The National People’s Congress of the People’s Republic of China (“National People’s Congress”) has voted to pass the Civil Code of the People’s Republic of China (“Civil Code”). The Civil Code will come into force on 1 January 2021.
Privacy and data protection lawyers will be particularly interested in its effects on privacy and the protection of personal data. The Civil Code provides some rights to privacy and the protection of personal data in its section relating to personality rights, giving them an elevated legal status in China.
The National People’s Congress has confirmed that detailed legislation on data protection and data security will be drafted in the next stage, and we expect these two laws to be enacted within two years.
Below we consider the section of the Civil Code relating to privacy and the protection of personal data in more detail:
1. Establishing a privacy right and defining privacy and personal data
“Article 1032 - Natural persons have the right to privacy. No organisation or person shall violate another's right to privacy by identifying, invading, disclosing or making public, their private matters.”
The Civil Code defines privacy in this fashion:
“Privacy refers to a natural person’s right to a private life free of interference and their location, activities or information which they do not wish others to know about.”
Our understanding is that under Article 1032, privacy will relate more to an individual’s private or secret business, and it will contain some personal data which is private and secret. However, there is also a definition of personal data in this section, which differentiates the two terms:
“Personal data refers to various types of information that can be used separately or in combination with other information to identify a natural person via electronic or other means, including but not limited to the name, date of birth, ID number, biological identification information, address, telephone numbers, email address, and the tracking information of a natural person. Personal secret data shall also be subject to obligations of privacy.”
We understand that this is a very similar definition to that employed in the Cybersecurity Law of the People’s Republic of China (the “CSL”); this definition changes only a few words to make it more precise and easier to understand.
Personal data is a separate concept from privacy under the two Articles, as not all personal data is secret, and privacy will contain private or secret activity which would not fall within the above definition of personal data. Personal secret data is the overlap area between personal data and privacy and both the privacy and the data protection regimes will apply to it.
2. Processing and the data processor
Under Article 1035, the word “processing” refers to the collecting, using, processing, transferring, and sharing of personal data, making the data public or other operations upon it.
According to Article 1036, data processors have a legal obligation to respond to a data subject's rights request, including the rights to access, correct and delete their data. It appears that organisations or persons processing personal data will be regarded as data processors in the Civil Code and also that the meaning of "data processor" here will be different from that under EU GDPR. However, there is currently no clear definition of data processor under the Civil Code, which will need to be clarified at a later stage.
3. Personal data protection principles
Under Article 1035, the processing of personal data must comply with the principles of legality, justification and necessity, and must not be excessive. This is similar to the CSL, and the prohibition on excessive processing of personal data has been clarified. This is a welcome development, although the test for identifying unnecessary or excessive processing has yet to be set out.
4. Lawful basis and consent
Under the Civil Code, consent is not the only lawful basis for engaging a subject's privacy rights or processing their personal data. Under Article 1033, engaging privacy rights can be justified if it is required by a legal obligation. Under Article 1035, to process personal data, data processors must obtain consent from the individual or their guardian, unless the processing is required by law or regulation. Under Article 1038, relating to sharing of personal data, consent or legal requirement is a lawful basis, but anonymised information is exempt (as anonymised information will not be within the definition of personal data since it can no longer be linked to an identifiable individual).
In addition, under Article 1037, when processing personal data, data processors will not be held accountable in the following situations:
The processing is within the scope of a consent;
The personal data in question has already been disclosed by the individuals themselves or it is already in the public domain (except for when an individual explicitly objects to the processing, or processing is contrary to their vital interests);
When processing is reasonable and to protect the public interest or protect the lawful interests of the individual.
We understand that the wording “will not be held accountable” is not the same as “lawful”, but these scenarios will provide a way for enterprises to avoid punishment. The words “within the scope of consent” are another issue, as they remain to be clarified. We understand consent is not specific under the CSL and we may need to pay more attention to the requirements of consent, and how to obtain consent from individuals, when these issues are subject to judicial scrutiny in future.
5. Data Subject Rights
According to Article 1036, the rights of a data subject are to access, correct and delete their personal data, similar to the rights granted under the CSL. In more detail:
The right to access: this includes the right to inquire about or obtain a copy of the subject's personal data.
The right to correct: when an individual finds that data held about him or her is inaccurate, the individual can request correction.
The right to delete: when an individual has found that the data processor has breached the requirements of law or regulation, or the requirements of the agreement between the data processor and the data subject, the individual can require deletion of his or her personal data.
The right to close an account (注销权) is not provided under the Civil Code; this is a special right under the E-commerce Law of the People’s Republic of China.
The Civil Code does not specify the timeframe within which the data subject’s request must be responded to, which may be clarified in the upcoming personal data protection legislation.
6. Data Breaches
Under Article 1038 of the Civil Code, data processors will have an obligation to prevent data breaches. They must adopt technical and other necessary measures to secure personal data from any data breach, falsification, or loss. If there is, or may be, a data breach, data processors must take measures to deal with it, and inform affected data subjects and the relevant authorities.
Unlike the GDPR, there is no timeframe (such as 72 hours) specified for a response to a data breach under the Civil Code. We expect that the details of data security and data breach management will be provided in the upcoming data security legislation.
There are no requirements specifically relating to direct marketing under the Civil Code; however, there is a section which will affect marketing activities: Article 1033 (1) - without a legal obligation, or obtaining consent, it is not permitted to invade an individual’s privacy by telephone, SMS, instant messaging tools, email, leaflet or in another manner. We understand that this requirement is intended for the protection of privacy; however, it will affect marketing as well.
In summary, although the upcoming data protection law and data security law still have much to achieve, the Civil Code has dedicated an entire section to the requirements of privacy and protection of personal data, which enhances their importance at Civil Code level. However, there remain some questions and matters to be clarified. We will continue to monitor legislative developments and prepare updates accordingly.