Hello, privacy pros! Greetings from Beijing! I hope you are enjoying a relaxing summer.
Despite the heat wave, the data space in Greater China remains dynamic and robust, keeping everyone on their toes. We have seen impressive strides in rulemaking, judicial practice and enforcement in artificial intelligence and across the broader field of data protection and privacy.
From a data privacy perspective, China recently introduced two significant guidelines. On 11 June, China's National Information Security Standardization Technical Committee issued draft guidelines on identifying sensitive personal data for public consultation. The guidelines provide some much-needed clarity and address some commonly raised industry questions. For example, the guidelines clarify that a picture or scanned copy of a personal ID card should be treated as sensitive personal data, while a pure personal ID number would not be regarded as sensitive. In relation to health data, general health data such as a person's height, weight and blood pressure is not classified as sensitive personal data unless it is related to medical or diagnostic purposes.
On 21 June, the committee released, for public comment, draft guidelines to halt the collection of off-vehicle data. The purpose of these guidelines is to reduce the risk of illegal collection of important data and sensitive personal information from the continuous camera and radar usage by vehicles, highlighting China's ongoing commitment to data security.
On the enforcement front, Chinese regulators are staying busy, cracking down on noncompliance with fines. A major Chinese commercial bank was recently fined RMB1.6 million, approximately USD220,000, for vulnerabilities in its data security infrastructure. In Shanghai, the Cyberspace Administration of China just completed an extensive investigation into 24 major global and national coffee shop chains. Some coffee chains were found to not abide by the data minimization principle and forced consumers to consent to the privacy policy and collection of personal data. The companies concerned were asked to rectify these defects within the prescribed grace period.
Investors, developers and businesses are doubling down on AI in China. Drafting China's comprehensive AI law has been listed in the 2024 work plan of the country's top legislative body. Meanwhile, Chinese courts, especially the internet courts in Beijing and Guangzhou, have been leading the way in adjudicating some cutting-edge AI cases.
On 20 June, a landmark ruling on China's first AI deepfake case came down from the Beijing Internet Court. The defendant, who ran a face-swap app, used short videos of two famous internet celebrities without their consent. The app operator used the celebrities' facial information to make template videos that the app users could download and buy.
The court ruled the app operator violated China's Personal Information Protection Law by collecting and processing the celebrities' facial information without permission, even though it tweaked some of the features using face-swap technology. The court ordered the app operator to apologize and pay for the celebrities' mental and economic losses.
Moving south to Hong Kong, the Office of the Privacy Commissioner for Personal Data released the Artificial Intelligence Model Framework 20 June to provide organizations with guidance and recommendations on how to handle personal data in compliance with Hong Kong's Personal Data (Privacy) Ordinance when they procure, implement and use AI, including generative AI. This framework addresses AI systems used for content generation and autonomous decisions or recommendations, with the requirement for human involvement in certain specific scenarios. It introduces a risk-based approach to using and procuring AI systems, with recommendations for organizations to follow throughout the entire life cycle.
The IAPP Asia Privacy Forum in Singapore 17-18 July is quickly approaching. This is the annual signature data privacy event in Asia, and I am super excited about it. I'm looking forward to exchanging ideas and insights, catching up with old friends and making new ones!
Barbara Li is an advisory group member for China at the International Association of Privacy Professionals.