Assas Legal Innovation meets professionals to exchange on the theme of legal innovation.
For this new edition, Georges Lebauvy met Professor Shenkuo Wu, Associate Professor at the School of Law and the Department of Criminal Law and Criminal Sciences at Beijing Normal University. He has conducted research in the fields of digital law, cyber crime and comparative criminal law.
This interview was realized in English (you can find the French translation here) and made in Beijing on the 28th of December 2019 before the outbreak of Covid 19 pandemic. Therefore, it doesn’t take into account what happened later on the following year.
Could you introduce yourself: what is your academic and professional background?
My interest in cybercrime started when I was at East China University of Political Science and Law, at the Politics and Law Center. There, I made my thesis on the topic of cybercrime.
By chance, I received an offer from the Italian stakeholder of an Italian scholarship to study in Italy in Verona. It was in Verona that I met my professor, Lorenzo Picotti, who was a top expert in cybercrime issues in Italy; he was the national reporter of the OECD in the 1970’s on this topic. At that point, I started my research in the area of data protection and, step by step, I noticed the particular approach of EU towards cyber-issues, cybersecurity and cybercrime. I thought this would be a very good reference for the evolution of Chinese regulation. I returned from Italy in 2014 and the following year, in 2015, China had accelerated regulations on cybersecurity. The second draft of cybersecurity law was issued, and I participated in the legislation procedure and offered some expert references. My desire to deepen my research in this area was reinforced around that time.
Why have you chosen to specialize in cybersecurity and cybercrime?
I have always been interested in emerging issues, and at that time, around 2004/2005, unlike today, cyber-issues were rarely explored by researchers. I thought this could be a personal opportunity to have a new experience and conduct research in that area.
What is the current legislation in China regarding cybersecurity and personal data?
Since 2015, the regulation in cyber-governance area has been strengthened and has improved dramatically. Therefore, it is possible to find many considerations at a policy level, a national legislation level, and an administrative regulation level. Regarding policy issues, there are many initiatives such as: The National Strategy for Big Data, or The National Strategy for AI Development. These policies and initiatives help us to understand better the values sought by Chinese authorities. At the legislative level, China has already issued the Cybersecurity Law, the E-commerce Law and in the future, there will be the Personal Information Protection Law as well as the Data Security Law. Administrative regulations exist such as the Regulation on Online Protection of Children’s Personal Information. There are also many administrative regulations in the area of Personal Information Protection and Critical Information Infrastructure. In China, the framework of regulation has already been established. There are many drafts in this area, such as a draft of a Regulation on Data Security and a draft Regulation for the Security of Transnational Data Flow. In the future we can expect more initiatives and more dedicated norms in this area.
What is the current state of cybercrime in China?
There has been an increase in cybercrime over the last few years. In fact, the rise has been estimated to be around 30% in China.
It is hard to enforce legal sanctions regarding cybercrime offenses because of the jurisdiction problem. Internet is “borderless”: a cyberattack may be carried out from a different country while having an impact on Chinese users. Moreover, the mutual legal assistance between countries is almost useless and the procedure often take a lot of time.
Who are the victims of cybercrime?
Victims can be public or private companies as well as individuals. As a matter of fact, the identity of the victim is irrelevant. What matters most are the technical measures and the sensibility towards the risk.
Only 1% of the victims report their losses. The victims often don’t trust law enforcement and therefore, don’t consider it worth the time and money to report the incidents. Moreover, regarding companies, reporting their cyberattack-associated losses can lead to a loss of confidence on the part of their customers/clients once this information is made public as a result of the investigation process.
What is the impact of cybersecurity and data protection on the Chinese economy?
The privacy protection by companies is viewed as an economic argument. This year, Chinese Ministries have established an ad hoc group dedicated to app governance, privacy compliance and data security compliance. This will help to determine whether an app is dangerous or not. Therefore, companies could become worried about their reputation and how they use and respect the privacy of the individual.
Is the protection of personal data a public concern in China?
Since 2017, the Chinese people talk more about cybersecurity; the public opinion interest and the public demand towards cybersecurity has risen. The self-protection, the awareness about it and the public protection have all increased dramatically. For example, many companies refuse to be listed on the stock market for privacy protection.
What is the Chinese perspective regarding the European initiative of the GDPR? In terms of protection of data is it considered a good legal instrument?
GDPR has a very impressive value in terms of enhancing the public awareness towards privacy protection. GDPR has helped many countries create the framework for privacy protection. We share many values on the subject of privacy protection such as the fundamental rights of protection and also the self-decision of the users towards the network operators. I would say that firstly, we share many common experiences, and secondly that we can have bilateral exchanges and references for the improvement of these systems for the privacy protection.
There is also a research about the GDPR compliance made by Chinese companies. GDPR is viewed as providing high-level standards. The company’s compliance work provides an instrument for Chinese companies to enter into the European market. If the company observes that its’ activity contains a risk of GDPR violation it will back out.
Until now, there have been no cases against Chinese companies of GDPR violation.
If a Chinese company would violate GDPR, there would be several instruments to enforce the sentence. The first, would involve an official recognition in China of the civil sentence rendered by a European court. It is possible and has been successful in several cases. The second tool would be to use international arbitration. The last measure would involve European Data protection board (i.e.: not issuing a visa to a member of a Chinese company in violation of the GDPR).