網絡信息中心國家頂級域名爭議解決辦法 (English version)


香港國際仲裁中心關於中國互聯網絡信息中心國家頂級域名爭議解決辦法補充規則 (English version)





金派腾影像数码公司诉泰尔斯特拉公司计算机网络域名纠纷案: 北京市第一中级人民法院民事判决书(2007)一中民初字第3424号