While new legislation introduces the right to one’s personal information and specifies data protection, the definition and scope of lawful uses remains uncertain.
• A personal information right is recognized as a civil law right and thus creates a private right for tort action.
• Data are considered a type of “intangible” property, but separate from intellectual property like trade secrets, copyright and patents.
• The best way to understand the scope of the term is to compare the new General Provisions to other recent legislation including the Network Security Law.
On March 15, 2017, the National People’s Congress (the NPC), the national legislature of People’s Republic of China (the PRC), passed the General Provisions of the Civil Law (the General Provisions), the opening chapter of a civil code that the NPC is still drafting and plans to enact in 2020. The General Provisions are promulgated based on the 1986 version. Though historically significant, the 1986 version had become very outdated given the rapid economic growth and dramatic social changes in China in the three decades since the “Reform and Opening-up” policy. In order to suit new conditions arising in China’s social and economic development and to better protect rights and establish obligations for individuals and entities, the General Provisions have undergone a major “face lift,” including revisions or deletions of 155 then-existing provisions, and additions of 50 new provisions to the 1986 version. Among these new provisions, the clauses introducing “Personal Information” rights and confirming “Data” protection are especially noteworthy.
“Personal Information” Right
Clause 111 of the General Provisions sets forth that natural persons’ personal information is protected by law. Each organization or individual shall obtain and ensure security of others’ personal information in accordance with law. Any person, whether an organization or an individual, shall not unlawfully collect, use, process, transmit, buy, sell, provide or publicize others’ personal information.
The Potentially Broad Scope of Personal Information
The concept of personal information has been introduced into the General Provisions without a definition or scope. The most recent and comprehensive personal information definition is provided by the Network Security Law Article 76, stating “information could be used to identify individuals solely or/and collectively, and it further enumerates that personal information shall include but not limited to individuals’ name, birthdate, identification number, biological identification information, address and phone number.” In judicial practice, information concerning identification, property, location, telephone records, transaction, and education of an individual has usually been recognized as personal information.
While the Supreme People’s Court is expected to issue its judicial interpretation to the General Provision at some point (not likely in the near future), which hopefully will include a clear definition of Personal Information, as of now other legislation offers the best context by which to assess the possible scope of the term.
Prior to the promulgation of the General Provisions, the term Personal Information has been adopted in the laws, regulations, and rules that govern or have impacted certain industrial sectors, for example: financial services, telecommunications, life sciences, logistics, and internet-based industries. Now with the passage of the General Provisions, the protection of personal information is universally mandated for all individuals and organizations.
Action of Tort
Before the personal information right was formally introduced into the General Provisions, a victim of personal information infringement had to turn to the administrative agencies or prosecutors for recourse to hold offenders responsible for administrative and/or criminal liabilities. The court seldom supported a claim for infringement of personal information unless the victim was also able to prove that his/her right of fame had been damaged as a result of infringement of his/her personal information. However, now that the right of personal information has been incorporated into the General Provisions, any individual or organization is entitled to bring a lawsuit based on the cause of action of tort for infringement of personal information.
The General Provisions require individuals and organizations to acquire personal information lawfully and not to unlawfully collect, use, process, transmit, buy, sell, provide or publicize personal information. Notably, however, the General Provisions do not expressly explain what activities would be considered as “unlawful.”
Before any judicial interpretations or implementing rules of the General Provisions in this respect are promulgated, other legislation may serve as reference. For example, the Network Security Law is the most recent legislation the Outstanding Committee of NPC has adopted, and it includes comprehensive mandates governing how personal information should be handled. The compliance requirements related to dealing with personal information must meet all of the following:
• Principles of “Legitimate,” “Reasonable,” and “Necessary” should be followed when collecting and utilizing personal information.
• Organizations should obtain explicitly informed consent from individuals.
• The scope of personal information collection should be relevant and not excessive.
• The information should be accurate and kept up to date.
• Sharing personal information with third parties may be permitted provided the information has been processed to eliminate the probability of identifying individuals.
• Information managers must adopt sufficient protective measures to ensure the safety of personal information.
• For certain sectors, regarded as Critical Information Infrastructure, personal information shall be kept within China and its transmission across border requires business necessity and governmental approval.
Equally important, Clause 127 of the General Provisions recognizes that, data, along with internet virtual property, shall be protected in accordance with other governing laws.
Nature of Data
Looking at the legislative history, the first draft of the General Provisions for public comment had categorized data as intellectual property, like copyright, trademark or patent. However, data has been removed from the intellectual property clause (Article 123) to a separate clause (Clause 127). This change demonstrates the likely view of legislators, i.e., that although data may not be considered as intellectual property, it should be regarded as a type of property and needs to be protected.
Some data may involve personal information. So, notably data security and personal information protection are closely related, but separate terms. Data, commonly stored in physical form, is the carrier and transmission medium of intangible information, including individuals’ personal information. In practice, the data security vulnerability could lead to infringement of personal information.
Data Protection Provided in Existing Laws
Since the General Provisions separate data and internet virtual assets from other types of properties, legislators likely intend that other laws (current and future) will regulate and protect data and virtual assets. There are some existing laws that have already provided various measures for protecting data in different forms. For example, data that constitutes copyright, patent, trade secret and other forms of intellectual property may be protected by the relevant intellectual property rights laws and regulations. Also, the PRC’s Anti-Unfair Competition Law has prohibited illegal infringement of others’ trade secrets, which may be presented in the form of data.
The General Provisions are a milestone in the PRC’s legislative history. The provisions further consolidate various regulations governing fragmented pieces of data and individuals’ personal information, and have set up an overarching guidance in the civil law landscape. The General Provisions have not specified the “unlawful” activities in relation to the protection for individuals’ personal information, or expressed any detailed data protection measures, but such legislative efforts should be seen in the context of the recent passage of Network Security Law and the pending judicial interpretation on criminal infringement of personal information. The trend demonstrates legislators’ enhanced awareness of and strengthened protections for personal information and data security from three aspects of the law, i.e., civil, administrative and criminal. Therefore, in response to this trend, companies should be prepared in advance to establish a more prudent personal information and data management system with higher compliance standards.