The Standing Committee of the National People’s Congress published the Personal Rights of the Civil Code (draft for third reading) on August 27 for public comment. Chapter Six (Articles 811-817) is dedicated to Privacy Rights and Personal Information (PI) Protection. The new chapter, if enacted in its current form, would extend the scope of personal protection to both privacy rights and PI.
Privacy is defined statutorily for the first time in the draft Civil Code as private space, private activities and private information which a natural person is unwilling to be made known to other persons, and that no organization or individual may infringe the privacy rights of other persons through spying, intrusion, leakage or public disclosure (Article 811). “Not willing to be made known to other persons” is a highlight of the new third draft and was not reflected in earlier drafts. The draft Civil Code provides that, except as stipulated by law or with the consent of the right holder, no one may search, enter, peer into or invade privacy space, or harass the peaceful lives of other persons through text messages, telephone calls, instant messages, emails, flyers or other means (Article 812).
Parallel to privacy rights, the draft Civil Code also protects individuals’ PI. Article 813 expands the scope of PI to include “email address” and “whereabouts” along with the natural person’s name, date of birth, personal ID number, biometric information, address and phone number. PI handling would include the use, processing, transmission, provision and making public of PI. When collecting and processing PI, the following precautions must be observed: (i) obtaining consent of the natural person or his/her guardian; (ii) making public the rules for information collection and processing; (iii) making clear the purpose, means and scope of information for collection/processing; and (iv) no violation to law or administrative regulations or mutual agreements (Article 814).
The following acts in collecting/processing PI would not incur civil liability: (i) acts committed within the scope of agreement with the natural person/guardian; (ii) processing of self-disclosed PI or information having been legally available to the public, provided that the natural person expressly denies that the processing or possession of such information would infringe his/her major interests; and (iii) other acts reasonably committed in order to safeguard the public interest or the natural person’s lawful interests (Article 815).
The draft Civil Code marks another enhancement of protection of PI since China’s Cybersecurity Law took effect on June 1, 2017, when for the first time a comprehensive set of data protection provisions were included in national legislation. China has since then been working on several regulations and national standards concerning PI and data protection including:
- Information Security Technology – Personal Information Security Specification (PI Specification) issued by the National Information Security Standardization Technical Committee (TC260), effective on May 1, 2018, draft amendment released on June 25, 2019 for comment
- Draft Data Security Administrative Measures released by the Cybersecurity Administration of China (CAC) on May 28, 2019 for comment
- Draft Measures on Security Assessment of Personal Information Cross-Border Transfers released by CAC on June 13, 2019 for comment
- Draft Information Security Technology – Basic Specification for Collecting Personal Information in Mobile Internet Applications released by TC260 on August 8, 2019 for comment
- Provisions on Protection of Children’s Personal Information in Networks issued by CAC on August 23, 2019
- Information Security Technology – Guidance on De-identification of Personal Information issued by TC260 on August 30, 2019
That being said, China still lacks an omnibus privacy or PI protection law, although a comprehensive privacy protection law is expected to be drafted within the next five years. This creates several loopholes. For instance, the current draft Civil Code has not listed information such as individual’s accounts and passwords, medical history, financial data, communications records, marital status, religion and juveniles’ personal data, and has not made a distinction between general PI and sensitive PI. Such illustrations and distinctions, as well as detailed protection of PI, can be found in such documents as the PI Specification. The PI Specification is a voluntary and recommended national standard, and businesses are expected to comply with it to demonstrate compliance with PI protection requirements under the Cybersecurity Law. However, the PI Specification is not itself a mandatory document and enjoys no statutory status as would the Civil Code with respect to the imposition of sanctions for violations.
We also note that Article 817 of the draft Civil Code specifically prohibits state organs and their staff from leaking PI obtained in the performance of their duties. However, Article 816(iii) exempts “acts reasonably committed in order to safeguard the public interest” from civil liability, which essentially provides leeway for government organs to collect and process PI in ways in which private information collectors and controllers are restricted, such as by forcing private entities or individuals to disclose to the government the PI under their control, intruding upon private communications and mass surveillance without consent, all in the name of the public interest. The draft Civil Code is largely directed to civilian rather than government infringement. Thus, government intrusions into personal privacy may continue to be extraordinary in depth and extent.