In practice, China’s judicial authorities often do not have smooth access to the data of Internet companies.
China is exploring to achieve an optimum balance among the interests of the State, the public, enterprises, and individuals in data retrieval, so as to ensure that judicial authorities access the data with minimal damage.
The article, the Interest Measurement and Typical Ways for Access to the Data of Internet Enterprises by Judicial Authorities (司法机关调取互联网企业数据之利益衡量与类型化路径), published in Journal of National Procurators College (国家检察官学院学报), No. 11, 2020，introduces the details on judicial authorities’ access to data of Internet enterprises. The authors of this article are Dr. Bei Jinxin (贝金欣), the Third-Grade Senior Prosecutor of the Supreme People's Procuratorate, and Dr. Xie Shu (谢澍), Associate Professor of China University of Political Science and Law.
I. Starting with a case
The article starts with a case involving a Didi driver and a passenger in China in August 2018.
Didi is a Chinese Internet giant that offers ride-hailing services like Uber. In August 2018, a male driver on its platform robbed, raped and killed a female passenger, and then dumped the body. This case shocked the whole country and attracted widespread attention.
When the suspect was committing the crime, the victim's friends had been informed of the situation and called the police, and the police immediately asked Didi to provide the data in order to identify the location of the driver and the vehicle so as to stop the crime as soon as possible. However, Didi did not wish to disclose its data to the police and hence refused to cooperate, which eventually led to the death of the victim.
In the process of providing network services, Internet enterprises collect and master a large quantity of users' data. From this case, the authors point out that China shall formulate relevant rules to clarify under what circumstances and to what extent judicial authorities may require the Internet service providers to disclose the personal information of customers.
For Internet enterprises, there is a conflict between the protection of personal data and the demand of judicial authorities for data retrieval, and they have to figure out the solution to dealing with the conflict. The future rules will help the Internet enterprises to address this conflict and remove the uncertainty in such issues.
II. How to address the conflict under the existing legal framework
In China, a couple of existing laws at different hierarchic levels and in different fields have already stipulated that Internet enterprises are obliged to provide applicable information and data.
For example, during administrative law enforcement, the people’s government departments at the provincial level or above may require the relevant departments, institutions, and personnel to promptly collect and report the relevant information when the risk of cybersecurity incidents intensifies. See Article 54 of the “Cyber Security Law” (网络安全法).
Institutions engaged in internet finance shall submit reports on large-amount transactions and suspicious transactions to the Anti-Money Laundering Center in accordance with relevant provisions on anti-money laundering. See Article 14 of the “Administrative Measures for Anti-Money Laundering and Anti- terrorist Financing of Institutions Engaged in Internet Finance (for Trial Implementation)” (互联网金融从业机构反洗钱和反恐怖融资管理办法（试行）).
During the criminal investigation, the court, the procuratorate, and the police authorities shall have the authority to collect or obtain evidence from entities or individuals. Internet operators shall also provide technical support and assistance for public security organs and state security organs in their efforts to safeguard State security and investigate criminal activities in accordance with the law. See Article 54 of the Criminal Procedure Law and Article 28 of the Cyber Security Law.
The above-mentioned rules specify the power of government departments to access the data of Internet enterprises and the obligation of Internet enterprises to provide assistance. However, due to the complexity of specific situations and the lack of detailed provisions, such rules have not been implemented as well as expected. The aforesaid Didi Case is a typical example.
III. How do Internet enterprises view these rules
Most of the Chinese Internet enterprises believe that providing data undermines their self-interest to some extent, so they have the following concerns about how to respond to the demands of the judicial authorities:
Firstly, it is concerned about negative reviews.
Data is directly related to customers’ privacy, so if Internet companies disclose customers' privacy to others, even if the act is consistent with laws, it is likely to arouse customers’ disgust. Moreover, as data protection policies differ from country to country, the implementation of one country's regulations by Internet companies may result in a hindrance to their development in another country and lead to discriminatory treatment.
Secondly, it may increase the operating costs of enterprises.
With the continuous growth of illegal and criminal activities on the Internet, the frequency of data retrieval by judicial authorities is also increasing. As it is more frequent for judicial authorities to request data retrieval from Internet enterprises, it inevitably costs more human resources, technology, sites, and other resources of Internet enterprises.
Thirdly, data dissemination leads to potential business risks.
The data of enterprises have huge economic value. Enterprises worry that the judicial authorities will use the data for activities other than criminal investigations, share the data with other organizations, or result in data leakage after the data retrieval due to inadequate security measures. Such kind of data dissemination will pose a great threat to the enterprise’s operation.
IV. How will China solve this issue in the future
While a set of comprehensive and reasonable rules is still wanting to date, the act of Internet companies to provide or not to provide data may both cause secondary harm, and then arouse public doubts on Internet companies, and even lead to lawsuits. Therefore, the authors argue that future rules, be it conservative or radical, may not be the best choice.
On 3 July 2020, the Data Security Law (Draft) (the Draft, 数据安全法(草案))was published on the website of the National People's Congress (NPC) for public comment. The Draft states that the State will implement a multi-level protection scheme on data, and that it must fulfill its social obligation such as protecting data security when conducting data activities.
The authors suggest that the rules for judicial authorities to retrieve the data of Internet enterprises can be designed in line with the Data Security Law. In other words, legislators shall, according to indicators such as the urgency and danger of the circumstances of data retrieval and the degree of infringement upon personal rights by the act of data retrieval, establish a response hierarchical mechanism for the Internet enterprises, so as to facilitate the Internet enterprises to formulate and process the requests for data retrieval in accordance with different response levels.
The authors’ proposal, so far, is only a theoretical opinion, and we have not found that China's judicial authorities have begun to prepare for a similar mechanism yet.
Contributors: Guodong Du 杜国栋