On 28 May 2020, the National People’s Congress voted through the long-awaited Civil Code, the first in the history of China. The Civil Code is a landmark piece of legislation that codifies China's private laws and will take effect on 1 January 2021.
For the first time, the Civil Code enshrines the right to privacy and the principles of personal information protection. It defines personal information and provides and sets out the legal basis for personal information processing, the obligations on the personal information processors, the rights of individuals to their personal information and the duties on administrative bodies. Despite raising a number of questions, which we hope will be addressed in the awaited Personal Information Protection Law, it paves the way for future legislation in this area.
In this e-bulletin we highlight the key provisions of the Civil Code on right to privacy and personal information protection and set out our observations.
Under the Civil Code a personality right is defined as a right that an individual enjoys based on his or her personal freedom and dignity. Historically, the right to privacy has not been established as a personality right in China’s civil law. Neither the Constitutional Law nor the General Principles of Civil Law touch on the right to privacy. Whilst the Tort Law expressly protects privacy as a civil right, it does not define the right to privacy and falls short of recognising the right to privacy as a personality right.
As for personal information, the Cybersecurity Law introduced in 2016 was the first piece of national legislation to protect online personal information. However, its obligations only extend to network operators and information collected over the network. The recommended national standards, contained in the Personal Information Security Specification, lack mandatory legal effect. Future legislation on personal information protection will hinge on the fundamental principles of personal information protection being enshrined in the Chinese law.
The Civil Code now defines and recognises the right to privacy as a personality right on par with other fundamental human rights such as the right to life, health and reputation. It lays down the principles for protecting personal information in China.
KEY PROVISIONS OF CIVIL CODE
I. Definitions of right to privacy and personal information
Under the Civil Code, an individual is entitled to enjoy the right to privacy free from any infringement. Privacy is defined as peace in a person’s private life and private space, and in activities and information that the individual does not wish others to know.
Personal information is defined as the information, recorded electronically or otherwise, that can, alone or combined with other information, identify an individual. Examples of an individual’s personal information include the person’s name, date of birth, ID number, biometric information, address, telephone number, email address, health information and location. This definition is identical to that adopted in the Cybersecurity Law.
II. Boundary between privacy and personal information
Different regimes apply to privacy and personal information protection. The Civil Code recognises the right to privacy as a personality right but falls short of recognising that an individual has a personality right in personal information. It simply states that an individual’s personal information is protected by law. There is some overlap between the scope of privacy and personal information as an individual’s personal information which is considered to be private information will be governed by the provisions applicable to the right to privacy instead of under the regime for personal information. The precise scope of private information is unclear however as it is not defined in the Civil Code.
III. Processing of personal information
Definitions of processing and processor
The Civil Code officially introduces the concept of personal information processing which includes collecting, storing, using, adapting, transmitting, providing and publicising personal information. This is similar to the definition of “processing” in the General Data Protection Regulation (GDPR) under EU law. It also introduces the concept of a personal information processor, which, although not defined, can be interpreted to mean any person that processes personal information and therefore to cover both personal data controller and processor as defined under the GDPR.
The Civil Code also reiterates the principles to be followed when processing personal information, namely lawfulness, legitimacy and necessity. These principles already exist in current laws and regulations such as the Cybersecurity Law and the Personal Information Security Specification.
Obligations on personal information processors
The Civil Code requires personal information processors to comply with the following requirements when processing personal information:
obtain the consent of the individual or his or her guardian (contemplating the situation where the individual is a child);
make public the personal information processing rules;
indicate clearly the purpose, method and scope of the personal information processing; and
comply with the applicable laws, regulations and the agreement with the individual.
In addition, personal information processors are required to:
keep confidential and unaltered the personal information collected and stored;
not provide personal information illegally to a third party, unless the personal information has been processed so that the individual cannot be identified nor the identity recovered;
take technological or other necessary measures to ensure the security of the personal information; and
take remedial measures, notify individuals and report to the regulator if a data breach occurs or may happen.
State authorities and administrative bodies and their employees are also obliged to protect personal information that comes to their knowledge when discharging their duties as well as respecting the right to privacy.
Legal bases for processing of personal information
The Civil Code provides a safe harbour for a personal information processor against civil legal liability for its processing activities where the processor:
acts reasonably within the scope of the consent given by the individual or his or her guardian;
reasonably processes publicly available personal information that has been made public by the individual or by other legal means, unless the individual has expressly forbidden any processing of such information or the processing will infringe the individual’s vital interest; or
acts reasonably to protect the public interest or the legal interests of the individual.
These provisions in fact set out three legal bases for personal information processing in China. As noted above, the Civil Code also suggests that processing will be permitted if the personal information has been processed in an irreversible manner that the individual cannot be identified.
IV. Individual’s right to personal information
The Civil Code gives an individual the following rights in relation to the personal information that has been collected by the personal information processor:
to access and copy the personal information;
to request correction of the personal information; and
to request deletion of the personal information if the individual discovers that the processor has breached any laws, regulations or the agreement between them.
V. Activities breaching the right to privacy
Unless otherwise permitted by law or consented to by the individual the Civil Code prohibits the following activities:
interfering with a person’s private life through means such as telephone, messages, instant messenger, emails and flyers;
entering or filming in, or surveillance on private spaces, such as a home or hotel room;
filming in, surveillance or wiretapping and making public a person’s private activities;
filming a person’s private body parts;
processing a person’s private information; or
other activities that infringe on a person’s right to privacy.
I. Laying the foundations for personal information protection
The Civil Code for the first time affords general protection in the civil law for personal information. It extends the protection of personal information from the narrow scope currently afforded by the Cybersecurity Law to protection in all aspects of life. It paves the way for individuals to bring legal claims for infringement of their personal information.
It also lays the foundations for future laws on personal information protection. In fact, the Legal Affairs Office of the National People’s Congress has advised that it has finalised the first draft of a new Personal Information Protection Law which it expects to submit to the Standing Committee for review soon.
II. Personal information right or protection of personal information?
It is worth noting that the Civil Code protects personal information but does not recognise an individual’s rights to non-private personal information as a personality right, despite including provisions on personal information in the section of the Civil Code on personality rights. This implies that an individual will only have an economic interest in their personal information rather than a personality right. This could mean that an individual could only bring a private claim for infringement of non-private personal information and claim for damages if loss can be proved. If it were a personality right, the individual would be able to claim non-monetary remedies, such as rehabilitation of reputation or a formal apology.
The Civil Code provides certain rights to individuals to control the processing of their personal information by having, for instance, access rights and the right to require its deletion or correction. These have been included in the chapter of the Civil Code on personality rights. However, it is unclear what the legal nature of such rights is. If individuals are denied such rights to their personal information, it is unclear what remedies would be available to individuals, for instance would they be able to bring a private claim for infringement or should they make a complaint about the matter to the relevant data protection authority?
III. More questions to be answered
The Civil Code refers to “personal information processor” to indicate a person that processes personal information, but does not differentiate between a controller that determines the purpose and means of personal information processing and the party that processes the personal information on behalf of the controller, defined under GDPR as a processor. The Personal Information Security Specification also adopts “personal information controller”. The inconsistency between the Civil Code and other regulations could lead to confusion as to the role and obligations of the parties processing personal information. With the Civil Code using the term “processor”, the future Personal Information Protection Law may face a dilemma as to whether to follow the Civil Code in using “processor” or to distinguish between the controller and processor.
Another question arises as to the scope of the provisions on personal information in the Civil Code, which seem to apply to all data processing activities. However it would be impractical and unnecessary to require an individual to perform the obligations that are required of a personal information processor in a purely personal scenario within a household or private setting.
The scope of private personal information that is to be protected by laws on the right to privacy rather than the personal information regulations also need to be clarified.
A further point requiring clarification is the age of consent for children. The Civil Code requires the consent of a guardian to be obtained, presumably in the case of a child’s personal information being processed, but omits to specify the age of consent for children.
The Civil Code provides that privacy and non-private personal information are governed by different regimes, but it remains unclear how the two regimes will differ in terms of recourses and remedies and what exactly the relevant provisions or regulations are.
Hopefully these questions will be answered by the Personal Information Protection Law which is still going through the legislative process.