New Report on Limits of “Consent” in China’s Data Protection Law – First in a Series for Joint Project with Asian Business Law Institute
The Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI) are publishing today the first in a series of 14 detailed jurisdiction reports that will explore the role and limits of consent in the data protection laws and regulations of 14 jurisdictions in Asia Pacific (Australia, China, Hong Kong SAR, India, Indonesia, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, South Korea, Singapore, Thailand, and Vietnam), as part of FPF and ABLI’s ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific.”
The first report focuses on the status of “consent” and alternatives to consent as lawful bases for processing personal data in the People’s Republic of China. Over the coming weeks, FPF and ABLI will continue publishing these reports, which will inform a forthcoming comparative review paper with detailed recommendations to promote legal convergence around requirements for processing personal data in the Asia Pacific region.
Background on the ABLI/FPF Project
In August 2021, ABLI and FPF concluded a cooperation agreement to understand, analyze, and support the convergence of data protection regulations and best data protection practices in the Asia Pacific region through joint research, publications, and events. This collaboration builds on the substantial work done by ABLI and FPF on data protection and privacy laws and frameworks in the Asia Pacific (APAC) region.
The starting point for FPF’s collaboration with ABLI is the understanding that as personal data protection frameworks in Asia are at a critical stage in their development – whether they are in the process of adoption or reform, or are at the early stages of their implementation – there is an urgent need for understanding where they differ and for identifying opportunities for convergence of key data protection rules and principles at the regional level.
Previous work by ABLI has demonstrated the collective benefits of legal certainty and convergence in the area of cross-border flows of personal data in APAC. As this work has proven useful for policymakers as they address these issues, ABLI and FPF launched a joint project with the same philosophy and methodology, entitled “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” to promote legal convergence around principled, accountability-based requirements for processing personal data in Asia Pacific.
In APAC as elsewhere, there is a growing conversation around the limitations of “notice and consent” and how to address them. Notice and consent requirements have long been used to justify the collection and processing of personal data. However, in recent years, this justification has increasingly been called into question:
- Over-reliance on consent has led to the development of a “tick-the-box” approach to data protection for organizations and “consent fatigue” for individuals, which contradict the original purpose of data protection laws.
- The requirement to obtain consent (especially where consent must be given explicitly) is increasingly proving inadequate in the era of ambient computing, the Internet of Things (IoT), and multi-stakeholder digital ecosystems and platforms.
- Consent requirements are also increasingly complex for organizations to apply, and legal fragmentation has made operations across jurisdictions even more challenging, leading to unnecessary compliance costs.
Many APAC jurisdictions have already come to recognize the limitations of consent, especially in the digital space. To highlight a few examples:
- In 2018, a report of a Committee of Experts on a Free and Fair Digital Economy in India described the operation of notice and consent on the internet as “broken” and questioned whether consent alone could be an effective method for protecting personal data and preventing individual harm.
- In 2019, New Zealand’s then-Privacy Commissioner, John Edwards, declared in a much-cited blog post that click-to-consent was “not good enough anymore” and called for consumers and businesses alike to rethink consent and move towards Privacy by Design.
- In 2020, Singapore restructured its Personal Data Protection Act from a primarily consent-based framework to permitting collection, use, and disclosure of personal data without consent in a wide range of situations, including “vital interests of individuals,” “matters affecting the public,” “legitimate interests [of organizations],” “business asset transactions,” “business improvement purposes,” and “research.”
However, this trend is not shared by all jurisdictions. Many data protection laws in APAC (and elsewhere) still require consent by default for the collection and processing of personal data. “Tick-the-box” compliance habits or reluctance to change user experience often lead organizations to fall back on consent. In APAC, these problems are reinforced by the fragmentation of regional laws – for all its limitations, consent is still often perceived as a common denominator and the “easiest” or “safest” way to comply across borders in APAC—even where consent is not necessary or even justifiable or where accountability-focused options like legitimate interests could apply and would be better suited to the needs of both organizations and individuals.
The ABLI and FPF project aims to guide the development of data protection frameworks in APAC away from consent-centric, “tick-the-box” compliance requirements and towards responsible data practices and accountability for privacy when processing personal data. At the same time, the project recognizes that effective policies need to balance the interests of individuals in protecting their personal data and organizations in using personal data, while also promoting the interests of broader society, such as developing a vibrant digital economy and preventing crimes and fraud.
This requires frameworks to realign the role of consent by returning consent to the position that it occupied in the very first data protection frameworks as one of several, equal legal bases for processing of personal data, rather than as the default or even sole basis for processing personal data.
First Report: Consent in China’s Data Protection Law
In the first stage of this collaboration, FPF and ABLI have undertaken a comprehensive review of the role and position of “notice and consent” in 14 APAC jurisdictions: Australia, China, Hong Kong SAR, India, Indonesia, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, South Korea, Singapore, Thailand, and Vietnam.
These reports draw on insights provided by thought leaders, regulators, and practitioners during the first event co-organized by FPF and ABLI: a virtual panel entitled “Exploring Trends: From ‘Consent-Centric’ Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific” which was co-hosted by Singapore’s Personal Data Protection Commission in September 2021.
To that end, FPF and ABLI are delighted to announce the first publication in this joint project: a detailed jurisdiction report on the status of consent in China’s data protection framework.
China’s data protection law has been evolving in recent years. Though China’s personal data protection framework has traditionally prioritized consent, the adoption of the Personal Information Protection Law last year was a paradigm shift which repositioned consent as one of seven equal legal bases for processing personal data in a model likely inspired by the GDPR.
This report provides a detailed overview of relevant laws and regulations in China on:
- notice and consent requirements for processing personal data;
- alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in general and sector-specific laws and regulations.
The reports draw from the professional knowledge, experience, and opinions of a wide range of expert contributors from across the APAC region. ABLI and FPF are grateful for the invaluable contributions of these contributors, who have kindly shared detailed information, comments, and clarifications on the legal frameworks in their respective jurisdictions.
Upcoming for the ABLI/FPF Project
Over the coming weeks, FPF and ABLI will publish these reports as part of an ABLI-FPF Series on Convergence of Data Protection and Privacy Laws in APAC.
The findings presented in the reports will also inform the second stage of ABLI and FPF’s collaboration: a comparative review paper which sets out proposals as to how policymakers can not only promote legal convergence in the APAC region but also help organizations to move away from overreliance on lengthy privacy policies and often artificial consent and towards responsible data practices that strike a balance between the needs of organizations that collect and process data, the rights of individuals in protecting their data, and the interests of society at large.
FPF hopes that these publications will prove useful to lawmakers, governments, and regulators in APAC (and beyond) who are currently drafting, reviewing, or implementing data protection laws in their respective jurisdictions.