by Paul Barker

China takes steps to implement digital ID initiative

News
30 Jul 2024, 4 mins
Compliance, Data Privacy, Federated Identity

Proposed policy will have both positive and not-so-positive consequences for any organization serving Chinese consumers: Analyst

China’s Digital Identity proposal revolves around three key items: minimization of data sharing, user rights, and legal compliance, with data security being the fulcrum, an industry analyst said today.

Late last week, Xinhua, the government news agency of the Communist Party of China, reported that “Chinese citizens may, in the future, be able to avoid providing explicit personal information for internet service providers by using cyberspace IDs, according to a draft document published to solicit public opinion.”

The document, from the country’s Ministry of Public Security and the Cyberspace Administration of China, asks for comments and suggestions from residents to be submitted on or before August 25.

According to Xinhua, the draft indicates that the IDs will take two forms, one as a series of letters and numbers, and the other in the form of an online credential, with both corresponding to an individual’s real-life identity, but excluding any plaintext information.

After reviewing the draft, Manish Jain, principal research director at Info-Tech Research Group, said that the proposed policy will have both positive and not-so-positive consequences for any organization serving Chinese consumers.

On the positive side, he said it will bring benefits that Aadhaar, the 12-digit unique identity number based on biometrics that is available to all residents of India, brought to that country. In addition, it will also pave the way to “improved user trust, reduced fraud, standardization of user required for KYC (Know Your Customer) regulations and reduced data handling burden for organizations.” 

However, from the not-so-positive perspective, said Jain, aside from impacting organizations the way GDPR did, it is also going to “impact both the business model and operating model of many consumer-facing organizations. They will have to budget for new costs associated with the integration of digital ID with their infrastructure and compliance with new digital ID regulations. They will also have to invest in training consumers, privacy fortification of their infrastructure, provision for legal risks emanating from any data leakage, and driving user adoption.”

In addition, he said, organizations may be asked to purge all the PII (personally identifiable information) data they have about Chinese consumers and replace it with the National Digital ID number and credentials.

As for when it may be implemented, Jain said, “considering the Public Security Department and National Cyberspace administration have invited public feedback on the proposal by August 25, only a month after publishing the proposal, it would not be surprising if China launches the Digital ID by the end of 2024.”

Asked if there will be differences in how online identity will be handled in China compared to other nations such as India, with its Aadhaar identifier, or France, whose France Connect allows residents to authenticate their identity to most government departments based on a verified identity already provided to another department, he said he expects that to be the case.

“China is proposing a National Digital ID in three forms: an alphanumeric identifier, an ID certificate, and online credentials,” said Jain. “This approach is similar to other countries like Estonia, which uses eID, Smart ID, and Mobile ID. However, it differs slightly from India’s system, which was built for a similar population size, where Aadhaar serves as a numeric identifier and a card. For online transactions, Aadhaar relies on one-time passwords sent to registered cellphones, enhancing its security.”

Another key difference, he said, is that in China’s proposal, regulatory accountability and operational governance are vested in two existing regulatory bodies: the Public Security Department and the National Cyberspace Administration.

“This structure presents a risk of centralized data control by the Chinese government. In contrast, India, with a comparable population, has established a separate statutory authority under the provisions of the Aadhaar Act 2016 to govern Digital ID.”

Similarly, in Australia, said Jain, “the Digital Transformation Agency (DTA) holds the governing responsibilities. Entrusting the governance of Digital ID to an independent statutory body mitigates the risk of complete government control over data and fosters greater trust in the Digital ID system.”
