Broad use of health codes raises privacy and legality concerns
Published: Jun 17, 2020 12:20 AM

A resident scans a QR code at an entrance to a supermarket in Zhengzhou, central China's Henan Province (photo: Xinhua/Li An)

Jie Zi, 24, was stopped by a man in police uniform on her way to a supermarket near her home on Saturday. The man required Jie to show him her Suzhou Health Code (or Sucheng Code), a local version of the health code app in Suzhou, East China's Jiangsu Province where Jie lives.

The man initially asked Jie whether she had installed the app. "After I told him I had installed it, he checked my mobile phone (to make sure)," she complained on Weibo the next day.

Another Suzhou resident, Xiao Guaishou (pseudonym), also said she was offended by an auxiliary police officer at the gate of her residential community on June 9 who forced her to download the Suzhou Health Code app. 

The man grabbed Xiao's bag and prevented her from entering her community after Xiao refused to download the app. "Only when I called 110 (emergency call) did he let me go," Xiao told the Global Times Monday.

The health code system, a convenient way to demonstrate the quarantine status of people returning to work or from their homes, has been widely used across China in the fight against the novel coronavirus (COVID-19). It is based on the personal information it collects, including one's locations and movements.

The system has become widely used by some regional governments even after the epidemic situation has largely improved in China. A few local versions of the health code, originally intended to battle the virus, have added more functions which require citizens to provide more personal information.

The controversial "update" of the health code has resulted in privacy and legality concerns. Some legal experts reached by the Global Times said they are concerned the "updated" code may lead to information abuse problems and may harm the government's credibility.

"The use of personal information must be within reasonable limits," Ding Xiaodong, deputy director of the Law and Technology Institute under the Renmin University of China, told the Global Times Monday.

Information collection concerns

The Suzhou Health Code was designed by local political, legal and public security authorities as a comprehensive electronic identity code. It contains citizens' information including ID card, residence permit and driving license, local newspaper Suzhou Daily reported on June 3.

It was downloaded 19 million times and had 2.32 billion visits within a week after being launched on May 25, the report said.

The Suzhou government didn't make it compulsory for every citizen to install the code, said Suzhou public service hotline 12345. "But a few schools do force students or their parents to install it," a staffer for the hotline told the Global Times Monday.

Jie installed the code at the request of her employer, a kindergarten. She said that many local public institutions have forced their staffers or the residents they serve to install the code.

"They have to finish their 'targets' of reaching a certain number of installations," she told the Global Times.

The collection of citizens' information should be on a voluntary basis and carried out in a humanized way, Ding said.

It must follow the principles of informed consent, purpose limitation and data minimization as well, meaning collectors must let citizens know what their information is used for, and they must neither excessively collect nor overuse it, Ding added.

The information collection amid the COVID-19 pandemic has to some extent violated these principles at the regional level, some observers said.

Among the local versions of health codes in 14 provinces and cities, nine had neither user agreements nor privacy policies, said Lei Ruipeng, deputy dean of the School of Humanities under Huazhong University of Science and Technology, according to a report by Health News in April.

Lawyer Xiong Dingzhong recalled his experience of being asked to provide his identity number at some restaurants in Beijing, saying this kind of information collection was "at an exaggerated degree."

The behavior was understandable in the midst of the pandemic, when personal information was widely collected to serve the then priority of reducing the virus transmission risk, said Xiong, who was also secretary general of the internet law and policy research center at the School of Law under Tsinghua University.

Nonetheless, information that is collected in such an emergency situation should be deleted afterwards rather than being used elsewhere, Xiong added.

"Otherwise, it may hurt the precious credibility and mobilization ability of our government," he told the Global Times Monday.

Deal with risks

The Chinese central government is making efforts to deal with the possible security and privacy risks brought by the health code. 

The State Administration for Market Regulation issued national standards for health codes in April, regulating information collection, processing and utilization, and prohibiting "data leakage."

The relevant authorities are cleaning up redundant virus-fighting codes to bring citizens more convenience, the Xinhua News Agency reported on June 8.

At the regional level, some cities such as Hangzhou in East China's Zhejiang Province, where the health code system was first introduced, have issued rules to ban information abuse and privacy invasion via the health code.

The Hangzhou authorities were reported to have suspended their controversial idea of adding to the local health code a function that would monitor and rank citizens' health condition and behavior such as exercise, alcohol consumption, smoking and sleeping.

As a product of emergency management amid the pandemic, the health code system has its boundaries, said Chen Guangsheng, deputy secretary-general of the Zhejiang government. "Comprehensive assessment and cautious treatment are necessary when the use of the code goes beyond its original boundary," Chen said on June 2 in response to public concerns about the idea.

Broader use of the health code after the pandemic can be reasonable only when the collection of personal information is legal, open and transparent, said lawyer and Certified Information Security Professional (CISP) holder Shi Yuhang.

Collectors must make the purpose, method and range of the collection clear to citizens and obtain their permission, as required by both the country's existing cybersecurity law and the Civil Code that will be effective next year, Shi said.

"Digitization and intelligentialization are the trends of city development," Shi told the Global Times. "As a big holder of data (of citizens), governments at all levels should live up to the public's trust, and use and protect their information in compliance with laws and regulations."