Privacy & Information Security Law Blog

The Civil Code of China (the “Civil Code”) was approved by the National People's Congress of China on May 28, 2020 and will take effect January 1, 2021. Part Four of the Civil Code explicitly stipulates that the “Right of Privacy” is one of the “Rights of Personality” covered therein and includes a chapter on “Privacy and Personal Information Protection,” which contains detailed provisions to protect privacy and personal information.

The Civil Code, which has caused heated discussions recently in China, will be the first Code of the People’s Republic of China since its establishment. Currently effective civil laws (including the Marriage Law, the Law of Succession, the General Rules of the Civil Law, the Adoption Law, the Guarantee Law, the Contract Law, the Property Law, the Tort Law and the General Principles of the Civil Law) will be repealed simultaneously once the Civil Code becomes effective. In total, the Civil Code has seven Parts and Supplementary Provisions.

The General Principles of the Civil Law promulgated in 1986 did not recognize the Right of Privacy as one of the “Rights of Personality.” The Tort Law promulgated in 2009 is the first law that explicitly stipulates that the right of privacy shall be protected as one of people’s civil rights, but the provisions are quite general.

Privacy

Chapter Six of Part Four of the Civil Code (“Chapter Six”) defines Privacy as “a natural person’s peace of life and the private space, private activities and private information which he/she is unwilling to let others know,” and it lists the following actions that are not allowed to be conducted by any organization or individual without consent:

• disturbing the peace of other people’s private lives through telephone, text message, instant messaging tool, email, leaflets, etc.;
• entering, shooting and peeping into other people's private space such as houses, hotel rooms, etc.;
• shooting, peeping into, eavesdropping, publicizing other people’s private activities;
• shooting, peeping at private parts of other people;
• processing private information of other people; and
• invading the right of privacy of other people in other ways.

Personal Information

As previously discussed on this blog, the Cybersecurity Law promulgated in 2017 systematically regulates the protection of personal information, and the Civil Code, jointly regulating this area, details, extends and develops the Cybersecurity Law in certain respects.

Chapter Six defines Personal Information as “all kinds of information recorded electronically or in other ways [that] independently or in combination with other information allows the identification of a natural person’s individual identity, including: natural persons' names, dates of birth, ID numbers, biologically identified personal information, addresses, telephone numbers, email addresses and whereabouts, etc.” Among these listed examples, “email addresses and whereabouts” are not included in the Cybersecurity Law.

Chapter Six sets up the principles of processing (i.e., collecting, storing, using, transmitting, providing and publicizing) people’s personal information which include legality, appropriation, and necessity, and are subject to the following:

• obtaining consent from such natural person or his/her guardian, unless otherwise provided by laws and regulations;
• publicizing the rules of processing the information;
• expressing the purpose, method and scope of processing the information; and
• no violation of laws or regulations or agreement between the two parties.

Exceptions where the information processor does not face civil liabilities also are listed in Chapter Six, including:

• the conducted action is within the scope of consent by such natural person or his/her guardian;
• reasonable processing of the information that has been publicized by such natural person or other information which has been legally publicized, unless such natural person explicitly rejects the processing or processing such information will infringe on the significant interests of such natural person;
• other actions reasonably conducted to maintain public interests or legal interests of such natural person.

Chapter Six also stipulates certain rights of the information subject and certain obligations of the information processor, and it is worth noting that it is explicitly stipulated that the governmental and statutory authorities undertaking administrative responsibilities shall maintain the confidentiality of the personal information obtained during their performance of responsibilities and shall not leak such information or illegally provide such information to others.

Chapter Six distinguishes between private and personal information but stipulates that the provisions of privacy apply to the private information within personal information.

Tort Liability

Chapter Seven of the Civil Code covers “the Tort Liabilities,” and contains several articles relating to network infringement, which may include all manner of infringement (including infringement relating to privacy or personal information). Relevant requirements and obligations of the network user and network service providers are summarized as follows:

• In case of infringement, the network user (the “obligee”) is entitled to notify the network service provider to take necessary measures such as removal, blocking, breaking links, etc., and such notice shall include preliminary proof and true identification information of the obligee (false notification that infringes others’ interests shall face liability).
• The network service provider shall, upon receipt, deliver such notice to the relevant network user (the “obligor”) and take necessary measures according to the preliminary proof and the service type. Failure to take necessary measures will lead to joint liabilities.
• Upon receipt of such notice, the obligor may submit a statement of no infringement, which shall include preliminary proof of no infringement and the true identification information of the obligor.
• The network service provider shall, upon receipt, deliver such statement to the obligee, and inform the obligee that he or she could make a report to competent authorities or file a lawsuit in court. Within a reasonable period, if the network service provider does not receive any notice that a report or lawsuit has been initiated, such network service provider shall cease the measures that have been taken with respect to the obligor.
• A network service provider who knows or should have known that an infringement exists but that does not take necessary actions, shall bear joint liabilities with the obligor.