After much anticipation, the Civil Code was passed by the PRC National People's Congress on 28 May 2020, and will come into force on 1 January 2021. An extensive piece of legislation, the Civil Code contains 1260 articles and a section on the "Right of Privacy and Personal Information Protection", which extends the current scope of protection of privacy and personal information.
Privacy and Personal Information
The Civil Code sets out separate requirements pertaining to (i) the right of privacy and (ii) personal information protection in the PRC.
(I) RIGHT OF PRIVACY
The Civil Code provides that all natural persons enjoy the right of privacy, which is defined as the private life, space, activities and information that one is unwilling to disclose to others. This is the first time that the right of privacy is defined in a statute in the PRC – although the existing General Provisions of Civil Law (implemented in 2017) cited the right of privacy, it did not provide a definition. The Civil Code stipulates that any "private information" contained in one's "personal information" shall be protected by rules pertaining to the right of privacy, and if no such rules are applicable, the requirements relating to the protection of personal information shall apply, thus clarifying that, while the concepts of privacy and personal information may overlap, they are not equivalent.
The Civil Code prohibits any organisation or individual from engaging in the following privacy-intrusive activities:
- intruding into another's private life through phone calls, text messages, instant messaging tools, emails and flyers;
- entering, photographing or spying on another's private space, such as his home or hotel room;
- photographing, spying on, eavesdropping on or disclosing another's private activities;
- photographing or peeping at another's private body parts;
- processing another's private information; and
- infringing the right of privacy through other means (a catch-all provision).
The above restrictions are subject to exemptions, such as the express consent of the affected individual, or "acts reasonably carried out in order to safeguard the public interest" (which appears to give considerable latitude for surveillance activities conducted by state authorities).
(II) PERSONAL INFORMATION PROTECTION
In relation to the protection of personal information, the Civil Code imposes requirements which are largely akin to the existing rules under the CSL and its related guidelines and specifications. For instance, the Civil Code specifies that organisations or individuals may only process (i.e. collect, store, use, edit, transfer, provide or disclose) personal information when they have, inter alia, obtained the personal information subject's consent and disclosed the purpose, method and scope of the processing of personal information. Also, as with the CSL, the Civil Code provides that technical measures shall be taken to ensure the security of personal information, and imposes obligations to notify data subjects and relevant authorities of data breaches, and confers data subjects with rights of access, correction and deletion of personal information.
Notably, the Civil Code applies to any organisation or individual as long as they collect, store, use, edit, transfer, provide or disclose personal information. The requirements under the Civil Code apply equally to both personal information "controllers" and personal information "processors" (i.e. entities which process personal information on another's behalf and not for their own purposes). The personal information protection requirements under the Civil Code are subject to exemptions, such as acts reasonably carried out in order to safeguard the public interest, or where the relevant personal information has been voluntarily disclosed to the public (unless the processing of such personal information is expressly refused by the data subject or harms his material interest).
The Civil Code is a noteworthy addition to the PRC's existing laws, regulations and guidelines concerning personal information protection. It is the first time that a separate "right of privacy" has been encapsulated into law.
In terms of personal information protection, the Civil Code in theory has a broader scope of application (covering any organisation or individual as long as they collect, store, use, edit, transfer, provide or disclose personal information) as opposed to the CSL which only applies to network operators and critical information infrastructure operators. The Civil Code captures organisations that adopt both analogue and digital processes while the CSL focuses on digital ones. Given the all-pervasive use of technology in China, the distinction remains academic. In addition, while existing laws and regulations mostly lay down criminal and administrative sanctions for violations of personal information protection requirements (e.g. fines, warnings, suspension of business), the Civil Code provides for civil liability for non-compliance, such as damages, orders for cessation of breaches of the law and public apologies. As privacy awareness has increased in the last couple of years, the Civil Code will give consumers greater bargaining power when dealing with companies that collect their personal data.
Finally, the Civil Code also gives individuals the right to access their personal information in addition to the rights of correction and deletion which are already covered under the CSL. At present, the right of access is only provided under the Information Security Technology – Personal Information Security Specification GB-T 35273-2017 (the "PI Specification"), a non-binding best practices standard issued in 2018, but not the CSL.
Uncertainties Still Remain?
Similar to the CSL, the Civil Code only sets out high-level and generic requirements relating to privacy and personal information protection. It is short on detail, and lacks nuanced distinctions and distillations similar to data protection laws in other jurisdictions, such as the General Data Protection Regulation ("GDPR") in the EU. It also does not distinguish between sensitive and general personal information, set out different requirements for personal information "controllers" and "processors", or stipulate rules on automated decision-making, cross-border data transfers and the retention of personal information. Although detailed rules relating to these issues are encapsulated in the PI Specification, the PI Specification is a non-binding standard which lacks the same statutory force as the Civil Code or the CSL. It is therefore uncertain how much weight PRC courts will give to the guidelines in the PI Specification when interpreting the requirements under the Civil Code.
That being said, PRC authorities have been signaling their intention of formulating a comprehensive personal information protection regime over the past few years, and have announced plans to introduce a new Personal Information Protection Law and Data Security Law later this year. While no further details of the proposed legislation have been disclosed so far, it is anticipated that they will consolidate and possibly refine the piecemeal laws, regulations and non-binding national and local guidelines in the PRC on personal information protection. Hopefully, this will give more clarity to the PRC's personal information protection regime and bring it closer to international standards.
For businesses operating in the PRC, the introduction of the Civil Code signals an increase of the cost of non-compliance with privacy obligations – they will have to take into account potential civil liability in addition to criminal and administrative penalties stipulated under present laws and regulations such as the CSL. Businesses should also bear in mind the new requirements in relation to the right of privacy under the Civil Code, which are separate from personal information protection obligations. Meanwhile, they should closely track the developments of the proposed Personal Information Protection Law and Data Security Law which are expected to be introduced later this year.
As far as private individuals are concerned, the Civil Code provides them with a clearer route to seek civil remedies from entities that collect their data for breaching privacy or personal information protection rules. Nonetheless, given the exemption provided for acts reasonably carried out in the public interest, it is unlikely that the Civil Code would curtail the ability of state bodies to conduct surveillance activities and process the personal information of citizens.
Visit us at www.mayerbrown.com
Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.