Cybersecurity And Data Protection In China: The Civil Code Lays The Foundation For Data Protection In China.

Legal News & Analysis - Asia Pacific - China - Regulatory & Compliance - Cybersecurity

Cybersecurity And Data Protection In China: The Civil Code Lays The Foundation For Data Protection In China.


15 June 2020



The third session of the Thirteenth National People's Congress voted on May 28, 2020 to pass the highly anticipated Civil Code of the People's Republic of China ( "Civil Code "). The "Civil Code" is a landmark piece of legislation. It is the first civil code in Chinese history formed by systematically integrating and compiling and compiling my country's current private law norms. The Civil Code will be implemented on January 1, 2021.

The Civil Code for the first time stipulates the principles of privacy and protection of personal information, defines the concept of personal information, sets out the legal basis for processing personal information, regulates the obligations of personal information processors, natural persons’ rights to their personal information and Duties of administrative organs. Although there are many problems to be solved in the future "Personal Information Protection Law", the "Civil Code" has laid the foundation for future legislation in this field.

This article focuses on the key provisions of the Civil Code on privacy and protection of personal information, and explains our views.




According to the provisions of the Civil Code, personality rights refer to the rights enjoyed by individuals based on their personal freedom and dignity. Historically, Chinese civil law did not explicitly recognize the right to privacy as the right to personality. Neither the Constitution nor the General Principles of Civil Law contains provisions on privacy. Although the Tort Law clearly protects privacy as a civil right, it does not define privacy, nor does it establish privacy as Personality rights.

In terms of personal information, the Cyber ​​Security Law, promulgated in 2016, is the first national-level legislation to protect personal information on the Internet. However, its provisions on the obligations of relevant subjects only concern network operators and the information collected through the network. However, the recommended national standards in the "Personal Information Security Code" lack mandatory legal effects. Future legislation on the protection of personal information will depend on whether the basic principles on the protection of personal information can be established in Chinese law.

The Civil Code defines the right to privacy and establishes it as a personality right parallel to other basic rights such as the rights to life, health, and reputation, and stipulates the basic principles for the protection of personal information in China.


Key provisions in the Civil Code


I. Definition of privacy and personal information

According to the Civil Code, natural persons enjoy the right to privacy without any infringement. Privacy is defined as the tranquility of the private life of natural persons and the private spaces that are unwilling to be known to others. Private activities and private information.

The definition of personal information refers to various information recorded electronically or in other ways that can identify a specific natural person alone or in combination with other information, including the natural person’s name, date of birth, ID number, biometric information, address, and phone number , E-mail, health information, whereabouts information, etc. This definition is consistent with the definition adopted in the Cybersecurity Law.

II. The boundary between privacy and personal information

The Civil Code applies different rules to the protection of privacy and personal information. The Civil Code recognizes that the right to privacy is a right of personality, but it does not stipulate that natural persons enjoy the right to personal information, only that the personal information of natural persons is protected by law. In addition, there is overlap between the scope of privacy and personal information defined in the Civil Code: According to the Civil Code, private information in personal information is subject to the provisions on privacy, not the protection of personal information. The Civil Code 》The specific scope of private information has not been clearly defined.

III. Processing of personal information

Definition of processing and processor

The Civil Code introduces the concept of personal information processing. The processing of personal information includes the collection, storage, use, processing, transmission, provision, and disclosure of personal information. This is the same as the EU’s General Data Protection Regulation (“ GDPR ”). The definition of "processing" is similar. The Civil Code also introduces the concept of personal information processor.
Although it is not clearly defined, it can be understood as any person who processes personal information according to the regulations, and it can be understood that this definition includes the personal data controller defined by GDPR And processor.

The Civil Code also reiterates the principles to be followed when processing personal information, namely the principles of legality, legitimacy and necessity. This principle has already been reflected in existing laws and regulations or national standards such as the "Network Security Law" and "Personal Information Security Standards."

Duties of personal information processors

The Civil Code stipulates the following requirements that personal information processors must comply with when processing personal information:

  • Obtain the consent of the natural person or (if the natural person is a child) his guardian;

  • Open personal information processing rules;

  • Express the purpose, method and scope of processing personal information; and

  • Comply with the provisions of applicable laws and regulations and agreements with natural persons.

In addition, personal information processors must do the following:

  • Keep personal information collected and stored confidential without any tampering;

  • Do not provide personal information to third parties illegally, except for information that cannot be identified and cannot be recovered after processing;

  • Take technical measures or other necessary measures to ensure the security of personal information; and

  • If a data breach occurs or may occur, remedial measures should be taken to notify the natural person and report to the regulatory agency.

State organs and administrative departments and their employees are also obliged to protect the personal information obtained when performing their duties and respect the privacy rights of natural persons.

Legal basis for processing personal information

The Civil Code provides a safe haven for processors of personal information, and stipulates that the processors shall not bear civil liability when:

  • Acts reasonably carried out within the scope agreed by the natural person or his guardian;

  • Reasonably handle the information disclosed by the natural person on his own or other legally disclosed information,
    unless the natural person explicitly refuses or processes the information to infringe his major interests; or

  • Reasonable actions taken to protect the public interest or the natural interests of the natural person.

These provisions of the Civil Code actually clarify the three legal foundations for the legal processing of personal information in China. In addition, the Civil Code also stipulates that if personal information is processed in an irreversible manner so that it cannot identify a specific individual and cannot be recovered, such information processing will also be permitted.

IV. Natural persons' rights to personal information

With regard to personal information collected by personal information processors, the Civil Code grants natural persons the following rights:

  • The right to access and copy personal information;

  • The right to raise objections and request correction of personal information; and

  • The right to delete personal information when it is found that the processor of personal information violates any laws and regulations or the agreement between the two parties.

V. Privacy violations

Unless the law of illegal law stipulates otherwise or obtains the consent of a natural person, the Civil Code prohibits the following acts ():

  • Invade the private life of others by telephone, SMS, instant messaging tools, e-mail, flyers, etc.;

  • Enter or take pictures or peep in private spaces (such as family homes or hotel rooms);

  • Filming, peeping or eavesdropping and disclosing the private activities of others;

  • Photograph private parts of others' bodies;

  • Processing private information of others; or

  • Other violations of the privacy rights of natural persons.


Our observation


I. Lay the foundation for personal information protection

For the first time, the Civil Code provides extensive protection of personal information in the civil law, extending the protection of personal information from the narrow scope of the Cyber ​​Security Law to all aspects of personal life, and bringing civil proceedings against individuals for infringement of their personal information Paved the way.

The Civil Code also laid the foundation for future legislation on the protection of personal information. In fact, the Legal Work Committee of the National People's Congress has released news that it has completed the first draft of the new Personal Information Protection Law, which is expected to be submitted to the Standing Committee of the National People's Congress for deliberation soon.

II. Right of personal information or protection of personal information?

It is worth mentioning that although the "Civil Code" protects personal information and the provisions on the protection of personal information are included in the personality rights code, the "Civil Code" does not specify that the rights of natural persons to non-private personal information belong to the personality Rights, this may mean that a natural person only enjoys economic benefits rather than personality rights over his personal information. That is to say, under the circumstances that can prove the existence of actual losses, the natural person can only file a civil action for infringement of non-private personal information and demand damages. If an individual has a personality right to non-private personal information, the natural person will be able to request non-pecuniary relief, such as restoring reputation or paying an apology.

The Personal Rights Code of the Civil Code gives natural persons some rights to control the processing of their personal information, such as the right to access and the right to delete or correct personal information. However, the legal nature of such rights has not yet been clarified. If a natural person is deprived of the above personal information rights, it is not clear what remedy the natural person can take, can he file a claim for infringement, or should he file a complaint with the relevant data protection agency?

III. Unanswered questions

The "personal information processor" in the Civil Code refers to the person who processes personal information, but the Civil Code does not distinguish between the controller that determines the purpose and method of processing personal information and the processing of personal information on behalf of the controller like GDPR By. "Personal Information Security Code" also adopted the definition of "personal information controller". Inconsistencies between the Civil Code and other regulations may lead to confusion regarding the roles and obligations of the parties handling personal information. In the case where the definition of "processor" has been used in the Civil Code, it may make the future "Personal Information Protection Law" face a dilemma, that is, whether to follow the provisions of the Civil Code on "processor", or Distinguish between the controller and the processor.

Another issue that deserves attention is the scope of application of the personal information protection provisions in the Civil Code. The provisions of the Civil Code seem to apply to all data processing activities. However, it is impractical and unnecessary to require individuals to perform their personal information processor obligations under purely private circumstances such as family or private environments.

In addition, it is necessary to further clarify the scope of private information that is protected by the right to privacy and not protected by the regulations on personal information as stipulated in the Civil Code.

Another issue that needs to be clarified is the standard age for children to have the right to agree to the processing of personal information. We understand that the Civil Code requires the consent of the guardian when processing personal information of children, but does not specify the age of the child who needs the consent of the guardian.

The Civil Code stipulates that private and non-private personal information is subject to different regulations, but it is still unclear how these two regulations differ in terms of claims and relief, and what regulations and regulations apply to them.

We look forward to the "Personal Information Protection Law" which is still in the process of legislation to respond to the above issues. 

To subscribe or consult, please contact Gong Yu .


herbert smith Freehills


For further information, please contact:


James Gong, Herbert Smith Freehills