Better than the EU’s GDPR? China’s new privacy law includes a rule for handling personal information after death

Posted on May 20, 2021 by Glyn Moody

Back in January, Privacy News Online wrote about China’s important new privacy legislation, the Personal Information Protection Law. That post concentrated on the law’s extraterritorial reach and its likely impact on non-Chinese companies, and was based on the first draft of the law. The second draft has just been released, and an article on the Protocol site has taken a look at it, concentrating instead on how the new law will affect Chinese citizens. Those in the West used to tales of China’s oppressive government surveillance systems may be surprised to read the following view, quoted in the article:

“It’s a good law,” Jeremy Daum, a senior fellow of the Yale Law School Paul Tsai China Center, told Protocol. “We tend to think of China as not being overly concerned with privacy, and that’s just wrong … There’s a growing expectation of privacy in the Chinese public, and the government is responding to it by passing high-level authority to try and ensure some protections.”

The title of the Protocol analysis is “China could soon have stronger privacy laws than the U.S.”; in some respects, the proposed Personal Information Protection Law, likely to pass by the end of the year, even surpasses the EU’s General Data Protection Regulation (GDPR), often regarded as the benchmark in this area. A good example of how the second draft has strengthened privacy protection for users is the new Article 57, which reads as follows in a translation by the Stanford DigiChina Cyber Policy Center:

Personal information handlers providing basic Internet platform services, who have a large number of users, and whose business models are complex shall fulfill the following obligations:

1. Establish an independent body composed mainly of outside members to supervise personal information handling activities;

2. Stop providing services to products or service providers on the platform that seriously violate laws or administrative regulations in handling personal information;

3. Regularly release personal information protection social responsibility reports, and accept society’s supervision.

As the Protocol article notes, that’s remarkably similar to the independent privacy committee that Facebook was required to set up as part of its $5 billion settlement with the FTC, agreed in July 2019. There, Facebook agreed to establish an independent privacy committee of Facebook’s board of directors, removing full control by Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee have to be independent and are appointed by an independent nominating committee. China’s new Personal Information Protection Law is particularly strong on ensuring that the increasing use of algorithms does not adversely impact people’s privacy. Article 25 reads:

Those conducting commercial sales or information push delivery through automated decision making methods, shall simultaneously provide the option to not target an individual’s characteristics, or provide the individual with a method to refuse.

When the use of automated decision-making produces decisions with a major influence on the rights and interests of the individual, they have the right to require personal information handlers to explain the matter, and they have the right to refuse that personal information handlers make decisions solely through automated decision making methods.

That’s close to Article 22 of the EU’s GDPR, which states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” But in one respect, China’s draft law goes beyond the GDPR by including the following clause:

When a natural person is deceased, the rights of the individual as to personal information handling activities according to the provisions of this Chapter shall be exercised by the next of kin.

Although death is naturally something that many are reluctant to discuss or even think about, what happens to people’s personal data after they die is becoming a pressing matter. In the US, the Revised Uniform Fiduciary Access to Digital Assets Act, a model law adopted by most states, governs access to a person’s online accounts when the owner dies. It essentially extends the traditional power of a fiduciary to manage tangible property to include digital assets. It does not permit a fiduciary to read the content of email, texts and social media messages unless the original user consented to this in a will or a similar instrument. It also allows people to use online tools provided by digital services to specify how they want their digital assets handled after their death. In the EU, neither primary nor secondary law provides for post-mortem data protection: Recital 27 of the GDPR expressly states that the regulation does not apply to the personal data of deceased persons, leaving any such rules to the member states, only a few of which (France, since 2016) have enacted them. Companies holding personal data of deceased users have therefore come up with ad hoc solutions for what happens to that data, and for who – relatives, for example – can access it after someone’s death.

The lack of clear legal frameworks around the world has led some to call for a formal recognition of post-mortem privacy, and of the right of people to control their personal data after death. However, as the researcher Edina Harbinja notes in her 2017 review of post-mortem privacy, this needs to be done in a way that balances the privacy and free speech interests of others, including those of the living people whose data is entangled with the deceased’s. As more of today’s Internet users die, this issue will become something that legislators around the world will need to address. It’s interesting that China looks likely to be among the first major jurisdictions to do so in its main privacy law – a sign that it is no longer simply following the West as far as privacy is concerned, but sometimes taking the lead.

Featured image by Peter Griffin.