When the data leaks started, people from Wuhan were the first victims. But now people across China are grappling with whether the personal information they surrendered to fight the pandemic is being well protected.

Around the time of the Lunar New Year holiday in late January, many people traveling back to their hometowns from Wuhan were receiving less-than-friendly phone calls and WeChat messages from strangers. Some angrily told them to return to the virus-stricken city. Others asked if they had been eating wild animals, an unconfirmed theory about how the deadly coronavirus first reached humans.

This harassment was the result of wide-ranging doxxing online, with personal information being shared in spreadsheets passed around in WeChat groups, according to Chinese media reports. The data included real names, national ID numbers, phone numbers and home addresses, resulting in spam calls and online harassment.

The victims’ only sin was living in Wuhan, the epicenter of the coronavirus outbreak. Before the city was locked down on January 23, 5 million people left the city to go home for the holiday or because of the epidemic.

People use QR codes required to prove their health and travel status before being allowed to enter a shopping mall in Beijing on May 2, the second day of a five-day national holiday. (Picture: AFP)

In the immediate aftermath of the outbreak, people from Hubei province, where Wuhan is the capital, faced widespread discrimination. But data collection would soon become the default method of combating the spread of the coronavirus as local governments and organizations sought to track who was going where. Soon enough, data leaks were affecting a lot more people than just those from Wuhan.

Last month, the names, addresses, phone numbers and national ID numbers of 6,685 people were circulated in WeChat groups. The victims all had one thing in common: They visited the same hospital in the eastern city of Qingdao.

The hospital in question had recently announced that it had two patients with Covid-19. Rumors reportedly started spreading that some visitors on the leaked list were also infected.

Qingdao police said after investigation that three people were detained for sharing the list. But it’s still not clear how they acquired it in the first place.

The leaks are perhaps made easier by how much China’s fight against the coronavirus relies on troves of personal data collected to trace who has contact with potential coronavirus carriers. This data collection also helps enforce strict social distancing and quarantine measures that some describe as draconian.

These efforts include color-based QR health codes, which are meant to indicate the likelihood that someone has been infected by the virus. The green, yellow or red codes indicate whether someone can freely move around a city or must quarantine for one to two weeks. They’re generated in mini programs on WeChat and Alipay by combining some user-submitted information and real name-based big data held by authorities.

(Abacus is a unit of the South China Morning Post, which is owned by Alibaba, an affiliate of Alipay owner Ant Financial.)

Even some shops and restaurants are collecting data from customers. One report from Xinhua says some shops, restaurants and residential neighborhoods asked people to write down personal information on notepads at their entrances. This has triggered concerns that the information isn’t well protected. In one case mentioned in the report, a neighborhood’s property management staff asked residents to fill in their income.

A resident scans a QR code at an entrance to a supermarket in Zhengzhou in February. (Picture: Xinhua)

“All societies must grapple with how to balance public health interests with personal privacy rights,” said Stuart Hargreaves, a professor at the Faculty of Law at the Chinese University of Hong Kong.

But many Chinese media reports show that personal information leaks from anti-epidemic efforts are happening on a large scale in China. And in some cases, those in charge of the data are the ones leaking it.

In the county of Yiyang in Henan province, the deputy director of the local government’s health department was found to be responsible for sending an internal document about a Covid-19 case to a contact on WeChat. The document contained private information about a patient surnamed Zhang and eleven of Zhang’s family members. It ended up being widely shared on the messaging platform.

In Zhoushan, a city in the eastern province of Zhejiang, personal details of Wuhan returnees were leaked by a community worker. The worker reportedly sent the information over WeChat to her husband, who then shared it with his colleagues, leading to wider circulation.

China has many laws and regulations for protecting people’s personal information, according to Susan Ning, partner at the law firm King & Wood Mallesons. But enforcing these laws is another matter.

China’s Criminal Law and Cybersecurity Law both have articles protecting personal information. Law of the People's Republic of China on Prevention and Treatment of Infectious Diseases stipulates that disease control institutions and medical institutions cannot reveal information that involves personal privacy. The Cyberspace Administration of China (CAC) also published a notice in early February saying that unauthorized companies and individuals aren’t allowed to use the epidemic as an excuse to collect personal information without consent.

Enforcement remains difficult because different organizations and individuals have different understandings about what crosses the line into illegal behavior, Ning said. The result has been people having their data collected illegally in the name of controlling the spread of the virus, according to Ning.

A man in a protective suit requires drivers to scan a QR code to enter a community in Wuhan’s Wuchang district on April 8. (Picture: SCMP)

In March, CAC’s Tianjin arm found that seven apps and mini programs designed to help track the coronavirus were illegally collecting personal information. The programs were developed by private companies, universities, government departments and residential neighborhoods. Many of them didn’t have privacy policies, didn’t inform users about the purpose for collecting the personal information, or didn’t offer features allowing users to change their personal information and register complaints, according to CAC.

In some cases, fake online services outright lie to collect personal information. In one case reported by CCTV, a man surnamed Xue was arrested in Jiangsu for allegedly making a website that claimed to let people register to get face masks. Xue didn’t actually have any face masks and was collecting information for marketing purposes, according to the report.

Even before the Covid-19 outbreak, Chinese regulators have pushed for better protection of user data because of rising consumer concerns. Now practices during the pandemic are prompting concerns that aggressive data collection is here to stay.

This could put China at odds with liberal states, according to Hargreaves. In more liberal countries, it’s generally accepted that limitations on rights can be justified in the name of public health, but they should be proportional and no more than necessary, Hargreaves said. This means these measures should be removed once the threat of the pandemic has passed.

“Of course, the [Chinese] central authorities approach the question of surveillance in a different way,” Hargreaves said. “So it may be the case that measures introduced under the guise of preventing the spread of Covid-19 remain in place there far longer than elsewhere.”