Author: Samuel Yang, Nicholas Blackmore
China’s legislature, the National People’s Congress, recently enacted a Civil Code which will come into force on 1 January 2021. The Civil Code is a major landmark in Chinese legal history – it is the first comprehensive codification of the civil laws of the People’s Republic of China, which has been a goal of Chinese governments since the Qing Dynasty.
The Civil Code covers the full scope of Chinese civil law, including property rights, contracts, tort and family law – and also includes sections on privacy and the protection of personal information. Samuel Yang (Partner from Anjie Law Firm) and Nicholas Blackmore (Special Counsel from Kennedys) outline the impact of the new Civil Code on Chinese data privacy law.
Most of the provisions of the Civil Code regarding privacy and personal information are not new. Much of the Civil Code is a restatement and consolidation of the existing privacy laws contained in the Decision of the Standing Committee of the National People’s Congress on Strengthening the Network Information Protection, the Cybersecurity Law, and the Law on the Protection of Consumer Rights and Interests. However, the Civil Code does extend these laws in some respects, most significantly in providing a clearer basis for individuals to take legal action in relation to breaches of their privacy rights.
Like existing PRC privacy laws, the provisions of the Civil Code regarding privacy and personal information are not as detailed or prescriptive as Hong Kong’s Personal Data (Privacy) Ordinance or Europe’s General Data Protection Regulation. Rather, they are a set of general principles which leave considerable room for interpretation. However, the National People’s Congress have flagged the introduction of a personal information protection law and a data security law as the next step in the development of Chinese data privacy law, and it is likely that these laws will be more prescriptive.
The provisions of Part IV of the Civil Code dealing with privacy and personal information are in several sections:
- articles 990 to 1000 contains general provisions regarding “personality rights”, which include an individual’s right to privacy;
- articles 1032 and 1033 more specifically prohibit activities which infringe on an individual’s right to privacy, such as spying, eavesdropping, photographing or filming private body parts or spaces, or sending uninvited messages; and
- articles 1034 to 1039 deal specifically with the processing of personal information.
The legislators have apparently noted the overlap between “privacy” and “personal information”, which is an academic and practical question debated by legal professionals for a long time. The Civil Code provides a principle to deal with such overlap by providing that those provisions on privacy (articles 1032 and 1033) shall apply to the “private information” in personal information; in the absence of such provisions, the provisions on the protection of personal information (articles 1032 and 1033) shall apply.
Individuals may take legal action to prevent or obtain compensation for an infringement of their personality rights. While the Civil Code does not expressly state when personality rights will be infringed, the structure of Part IV strongly suggests that this will include the activities prohibited under articles 1032 and 1033 and the processing of personal information in breach of articles 1034 to 1039. There is an exception for the conduct of news reporting carried out in the public interest, but only to the extent that the use of the individual’s name and other personal information is reasonable.
“Personal information” is defined as information recorded electronically or otherwise that is capable of identifying a specific natural person, alone or in combination with other information, including the person’s name, date of birth, ID number, biometric information, address, phone number, email address, health information, and location information. The key provisions concerning the processing of personal information include:
- processing of personal information must be lawful, justified, necessary and not excessive;
- processing of personal information is only permitted with the express consent of the individual or as required by law – although article 1036 states that reasonable processing of personal information is also permitted if: (a) the individual voluntarily disclosed their personal information and did not explicitly refuse to allow processing; or (b) the processing is carried out to protect the public interest or the individual’s legitimate rights or interests;
- individuals have the right to obtain access to personal information a processor holds about them and to correct that information if it is inaccurate;
- individuals have the right to require a processor to delete their information if the processing is in breach of the law or an agreement between the parties;
- processors should take technical and other necessary measures to ensure the security of the personal information they hold; and
- in the event of a data breach, the processor should take remedial measures in a timely manner and notify the breach to the affected individuals and the relevant competent authority.
Most of these provisions will be familiar to global businesses who already comply with the General Data Protection Regulation or other privacy laws. In some respects, however, they are more strict. In particular, it appears that there is less scope under the Civil Code than under many other privacy laws for personal information to be processed without the consent of the individual.
Most of the above provisions strongly resemble those already in the Decision on Strengthening the Network Information Protection, the Cybersecurity Law and the Law on the Protection of Consumer Rights and Interests. However, being in the Civil Code, they will apply more broadly. For example:
- the Decision on Strengthening the Network Information Protection is limited to the protection of personal information in electronic form, whereas the Civil Code applies to all forms of personal information;
- the Cybersecurity Law applies only to network operators, whereas the Civil Code applies to all businesses handling personal information, regardless of whether they also operate a computer network; and
- the Law on the Protection of Consumer Rights and Interests only protects the rights of consumers of goods and services, whereas the Civil Code applies to all natural persons.
Most importantly, the Civil Code will make it easier for individuals to take civil action in relation to privacy breaches. The existing laws do not expressly provide any right for individuals to take such action; they only provide for the authorities to impose administrative fines and penalties. Consequently, it has been difficult for individuals to obtain compensation for breaches. In one widely- reported case, 42 individuals unsuccessfully sought to sue Amazon in relation to an incident in which their personal information was obtained by scammers.
The Civil Code makes clear that an individual will have the right to seek a court order to prevent a breach of their privacy rights which is continuing or is about to occur, and compensation for damage (including emotional damage) which is caused by a breach of their privacy rights. The court may also order that an apology or other public announcement be published. If the individual is deceased, their family may take such legal action in their place.
The official Chinese text of the Civil Code is available here; no English translation is available at this time.
While the new Civil Code largely restates the existing Chinese laws on privacy and personal information protection, it does apply these laws more broadly and make it easier for individuals to take civil action in relation to breaches. As such, we are likely to see privacy and personal information protection laws enforced more often and more broadly in China from next year onwards. Companies who process personal information in China should double-check that their existing privacy practices comply with the new Civil Code from 1 January 2021.