First Civil Code in China to Bolster Data Privacy Protection
The story of Little Red Riding Hood teaches many of us a life lesson that information security is of critical importance because identity theft could result in double murder and other horrible things. Today we are in a highly digitalized world and almost every netizen is dealing with internet hackers and identity thieves on a daily basis with new threats targeting personal digital information on the rise. Following the global trend towards enhanced protection on data privacy, China is embarking on its own effort to reinforce the protection of personal digital information under the new Civil Code.
After a delay of over two months due to the COVID-19, China's top legislature, the National People’s Congress (“NPC”), held its annual meetings in Beijing from May 22 to May 28. On May 28, the NPC passed the Civil Code of the People's Republic of China (hereinafter “Civil Code”), a wide-ranging legislative package of existing civil laws. The Civil Code, the first-ever in the country’s history, will be in force from January 1, 2021.
In the Civil Code, Chapter VI (Article No.1032 to No.1039) is being dedicated to the right of privacy and protection of personal information, showing an effort of the country to bolster up individuals’ rights to privacy and personal data in this big data land with 904 million netizens,1 vulnerable to data breaches and cyber frauds.
Here's what the Civil Code says about personal data protection, how it is different from the world’s widely recognized data protection regulations, how it impacts individuals and businesses, and how to ensure compliance.
Definition of “Personal Information” and the related terms
The types of information considered personal under the Civil Code include various information recorded electronically or in other forms that can identify a specific natural person (“data subject”) separately or in combination with other information, including a natural person's name, date of birth, identity card number, biological recognition information, address, telephone number, e-mail address, health information, and whereabouts information, among others. The one who collects, stores, uses, handles, transmits, provides, and discloses personal information is defined as the “information processor”.
Here, “personal information” under the Civil Code is similar in terms of definition to “personal data” used in the General Data Protection Regulation (“GDPR”)2 as well as in its predecessor, the EU Data Protection Directive,3 because it includes data that relate both to an “identified” or “identifiable” individual. “Identifiable” means that an individual might not currently be identified but could be identified by combining various pieces of data.4 For example, the name of a person (in particular, a none-celebrity), is often not identified to an individual, but sometimes can easily be linked to an individual with bits of other information, such as an address, a telephone number or a place of work.
Under the GDPR, there is a distinction between the different roles that a business may play when handling personal data: a data controller or a data processor. The responsibilities to individuals and supervisory authorities and the penalties associated with non-compliance are very different for these two roles. Whether a business is a data controller or processor depends on a number of issues. The key criterion is – the entity who determines the purposes for which the data are processed and the means of processing would be the data controller while a data processor acts on behalf of, and only on the instructions of, the relevant data controller.5 A data processor is subject to far fewer obligations than a data controller under the GDPR. Currently, there is no such distinction under the Civil Code, as the data-handling party is uniformly defined as the information processor, the party vis-a-vis the data subject. A distinction is necessary to justify classification because the uniformity would inevitably increase the compliance costs for those businesses who only process personal data in line with others’ instructions.
Furthermore, the Civil Code provides that a deceased person still maintains a right to privacy. And the Civil Code does not distinguish whether the “data subject” under Chapter VI should be a living person or not, so it is reasonable to assume that a decedent’s personal data are likewise protectable under the Civil Code, so as to enhance a person's ability to control the dissemination of personal information after death.
Under the GDPR, processing of personal data of a sensitive nature shall be prohibited, unless some stricter preconditions could be met, because such data are classified under the label of “sensitive personal information”6 and should be handled with extra care. It is not always the case that personal information is "sensitive", while sensitive personal information should belong to a specific set of categories of information that must be treated with extra security. The Civil Code however neither defines “sensitive personal information” nor provides a distinction between “sensitive personal information” and “personal information”. As improper disclosures of sensitive personal information can cause greater harm and damage to the image and reputation of an individual, it is very important to ensure that sensitive personal information could be specifically defined in Civil Code and appropriately protected. The forthcoming judicial interpretation of the Civil Code may further clarify this issue.
What are the rights of Data Subject?
Under the Civil Code, the data subject enjoys the following rights:
1) Right to access:7 the data subject may consult or reproduce his personal information from the information processor according to the law;
2) Right to rectification: upon discovery of any error in the information, the data subject has the right to raise an objection and to request to have a timely correction; and
3) Right to be forgotten: if the handling of personal information was in violation of law, or any prior agreement, the data subject has the right to request a timely erasure.
While being a much welcomed move in the right direction for these GDPR sort-of rights8 to be provided under the Civil Code, there is a lack of clarity. Taking “the right to access” as an example, the below issues are not being properly addressed: how the information can be provided to the data subjects upon request? How fast to make a response shall be considered timely? Is the information processor allowed to refuse a data subject’s request if it is unjustified or excessive? As to the trendy notion, “right to be forgotten”, the law fails to describe how the data shall be deleted in individual cases. Furthermore, if the data processor already made the personal data public, it remains a question as to how to make the concerned data erased.
What are the principles of Data Collection?
Under the Civil Code, the general principles for data collection are: data shall be collected lawfully, justifiably and with necessity and shall not be collected excessively. The data collection activities shall meet the following conditions:
1) With consent of the data subject or his or her guardian, unless otherwise permitted by law;
2) With a public data processing policy in place;
3) The purpose, means and scope of data processing shall be explicitly notified; and
4) There shall be no violation of law, regulations or the agreement of the parties.
Under the GDPR, consent is just one of the legal bases a business can use to justify the collection, handling, and/or storage of people’s personal data.9 Furthermore, for consent to be valid, it must be freely-given, unambiguous and specific, informed and withdrawable. Consent is not freely-given if individuals have no other meaningful options but to give out their consent. This means businesses shall not create an opt-in-or-leave-it situation when seeking people’s consent. Individuals need to maintain the ability to decline and shall be free from discrimination when they opt out. Here, the Civil Code fails to elaborate on how consent shall be obtained and given nor does it provide any details on other legal bases for data processing, which presumably remain to be addressed in further legislative construction.
What are the obligations of Information Processor?
Under the Civil Code, the information processor, who actually plays a combined role of a data controller and a data processor under the GDPR, shall have the following obligations:
1) not disclose or tamper with any personal information collected or stored;
2) not illegally provide any personal information to a third party, without the consent of the data subject, unless the information is anonymized permanently;
3) take technical measures and other necessary measures to ensure the security of the personal information collected and stored and prevent information leakage, tampering, and loss; and
4) take remedial measures in a timely manner for any incidence of personal information leakage, tampering, or loss, for example, the data subject and the supervisory authority shall be timely notified according to the provisions.
The Civil Code is not specific about what safety measures businesses shall undertake to ensure the security of personal information. At present, businesses should encrypt, pseudonymize and/or anonymize personal data whenever and wherever possible, and as technological and corporate best practices are continually evolving, the other technological or security measures shall be taken if suitable and economically applicable.
The Civil Code also touches upon government infringement issue by providing that the state organs, statutory institutions assuming administrative functions, and their staff members shall keep confidential the privacy and personal information of data subjects obtained in the course of fulfilling any governmental or administrative functions, and shall not disclose such information or illegally provide the same for others. Government intrusion into personal privacy has reached a historic height during the COVID-19 as the government aggressively tracks down infected individuals by using surveillance technologies. This shall not be the new norm after the pandemic. The government shall make efforts to ensure that any surveillance data collected during the pandemic shall be taken good care of to protect public from mass data leakage in the aftermath of the coronavirus.
Conclusion
In a nutshell, despite lack of clarity in a few aspects, the Civil Code lays down an important groundwork for data privacy protection. It basically requires that the data processing businesses shall be responsible for what they do with personal data, and shall demonstrate and document the procedures they’ve taken as an effort to safeguard people’s data. To data processing businesses, living up to these requirements will not only result in better legal compliance, but also help to build up a reputation and a competitive advantage. The process of compliance may cost a lot in the beginning, but in the long run, it will prove to be valuable as real dollars, euros or Chinese yuan will be saved because those in compliance are more likely to avoid fines, litigation costs, negative media attention and reputation damage.
As in other parts of the world, laws and regulations in this area are constantly evolving in China as changes and further judicial interpretations are still in the pipeline. The best practice for most businesses is to build an up-to-date, dynamic, adaptable and effective privacy protection program that can skillfully and nimbly deal with changes as they occur. In this manner, data processing businesses are better armed to protect Little Red Riding Hood from falling into the scams of big bad wolves and at the same time, build up their own reputation as trustworthy, law-abiding and responsible enterprises.
Footnotes
2) The General Data Protection Regulation (EU) 2016/679.
3) The Data Protection Directive, officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
4) Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the U.S. and EU, 102 Cal. L. Rev. 886 (2014).
6) Definition of “sensitive personal information” under the GDPR: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
7) The subtitles are used in this article for convenience only; they were not part of the Civil Code.
8) Rights for individuals under the GDPR, see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights
