Control of Personal Information

In previous articles, we focused narrowly on the draft Personal Information Protection Law (the “Draft”), analyzing some of its key provisions and discussing their potential effects. In this article, we will take a look at how the Draft interacts with the upcoming Civil Code.

New Rights Codified

While China has generally recognized that personal information should be afforded some protection, the Civil Code offers a strict codification of such protection as a legally enforceable right by identifying control over personal information as an independent right, distinct from privacy, as well as creating specific remedies applicable in case of personal information infringement.
This still might be too general to allow individuals, in practice, to file civil claims against those who infringe on their personal information. Indeed, this broadness creates a bit of confusion when differentiating the concepts of personal information protection and privacy. Nonetheless, while this probably does not represent an end point, it marks a good start for personal information protection in the private sector.

Combined Protections

Under the Civil Code, there are several major elements of personal information protection, including the right to inquire, change, or correct. The Draft also creates a more complete and concrete protection mechanism. Take the right to delete as an example: the individual may request that the processor delete their personal information in case of non-compliance or violation of agreement pursuant to Article 1037 of the Civil Code. The Draft also provides for further situations in which individuals may exercise such rights, as discussed below.

Potential Effects

Chapter 5 of the Draft provides further details about the obligations of information processors. In practice, information processors usually use standard documents such as User Agreements or Terms & Conditions to specify how they process personal information, yet usually remain silent about their obligations. The Draft fills many of those gaps. For instance, if the processor fails to take proper steps in the case of a personal information breach according to Article 55 of the Draft, the individual will likely be able to claim damages against the processor. In addition, if the standard documents mentioned above include opt-outs, in some way inappropriately limit the rights of a user, or attempt to avoid legal obligations, they will likely not hold up against legal scrutiny.

Interactions between Civil Claims and Regulatory Enforcement

Although civil liability and administrative penalties sometimes run parallel to each other, we believe this won’t always be the case for information processors. For example, if there is a relatively large number of individuals filing civil claims against a personal information processor, the authorities are likely to take extra steps to examine whether the processor’s overall practices are compliant. In a worst-case scenario, this could open one up to criminal liability.
On the other hand, and this should be in the back of everybody’s mind, it is also possible that publicly mentioned penalties from the authorities might trigger some individuals with relevant interests to file civil claims. In fact, from a burden-of-proof angle, it is easier for an individual to convince a court that the information processor has done something wrong under such circumstances.

Bottom line

While the Civil Code and the Draft “attack” in separate ways, information processors should be extremely cautious about the legal effects and liabilities triggered by these interactions and overlaps once the Civil Code takes effect.

This is the third article of a series of articles we plan to write about cybersecurity, data protection, and compliance. We are now offering data compliance services and related trainings through DaWo Academy. Please don’t hesitate to reach out if you have any questions.