Personal data protection under newly issued Civil Code

• the Decision of the Standing Committee of the National People's Congress on Strengthening the Network Information Protection;
• the Cybersecurity Law; and
• the Law on the Protection of Consumer Rights and Interests.

However, the Civil Code extends these laws in some respects, most significantly in providing a clearer basis for individuals to take legal action in relation to breaches of their privacy rights.

Privacy and personal information

Like existing Chinese privacy laws, the provisions of the Civil Code regarding privacy and personal information are not as detailed or prescriptive as Hong Kong's Personal Data (Privacy) Ordinance or the EU General Data Protection Regulation (2016/679) (GDPR). Rather, they are a set of general principles which leave considerable room for interpretation. However, the National People's Congress has flagged the introduction of a personal information protection law and a data security law as the next step in the development of Chinese data privacy law and it is likely that these laws will be more prescriptive.

Part IV of the Civil Code dealing with privacy and personal information is divided as follows:

• Articles 990 to 1000 contain general provisions regarding 'personality rights', which include an individual's right to privacy;
• Articles 1032 and 1033 more specifically prohibit activities which infringe on an individual's right to privacy (eg, spying, eavesdropping, photographing or filming private body parts or spaces or sending uninvited messages); and
• Articles 1034 to 1039 deal specifically with the processing of personal information.

The legislature has apparently noted the overlap between 'privacy' and 'personal information', which is an academic and practical question that has been debated by legal professionals for a long time. The Civil Code provides a principle to deal with such overlap by providing that Articles 1032 and 1033 will apply to 'private information' contained in personal information; in the absence of such provisions, Articles 1032 and 1033 will apply.

Individuals may take legal action to prevent or obtain compensation for an infringement of their personality rights. While the Civil Code does not expressly state when personality rights will be infringed, Part IV strongly suggests that this will include the activities prohibited under Articles 1032 and 1033 and the processing of personal information in breach of Articles 1034 to 1039. There is an exception for the conduct of news reporting carried out in the public interest, but only to the extent that the use of the individual's name and other personal information is reasonable.

'Personal information' is defined as information recorded electronically or otherwise that is capable of identifying a specific natural person, alone or in combination with other information, including the person's name, date of birth, ID number, biometric information, address, phone number, email address, health information and location information. The key provisions concerning the processing of personal information include the following:

• the processing of personal information must be lawful, justified, necessary and not excessive;
• the processing of personal information is permitted only with the express consent of the individual or as required by law, although Article 1036 states that the reasonable processing of personal information is also permitted if:
  • the individual voluntarily disclosed their personal information and did not explicitly refuse to allow processing; or
  • the processing is carried out to protect the public interest or the individual's legitimate rights or interests;
• individuals have the right to obtain access to the personal information that a processor holds about them and to correct that information if it is inaccurate;
• individuals have the right to require a processor to delete their information if the processing is in breach of the law or an agreement between the parties;
• processors should take technical and other necessary measures to ensure that the security of the personal information they hold; and
• in the event of a data breach, the processor should take remedial measures in a timely manner and notify the breach to the affected individuals and the relevant competent authority.

Most of these provisions will be familiar to global businesses that already comply with the GDPR or other privacy laws. However, in some respects, the above provisions are stricter. In particular, it appears that there is less scope under the Civil Code than under many other privacy laws for personal information to be processed without the consent of individual data subjects.

Further, most of the above provisions strongly resemble those already in the Decision on Strengthening the Network Information Protection, the Cybersecurity Law and the Law on the Protection of Consumer Rights and Interests. However, as part of the Civil Code, they will apply more broadly. For example:

• the Decision on Strengthening the Network Information Protection is limited to the protection of personal information in electronic form, whereas the Civil Code applies to all forms of personal information;
• the Cybersecurity Law applies to only network operators, whereas the Civil Code applies to all businesses handling personal information, regardless of whether they also operate a computer network; and
• the Law on the Protection of Consumer Rights and Interests only protects the rights of consumers of goods and services, whereas the Civil Code applies to all natural persons.

Most importantly, the Civil Code will make it easier for individuals to take civil action in relation to privacy breaches. The existing laws do not expressly provide any right for individuals to take such action; they only provide for the authorities to impose administrative fines and penalties. Consequently, it has been difficult for individuals to obtain compensation for breaches. In one widely reported case, 42 individuals unsuccessfully sought to sue Amazon in relation to an incident in which their personal information was obtained by scammers.

The Civil Code makes clear that an individual will have the right to seek a court order to prevent a breach of their privacy rights which is continuing or is about to occur, and compensation for damage (including emotional damage) which is caused by a breach of their privacy rights. The court may also order that an apology or other public announcement be published. If the individual is deceased, their family may take such legal action in their place.

Comment

While the new Civil Code largely restates the existing Chinese laws on privacy and personal information protection, it applies these laws more broadly and makes it easier for individuals to take civil action in relation to breaches. As such, privacy and personal information protection laws are likely to be enforced more often and more broadly in China from 2021 onwards. Companies that process personal information in China should ensure that their existing privacy practices comply with the new Civil Code from 1 January 2021.

For further information on this topic please contact Samuel Yang at AnJie Law Firm by telephone (+86 10 8567 5988) or email (yanghongquan@anjielaw.com). The AnJie Law Firm website can be accessed at www.anjielaw.com.