On 28 May 2020, the National People's Congress ("NPC"), the top legislator in China, adopted the Civil Code of the People's Republic of China. The Civil Code will become effective on 1 January 2021.
The new Civil Code consolidates a number of key pieces of legislation in China, including, notably, the PRC Contract Law, the PRC General Provisions on Civil Law and the PRC Tort Law. In our four-part special TMT series, we will examine four key areas of the Civil Code most relevant to the TMT sector.
In Part 1 of the series, we will take a look at some of the new concepts introduced by the new Civil Code to protect, and regulate the processing of, personal data in China.
Where are the data protection provisions?
There are over 1,100 articles in the new Civil Code. The key provisions on data protection are mainly contained in Chapter VI (Privacy and Personal Information Protection) of Book IV (Personality Rights). There are also provisions in other chapters which relate to data protection.
1. Data processors and data processing
The new Civil Code introduces the concept of "data processor" or, to be precise, "personal information processor", which is used to describe persons who process personal information. The Civil Code also contains a new definition of "processing", which is stated to mean "the collection, storage, use, processing, transfer, provisioning, disclosing, etc. of personal information".
This definition, however, should not be confused with the definition of "data processor" commonly found in other data protection regulations, such as the GDPR. The Civil Code does not draw a distinction between "data controllers" and "data processors". When the term "personal information processor" is used in the Civil Code, this should be read to mean any entity that conducts personal information processing. All related obligations therefore will apply equally to an entity that processes personal information regardless of whether it is processing it for its own purposes or on behalf of another entity. This approach is consistent with the approach adopted in the PRC Cybersecurity Law, where the term "network operator" is used and similarly no distinction is drawn between a "data controller" and a "data processor".
2. New legal basis for processing
In China, consent is typically required in order to process personal information. The Civil Code now provides potential further legal bases for processing personal information. Article 1036 of the Civil Code sets out two additional circumstances whereby a data processor may process personal information without incurring civil liability:
(i) reasonably processing public information which has been disclosed by a natural person, and
(ii) reasonably undertaking other acts so as to safeguard public interest or lawful interest of the natural person to which the personal information relates.
These legal grounds (or exemptions) are not new as they are included in the National Standard entitled "Information Technology Security – Personal Information Security Specification" ("the PI Specification"). Their inclusion in the Civil Code nevertheless is significant given that the PI Specification as a set of recommended national standards does not have the force of law like the Civil Code. Reliance on these grounds could still present potential legal risks. The incorporation into the Civil Code provides much more legal certainty for assessing the lawfulness of a business's data processing activities. It remains to be seen how the two legal grounds will be enforced by relevant authorities.
3. Individual rights to personal information
The Civil Code sets out several individuals' rights to personal information, which are similar to those already included in the PRC Cybersecurity Law. "New" rights are introduced by the Civil Code: a natural person has rights to access and obtain a copy of his personal information from a data processor in accordance with law. The Civil Code does not provide further details on how a data processor should respond to the individual subjects' access requests.
4. Liability for the state organs and their staff in performing their duties
The Civil Code provides in Article 1,039 that state authorities and their staff are required to keep confidential personal information of natural persons uncovered in the course of fulfilling their duties. This means that they could be held liable for their illegal data processing activities, e.g. unauthorised disclosure of personal information.
5. Protection under specific circumstances
The Civil Code also introduces provisions in other chapters to address personal information protection in specific industries, e.g. credit rating agencies (Art. 1,030), healthcare institutions (Art. 1,226), etc. This also implies the legal basis for an infringed subject to seek civil remedies from the responsible parties.
In response to the fast-evolving digital dynamic, the Civil Code not only echoes the existing data protection provisions under the PRC Cybersecurity Law, but also enhances the protection of personal information by codifying the accumulated best practice and introduces new concepts into the law. As a comprehensive code for regulating civil activities, the Civil Code establishes merely an overarching framework for general privacy and personal information protection without detailing further implementing elements. The PRC Government intends that all such details will be included in the upcoming "Personal Information Protection Law" and the "Data Security Law", both of which have been included in NPC's legislative agenda for 2020. The legislative agenda released on 20 June 2020 indicates that both laws will be subject to initial examination this year. Earlier in May 2020, NPC indicated that there is already a draft Personal Information Protection Law, and the draft Data Security Law was just released on 2 July 2020.
The Civil Code therefore might have provided a glimpse of what is to come. It also remains to be seen whether some of the unsettled issues, e.g. the lack of distinction between data controllers and processors, the absence of a dedicated data protection authority, etc., would be properly addressed in the much anticipated legislation.