Summary of Laws Relating to Personal Information Protection (Mainland China)

Joyce Wen[1]

In the era of big data, while data and information bring convenience to our lives, the issue of personal information leakage is also becoming more and more prominent.  This is why the protection of personal information has become the focus of attention in today’s society.  Although a number of Chinese laws and regulations have sporadically addressed the issue of personal information protection, there was no special law for personal information protection until October 21, 2020, when the draft Personal Information Protection Law of the People’s Republic of China (hereinafter, the “Draft”) was officially released.  The purpose of this article is to summarize the main laws and regulations on personal information protection in China and briefly explain the highlights of the Draft for your reference.

I. Laws and regulations related to the protection of personal information

1. On February 28, 2009, the Amendment (VII) to the Criminal Law of the People’s Republic of China (going into effect on February 28, 2009) added the crimes of selling or illegally providing citizens’ personal information and illegally acquiring citizens’ personal information by the personnel of state organs or financial, telecommunications, transportation, educational and medical institutions. That was the first time that the acts of illegally acquiring, selling or illegally providing a citizen’s personal information by specific personnel were included in the scope of criminal regulation.

2. On October 25, 2013, the Decision of the Standing Committee of the National People’s Congress on Amending the Law of the People’s Republic of China on the Protection of Consumer Rights and Interests (going into effect on March 15, 2014) specifically stipulates that an operator that collects and uses a consumer’s personal information shall follow the principles of legal compliance, justification, and necessity, specifically indicate the purposes, manners and scope of collecting or using the information, and obtain the consent of the consumer. An operator that collects and uses a consumer’s personal information shall disclose its collection and use rules and shall not violate the provisions of laws and regulations and the agreement between the parties on the collection and use of the information.  An operator and its personnel shall strictly maintain the confidentiality of a consumer’s personal information as collected and shall not disclose, sell or illegally provide such personal information to others.  An operator shall take technical measures and other necessary measures to ensure the security of information and prevent the leakage and loss of a consumer’s personal information.  In the event of or in any likelihood of information leakage or loss, remedial measures shall be taken immediately.

3. On August 21, 2014, the Provisions of the Supreme People’s Court on Several Issues Concerning the Application of Law in the Trial of Civil Dispute Cases Involving the Use of Information Networks to Infringe on Personal Rights and Interests (going into effect on October 10, 2014) clearly stipulate the civil liability for the use of information networks to infringe on personal information.

4. On August 29, 2015, the Amendment (IX) to the Criminal Law of the People’s Republic of China (going into effect on November 1, 2015) amended Article 253-1 of the Criminal Law to expand the scope of the subject of the crime by clearly stipulating that those who sell or provide a citizen’s personal information to others in material aspects shall assume criminal liability. In addition, those who sell or provide to others a citizen’s personal information obtained in the performance of duties or provision of services in violation of the relevant requirements of the state shall be severely punished.  In addition, the crime is changed into “the crime of infringing on a citizen’s personal information,” and the separate “crime of selling or illegally providing a citizen’s personal information” and the “crime of illegally acquiring a citizen’s personal information” are abolished at the same time.

5. On November 7, 2016, the Cybersecurity Law of the People’s Republic of China (going into effect on June 1, 2017) stipulates that personal information refers to all kinds of information recorded electronically or otherwise that can identify a natural person’s personal identity by themselves or in combination with other information, including but not limited to a natural person’s name, date of birth, identification document number, personal biometric information, address, telephone number, etc. In addition, Chapter IV, as a dedicated chapter, contains systemic provisions on cybersecurity.  A network operator shall keep the user information it collects strictly confidential and establish a sound user information protection system.  Additionally, a network operator that collects and uses personal information shall follow the principles of legal compliance, justification, and necessity, disclose the collection and use rules, specify the purposes, manners and scope of information collection and use, and obtain the consent of the individual whose information is collected.  In addition, a network operator shall not collect personal information unrelated to the services it provides, shall not collect and use personal information in violation of the provisions of laws and administrative regulations and the agreement between both parties, shall handle the personal information it keeps in accordance with the provisions of laws and administrative regulations and the agreement with the user, and shall not disclose, tamper with, or destroy the personal information it collects or provide personal information to others without the consent of the person from whom it was collected, except for information that has been processed to the extent that specific individuals cannot be identified and the information cannot be restored.

6. On March 15, 2017, the General Principles of the Civil Law of the People’s Republic of China (going into effect on October 1, 2017) clearly stipulates that personal information of natural persons is protected by law. Any organization or individual who needs to obtain personal information of others shall obtain the information and ensure its security in accordance with law, shall not illegally collect, use, process or transmit personal information of others, and shall not illegally trade, provide or disclose personal information of others.

7. On May 8, 2017, the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases Involving Infringement of Citizens’ Personal Information (going into effect on June 1, 2017) mainly clarifies issues such as the scope of a citizen’s personal information, the conviction and sentencing standards for the crime of infringing upon a citizen’s personal information, as well as the joinder of crimes involved in the crime of infringing upon a citizen’s personal information, unit crimes, quantity calculation, etc.

II. Interpretation of the highlights of the Draft

1. Determination of the effect of extraterritorial application

Article 3 of the Draft, which provides for the application scope of the law, specifically stipulates that the Draft shall apply not only to activities of processing personal information of natural persons within the territories, but also to activities of processing personal information of natural persons outside the territories in any of the following circumstances: (a) such activities aim to provide products or services to natural persons within the territories; (b) such activities are acts engaged to analyze or assess natural persons within the territories; or (c) there are other circumstances stipulated by law or administrative regulations.  The Draft draws on the long-arm jurisdiction of the European Union’s General Data Protection Regulation (GDPR) and sets out the effect of extraterritorial application, thereby enhancing the protection of personal information.

2. Reinforcement of personal information processing rules

1) Six principles of personal information processing are clarified.

The Draft specifies six principles that should be observed in processing personal information: the principle of good faith (Article 5), the principle of clear and reasonable objectives (Article 6), the principle of minimum necessity (Article 6), the principle of openness and transparency (Article 7), the principle of accurate information (Article 8), and the principle of imputability of information processing (Article 9).

2) The basis for legally processing personal information is expanded.

The Draft breaks away from the Cybersecurity Law as the sole legal basis for processing personal information and, instead, expands the legal basis for processing personal information based on the provisions of the Civil Code.  Pursuant to Article 13 of the Draft, a processor of personal information may process personal information if one of the following circumstances is met: (1) the consent of the individual is obtained; (2) such processing is necessary for the conclusion or performance of a contract to which the individual is a party; (3) such processing is necessary in order to perform statutory duty or statutory obligations; (4) such processing is necessary in order to respond to a public health emergency, or to protect the life, health and property of a natural person in an emergency; (5) personal information is processed within a reasonable scope for news reporting, public opinion supervision and other acts for the sake of public interest; or (6) there is any other circumstance specified in laws and administrative regulations.

3) The circumstances under which separate consent should be obtained for processing personal information are specified.

Legal Requirement: Separate Consent

Legal Provisions:

(1) A personal information processor provides the personal information it has processed to a third party (Article 24).

(2) A personal information processor discloses the personal information it has processed (Article 26).

(3) Personal images or personal identification characteristics information collected by any image capture or personal identification equipment installed in public places are disclosed or provided (Article 27).

(4) Sensitive personal information is processed based on the consent of the individual (Article 30).

(5) A personal information processor provides personal information outside the country (Article 39).

3. The rights of personal information subjects and the obligations an information processor should assume are clarified.

Chapter IV of the Draft provides for the rights of individuals in personal information processing activities in the form of a special chapter, specifically including: the right to be informed and decide (Article 44), the right to access and copy (Article 45), the right to correct and supplement (Article 46), the right to delete (Article 47), the right to request explanations and clarifications (Article 48), and the right to request the personal information processor to establish a mechanism for receiving and processing applications for the exercise of personal rights (Article 49).  Chapter V of the Draft specifies the obligations of personal information processors in various aspects, such as ex-ante risk assessment (Article 54), interim compliance (Article 50) and ex-post remediation (Article 55), so as to ensure the security of personal information.

4. The rules for cross-border provision of personal information are clarified.

Article 40 of the Draft specifies the requirement that personal information shall be stored locally.  Pursuant to the provision, operators of critical information infrastructure and personal information processors that handle personal information in quantities that reach the threshold stipulated by the state network information department shall store the personal information collected and generated within the territories of the People’s Republic of China within the territories.  If it is indeed necessary to provide personal information outside the country, the security assessment organized by the state network information department shall be passed; and if laws, administrative regulations and the state network information department provide that no security assessment is required, such provisions shall govern.  Article 38 of the Draft clarifies the conditions for cross-border provision of information.  Pursuant to such article, personal information can be provided outside the country in any of the following four circumstances: (1) such provision has gone through security assessment organized by the state network information department in accordance with the law; (2) personal information protection certification has been conducted by a professional organization in accordance with the requirements of the state network information department; (3) a contract has been executed with the overseas recipient to stipulate the rights and obligations of both parties and to ensure that their personal information processing activities meet the personal information protection standards stipulated in the Draft; or (4) there are other conditions stipulated by laws, administrative regulations or the state network information department.

5. Strict legal liability and increased public interest litigation

Article 62 of the Draft provides that an illegal act of personal information processing will be subject to “a fine of up to RMB 50 million or up to 5% of the revenue from the previous year.”  In addition, the violator can be ordered to suspend the relevant business, shut down for rectification, or its business permits or business licenses can be revoked.  Compared with the maximum fine of RMB 1 million under the Cybersecurity Law, the intensity of punishment is significantly increased, which further demonstrates the intensity and determination in the state’s protection of personal information.

In addition, Article 66 of the Draft also introduces a public interest litigation system to deal with personal information processors in violation.  If a personal information processor processes personal information in violation of the Draft and infringes on the rights and interests of many individuals, the people’s procuratorate, the department responsible for the implementation of personal information protection and the organization determined by the state network information department can bring a lawsuit to the people’s court in accordance with law.  

III. Conclusions

The period for soliciting public opinions for the Draft was concluded on November 19, 2020.  According to the Spokesperson of the Legislative Affairs Commission of the Standing Committee of the National People’s Congress, the Draft will be scheduled for further deliberations in the meetings of the Standing Committee in 2021 so that it will be promulgated as soon as possible.  It is expected that the much-anticipated Draft, which is called the “umbrella” of personal information, will be implemented as soon as possible in order to resolve the long-standing dilemma that personal information protection regulations are scattered in separate legal provisions.


[1] The author is a lawyer at Shanghai Lee, Tsai & Partners.  However, the contents of this article merely reflect personal opinions and do not represent the position of this law firm.