Jamie Horsley on Data Privacy and China’s Social Credit System

How do the United States’ and China’s data policies and privacy laws differ? How are they similar?

At a broad level, the U.S. preceded China in terms of promulgating privacy legislation. We have a privacy law that only applies to the federal government and how it handles the personal private information in government files, including sharing between government departments and disclosing it under our Freedom of Information Act. All 50 states have their own equivalent privacy laws too. We still do not have a national privacy act that applies to companies and other non-governmental actors, although some states, led by California, are adopting such legislation.

Unlike the U.S., China has more of a federal system. If you have federal or national legislation passed by the State Council or the National People’s Congress, it applies throughout the government system all the way down to the township level – throughout the entire country. That’s a big difference.

In the U.S., early on, the courts read a right to privacy into our constitution. People would normally say, “We have a constitutional basis here,” but China does not. And yet, from very early days, there’s been a sense of privacy. In China, the word for privacy suggests something secretive; it has a negative connotation.

In fact, as China began to open up, particularly after 1979 with the Reform and Opening program, they began to develop what they call the socialist market economy, and information became more widely available. There was a sense of privacy being developed. Women in the hospital giving birth to babies started getting phone calls from vendors wanting to sell them baby products. And they’re going, “How did they know? What’s going on here?” So, the concept that the Chinese people don’t care about privacy is simply wrong.

With the invention of the internet and e-commerce, in fact, Chinese people developed an even strongersense of privacy, which we all saw during the anti-zero-COVID policy protests. Once China abandoned their zero-COVID policy, and started lifting all the restrictions, immediately, people began to push to get rid of the health data monitoring. A lot of people outside China were surprised. They were predicting that the Chinese government would want to preserve the advantages of having health information and being able to monitor people, even just from a public health point of view. But people said, “No way.” Some local governments had tried to start codifying and regulating the health codes, which were developed by the private sector and then used by the public. But again, people pushed back and said, “No way.” And so those plans were dropped.

In terms of the basic privacy protection concepts, they’re now very similar in China and the U.S. However, China actually adopted a federal national privacy law in 2021 that applies to the government, as does ours, but also applies, and in fact, is primarily directed at the private sector companies. Now with the internet, FinTech, and everything else, there’s a lot of concern about identity theft and all your normal concerns about privacy.

China’s act is pretty comprehensive; it’s very sophisticated, and it’s actually modeled on the other big existing comprehensive privacy act, which is the European Union’s. In fact, in some respects, the Chinese law is even stricter. It requires that people have to consent to the collection of their information and to the use of it as well. Contrary to what most people might think, China does try to put in place regimes and regulations to really protect people’s privacy.

Even though China’s a one-party state and it’s not elected, it does feel it has to retain its legitimacy with its people. The normal way to do that is through delivering economic growth and social stability, and this idea of privacy has very quickly risen to the top of people’s concerns. The Party understands that their people really care about this. That was a big part of a push toward broader data governance and information governance regulations that have been put in place over the last 10 years – this privacy piece. I think it’s surprising to a lot of people outside China because you don’t expect it.

I think it’s really quite incredible that China moved so quickly after, really, only a 10-year period. Whereas in the United States, where we have our own political issues, we still have not come out with a privacy law, a national one, that will regulate companies, even though we have certain sectoral rules addressing various aspects of private data.

The next question is about a piece you wrote in 2018 for Foreign Policy called “China’s Orwellian Social Credit Score Isn’t Real”. What is social credit? Has China’s Social Credit Initiative changed since 2018?

As China opened up after 1979, it moved from a command-and-control economy to a national market economy in which people were increasingly dealing with strangers.

Chinese economists had been studying how the market economy works, and they realized that, as we always say, “A market economy is a trust economy.” You have to trust the people you’re dealing with. China was experiencing huge problems with fraud, illegality, and counterfeiting issues. This happens around the world, and it was a serious concern in China.

When I first joined Yale in 2002, we were approached by a new partner for us, the State Council Legislative Affairs Office. The economists, legal scholars, and government officials had all been considering, “What can we do to start building trust and mechanisms that will address information asymmetry?” They looked around the world, and the first project they wanted to work on with us was to research the U.S. consumer credit reporting system. What is credit reporting? The banks and financial institutions collect information about us that shows how we repay our credit cards, pay our loans, and manage bills – that we deal well with money and are responsible. Those credit reports are used by employers, landlords, etc., and it has to be with our consent. Again, this gets back to the privacy issue, that financial information is viewed as very, very confidential.

These credit reports provide fundamental information that allows banks and other companies to decide whether to do business with you or hire you. China also wanted a credit information system that applied to both companies and individuals.

After the launch of such a system was delayed, the People’s Bank of China started its own financial credit reporting that would provide information only within the financial system.

This became a model for a way to more broadly address credit and compliance issues. What the State Council decided to do is expand on this model and collect more information. You had this credit reporting database run by the People’s Bank of China that’s collecting all this information on companies and individuals that was kept confidential. On the commercial side, regulators set up a requirement that all companies, even if they’re not listed on the stock market, and no matter what their size, had to have an online, accessible record that discloses basic information, as well as regulatory information about the company: What are your registration details? Have you been fined? Have you been subject to court judgments? Have you defaulted on a loan? That kind of information is collected in the government database, although the financial information need not be made public in the case of unlisted companies.

A lot of foreigners and lawyers thought this database was a great idea, because it facilitated conducting due diligence when you were investigating a company. Meanwhile, the highest court in China, the Supreme People’s Court, which doesn’t really have enforcement powers, was frustrated because many individuals simply ignored  court judgments against them requiring money to be paid.

So, the court founded a public blacklist and obtained cooperation from other agencies to help them enforce certain restrictions – such as on purchasing luxury goods, first class train tickets and the like – on these judgment defaulters that would compel them to actually pay their debts. If you were poor or didn’t have the money, you’d need to work out a deal with the court, but one could no longer just ignore the judgment.

You had these three information collection and sharing initiatives in place and operating  nationally in China, that were eventually housed together within the concept of “social credit.” The Chinese term  for credit can also mean trust. When we were approached initially by the State Council to research credit reporting as part of promoting a trust economy, we called it, in English, the Social Trust Project. Credit reporting is the foundation of what now is called the social credit system, which is a massive information collection and sharing project.

Think of it like a gigantic API, an app, that collects and aggregates all this information. It includes the financial piece, basic information about companies, information about court judgments, as well as about individuals who aren’t paying their debts. Positive as well as negative stuff, but making much of it available in a database that anybody can access to make decisions about the relevant companies and individuals. The social credit system was actually a rather brilliant regulatory innovation to help address China’s information asymmetry issue that facilitated widespread fraud and non-compliance.

The major concerns about the social credit system relate to this massive aggregation of data. China, like everybody else, has issues with leaks, hacking, and information integrity. China also experiences a lot of illegal selling of personal information, including by banks and companies, but also by police officers and other government officials. The mere fact that they were thinking of amassing all this information made people nervous.

Another initial issue was confusing private company credit programs with the official social credit system.  Some platform companies collected information about and based their own evaluations on a wider scope of information including consumption behavior. In some cases, how many friends you had or what your social media presence was seemed also to be factored in. Some Western observers even assumed that the Chinese Communist Party was likely using social credit information as a way to gauge party loyalty.

Meanwhile, in the West, many conflated it with our credit reporting system, which produces scores. In the U.S., we all care about our credit score. However, the credit reporting system in China doesn’t, in the ordinary course, produce a credit score with their reports. It just gives you the raw data and you make your own decision. The social credit system itself does not produce overall numeric scores, per se, and certainly not on individuals. Moreover, at the moment, most individual Chinese are not even covered by it. The system is really focused on market order and market regulation. The covered individuals would mostly be managers, directors of companies, and professionals like accountants, doctors, and lawyers – people that you trust and rely on. If they’re getting in trouble, they’ll be in the social credit system, too.

The social credit system just records what’s going on in terms of regulatory compliance and problems that have been encountered. But in the West, we have this perception that it’s trying to do a lot more. It’s been conflated with facial recognition and technical surveillance. “Black Mirror” type pictures accompanied some early articles – showing people crossing the street with cameras identifying them. Real-time information is not relevant to the system. It would only be relevant if you crossed the street against the lights and were ticketed. And only if you were ticketed repeatedly, or something really serious happened, would the resulting administrative or criminal punishment be recorded in the so-called social credit or regulatory file.

In the West, we often automatically assume the collected information in China’s social credit files can be misused for various purposes, whether it’s to measure party loyalty or by the security services to target people. Obviously, the police, the security services, have their own databases and their own surveillance, but that has nothing to do with social credit. They don’t need a social credit system to do their job; they’ve got plenty of information on their own.

In addition, there’s been an emphasis over the last few years on making clear all the procedural protections and remedies that individuals and companies have under Chinese law that applies within the social credit system. If you find that the information in the file is wrong, you have the right to correct it or to delete it if it’s erroneous.

If you’re properly blacklisted and it’s affecting your ability to get government procurement contracts or get a good job, you’re only on the list for so long. Procedures limit the length and exist to make sure you can get de-listed. And then, as in the United States, services relating to credit repair have grown up, to help rehabilitate those who ended up on a blacklist.

The social credit system has gradually been “legalized, to ensure that the legitimate rights and interests of individuals and companies are protected.” To be sure, there are some real problems to be addressed. Chinese law punishes some kinds of speech that, in the U.S., we think is legal. If you are fined or jailed for your speech, the social credit system can work to help enforce what we see as illiberal rules or laws. But the system is often fundamentally misunderstood. You still see references to social credit scoring, citizen scoring, that kind of thing. In my view, that’s not what’s happening.

What do you think it’s most important for Americans to understand about the Chinese government in the context of data privacy and censorship?

China is a one-party state, overseen and led by the Communist Party of China, and their view of data security is tied to national security issues. Their national security concept is very broad and very comprehensive. It involves economic security, cultural security, you name it. Everything can have an impact on national security as they see it. It also includes any information that may endanger the legitimacy of the Chinese Communist Party.

In China, there’s an added element tied to the content of data and information as well. The Communist Party has a very well-developed propaganda department, which is the one that’s responsible for monitoring information content and censorship of things that they feel will be detrimental to the Chinese Communist Party’s reputation and integrity. It also works against false information and rumors, which was a big concern during COVID.

There’s a different approach in China to the data security issue, not so much privacy. Privacy is privacy.

When I look at how their data governance system is evolving, I think they’re trying to balance national security concerns against economic development. It’s something that we’re going through in the United States now too, in our efforts to counter Chinese and Russian disinformation campaigns. We support free flow of information in principle, but now we’re beginning to see that maybe we don’t want certain kinds of data being shared with countries that we believe are trying to do us harm.

China has the same idea. They developed a concept called “data sovereignty”, which means that all information produced in China about Chinese people, Chinese companies, and scientific research should stay in China so they can protect it and also benefit from it. Because now, particularly with the new digital economyquickly developing – with the Internet, data, AI, and everything else – these huge data sets that China generates have economic value as well. Data is a competitive advantage, too.

The Chinese Communist Party recognizes that suppressing information and interfering with the flow of data will impact economic development, so how they balance those competing interests is critical. The governance regime tries to address it. They put in place concepts, protections, and procedures that are very similar to those we have in the United States and in Europe. I think we have some fundamental common principles including on privacy protection that we can work together on to establish global rules.

The value systems, the fundamental ones, are not that different.

I think on the issue of data, we may end up pretty much on common ground because China has to modify their real concern about the national security implications of data flows in order to facilitate innovation, international commerce, and economic growth. In the U.S., we’re already moving away from our free flow principle to wanting to restrict it. We’ve got to be able to agree on what kinds of data may legitimately be controlled or subject to licenses and export controls. Also, what kind of data should be able to freely flow to help commerce, scientific research, and so on.

I think somehow, hopefully, we’ll be able to reach some accommodations on these important issues because they impact climate, including climate modeling, and health. When’s the next pandemic coming and from where? How can we address it? Data availability and integrity impact the economy, politics, and the ability of individuals to manage their own lives and futures, everything all around the world. Being here at the Carter Center, it’s important for peace, too, that we work these things out and don’t go to war over competitive issues – that we ought to be working out rules of the road bilaterally and globally instead.