[Guest Post] Privacy and Data Protection in Chinese Civil Code: First Clarification of Personal Data Protection from the Perspective of Civil Law in China

This Kat is delighted to host a guest post by Zihao Li, a PhD candidate at CREATe, University of Glasgow, on privacy and data protection in the Chinese Civil Code. 

Here is what Zihao writes:

On 28 May 2020, the first Chinese Civil Code (CCC) was adopted. It will come into effect on 1 January 2021.

Chapter 6 (Privacy and Protection of Personal Information) of Part 4 (Personality Rights) of the CCC emphasises ‘privacy and personal data’ in particular and provides several principles and data rights for personal data collection and processing.

Combined with relevant legislation, regulations and standards, such as the cybersecurity law, the consumer protection law, the ninth amendment to the criminal law and the personal information standard, the protection of privacy rights and personal information is further strengthened in China. This marks overall improvement of the legal status of personal data protection in this country.

Although the CCC does not outline personal data protection in detail, it does clarify, for the first time, the legal status and protection rules of personal data from the perspective of civil law. Moreover, the CCC also serves as a legal basis for the forthcoming personal data protection and data security law in China. As confirmed by the National People’s Congress, detailed legislation on data protection and data security will be drafted and is expected to be enacted within two years.

With respect to the detailed principles and rights that the CCC establishes, five points require special attention. These are outlined below.

1. Defining Privacy Rights and Personal Data from the Perspective of Civil Law

Article 1032 of the CCC clarifies that "natural persons have the right to privacy. No organisation or person shall violate another's right to privacy by detecting, invading, disclosing or making public, their private matters." It defines privacy as follows:

Privacy refers to the tranquillity of the private life of a natural person, and their private space, private activities and private information which they do not wish others to know about.

In light of Article 1034, it separately defines the personal data of natural persons as follows:

Personal data refers to various types of information that can be used separately or in combination with other information to identify a natural person via electronic or other means, including a nature person’s name, date of birth, ID number, biological identification information, address, telephone numbers, email address, and the tracking information among others.

Accordingly, under the CCC, personal data and privacy are different concepts, and personal data does not always fall within the right to privacy; however, these two concepts overlap. When it comes to personal confidential data, both privacy rights and personal data may apply.

It is to be noted that ‘private life free of interference’ is incorporated within the right to privacy, thus enriching and expanding the meaning thereof. As Article 1033 states, it refers to conventional privacy violations, such as photographing, peeping at and eavesdropping on, as well as the publication of private activities; however, it also refers to the invasion of the tranquillity of third-party private lives in the digital era (e.g. through instant messaging tools, email and pop-up ads on web pages).

2. Clarifying the Principles and Conditions of Processing Personal Data

The CCC also provides several general principles that should be followed when processing personal data. Under Article 1035, the personal data of a natural person shall be processed under the principles of lawfulness, justification and necessity, and it shall not be excessively processed. In general, the processing of personal data must meet the following conditions:

(1) With consent of the natural person or his guardian, unless as otherwise prescribed by laws and administrative regulations;
(2) The rules for publicly handling information;
(3) Explicitly indicating the purpose, method and scope of handling information;
(4) Not violating the provisions of laws or administrative regulations or the agreement between the both parties.

These conditions embody the ‘principle of informed consent’, which is an overarching and important principle of personal information protection. In essence, this principle requires data controllers or processors to collect and use personal information only with the full knowledge and consent of users. Its legal basis is founded in the theory of individual autonomy.

In addition, the CCC also defines the processing of personal data in Article 1035, which stipulates that the processing of personal data includes (among other things) the collection, storage, use, handling, transmission, provision and disclosure of personal information.

The codification of general principles and conditions is significant. However, a test must be put into place that can identify unneeded or excessive processing.

3. Lawful Basis and Exemptions to Personal Data Processing

Although the Chinese Cybersecurity Law stipulates that ‘informed consent’ and ‘data anonymization’ are two lawful requirements for processing personal data, the CCC further clarifies these terms and adds other lawful processing determinants under Article 1035 (as discussed above). Although the CCC does not provide a concept of data anonymisation, Article 1038 prescribes that "without the consent of a natural person, the personal data shall not be illegally provided for anyone else, excluding the information through which the specific individual cannot be identified after processing and which cannot be restored". It appears that, in order to bypass personal data protection laws, the term ‘data anonymisation’ should be explicitly defined.

In accordance with Article 1036, there are three exemptions to the processing of personal data:

(1) The acts properly conducted within the scope agreed by the natural person or their guardian.
(2) Properly processing the information that the natural person has published or other information that has been legally published, except the case that it is explicitly refused by the natural person or when processing of the information infringes upon their significant interests.
(3) Other acts properly conducted for protecting the public interests or the lawful rights and interests of the natural person.

Although Article 1036 describes three exemptions, the concept of said exemptions, such as ‘properly conduct’, ‘public interests’ and ‘information has been published/disclosed’, remain uncertain. Further judicial explanations and legal guidance appear therefore needed.

4. Data Subject Rights

Based on Article 1037, a natural person is entitled to the following three rights:

(1) Right to access: A natural person is able to consult or reproduce his/her personal data from the data handler according to the law;

(2) Right to correct: Upon discovery of any information error, he/she has the right to object and request corrections as well as take other necessary measures in a timely manner;

(3) Right to delete: If a natural person finds that an information handler’s treatment of his/her personal information is in violation of the laws and administrative regulations or the agreement between the two parties, then he/she has the right to request that the information handler deletes it in a timely manner.

It is also worth noting that, when compared with Chinese Cybersecurity Law, the CCC entitles users to the right to access, thereby ensuring the implementation of rights to correct and delete. In addition to these three data rights, as a supplement, Chinese E-Commerce Law is vested with the 'right to logout' (close an online account) from a data subject. Compared with the EU General Data Protection Regulation, the data subjects’ rights are still limited in the CCC, and some notions are uncertain (e.g. no specific regulation for data handlers’ respond timeframe. These uncertainties might be addressed by the impending personal data protection and data security laws.

5. Data Breaches

As for data breaches, Article 1038 of the CCC requires the following:

an information handler shall not disclose or tamper with any personal information collected or stored thereby;
the information handler shall take technical measures and other necessary measures to ensure the security of the personal information collected and stored thereby and prevent data leakage, tampering, and loss; and for any personal information leakage, tampering, or loss that occurs or is likely to occur, remedy measures shall be taken in a timely manner, the natural person shall be notified according to the provisions, and it shall be reported to the competent department.

Like the data subjects’ rights provision, there is no timeframe for a response of data handling following a data breach. It also lacks detail concerning how to safeguard data security and data management when data is leaked, and, accordingly, the specific operation standards should be listed. However, since such provisions in the CCC are fundamental, it is possible that further detailed provisions will be provided in the upcoming data security legislation.

To conclude, the data protection provisions in the CCC improve the legal status of personal data and privacy protections, thereby enhancing the importance of data protection at the CCC level. However, several notions and issues need to be further clarified. Indeed, in China, the legislation of data protection and security has a long way to go.

Photo courtesy: Jin's mum 🐈