*This privacy alert article has utilised Google Translate of the Civil Code for analysis, as the text of the law is only available in Chinese.
The People’s Republic of China (‘China’), through the 3rd session of the 13th National People’s Congress (‘Congress’), adopted the Civil Code of China (‘Civil Code’) on May 28, 2020, which will come into effect from January 1, 2021. The Civil Code is an important piece of legislation for China because it codifies private laws for the first time in its history. The Civil Code has abolished individual laws such as tort law, contract law, guarantee law, rights in rem law, marriage law, inheritance law etc. Through the Civil Code, China shall also be adopting a more extensive data protection regime, as the Civil Code enshrines the ‘right to privacy’ and ‘principles of personal information’. Such principles have been adopted considering the definitions as provided in the world’s most comprehensive data governance law, the General Data Protection Regulation (‘GDPR’). The Civil Code also provides for more detailed definitions of personal information than existing regulations such as the Cybersecurity Law, Consumer Rights Protection Law, Personal Information Security Specifications, etc. The Civil Code has also provided for actions to be taken in case of breach of privacy. This means that organisations which are processing and collecting data shall, in case of a breach or non-compliance, be subject not only to administrative action and investigation but also to a suit under the civil law by data subjects.
About the Privacy Law
The Civil Code contains 3 (three) detailed parts (which we have identified) of privacy rights and personal information protection provisions.
Part I: Laying Down Rights
Chapter V, titled ‘Civil Rights’, provides for the general provision of privacy, wherein Article 110 gives all natural persons the right to privacy and Article 111 states that personal information of all natural persons shall be protected by law. Article 111 puts an obligation on the organisations obtaining personal information to ensure the safety of the information so obtained, and such information shall not be collected, used, processed, bought or sold, provided, disclosed or transmitted illegally.
Part II: Detailed Rights to Natural Persons and Obligations on Collection, Storage etc
Chapter VI, titled ‘Privacy and Personal Information Protection’, provides for more specific definitions and rights associated with natural citizens regarding the processing of data. In this regard, a brief of the provisions is provided as under:
Article 1032 specifically asserts the right to privacy. It prohibits organisations and individuals from spying, intrusion, disclosure etc;
Article 1033 of the Code prohibits organisations and individuals from:
(i) infringing the peace of others’ lives by telephone, text message, instant messaging, emails and leaflets etc.;
(ii) entering, filming and peeping into other people’s residences and hotel rooms;
(iii) photographing, spying, eavesdropping and disclosing private activities of others;
(iv) photographing or peeking into others’ private body parts;
(v) dealing with private information of others; and
(vi) infringing on others’ privacy in other ways.
Article 1034 defines personal information as information that is recorded electronically or otherwise which can identify a person either alone or in combination with other information including name, date of birth, any identification number, biometric information, address, telephone number, email, health information, whereabouts etc.;
Article 1035 states that personal information must be processed on the basis of lawfulness, fairness and necessity and should not be over processed and shall:
(i) obtain consent of natural persons or their guardians (in case of minors);
(ii) provide rules for public handling of information;
(iii) clearly state the purpose, method and scope of information processing; and
(iv) ensure that it does not violate any law or agreements.
Article 1036 exempts an organisation or individual from civil liability, if it:
(i) has acted within the scope of consent obtained;
(ii) reasonably disposes the information disclosed to it by natural persons themselves, unless they refuse or if the processing infringes the interest; or
(iii) other acts reasonably performed to protect public interest or legal rights of natural persons.
Articles 1037 to 1039: rights of data subjects and obligations of data processors (including state agencies). Such obligations shall include maintaining information security standards. Data subjects have been granted the following rights:
(i) Right to access: data subjects have been granted the right to consult or reproduce the information available with the information processor.
(ii) Right to rectification: If the data subjects find any error in the information available with the information processor, they shall have the right to correct such information in the records of the information processor.
(iii) Right to erasure: If the data subjects are of the view that the information processor is in breach of the law or any agreement, they shall have the right to get the information deleted with the information processor.
Part III: Industry Specific
Part III of the Civil Code is more industry specific, with provisions which are focused on specific stakeholders. For example, Article 1030 provides for the relationship between credit agencies and processing of personal data, and Article 1226 provides for associated rights of patients with medical institutions. Therefore, a claim can be brought in case of breach of rights under the Civil Code by either the credit rating agencies or health institutions. It is expected that the mass surveillance programs as carried out during the COVID-19 pandemic shall not continue.
BlockSuits Critique
Privacy v. Personal Information
An essential aspect that is missing in the Civil Code is that while it protects personal information of individuals, it does not recognise personality interest in non-private personal information. This essentially means that while citizens shall have a right to bring claims before the authorities, such claims may only be restricted to ‘economic’ interests and not ‘personality’ rights. Personality rights as defined under Part IV, Article 990 are “rights to life, body, health, name, name, portrait, reputation, honour, and privacy enjoyed by civil subjects”. Given the current reading of the Civil Code, there is a possibility that data subjects shall only be able to claim damages if they are able to prove economic loss. If the privacy regime was extended to non-private personal information and personality rights, the data subject could have also claimed damages under non-monetary claims, for example, a formal apology for breach of data or redaction of the data to rehabilitate reputation. Moreover, execution of the law is yet to be observed, as certain aspects such as the remedy under the right to erasure are not provided with clarity. In this regard, it is not clear whether the data subject shall approach the data protection authority with the claim or file a claim in private. Further, if such information has been disclosed in the public domain, how such information is to be deleted is yet to be clarified.
Clarity on Consent
The Civil Code provides rights to the organisation mainly on the basis of obtaining the consent of an individual. However, it fails to address the ‘opt-in or leave-it’ scenarios where organisations either require all the terms to be agreed to, or refuse goods/services. In this regard, the GDPR clearly states that such scenarios will be treated as consent not freely given.
No Distinction between Processor and Controller
When compared with the GDPR, the Civil Code does not provide much specificity in its regulations. For example, under Article 4(8) of the GDPR a ‘processor’ is defined as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’ and a ‘controller’, under Article 4(7), is defined as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’. The liability of the controller under the GDPR is higher than that of the processor. This essentially means that there is a clear distinction between who determines the purpose of the processing of data (controller) and the organisation/individual who actually processes the data (processor).
The Civil Code in this regard, under Article 111, states that “the personal information of natural persons is protected by law. Any organization or individual who needs to obtain the personal information of others shall obtain and ensure the safety of the information in accordance with the law, and shall not illegally collect, use, process or transmit the personal information of others, and shall not illegally buy or sell, provide or disclose the personal information of others” and Article 1035 states that “processing of personal information shall follow......... The processing of personal information includes the collection, storage, use, processing, transmission, provision, and disclosure of personal information”. These 2 (two) Articles of the Civil Code nowhere provide a distinction between a processor and a controller, which essentially means that no distinction between an organisation which determines the purpose of the data and the organisation which actually processes the data on the premise of a ‘lawful purpose’ has been defined in the Civil Code. Therefore, controllers and processors have the same liability under the Civil Code.
Interestingly, under clause 3.4 of the Personal Information Security Specification, a ‘personal information controller’ has been defined to state “an organization or individual that has the authority to determine the purposes and/or methods of the processing of personal information”. Such inconsistencies in the Civil Code and existing laws in China may prove confusing for data subjects and organisations while determining their rights and liabilities.
Distinction as Sensitive Personal Information
The Civil Code does not classify any personal information as sensitive personal information. Laws like the GDPR emphasise extra security and compliance requirements for sensitive personal information. The upcoming Personal Data Protection Bill, 2019 in India goes further to have another category, ‘critical data’, which has to be more secure than even sensitive personal information. The lack of such classification means that the financial information of an individual will be secured only as much as an email.
While the civil law is a step forward towards a data governing environment in China, there remain a lot of legal specificities unanswered. The law is also intertwining with other current legislations and it is important for Chinese authorities to provide clarifications as to which set of legislation would prevail in a matter of dispute. The Personal Information Protection Law and Data Security Law in China are still at a draft stage and the Civil Code will definitely usher the way for improving more practicalities around damages and the functioning of the data protection regime in China.
Final Thoughts
The regulations as provided by the Civil Code are similar and familiar to those provided by the GDPR. The current laws in China do not provide data subjects a specific remedy in case of a breach of privacy and personal information. Post-January 1, 2021, all ‘natural persons’ in China shall be able to enforce civil actions in case of breaches. Moreover, the current laws also provide a much ‘designated’ aspect to subjects as to who can enforce privacy rights. For example, under the Consumer Rights Protection Law, the person bringing a suit against an organisation shall be a ‘consumer’. However, the Civil Code shall not be restricted to such designations and provides for expansion covering a variety of infringements. An interpretation can also be gathered that there may be the possibility of a dual penalty for non-compliance (under administrative sanctions and civil actions).
It is also important to note that the Chinese Government is in the process of forming a Data Security Law of the People’s Republic of China. Currently, unlike jurisdictions such as Hong Kong, EU, UK, and Canada, China does not have a specific data protection law. The data privacy provisions enumerated in the Civil Code may also help in forming an ‘overall’ data protection regime in China. Economies around the globe have been focussing on refurbishing privacy regimes. Often regarded as California’s GDPR, the California Consumer Privacy Act is an essential piece of legislation granting consumers more autonomy over how their data shall be processed. While implementing privacy laws and governing disputes, the Chinese authorities shall also consider the global regime as a matter of precedent for analysing practical scenarios and assessing damages. The Civil Code is definitely a step forward for China as it paves the path for individuals to bring more substantial legal claims with regard to infringement of privacy rights.
The article is authored by Shivani Agarwal, Founder and Samaksh Khanna, Co-founder, BlockSuits.