
4. ANALYSIS OF FEASIBILITY

4.2. Analysis of Legality

Finland attaches great importance to the security and privacy of personal data. Every enterprise, individual and government body must follow the relevant laws on data security. As a government-level system, the Chinese health monitoring platform, if introduced to Finland, must also comply with the relevant laws of Finland and the European Union.

As a government-level application in China, EPIHC must comply with the relevant Chinese regulations and laws. In particular, EPIHC must follow the Information Security Technology - Personal Information Security Specification, also known as the China Data Protection Regulations (CDPR). The European Union's rules for protecting the security and privacy of personal information are the General Data Protection Regulation (GDPR).


The GDPR came into effect in the European Union on May 25th, 2018, while China's corresponding CDPR came into effect slightly earlier, on May 1st, 2018. This does not mean that the CDPR predates the EU regulation. The GDPR's predecessor was the European Union's Data Protection Directive (95/46/EC) of 1995, and the European Parliament approved the GDPR on April 14th, 2016. (GDPR.EU, 2020.) It is widely believed that China was the most direct adopter of the GDPR's approach and that the introduction of the CDPR was largely influenced by the GDPR. The GDPR is considered the most stringent personal data protection regulation in the world to date, and it has fundamentally changed the protection of EU citizens' personal data.

Although the CDPR was drafted following the framework of the GDPR, the Chinese government also modified it to suit its own national conditions. Although the CDPR and GDPR therefore share a great degree of similarity, neither can be applied in the other region. First, a comparison of the CDPR and GDPR shows that the CDPR describes personal data in more detail. This does not mean that the CDPR is more stringent than the GDPR. On the contrary, the detailed definitions leave room for some data to fall outside them. China's e-commerce sector leads the world, and an excessively strict data protection mechanism would pose significant challenges to big data analysis and the electronic economy. Second, although the CDPR has detailed provisions on personal data protection, the Chinese government has added further rules on national security, which may in some cases override provisions on personal data protection. The GDPR also contains clauses on national and regional security, but it gives more weight to the protection of personal data.

Other scholars, however, believe that the CDPR is actually more stringent than the GDPR.

Although there are many differences between the CDPR and GDPR, the data protection mechanisms of the two regions are broadly compatible. (Sacks, 2020.) The similarities and differences between the two sets of provisions do not by themselves establish whether EPIHC can satisfy both the CDPR and the GDPR. To decide whether the Chinese health monitoring platform can be introduced into Finland, it must be examined whether EPIHC can fully meet the requirements of the GDPR.

Although the protection of personal data on the Chinese health monitoring platform is gradually improving, it is not yet complete. When the government initially rolled out EPIHC, the limited time available and the lack of a complete and coherent legal framework for personal information protection meant that EPIHC was difficult to operate and too aggressive in its emergency measures. Some medical units and their staff had poor awareness of the legal requirements for protecting and managing personal information and paid little attention to them, which led to the disclosure of some people's personal information and whereabouts. These incidents resulted in some people being harassed by text messages and abusive phone calls, discriminated against and even personally attacked.

Considering the severity and harmfulness of COVID-19, the Chinese government treated it as a major public health emergency with regional characteristics. In the first stage, EPIHC was therefore promoted for the collection, processing and use of epidemic information on the basis of the Emergency Response Law of China, the Law on the Prevention and Treatment of Infectious Diseases and other related laws and regulations. In such a state of emergency, the Chinese government was more concerned with preventing and controlling the epidemic than with user information, and it had no intention of stealing it. Nevertheless, such a radical measure also poses a great threat to personal data security.

Meanwhile, this monitoring platform does not fully fall under either the CDPR or the GDPR of the European Union. The most immediate data security flaw of the health code is the lack of informed consent. When the health code was launched, most of the many provincial health codes on the WeChat and Alipay platforms lacked a user agreement or a privacy policy, and many had neither. China's CDPR stipulates that network operators must publicly state the purpose, manner and scope of personal data collection when collecting and using such data. Chapter II of the GDPR contains equivalent provisions on consent (General Data Protection Regulation (GDPR), 2020). In Internet information services, the user agreement and the privacy policy are the lawful and most commonly used means of obtaining users' informed consent. Given that the use of the health code in China is semi-mandatory or even mandatory, the absence of both documents is in effect an infringement of citizens' privacy rights.

Using the health code is undoubtedly an effective means of epidemic prevention worth promoting. However, the government and the relevant departments have not set out what will be done with the information collected during the epidemic once the epidemic is over. The data protection work of the health code is clearly not comprehensive.

To a large extent, it pays attention only to the collection and use of information and ignores the erasure of data. If collected data is not deleted after the purpose of its collection has been achieved, it is likely to be used for other activities unrelated to the original purpose, and it remains at risk of being stolen. This is not only a violation of the security of user data but also an illegal act that seriously contravenes the relevant provisions of the CDPR. Since the CDPR is largely based on the GDPR, this behaviour also contravenes the relevant provisions of the GDPR. Article 17 of Chapter III of the GDPR provides (General Data Protection Regulation (GDPR), 2020):

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b.

c.

d. the personal data have been unlawfully processed;

e.

An item-by-item analysis of the GDPR shows that introducing EPIHC directly would mainly violate the right to informed consent and the right to erasure (‘right to be forgotten’). Clearly, if the Chinese health monitoring platform were introduced into Finland unchanged, it would breach the rights of the data subject laid down in the GDPR. However, as a public health emergency of international concern, COVID-19 is extremely harmful to human beings and has profound negative social and economic effects, and for this kind of emergency there should be more comprehensive laws and regulations to follow. Article 9 of Chapter II of the GDPR permits the processing of personal data, including health data, where it is necessary for reasons of public interest in the area of public health, or to protect the vital interests of the data subject or of another natural person (General Data Protection Regulation (GDPR), 2020). Although the GDPR thus describes how personal data may be processed in a state of emergency, this does not mean that any agency may disregard the right to informed consent and the right to erasure: the emergency provisions and the data subject's rights coexist with equal priority, and there is no conflict between them.

From a legal point of view, the Chinese health monitoring platform does not fully meet the European Union's requirements for data security. However, there is no evidence that EPIHC has abused or infringed personal data. EPIHC is undoubtedly an effective tool for preventing the spread of the epidemic, and only some relatively simple adjustments to its agreements and functions are needed for it to meet the requirements of the European Union so that it can be promoted in Finland.