research-article

Understanding Chinese Internet Users' Perceptions of, and Online Platforms' Compliance with, the Personal Information Protection Law (PIPL)

Published: 26 April 2024

Abstract

The Personal Information Protection Law (PIPL) was implemented in November 2021 to safeguard the personal information rights and interests of Internet users in China. However, the impact and existing shortcomings of the PIPL remain unclear, carrying significant implications for policymakers. This study examined privacy policies on 13 online platforms before and after the PIPL. Concurrently, it conducted semi-structured interviews with 30 Chinese Internet users to assess their perceptions of the PIPL. Users were also given tasks to identify non-compliance within the platforms, assessing their ability to address related privacy concerns effectively. The research revealed various instances of non-compliance in post-PIPL privacy policies, especially concerning inadequate risk assessments for sensitive data. Although users identified some non-compliant activities like app eavesdropping, issues related to individual consent proved challenging. Surprisingly, over half of the interviewees believed that the government could access their personal data without explicit consent. Our findings and implications can be valuable for lawmakers, online platforms, users, and future researchers seeking to enhance personal privacy practices both in China and globally.


Cited By

  • (2024) ExTea: An Evolutionary Algorithm-Based Approach for Enhancing Explainability in Time-Series Models. Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track, 429-446. https://doi.org/10.1007/978-3-031-70381-2_27. Online publication date: 8-Sep-2024

Published In

Proceedings of the ACM on Human-Computer Interaction, Volume 8, Issue CSCW1 (CSCW)
April 2024
6294 pages
EISSN: 2573-0142
DOI: 10.1145/3661497

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

  1. chinese law
  2. informed consent
  3. personal information protection law
  4. qualitative methods
  5. users' perception

Qualifiers

  • Research-article
