China started to establish a system of rules for the protection of personal information in 2012, and since then the government and courts have promulgated a number of related rules.
Currently, China is drafting a Personal Information Protection Law. In the future, the Personal Information Protection Law will form China's personal information protection rule system together with the Civil Code, Cybersecurity Law, Consumer Rights Protection Law, Data Security Law, and other administrative regulations, judicial interpretations, and departmental regulations.
I. Laws
1. Civil Code of China: Part IV Personality Rights (2020)
China stipulates the protection of personal information in the complete chapter of the 2020 Civil Code, that is, Chapter 6 the privacy and protection of personal information in Part IV Personality Rights of the Civil Code of China (from Article 1032 to Article 1039).
The key points of this chapter are as follows:
(1) A natural person shall enjoy the right to privacy. No organization or individual may infringe upon the right to privacy of any other person by spying, intrusion, disclosing or publishing the relevant information or by any other means.(Article 1032 and 1033)
(2) Personal information about natural persons shall be protected by laws.(Article 1034)
(3) Personal information refers to all kinds of information recorded by electronic or otherwise that can be used to independently identify or be combined with other information to identify a specific natural person, including the natural person’s names, date of birth, ID numbers, biometric information, addresses, telephone numbers, e-mail address, health information, whereabouts, etc. (Article 1034)
(4) The processing of personal information shall first obtain the consent of the natural person or his/her guardian, and shall not violate laws, administrative regulations, or the agreements of both parties. (Article 1035)
(5) The processing of personal information includes the collection, storage, use, processing, transmission, provision and disclosure of personal information, etc.(Article 1035)
(6) An information processor shall not divulge or tamper with the personal information that is collected and stored by him/her. Without the consent of the natural person, the information processor shall not illegally provide the personal information of such a natural person to any other, except for the information that has been processed so that the specific person cannot be identified and that cannot be recovered.(Article 1038)
2. Personal Information Protection Law of China (Draft) (2020)
China's legislature, the Standing Committee of the National People's Congress, is drafting the Personal Information Protection Law, and the draft was published on October 12, 2020. As of now, the draft has not been voted on.
The key points of this law are as follows:
(1) This law is not only applicable to any entity or individual's processing of personal information of natural persons in China, but also to specific activities of processing personal information of natural persons in China outside of China. (Article 1)
(2) Sensitive personal information is specially protected. This information includes race, ethnicity, religion, personal biological characteristics, medical health, financial accounts, personal whereabouts. (Article 29)
(3) Information processors can only process sensitive personal information under the following conditions: (1) They must use the information under certain circumstances; (2) They have obtained the specific consent of the individuals involved in the information. (Article 29, Article 30)
(4) If the information processor needs to provide personal information outside of China, it shall obtain the approval of the regulatory authority. (Article 38)
(5) In international judicial assistance, if information processors need to provide personal information outside of China, they should obtain approval from relevant authorities. (Article 41)
(6) When the personal information processed by the information processor reaches a certain amount, it should designate a certain person as the person in charge of personal information protection. The person in charge will supervise its personal information processing activities and protection measures. (Article 51)
(7) If the information processor violates this law, not only will the illegal income be confiscated, but also a fine of less than 50 million yuan or less than 5% of the previous year's turnover will be imposed. (Article 62) This should be the highest fine in all Chinese laws so far.
3. Cybersecurity Law of China (2017)
The fourth part of this law, network information security, stipulates the obligation of network operators to protect users' personal information, such as:
Network operators shall keep confidential the user information they collect, and shall not disclose, tamper with, or destroy the personal information they collect; they shall not provide personal information to others without the consent of the person being collected. (Article 40, Article 42)
Network operators must not collect personal information irrelevant to the services they provide. They must clearly state the purpose, method, and scope of information collection and use, and obtain the consent of the person being collected. (Article 41)
4. Decision on Strengthening the Protection of Network Information (2012)
The Decision establishes, for the first time in China, the rules for the collection and use of personal information and the obligations of network service providers to protect personal information. All of China's legislation on network security and personal information protection can be traced back to this provision.
II. Departmental rule
1. Provisions on the Cyber Protection of Children's Personal Information (2019)
The Provisions aim to protect the personal information security of children (i.e. minors under 14 years old) by supervising collection, storage, use, transfer and disclosure of children’s personal information through the Internet within the territory of China.
2. Measures for Determining the Illegal Collection and Use of Personal Information by Apps (2019)
The Measures aim to provide a reference for regulatory authorities to determine the illegal collection and use of personal information by Apps, and provide guidance for the App operators to self-examination and self-correction and the social supervision of the Internet users.
3. Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013)
The Provisions stipulates that: (1) Service providers shall publish the rules on the collection and use of personal information. (2)Without the consent of users, service providers shall not collect users’ personal information, and they can only collect the information that is necessary for the provision of service. (3)Service providers shall prevent the leakage, damage, tampering or loss of users’ personal information.
VI. Judicial interpretation
The Provisions aim to interpret Article 36 of the PRC Tort Law, that is, under what circumstances should network users and network service providers bear the tort liability if they use the network to infringe upon the civil rights and interests of others.
Article 36 of the Tort Law stipulates that network users and network service providers who use the network to infringe on the civil rights of others shall bear tort liability.
It is worth noting that, After China's 2020 Civil Code came into effect, the Tort Law was repealed. Civil Code of China: Part VII Liability for Tort provides more detailed regulations on cyber infringement in Article 1194, Article 1195, Article 1196, and Article 1197.
V. Technical Standard
1. Personal information (PI) security specification - National Standard of China (2020) 信息安全技术 个人信息安全规范
Photo by Road Trip with Raj (https://unsplash.com/@roadtripwithraj) on Unsplash