China’s national legislature on March 15, 2017 passed the General Provisions of the Civil Law (the “General Provisions”), the opening chapter of a civil code planned to be enacted in 2020. The General Provisions were adopted at the closing meeting of the annual session of the National People’s Congress (NPC), with 2,782 of the 2,838 deputies present voting in favor. It takes effect on Oct 1, 2017.

Article 111 of the General Provisions[1] stipulates the rules for the protection of personal data, which is believed to be one of the highlights of the General Provisions. The protection of personal data was first included in Article 109 of the Second Draft of the General Provisions of the Civil Law (the “Second Draft”)[2] on October 31, 2016, aiming to curb the prevalent illegal collection, processing and trading of personal data in the Internet era. Article 109 of the Second Draft provides that “[T]he personal data of individuals is protected by law. Entities and individuals are prohibited from collecting, utilizing, processing, transmitting personal data illegally or supplying, making public or selling personal data illegally.”

Compared with the Second Draft, the General Provisions finally adopted on March 15, 2017 further stipulate in Article 111 that “all entities and individuals are obligated to keep secure the personal data they lawfully collect”, emphasizing the data holder’s legal responsibility for data protection.

Highlights of the General Provisions in relation to protection of personal data

It is observed that the incorporation of personal data protection in the General Provisions has set the legal ground for China’s future formulation and adoption of separate laws or specific rules governing personal data protection, which is considered as a groundbreaking initiative.

Although the protection of personal data had been discussed in a number of previous legislations in China, none of these legislations has ever clarified the issues in relation to the ownership of personal data. Traditional civil law only protects the privacy right of individuals. However, the scope of personal data is much more extensive than personal privacy and different from privacy, personal data carries both personality and property features.

Moreover, Article 111 of the General Provisions on personal data protection is said to have established, for the first time, individual’s civil rights on its own data and confirmed the ownership of such personal data. It is understood that for breach of personal data, Article 111 provides the legal basis for the aggrieved individuals to seek damages against the wrongdoer by bringing a claim for tort.

China’s recent legislative efforts in the area of personal data protection

Prior to the adoption of the General Provisions, China has been endeavoring to set up the legal regime for personal data protection in recent years. Below is a snapshot of China’s major legislative developments in the area of data protection.

The intensive legislative efforts by Chinese authorities in recent years as noted above have set up the legal framework for data security and personal data protection from the dimensions of civil, criminal and administrative laws involving various sectors such as banking & finance, telecommunication, e-commerce, etc. It is expected that more rules and regulations will be formulated in the near future to put China’s personal data protection into full play.

Collecting and handling personal data with guidance

For companies that collect, process and use personal data during their business operations, data related compliance has become crucial. While exploiting the commercial value of the data collected to provide better products and services to customers, companies are required to deal with the collection and use of personal data prudently and to ensure the security of the data collected. Service terms and privacy policies in compliance with laws and regulations should be put in place; important issues such as data trading, data profiling, cross border transmission of data shall be handled very carefully with professional guidance.

Protecting personal data as the critical competitive advantage and commercial resources

It is also worth noting that in a recent litigation between two social networking platforms Sina Weibo and Maimai[3] for unfair competition, the court indicated in its decision that “collection and utilization of data could confer competitive advantage on and generate commercial benefits to business operators. Data has become a kind of critical competitive advantages and commercial resources for business operators”. Although the court did not further discuss the ownership of the personal data and specify the rights owned by social networking platform on personal data legally collected during the operation, the decision set forth the general principle that data could be considered as the critical competitive advantage in the business operation nowadays which is in line with the recent worldwide discussion of how data or “big data” would affect competition policy[4]. The business operators controlling the personal data in accordance with legitimate privacy policy and data processing shall be entitled to protect the personal data as their commercial resources.

As such, in addition to procure the proper use of personal data, companies must also guard against other competitors’ improper acts of “stealing” data from them. It is advisable for companies to establish an internal data protection mechanism to prevent any unauthorized data crawling by competitors. Also, in case of data exchange with a third party, a well drafted contract is necessary to clearly define the scope of data to be exchanged and clarify the obligation of personal data protection. The due diligence work on the security of the network environment of the third party in advance will also be important.

As the role that collection, processing and use of big data plays in the business operations of companies continues to grow, and the globalization encourages the transmission and use of data all over the world, multinational companies in particular, should constantly keep track of the legislative and regulatory developments of personal data protection in China, and also in other jurisdictions. We will continue to update companies of any new developments regarding the data protection in this area in China as well as in other jurisdictions, to help ensure the proper and legitimate use of personal data.