Ricky (Ziqi) Xing

China has developed one of the largest and robust digital economies in the world, with a tremendous amount of data being processed every second. A company should fully explore and understand the value of the data it possesses, bearing in mind the same data may also be traded for various purposes, including advertising, crime prevention, and forecasting.

In the face of its fast-growing digital economy, the Chinese government has, through legislation, promulgated a set of laws and regulations relating to the protection and exploration of the value of data. The court system is also currently balancing the rights of parties in the absence of statutes. China’s data protection law is unlike that of many other jurisdictions around the world, including the Europe Union and the United States. It is therefore helpful for brand owners and professionals to understand some basic aspects of the data protection laws and practices in China.

This article consists of two parts. The first half introduces the current data protection framework, including statues and some leading case law. The second half outlines new policies in this field and forecasts the legislative trends moving forward.

Different bodies of law of the People’s Republic of China (PRC) protect individuals’ and enterprises’ rights to data:

• Personal Data or Personal Information: These two terms are typically used interchangeably. Pursuant to the Personal Information Protection Law of the PRC (PIPL), personal information is defined as all kinds of information related to identified individuals or identifiable individuals that is recorded in electronic or other ways, but excludes information being anonymized or otherwise regulated by other laws or regulations. The PIPL borrowed heavily from the General Data Protection Regulation of the European Union (GDPR), but it does distinguish the data controller and processor by statute.

• State Core Data and Important Data: State core data is defined as data relating to national security, which includes data related to the state economy, important employment information, and information of significant public interest. Important data includes data that if it were tampered with, damaged, leaked, or illegally possessed or used, would threaten national security, economic operations, social stability, or public health and security.

•Public Data: This normally refers to the data collected by the different divisions of government during routine administrative work. The Chinese government is committed to publishing this type of data to facilitate the training of neural networks in furtherance of the development of artificial intelligence. Data-driven companies are able to then download such data free of charge in order to forecast future outcomes—such as traffic flow—based on historical data.

• User-Generated Data or User-Generated Content: These two terms are used interchangeably in this article. These are industry-generated terms rather than egal terms which Copyright Law can protect as literary, artistic, or photographic works, depending on the nature of the work. Typically, the authorship of such work belongs to the network user; therefore, the platform cannot claim independent copyright to those types of works without due authorization from the author.

• Platform-Generated Data and User-Derivative Data: Article 2 of the Anti-Unfair Competition Law (Competition Law) provides a remedy for a platform against unfair practice. Cause of action relying on Article 2 usually occurs when the data being scraped is neither confidential nor proprietary. Since Article 2 is the last line of defense in the intellectual property (IP) law regime, cause of action invoking Article 2 means the plaintiff practically has no other choice, which will be further discussed at length later in this article.

• Trade Secrets: Article 9 of the Competition Law provides a legal remedy against unauthorized disclosure and use of others’ trade secrets.

• Computer Software: The source code, object code, and relevant documentation of computer software (covering programs running on PC and smartphones) qualify for protection under the Copyright Law. If the program is used in conjunction with memory devices and other computer hardware, along with operational processes, it might fall into patentable subject matter. Strong protection under the Patent Law is available if that is the case.

If the data concerned does not fall into the categories mentioned above, it can flow freely.
Although nationwide legislation on rights to data has not been enacted yet, different regions have attempted to create civil interests for owners of derivative data in general. Shenzhen, one of the most developed cities in China, released its own Data Regulation of the Shenzhen Special Economic Zone (Shenzhen Data Legislation) in June 2021, which stipulates that “individual, legal persons and other organizations enjoy proprietary interests in the data products and services generated in lawful processing, pursuant to the laws, administrative regulations and this regulation.” Under Chinese law, rights are either stipulated by laws or regulations, but interests are typically confirmed by courts in judicial proceedings on a case-by-case basis.
 
Under Chinese law, rights are either stipulated by laws or regulations, but interests are typically confirmed by courts in judicial proceedings on a case-by-case basis.

Legal Remedies

Anyone who invades, sabotages, or obtains unauthorized access to the digital data of others is subject to different layers of criminal and civil liability:

Criminal Liability

The crimes of invasion, sabotage, and unauthorized access to digital data include the following:

• Illegally intruding into a computer information system;
• Illegally obtaining the data of a computer information system;
• Sabotaging a computer information system;
• Infringing personal information;
• Infringing copyrights; and
• Infringing trade secrets.

Committing a prohibited act per se does not always trigger criminal charges, as each crime has different thresholds relating to:

• The amount of illegal profits earned;
• The number of the copies reproduced, or the information illegally traded; or
• The consequences resulting from the crime.

Civil Liability
The causes of action invoked in civil litigation for the protection of digital data include unfair competition, copyright infringement, and trade secret theft. Of these, unfair competition is the most frequently chosen legal relief.

Unfair Competition
The Competition Law, which supplements specific IP laws (i.e., trademark, patent, and copyright laws), prohibits certain acts, including misleading conduct causing market confusion (Article 6), commercial bribery (Article 7), false representation/false advertising (Article 8), and trade secret theft (Article 9).

Absent specified behaviors as laid out above, Article 2 articulates that the business operator is obligated to obey the laws and commercial ethics in business and industrial activities: “business operators shall follow the principles of voluntariness, equality, fairness and good faith, obey the laws and commercial ethics in production and business activities.” In the newly amended judicial interpretation, China’s Supreme People’s Court (SPC) stipulated that “the code of conduct generally observed and recognized in specific commercial fields may be deemed by the People’s Court as ‘commercial ethics’ as stipulated in Article 2.”

Legal Test of Article 2
Article 2’s nonspecific language is aimed at encompassing any new unfair practices that do not conform with the Competition Law. This allows judges to set precedents in case law, as in the description below, where the judgment suggests a basic three-factor test:

In its judgment in Shandong Foods Imports & Exports Co. vs. Qingdao Shengkedacheng Trading Co. (Seaweed Quota Case, 2009 Min Shen Zi No. 1065) the SPC shed some light on this point by allowing the independent application of the “general clause” in Article 2 under the following three conditions: first, the Competition Law does not set forth specific provisions for the particular type of unfair competition at issue; second, the legitimate interests of other operators are actually damaged due to such competition; third, this kind of competitive behavior is indeed illegitimate because it violates the principle of honest practices in industrial or commercial matters.

Additionally, in an online environment, a court would also consider the “Internet three-factor” test raised in Sina v. Momo (2016 Jing 73 Min Zhong No. 588), which is described as follows:

• Whether the technical measure employed in the competitive behavior damages the interests of consumers, such as the restriction of consumers’ right to freely choose products, failure of protection of consumers’ right to information and infringement of consumers’ privacy rights;

•Whether the competitive behavior undermines the order of openness, fairness and justice of the market competition in the internet environment, thereby triggering vicious competition or having the possibility of such a situation; and

• For the competitive behavior employing new technological measures or new business models on the internet, it should first be presumed to be justified, and its illegitimacy needs to be proved by presenting evidence.

Assuming that both the basic three-factor test and the Internet three-factor test are satisfied, then the court will conclude that the competitive behavior being alleged violates Article 2 of Competition Law and will ban it.

From a commercial perspective, the key factor in finding the “damage” in the test is, de facto, the question of whether the goods or services of the defendant substantially substitute the plaintiff’s services and attract traffic from the plaintiff’s platform.
 
The causes of action invoked in civil litigation for the protection of digital data include unfair competition, copyright infringement, and trade secret theft.

Data Accuracy
Another new type of dispute concerns the accuracy of data. A leading case of this type is Ant Financial Services v. Suzhou Langdong (2020 Zhe 01Min Zhong No. 4847), which is not only the first case relating to data accuracy, but it is where the court tried to define the boundary for the use of public data.

The plaintiff, Suzhou Langdong, operates a big data platform called Qi Cha Cha, which archives the registered information and other business information of the companies registered with the Official Registrar.

In May and June 2019, Qi Cha Cha suddenly pushed out a warning message to all subscribers that Ant Financial Services was in liquidation, causing immediate damage to Ant Financial Services’ standing in the market and its reputation. It was later found that a bug in Qi Cha Cha’s algorithm had led to the erroneous warning message. In fact, the piece of information was historic, whereas the message suggested that it was new.

In its decision, the court admitted that Suzhou Langdong could use historical information about Ant Financial Services for its own business purposes. On the one hand, a data processor should exert the appropriate level of duty of care to ensure its use of public data does not damage the legitimate interests of the data subject. On the other hand, the big data enterprises using public data have a basic duty of care, especially when it comes to broadcasting negative or sensitive information. Data should be filtered and cross-checked to ensure data quality and prevent the release of inappropriate information that could mislead the relevant public and damage the interests of the data subject.
 
Copyright is not frequently chosen as a cause of action for digital assets, as the plaintiff in copyright litigation must produce the chain of evidence to prove its title in the copyrighted work.

Copyright Infringement
Copyright is not frequently chosen as a cause of action for digital assets, as the plaintiff in copyright litigation must produce the chain of evidence to prove its title in the copyrighted work. This creates two insurmountable difficulties for the plaintiff. On the one hand, the particular data set asserted by the plaintiff may not necessarily be copyrightable subject matter. More often than not, the data set consists of user comments, rankings, grading, and data hierarchy. This combination does not necessarily meet the threshold of a compilation work eligible for copyright protection. On the other hand, in the case of user-generated content, it is infeasible for the platform to collect authorization from each user for the purpose of starting copyright litigation.

That said, this cause of action still has its application. A leading case in this area is Navinfo v. Qihu 360 (2019 Jing 73 Min Zhong No. 1270) relating to the unauthorized use of geographic data.
Navinfo is a leading developer of electronic maps (like Google Maps) in China. Qihu 360 used these electronic maps without due authorization to provide navigation services on its website and app. Navinfo sued Qihu 360 for copyright infringement and unfair competition.

The trial court took Qihu 360’s defense and determined that the map data at issue is not within the scope of the Copyright Law.

The appellant court at second instance took a different approach. It affirmed that a map is a statutory type of copyrightable subject matter and that the major issue in this case is whether Navinfo’s navigational electronic maps were original and to what extent they demonstrated original expression.

In fact, the creative aspect of navigational electronic maps lies in the objective processing of geographic information. The court further reasoned that one can observe the originality of navigationally electronic maps in the process of the measuring of specific objects, landforms, points of interest, and other features in the map and making trade-offs among those pieces of information pursuant to the purpose of developing such maps. This trade-off process is where one can find the originality; different cartographers might choose different expressions of those elements. After discussing originality, the court went on to talk about whether the data embedded in electronic maps is “fixed in any tangible medium of expression.” It elaborated that once the creation process is completed, despite different layers of the electronic map being invoked and rendered during the navigation process, this does not necessarily mean the map is not fixed or finished.

The appellant court concluded that a navigational electronic map meets the originality requirement of the Copyright Law and thus is eligible for protection. It barred Qihu 360 from using or offering navigational services to users without due authorization.