China's top legislature, the National People’s Congress, recently enacted the PRC Civil Code (the Civil Code), which will come into force on 1 January 2021. This first-ever “codified” legislation covers a wide spectrum of rights and issues ranging from property rights, contracts, matrimonial and family law, to tort liability and personal and personal dignity rights.
In addition to the systematic codification of provisions from existing legislation, the Civil Code has also introduced new provisions and definitions on the right to privacy and the protection of personal information. Aside from the specific data privacy and cybersecurity related provisions set out in existing legislation (e.g., those provided in the PRC Cybersecurity Law, the PRC Consumer Rights Protection Law, and the Information Security Technology - Personal Information Security Specification), the Civil Code details more generally applicable provisions and introduces additional personal information protection requirements.
Further, the Civil Code provides a clearer legal basis for civil actions against broader privacy and personal information related breaches. Organizations/entities that are involved in the collection and processing of data containing personal information will, in the event of any non-compliant conduct, now face the prospect of not only potential administrative investigation and related penalties, but also the risk of civil action by affected data owners, depending on how such collection and processing is being carried out.
New privacy rights and personal information protection provisions at a glance
Provisions on privacy rights and personal information protection in the Civil Code are detailed in three parts: (i) general declaration of rights provisions, (ii) specific provisions that fall under the umbrella of personal and personal dignity rights, and (iii) standalone provisions that are issue or industry specific.
Some key takeaways
Potential dual-risks of administrative penalties plus civil liability for non-compliance
Administrative sanctions are already available under current legislation (such as the Cybersecurity Law and the Consumer Rights Protection Law) to address certain personal information related infringements, e.g., misconduct by network operators, or infringement of consumers’ rights. The Civil Code, however, will also impose potential civil liabilities for violation of privacy and personal information protection provisions going forward. For example, a claim under the Consumer Rights Protection Law requires that the data subject must be a “consumer”. A civil liability claim under the Civil Code will now be expanded to cover a wide category of infringements regardless of the data subject’s designated standing.
Such civil liabilities will depend on the nature and seriousness of the infringement and any financial consequences that result from it. They include a requirement to cease any infringement, to make official apologies, and to pay compensation to the victim.
Grounds for exemption of liability introduced for the first time
The Civil Code has introduced three general grounds for the exemption of liability (Article 1036) for anyone/party that handles/processes another party’s personal information:
- The conduct in question is within the consent of the data owner or that person’s guardian (such as in the case of children).
- The reasonable handling/processing of that person’s information which that person has publicly disclosed or that has been lawfully disclosed, except where that person explicitly refuses the handling/processing of such information or where the handling/processing of such information would be contrary to his/her vital interests.
- Other acts reasonably carried out to safeguard public interests or that person’s legitimate rights and interests.
Information security obligations emphasized
Article 1038 of the Civil Code imposes information security obligations on parties responsible for handling/processing the relevant personal information. It requires that “the [information] processor shall take technical and other necessary measures to ensure that the personal information it collects and stores are secure, preventing them from being leaked, being tampered or prevent their loss...”. The Civil Code does not detail what such “technical and other necessary measures” should be. For now, companies which handle and process personal information should seek guidance from existing provisions under the Cybersecurity Law (and related rules).
It is worth noting that the National People's Congress also mentioned in its working report that the next step in China’s reform of personal privacy and data protection legislation is to enact a personal information protection law and also a data security law. It is therefore anticipated that these privacy and personal information protection provisions in the Civil Code will in the future form an important part of an overall privacy and data protection regime. Further, guidance on how these provisions in the Civil Code will work in practice, in the form of implementation rules and judicial interpretations, is likely to follow sooner rather than later.
To discuss any questions or what this could mean for your organization, please contact the authors.