There is as yet no law specifically addressing personal information processing in China. The laws that do relate to personal information processing were originally intended to regulate different subject matter and therefore bear upon personal information processing indirectly. However, these laws still impose requirements that happen to have the practical effect of also affecting personal information processing. Therefore, although the laws do not yet address the topic of personal information in a direct, coordinated and systematic way, taken together they address many of the individual components of what lawyers in many jurisdictions would recognize as personal information protection law.

Stated in very general overview, examples of such laws include:

  1. Constitutional provisions (Articles 38 and 40 of the Constitution of the P.R.C.) that establish rights that relate to privacy, such as a right of dignity of the person, prohibitions against insult, defamation, false accusation or false information directed against Chinese citizens, and a right of freedom and secrecy of correspondence. These provisions do not, however, establish an express constitutional right to privacy, even though their subject matter may be related to privacy.
  2. Provisions of civil law (Article 120 of the General Principles of the Civil Law of the P.R.C.) that protect a citizen’s right of personal name, portrait, reputation or honor.
  3.  A provision of criminal law (Article 253 of the P.R.C. Criminal Law) that makes working personnel of state agencies, or of organizations in particular industry sectors, potentially subject to criminal liability if they sell or illegally provide to other persons individual information of citizens obtained during the course of such organization’s performance of official duties or provision of services. An organization and its responsible officers could also be made subject to the same criminal liability, if it obtains information that had been misappropriated in this way.
  4. A judicial interpretation (the Interpretation of the Supreme People’s Court on Issues regarding the Ascertainment of Liability for Compensation for Psychological Damages in Civil Torts) that protects an individual’s rights of personality, including an individual’s privacy, by granting a right to claim for psychological damages.
  5. Provisions of computer-related and internet-related laws that require that computer information systems must not be used to endanger the legitimate interests of citizens of China, or to endanger the national and public interests.
  6. Provisions of computer-related, internet-related and database-related laws that require that the contents of particular databases must be kept confidential, must be protected by security measures and procedures and may not be breached, altered or distributed.
  7. Regulations that require particular consents to be obtained before personal information may be collected in certain circumstances.

Local laws also apply in particular places. Rights established under the foregoing laws are typically subject to limitations, including limitations related to public security, state security and state secrets, or criminal investigations.

New laws and regulations that deal with individual components of personal information protection may (and will) be enacted from time to time, including at local levels. For example, the Standing Committee of the National People’s Congress may be discussing a draft Tort Liability Law that will impose joint and several liability on internet service providers which improperly post personal information on the internet. The precise content of any such new laws or regulations, however, can only be made precisely known as and when they are actually promulgated. Before then, it is common for a generous extent of rumors and speculation to circulate.

Some of the foregoing laws establish a private right of action. In such instances, a violation of the law can lead to claims against the transgressor in a People’s Court in China. Others do not establish a private right of action, leaving some practical uncertainty as to how an aggrieved citizen could pursue a remedy for a violation of rights established under these laws. Still, the lack of a private right of action does not contradict or eliminate the fact that the right exists in principle, and leaves open the possibility of enforcement by government agencies. Finally, depending on circumstances, private rights of action might be exercised under laws that have established such private rights of action, under the same sets of facts and circumstances that give rise to a violation of laws that have not established a private right of action, thus effectively allowing a private citizen to proceed on an action under one law even if another law would not have allowed the action.

Fines will be imposed for violations, while laws that allow a private right of action can also expose a violator to claims for psychological damages, compensation for losses, cessation of the infringement, rehabilitation of reputation, elimination of illegal effects, and extension of an apology. The criminal law provision carries potential liability of up to three years or detention, and a fine imposed as a concurrent penalty or as a single penalty on its own.

There has been activity in China in the past that has suggested that a coordinated and systematic personal information protection law could be in the offing. For instance, around the year 2003, the Chinese government tasked a group of academics from the Chinese Academy of Social Sciences to research and prepare a draft data protection law. A draft law was finished in 2005 and later published. The leader of this task force liaised with a number of privacy academics and think tanks internationally, including the Centre for Information Policy Leadership at U.S. law firm Hunton & Williams. For a time it appeared that this effort could have led to the enactment of a coordinated and systematic personal information protection law. However, prospects later became less clear after a ministerial reorganization of many of the agencies and bodies involved. At the time of writing, prospects of when such a law may be enacted remain unclear.

There are a number of questions that will have to be resolved in connection with any eventual enactment of a coordinated and systematic personal information protection law in China. Among these is the question of what conceptual approach should underpin the legislation. While not an immediately obvious point, it is actually a fundamental issue as it involves an important decision on what objectives, and even values and priorities, would be served or promoted by the protection of personal data. For instance, from a Western perspective, it is straightforward: personal information protection laws reflect cultural concepts of personal privacy that are something of a human right that is linked to individual dignity and personal freedom.

This issue of choosing what objectives, values and priorities are to be upheld by personal information protection legislation is more problematic for China. While in the West it seems obvious that personal information protection legislation should uphold personal rights of privacy, in China a more communal culture traditionally exists that does not perceive privacy in the same way as in the West. In fact, the traditional Chinese perspective sometimes assigned negative connotations to privacy. A lot of this can be seen from the Chinese language itself. For example, the saying “to walk private” (??) means “to smuggle.” And the four-character saying “self private, self benefit” (????) means “selfish” or “self-centered.” With this kind of traditionally indifferent and even sometimes negative cultural perspective on “privacy,” it might be a fair wager that personal information protection legislation will not arise in China on the conceptual basis of protecting privacy as an element of individual dignity and personal freedom.

As a result, when and if it does arrive, personal information protection legislation could be likely to have to respond to a different conceptual driver than those that inform and order personal information protection in the West. It is not now clear what that conceptual driver will be. It is possibly a decision that has not been made yet. It is a decision that the Chinese will have to make on their own, and that is not susceptible to outside intervention. Depending on what values and priorities are ultimately chosen and intended to be served, a personal information protection law could be positioned and cast as a consumer protection law, as a tort law, as an item of banking regulation (such as a bank secrecy law), or as a matter of law and order, among many possibilities.

Finally, there is also a prospect that no coordinated or systematic personal information protection legislation will be enacted in China at all, at least in the foreseeable future. In that instance, personal information protection law will exist, but only in a continuation and extension of its current scattered, piece-by-piece form. This could well be the long term result if the questions of which conceptual approach should prevail, and of what values and priorities should be served, simply prove to be too thorny for the Chinese to resolve in sufficiently prompt manner to head off a default adoption of a patchwork approach. In this default scenario, other legislative projects would then take up isolated elements of personal information protection on a piecemeal, act-by-act basis.

This weblog entry was originally published on the DataGuidance website (