As the Cybersecurity Law (CSL) became effective as of 1 June 2017, the question of the definition and delimitation of personal information rose once again that we will discuss in this article to support corporate program apropos of data protection compliance in China.

As the Cybersecurity Law (CSL) became effective as of 1 June 2017, the question of the definition and delimitation of personal information rose once again. Critical for any compliance program regarding the Chinese data protection legal framework, doubt has spread through companies handling personal information regarding the terms defining personal information as well as information that could be considered as personal information, and those that became mere information from personal information, a process known as anonymization. Though Article 76.5 of the CSL defines personal information as "all kinds of information recorded by electronic or otherwise that can be used to independently identify or be combined with other information to identify natural persons," further analysis are required to grasp the full scope of personal information, a scope that spans forth the Chinese data protection legal framework and that we will discuss in this article to support corporate program apropos of data protection compliance in China.

Dissecting the notion of personal information

Foremost, the definition of personal information under Article 76.5 of the CSL must be further discussed to assess how the definition is reflected in practical matters. As such, we will divide the definition into five components that are as follows:

  • all kinds of information: Taking into account that information can take multiple forms, the law clearly states that various information can form personal information, thus not restricting personal information to true information. False information, such as a man named "Arsene" using online the fake name "Lupin", can become personal information as the law is not restricted to real information, in this occurrence the name "Arsene". Regarding the media through which personal information is transmitted, this component must be combined with the following;
  • recorded by electronic or otherwise: Though the format of transmission rarely occurs to the users, it is a major legal concern, as it must be assessed whether personal information in pictures, audio or text files, among others media, should receive identical legal protection. This element of the definition allows for personal information to be both recorded electronically (i.e., an audio file, a digital picture or any other electronic media) and physically (i.e., a picture, a notebook, a sheet of paper). This component once combined with the first one, widens the scope of personal information to any true or false information, recorded in any existing or future format.
  • that can be used to independently identify or be combined with other information: Allowing information to become personal information through coupling with other information further widens the scope of personal information. By not précising whether such combination should happen within one information set (i.e., information among the same database, notebook, picture, etc.), the law opens the definition of personal information to personal information identified through crosschecking. As such, if information coupled with other information located on various platforms can identify a natural person, such information could be considered as personal information. This concept is particularly important for anonymization and pseudomization purposes as crosschecking could potentially defeat such processing if incorrectly made, thus triggering data protection provisions on the handling of the now reconsidered personal information.
  • to identify: Core element of the definition, the information should be able to identify a legal subject as without such characteristic, information would not be considered as personal information; an element which opens the way to anonymization and pseudonimization.
  • natural persons: Final element of the definition, it restricts personal information to only one category of legal subjects, natural person, thus excluding legal persons defined in Article 36 of the General Rules on the Civil Law of the People's Republic of China (中华人民共和国民法通则), as "organization that has capacity for civil rights and capacity for civil conduct and independently enjoys civil rights and assumes civil obligations in accordance with the law."

It must be noted that those components must all be present in information for it be legally considered as personal information. Would even one component miss, such information would either be information, anonymized personal information or pseudonymized personal information to some extent, thus not falling under the scope of data protection provisions on handling personal information.

An infinity of personal information

Based on the detailed definition of personal information, we can compare it with examples given by Article 76.5 of the CSL:

  • natural persons' names
  • dates of birth
  • ID numbers
  • biometric information
  • addresses and telephone numbers
  • etc.

As expected, all of them fit into the criteria defined hereinbefore, with exception to the ending term that asserts the fact that this list is not meant to be exhaustive, only serving as an explanatory note to the reader on how the concept of personal information should be understood and applied in practice. As such to find a more exhaustive list for our analysis of the scope of personal information, we will have to delve into the newest Information security techniques – personal information security specification (the Specification) drafted by the National Committee of Information Security Standardization Technology (TC260) published for comment in December 2016. As for the current the Information Security Information Guidance on Protection of Personal Information of Public and Commercial Service Information System published on 15 November 2012 by the TC260, which is the current and anterior version of the Specification, it does not include examples of personal information, but a prior definition of personal information that served as a base for the CSL, and will as such not be further analyzed.

Meant to reform the best practices around the handling of personal information, the Specification must be understood as the main explanatory notice on what personal information is and its relevant scope. This is supported by Annex A.1 of the Specification providing examples of personal information. Though the list of example delves in greater detail than the CSL, including among other IP addresses, passwords or credit card number, what is more important is the sheer variety of personal information divided into four categories:

  • Basic personal data
  • Identity personal information
  • Biometric personal information
  • Virtual identity and authentication information

Those categories further support our analysis of the definition of personal information, allowing companies to clearly understand that any information has the potential to become personal information would it satisfy the requirement of the law. As such personal information should be always handled by companies with compliance in mind, with for end disposal of personal information, or anonymization.

From personal information to information, the rise of anonymization

One of the concerns of numerous industries, in particular the big data industry, has always been the place of anonymized personal information in the scope of personal information and the legal consequence, which is whether anonymized personal information should still be considered as personal information under the law, or if they were excluded from the data protection regime, thus waiving the personal information handling obligations set by data protection obligation for this particular set of information. While the concept of anonymized personal information is not unknown in China, it still had to be formulated prior to the CSL, leaving a doubt on the effectivity of this principle in Chinese law and how personal information should be handled to become anonymized personal information.

This doubt has been lifted by the CSL and the Specification, which for the former stipulates in Article 42 of the CSL that network operators can provide information to third parties, would such information been personal information that has been processed in such way, and cannot be recovered to its original state, that it cannot anymore identify the original subject of the personal information, thus creating a category of information that is de facto anonymized personal information. This analysis is further supported by Section 3.11 of the Specification that formally defines anonymization as the process by which personal information is processed in such way that the personal information cannot be used to identify the person and the processed information cannot be restored in its original state. Combined with the definition of personal information, one can possibly follow the CSL and the Specification to anonymize personal information in such way that it will be usable to other parties and services without infringing data protection provisions.

The matter of the definition and limitation of the scope of personal information is one of the main concerns of numerous companies as it will have a lasting impact on their handling of personal information, whether it be their collection, use, transfer or disposal of personal information, and how their business will interact with personal information. China by adopting a definition allowing for the inclusion of a wide range of information to be considered as personal information ensures a potent layer of protection for natural persons located in China. Moreover, it must also be recognized that this protection is not a rein on the development of the industry, as it is supported by provisions on anonymization that allow companies to further use personal information beyond the scope of their collection or consent agreement, as long as they went through the process of being fully anonymized.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.