2020.06.03 DONG, Xiao (Marissa)、ZHU, Tong、DONG, Junjie
In August 2018, the Civil Code of the People's Republic of China (Draft) (“Draft Civil Code”) was released for the first time to the public and has been continuously revised and improved after numerous deliberations by the Standing Committee of the Thirteenth National People's Congress. In December 2019, the Standing Committee of the Thirteenth National People's Congress decided to submit the Draft Civil Code to the third session of the Thirteenth National People's Congress for deliberation, and ultimately the latest version of the Draft Civil Code was officially adopted on May 28, 2020 (“Civil Code”). According to the Civil Code, rules and regulations regarding personality rights were independently codified as one of the highlights (“Chapter of Personality Rights”). As a special section of the Chapter of Personality Rights, there are eight articles stipulating in detail the definition and the scope of privacy and personal information protection, the requirements for personal information protection, the rights and obligations of responsible subjects and opposite natural persons. The Civil Code will be implemented on January 1, 2021.
Before the Chapter of Personality Rights takes effect, Article 110 of the General Rules of Civil Law makes it clear that natural persons have the right of privacy and Article 111 prescribes that personal information is protected by law, but the General Rules of Civil Law do not define “personal information” or “privacy”. The Civil Code defines “privacy” on the basis of the existing legal provisions for the first time and further clarifies the boundaries and scope of personal information and right of privacy.
Article 1032 of the Chapter of Personality Rights basically adopts the current general definition of the right of privacy, and stipulates that privacy is the peace of a private life of natural persons and private space, private activities and private information that natural persons do not want others to know. Article 1034 makes it clear that the provisions on the rights of privacy shall apply to the private information that belongs to personal information; if there is no corresponding provisions, the provisions on the protection of personal information shall apply.
Prior to the promulgation of the Chapter of Personality Rights, the definition of personal information is stipulated in the Regulations on the Protection of Personal Information of Telecommunications and Internet Users, the Measures on the Punishment of Acts that Violate the Rights and Interests of Consumers, and the Cybersecurity Law of the People's Republic of China (“Cybersecurity Law”), respectively. In contrast to the provisions of Article 76 of the Cybersecurity Law, Article 1034 of the Chapter of Personality Rights adds the “e-mail, health information and whereabouts information” to the enumeration of the definition of personal information, which states that "personal information is all kinds of information recorded electronically or otherwise that can identify a particular natural person, either alone or in combination with other information, including the natural person's name, date of birth, identity document number, biometric information, address, telephone number, e-mail, health information, whereabouts information, etc."
In the course of deliberations on the third draft of the Chapter of Personality Rights, some committee members suggested that a distinction should be made between general information and sensitive information, and that the content and scope of sensitive information of personal privacy that may affect the security and property of people should be appropriately expanded, but the Chapter of Personality Rights ultimately does not further distinguish between general information and personal sensitive information on the basis of the third draft. This may be left to be further interpreted and applied in civil judicial practice after the Civil Code takes effect.
Article 1035 of the Chapter of Personality Rights reaffirms the principles of legality, legitimacy and necessity and stipulates specific requirements for the processing of personal information: (1) the consent of the natural person or guardian should be obtained, unless otherwise stipulated by laws and administrative regulations; (2) the need for rules for the public processing of information; (3) the need for statements clearly informing the purpose, method and scope of processing; and (4) not to violate the provisions of laws and administrative regulations and agreements between the parties.
Compared to previous laws and regulations such as Cybersecurity Law, the Chapter of Personality Rights emphasizes the need to obtain the consent of a guardian for the collection of personal information of persons without civil capacity, such as minors, or persons with limited civil capacity. With regard to the protection of the personal information of minors, the Civil Code defines natural persons under the age of 18 as minors and persons with no civil capacity or limited civil capacity. The consent of a guardian shall be obtained for the processing of the personal information of minors. The Provisions on the Cyber Protection of Children's Personal Information stipulates that the collection and use of the personal information of a child under the age of 14 shall be subject to the consent of the child's guardian. Whether it is required to obtain consent from the guardian for processing personal information of minors over 14 years old needs further clarification in practice. Moreover, Article 1035 also applies to the handling of the personal information of other persons with no or limited civil capacity such as elderly persons with inadequate capacity to discern and understand, and this remains to be clarified in practice.
In addition, the Chapter of Personality Rights removes the concept of the collection of personal information and treats collection as part of personal information processing, stating that "personal information processing includes the collection, storage, use, processing, transmission, provision and disclosure of personal information". This Article places additional emphasis on the “non-disproportionate handling” of personal information as compared to the third draft of the Chapter of Personality Rights.
Article 1037 of the Chapter of Personality Rights clarifies and specifies the rights of natural persons on their personal information. In addition to the rights of correction and deletion explicitly provided in the Cybersecurity Law, the Chapter of Personality Rights further provides the right of natural persons to access or copy their personal information in accordance with the law. According to the Information Security Technology - Personal Information Security Specification, when the subject of a personal information requests the personal information controller to realize the rights of the subject of the personal information, the entrusted processor and the relevant personal information recipient shall assist the personal information controller to respond to the request for the rights of personal information. Article 1037 of the Chapter of Personality Rights, on the other hand, provides that natural persons have the right to exercise their personal information subject rights in accordance with the law to the information processor, which seems to imply that natural persons have the right to request the exercise of personal information subject rights from all the parties that collect, store, use and process their personal information. This remains to be clarified in practice.
Article 1036 of the Chapter of Personality Rights clearly stipulates for the first time three situations in which the protagonist does not bear civil liability for handling the personal information: (1) within the reasonable limits of the consent of the natural person or their guardian; (2) in a case whereby the reasonable handling of information has been made public or lawfully made public, unless the natural person expressly refuses or the handling of such information infringes on their vital interests; and (3) other acts reasonably carried out in order to safeguard the public interests or the legitimate interests of the natural person.
Article 1038 of the Chapter of Personality Rights stipulates that information processors shall not divulge or falsify the collected or stored personal information; illegally provide personal information to others without the consent of the natural person, except for the information that has been processed and cannot be recovered and through which no particular individual may be identified.
In addition, Article 999 of the Civil Code also stipulates that the name, title, image and personal information of a civil subject may be used reasonably for the purpose of public interest, such as news reporting and public opinion monitoring; if the use unreasonably infringes on the personality rights of a civil subject, the civil liability shall be borne in accordance with the law.
Article 1039 of the Chapter of Personality Rights clearly stipulates that State bodies, statutory body with administrative functions and their personnel shall keep the private and personal information of natural persons known to them in the course of their duties confidential and shall not divulge or unlawfully make available to others the private and personal information of natural persons.
During the deliberation of the third draft of the Chapter of Personality Rights, some committee members advised on adding provisions regarding the liability for leakage, falsification, and the unlawful provision of personal information, and the leakage or unlawful provision of privacy and personal information of natural persons to others by State bodies and their staff. The Chapter of Personality Rights did not ultimately specify the liability for the unlawful provision of personal information.
The Civil Code also contains special provisions for the protection of personal information in two special instances.
Firstly, a patient’s private and personal information protection are specifically stipulated. Article 1226 states that medical institutions and their personnel shall keep the private and personal information of their patients confidential. If a patient's private and personal information is leaked, or if a patient's medical records are disclosed without their consent, the medical institution or their personnel shall be liable for an infringement.
Secondly, Article 1030 stipulates that the relationship between civil subjects and credit information processors such as credit agencies should be subject to the provisions in the Chapter of Personality Rights relating to the protection of personal information and the relevant provisions of other laws and administrative regulations.
The Civil Code has been finalized after numerous reviews and amendments. It defines the boundaries between personal information and right of privacy under the civil law system, clarifies the scope of personal information, introduces requirements on personal information protection and stipulates the responsibilities and obligations around personal information protection. It also leaves room for the further formulation of personal information protection laws. How these provisions will be applied in future judicial practice and how “personal information” protection claims will become a remedy for individuals in addition to the right to privacy are of great concern and remain to be seen in practice.