China - The Third Draft Of The Compilation Of Personal Rights In The Civil Code Has Strengthened The Provisions On Personal Information Protection.
12 September, 2019
On August 23 2019, the 12th Session of the Standing Committee of the 13th National People's Congress reviewed the Compilation of Personal Rights in the Civil Code (Draft), and on August 27 2019 released the third draft of the Compilation of Personal Rights in the Civil Code (Draft) ("Third Draft"), in which personal information protection was highlighted[1]. Compared with the current General Provisions of the Civil Law of the People's Republic of China ("General Provisions of the Civil Law"), the Third Draft further establishes the civil protection system for personal information, defines the scope of personal information, details the requirements for personal information protection, and clarifies the relevant responsibilities and obligations.
1. Civil protection system for personal information
Article 111 of the General Provisions of Civil Law clearly stipulates that the law protects personal information. The Third Draft, based on Article 111 of the General Provisions of Civil Law, further regulates the protection of personal information and privacy rights. Article 811 of the Third Draft clarifies that “privacy refers to private spaces, private activities or private information that individuals are not willing to disclose to others”. Article 813 stipulates that personal information refers to various types of information that can be used to identify a specific person.
2. The scope of personal information
The scope of personal information is not clearly defined in the General Provisions of Civil Law. However, the definition of personal information is scattered throughout the Provisions on the Protection of Personal Information of Telecommunications and Internet Users, the Measures on Punishment for the Infringement of Consumer Rights, Cybersecurity Law ("CSL"), and other laws and regulations.
Article 813 of the Third Draft complies with the definition of personal information in the CSL, which stipulates that “personal information refers to various types of information which are recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of an individual, including name, date of birth, ID number, biological identification information, address, telephone number and e-mail address, as well as the tracking information of the individual”. Compared with the Compilation of Personal Rights in the Civil Code (second draft) released on April 26 2019, the Third Draft expands the scope of personal information, adding "e-mail address" and "tracking information" to the scope. During the review of the Third Draft, the committee members suggested continuing to expand the scope of personal information protection based on practice, and appropriately broadening the definition and scope of sensitive personal information that may affect personal security and the safety of personal property[2].
3. Requirements for personal information protection
Article 111 of the General Provisions of the Civil Code only requires in general that “any organization or individual who needs to obtain the personal information of others shall obtain and ensure the security of the information according to the law, and shall not illegally collect, use, process or transmit the personal information of others, and shall not illegally buy or sell, provide or disclose others’ personal information.” The specific requirements for personal information protection and the rights of the individual are provided in various laws and regulations such as the Decision of the Standing Committee of the National People's Congress on Strengthening the Protection of Network Information, the Provision on the Protection of Personal Information of Telecommunications and Internet Users, and the CSL.
The Third Draft has detailed the rules on the conditions of personal information collection and the rights of individuals through Articles 814 to 815.
Article 814 of the Third Draft stipulates four conditions for personal information collection and processing: obtain the consent of the person or their guardian; disclose the rules on personal information collection and processing to the public; clearly indicate the purpose, method and scope of the collection and processing; and comply with the laws and regulations and with the agreement reached by the two parties.
Article 815 of the Third Draft clearly stipulates that individuals have the right to inspect, transcribe and copy their personal information; if the information is incorrect, they can make corrections; if the data controller’s personal information collection and processing violates the laws, regulations or the agreements reached by the two parties, the individual has the right to request that the personal information controller delete his or her personal information in a timely manner.
4. Responsibilities and obligations of personal information protection
Article 816 of the Third Draft clearly stipulates three situations in which individuals are not subject to civil liability in the collection and processing of personal information:
(a) within the scope of consent from the individual or their guardian;
(b) the information has been disclosed voluntarily or has been legally disclosed to the public, except in the instance that the individual has explicitly refused such processing or the processing would infringe their interests;
(c) other acts performed in a reasonable manner in order to protect the public interest or the legitimate rights and interests of the individual.
Regarding the first situation, during the review some members pointed out that the scope of personal information currently collected by many mobile apps is too broad and unnecessary. Although consent from individuals or their guardians has been obtained in “a packaged way”, their rights have been seriously violated, which runs against the comprehensive protection of their personal information. Therefore, it is proposed to amend the first situation to "acts performed within the scope of consent agreed to by individuals or their guardians, and such acts shall be in accordance with the functions of the software or the carrier that collects and processes personal information and shall be limited to the purpose of achieving this service"[3].
Article 817 of the Third Draft clarifies that information collectors and controllers shall not disclose or tamper with personal information, and may not illegally provide personal information to others without the consent of the subjects. State departments and their staff shall not disclose or illegally provide an individual’s private and personal information to others. During the review process, some members pointed out that the Third Draft only stipulated the obligations of the personal information collectors, personal information controllers and state departments and their staff, but did not clearly stipulate the relevant legal liability. Therefore, for the purpose of strengthening personal information protection, it is recommended to add the liability of personal information collectors and controllers for disclosing, tampering with, or illegally providing personal information, and liability provisions for state departments and their staff for disclosing or illegally providing an individual’s private and personal information[4].
5. Our observations
Prior to the Compilation of Personal Rights in the Civil Code (Draft), under the civil law system, provisions relevant to personal information protection were mainly provided in Article 111 of the General Provisions of Civil Law and the relevant provisions of the Law of the People's Republic of China on Tort Liability. However, in practice, due to various factors such as the difficulty in producing evidence, the degree of personal information protection through civil litigation is very limited. The Compilation of Personal Rights in the Civil Code (Draft) has, under the civil law system, defined the scope of personal information, clarified the requirements for personal information protection, and stipulated the responsibilities and obligations of personal information protection. However, it remains to be seen whether it will be an effective means of personal information protection and give individuals further possibilities for protecting their personal information in the future.
Marissa (Xiao) Dong, Partner, Jun He