When Sharon Liu, a finance professional in the eastern Chinese city of Tianjin, bought a flat through an online brokerage platform late last year, she never agreed to give strangers her personal information. Now, up to three times a day, she receives calls from people she has never met who know her full name and home address.

“They’re seriously disturbing my work and personal life,” said Liu, who answers them for fear of missing important calls. “Given that they know my address and my phone number, I don’t feel safe,” she told the Post.

Liu is not alone. From job seeking sites with lax privacy controls to company insiders actively abetting personal data theft, China is still grappling with data privacy concerns as underground trading of personal information thrives amid Beijing’s push to have the digital sector play a bigger role in China’s domestic economy.

Without a law dedicated to protecting personal information, and the lack of clear guidelines, China’s enforcement agencies have struggled to keep up with an increasingly skilled industrial chain of insiders and data brokers.

“We have to acknowledge that [the situation of] Chinese citizens’ personal information leakage and infringement is grim,” said Steve Zhao, a partner and intellectual property lawyer at the Beijing-based Gen law firm.

Zhao, who specialises in the underground online economy, described China’s black market for data as a professional and industrialised value chain connected to a range of illegal activities including fraud, extortion, and violent debt collection.

Last year, five employees at Chinese courier company YTO Express were found to have been renting their company accounts to an underground data broker group for 500 yuan (US$77) a day, leading to the personal information of more than 400,000 users being leaked, including names, addresses, national identification numbers and phone numbers.

Even though the brokers were arrested for selling the data to telemarketing fraudsters in China and South-East Asia, it is too late to remove victims’ information from the internet once it is disseminated.

In March last year, personal data from 538 million users of microblogging site Weibo was leaked and sold on the dark web, including phone numbers, gender and their geographical location. In August 2018, one of the biggest hotel chains in China, Huazhu Hotel Group, reported a leak that resulted in information from 130 million of its customers appearing on a dark web forum.

“We’re a populous country with a flourishing digital economy, so the underground data industry involves a large amount of personal information,” said Samuel Yang, a partner and specialist in cybersecurity and data protection at the Anjie law firm.

Tianjin flat buyer Liu suspects a real estate brokerage leaked her personal data, but without proof she cannot take any action.

“Trying to defend your rights won’t hurt these big platforms,” Liu said. “If the leak is not from buying a flat it would be from buying something else, and the salespeople won’t stop calling.”

Challenges lie ahead for policymakers, who need to strike a balance between stronger government control, protecting personal privacy and encouraging companies to leverage the full potential of data.

“The Chinese government is preparing for a concerted push to create the regulations and norms that will support the buying, selling and circulation of data throughout the digital economy,” said Kendra Schaefer, head of tech policy research at Trivium China.

Last year, the central government signalled that data would play a leading role in China’s social and economic development when it listed data as a new factor of production along with land, labour and capital, with the goal of integrating the physical and digital economies.

The central government has been trying to figure out how to create a viable market for data and establish rules around it, to ensure the smooth and secure circulation of data by pushing its bureaucracy to openly share its data, but also companies to share data from search, e-commerce and social media services for the development of a third-party big data platform.

The country’s 14th five-year plan, unveiled earlier this month, fast tracked the roll-out of two “fundamental” pieces of legislation, the Personal Information Protection Law (PIPL) and the Data Security Law. The PIPL, as its name suggests, will address personal privacy issues, while the Data Security Law will establish rules around the market for data and the basic regime of data security management, legal experts said.

With insider theft being a major source of personal information leaks, companies need to improve their own control measures and both laws will push them to do that, said Anjie’s Yang. The draft version of the PIPL, for instance, says that companies can be fined up to 50mil yuan (RM31.58mil) for violations.

“Hefty fines proposed by the Personal Information Protection Law will have a great deterrent effect on companies, who will be more motivated to protect user data,” Yang added. – South China Morning Post