Cybersecurity, data compliance, and personal information protection are not necessarily at the top of our mind as we go about our daily business. However, these matters are becoming more significant as such data becomes ever easier to obtain. In this article, we will briefly discuss some of the relevant regulatory updates pertaining to data protection and privacy matters.
Just over three years ago, on June 1, 2017, China’s Cybersecurity Law (the CSL) took effect. The CSL is China’s primary law dealing with the protection of “Critical Information Infrastructure” (CII) related to social interests and protection of “personal information” (PI) related to the interests of citizens and organizations.
The Cybersecurity Law and supporting laws and regulations are not only ‘words on paper’, but truly apply in our daily social life, putting a high compliance burden on all kinds of network operators.
While everybody knows about the “green code” related to the Covid-19 outbreak, we also obviously generate lots of other background personal data, which can be collected by websites, government applications, and companies for processing and analysis, and even to generate new information.
This understandably worries many people. Some of the primary questions include, “Is such collection by governments and companies legal? Will my information be compromised after being processed? Is it disclosed in some unknown way?”
Of course, within the CSL framework, we can find answers to these questions in various places, and the current framework breaks down into four main areas: network operation security, network products and services, online information management, and PI protection.
At present, there are already dozens of supporting regulations, rules, and standards, with rule-makers at every level constantly updating and interpreting them. Below, we decided to focus on one of the major recent developments in how personal data is handled in China: the newly adopted Civil Code.
Personal Information Protection 2.0
The groundbreaking Civil Code has a chapter focusing specifically on “Personality Rights,” which lays out in detail various expanded legal definitions, and places boundaries on PI, as well as its collection and use.
For example, Article 1034 expands the definition of PI to include “e-mail, health information and whereabouts information.” You can see how relevant this is to the current epidemic situation.
Article 1035 goes on to reemphasize certain limits around the collection of PI, including the requirement of actual consent, and that the scope of use must be made clear. While this is not a huge change, it is important to note that the Civil Code handles consent more specifically than the CSL, offering further limits on who can consent to what, centered on people with limited legal capacity, such as minors.
Related to these two articles, Article 1036 lays out three discrete exceptions under which a PI collector may avoid liability:
- within the reasonable limits of the consent of the natural person or their guardian;
- reasonable handling of information that has been made public or lawfully made public, unless the natural person expressly refuses or the handling of such information infringes on their vital interests; and
- other acts reasonably carried out in order to safeguard the public interests or the legitimate interests of the natural person.
Article 1037 also offers some further answers to the questions posed at the beginning of the article: it implicitly expands people’s right to assert control over their PI, allowing them the rights of access, correction, deletion, and more, against any party that collects, stores, uses, or processes their PI.
While this article is just a brief rundown of some of the developments in the Civil Code, it should be clear how robust the concept of protecting PI is becoming in China. When PI collection is necessary, it is regulated by the CSL framework, as well as the Civil Code, and any violation of laws and regulations will be dealt with by the authorities with increasing strictness. In extreme cases, such as massive disclosure of PI, criminal liability might be involved.
It is also worth a final note that a new PI Security Specification will take effect on October 1, 2020, replacing the old version published in 2017. Important updates in that document include a new definition of “authorized consent”, new specifics on personal biometric information, and deeper provisions related to third-party access, which we will discuss later in another brief article.
Again, these updates serve as a bellwether of PI protection in China. We suggest that you pay close attention to rule changes and adjust your compliance programs accordingly, even if laws are still in draft form. If you have specific questions related to any of this information, our team at DaWo Law Firm is standing by.