We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
14 August 2020
China's legislature, the National People's Congress, recently enacted a Civil Code which will come into force on 1 January 2021. The Civil Code is a major landmark in Chinese legal history – it is the first comprehensive codification of China's civil laws, which has been a goal of Chinese governments since the Qing Dynasty.
The Civil Code covers the full scope of Chinese civil law, including property rights, contracts, tort and family law and includes sections on privacy and the protection of personal information. This article outlines the impact of the Civil Code on Chinese data privacy law.
However, the Civil Code extends these laws in some respects, most significantly in providing a clearer basis for individuals to take legal action in relation to breaches of their privacy rights.
Like existing Chinese privacy laws, the provisions of the Civil Code regarding privacy and personal information are not as detailed or prescriptive as Hong Kong's Personal Data (Privacy) Ordinance or the EU General Data Protection Regulation (2016/679) (GDPR). Rather, they are a set of general principles which leave considerable room for interpretation. However, the National People's Congress has flagged the introduction of a personal information protection law and a data security law as the next step in the development of Chinese data privacy law and it is likely that these laws will be more prescriptive.
Part IV of the Civil Code dealing with privacy and personal information is divided as follows:
The legislature has apparently noted the overlap between 'privacy' and 'personal information', which is an academic and practical question that has been debated by legal professionals for a long time. The Civil Code provides a principle to deal with such overlap by providing that Articles 1032 and 1033 will apply to 'private information' contained in personal information; in the absence of such provisions, Articles 1032 and 1033 will apply.
Individuals may take legal action to prevent or obtain compensation for an infringement of their personality rights. While the Civil Code does not expressly state when personality rights will be infringed, Part IV strongly suggests that this will include the activities prohibited under Articles 1032 and 1033 and the processing of personal information in breach of Articles 1034 to 1039. There is an exception for the conduct of news reporting carried out in the public interest, but only to the extent that the use of the individual's name and other personal information is reasonable.
'Personal information' is defined as information recorded electronically or otherwise that is capable of identifying a specific natural person, alone or in combination with other information, including the person's name, date of birth, ID number, biometric information, address, phone number, email address, health information and location information. The key provisions concerning the processing of personal information include the following:
Most of these provisions will be familiar to global businesses that already comply with the GDPR or other privacy laws. However, in some respects, the above provisions are stricter. In particular, it appears that there is less scope under the Civil Code than under many other privacy laws for personal information to be processed without the consent of individual data subjects.
Further, most of the above provisions strongly resemble those already in the Decision on Strengthening the Network Information Protection, the Cybersecurity Law and the Law on the Protection of Consumer Rights and Interests. However, as part of the Civil Code, they will apply more broadly. For example:
Most importantly, the Civil Code will make it easier for individuals to take civil action in relation to privacy breaches. The existing laws do not expressly provide any right for individuals to take such action; they only provide for the authorities to impose administrative fines and penalties. Consequently, it has been difficult for individuals to obtain compensation for breaches. In one widely reported case, 42 individuals unsuccessfully sought to sue Amazon in relation to an incident in which their personal information was obtained by scammers.
The Civil Code makes clear that an individual will have the right to seek a court order to prevent a breach of their privacy rights which is continuing or is about to occur, and compensation for damage (including emotional damage) which is caused by a breach of their privacy rights. The court may also order that an apology or other public announcement be published. If the individual is deceased, their family may take such legal action in their place.
While the new Civil Code largely restates the existing Chinese laws on privacy and personal information protection, it applies these laws more broadly and makes it easier for individuals to take civil action in relation to breaches. As such, privacy and personal information protection laws are likely to be enforced more often and more broadly in China from 2021 onwards. Companies that process personal information in China should ensure that their existing privacy practices comply with the new Civil Code from 1 January 2021.
For further information on this topic please contact Samuel Yang at AnJie Law Firm by telephone (+86 10 8567 5988) or email (email@example.com). The AnJie Law Firm website can be accessed at www.anjielaw.com.
Nicholas Blackmore, special counsel at Kennedys LLP, co-authored this article.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.