I believe that most people have received a variety of sales and fraud calls, and these calls usually accurately state your name, work unit, and sometimes even home address. We often suspect that our personal information is known and used by strangers, and how to protect personal information effectively has become an issue in daily life.

On May 14th, 2020, the Commission of Legislative Affairs of the National People's Congress said that the "Personal Information Protection Law" (the "PI Law") is being studied and drafted. At present, the draft has been formed and has been included in the legal cases that the NPC Standing Committee will continue to review in 2020.

Let us walk you through the main legislation on personal information protection in China.

The "Cyber Security Law", formally implemented in 2017, has made systematic provisions on network information security.

First of all, the major network operators hold a large number of users' personal information, which must be properly kept, and they must establish a strict information confidentiality system.

Secondly, network operators must follow the principle of necessity, that is, they must not collect personal information irrelevant to the services they provide.

Moreover, the collection and use of the user's personal information must be based on the user's consent, and the personal information collected must not be disclosed, tampered with or damaged.

Network operators and network product or service providers who violate the relevant laws and regulations will be ordered to make corrections, warned according to the seriousness of the circumstances, have their illegal income confiscated, or face a maximum fine of less than one million yuan.

Article 111 of the General Provisions of the Civil Law, which was formally implemented in 2018, stipulates that the personal information of natural persons shall be protected by law. Any organization or individual that needs to obtain other people's personal information shall ensure the information security according to law, and shall not illegally collect, use, process or transmit other people's personal information, or illegally sell, provide or disclose other people's personal information. It can be seen that on the issue of personal information security, the legislative tendency toward protection in Chinese law is very clear. To this end, there are 2 GB regulations already in force tackling specific aspects of the treatment of personal information. They are:

  1. Information Security Technology, which regulates the security measures to be applied when handling personal information in networks.
  2. Security Information Guidance on Protection of Personal Information of Public and Commercial Service Information System

In addition, another GB standard is being drafted at the moment (Information Security Technology-Guidelines for Security Assessment of Data Cross-border Transfer), which will regulate in detail the transmission of personal information overseas.

It is worth mentioning that the Civil Code just passed this year has made more specific provisions on the protection of personal information.

Article 1034

Personal information of natural persons is protected by law.

Personal information is a variety of information recorded by electronic or other means, which can identify a specific natural person individually or in combination with other information, including name, date of birth, ID number, biometric information, address, telephone number, e-mail, health information, tracking information, etc.

The provisions on the right of privacy shall apply to the private information in the personal information; in the absence of such provisions, the provisions on the protection of personal information shall apply.

We have noticed that compared with the definition of personal information in the network security law, the Civil Code has added "health information", which may be related to this year's epidemic situation, and the protection of personal information in public health emergencies has gradually attracted attention.

Meanwhile, the third paragraph of this article clearly stipulates that "the provisions on the right of privacy shall apply to the private information in personal information", which means that the right to personal information is not equal to the right of privacy, and only the part defined as private information is subject to the provisions on the right of privacy.

According to the Civil Code, the definition of privacy usually focuses on "private space, private activities and private information that are not willing to be known to others", while "unwilling to be known to others" will be identified according to specific cases in practice.

Article 1035

The processing of personal information shall follow the principles of legality, legitimacy and necessity, and shall not be excessively processed, and the following conditions shall be met:

  1. Obtain the consent of the natural person or his guardian, except as otherwise provided by laws and administrative regulations.
  2. Rules for public processing of information.
  3. Express the purpose, method and scope of information processing.
  4. No violation of the laws and regulations of both parties.

The processing of personal information includes the collection, storage, use, processing, transmission, provision and disclosure of personal information.

Similar content is also stipulated in the network security law, but that law only regulates network operators, while the Civil Code does not specify the subject of regulation, which shows that the Civil Code has expanded the range of subjects regulated when processing personal information.

Article 1036

In case of any of the following circumstances when processing personal information, the actor shall not bear civil liability:

  1. Acts reasonably carried out within the scope agreed by the natural person or his guardian.
  2. Reasonable handling of information disclosed by the natural person or other legally disclosed information, except where the natural person explicitly refuses or the processing of the information infringes on his or her major interests.
  3. Other acts reasonably carried out in order to safeguard public interests or the legitimate rights and interests of the natural person.

This article provides exemptions from liability for processing personal information, but it does not specify the circumstances in which it applies. We hope there will be a clearer judicial interpretation of it.

Article 1037

A natural person may consult or copy his/her personal information from the information processor according to law; if he/she discovers that the information is wrong, he/she has the right to raise objection and request necessary measures such as correction to be taken in time.

If a natural person discovers that the information processor has handled his/her personal information in violation of the provisions of laws, administrative regulations or the agreement of both parties, he/she has the right to request the information processor to delete his/her personal information in a timely manner.

In addition to the right of correction and deletion specified in the network security law, the article also specifies that natural persons have the right to query or copy their personal information.

Article 1038

The information processor shall not disclose or tamper with the personal information it collects and stores; it shall not illegally provide a natural person's personal information to others without that person's consent, except for information that cannot identify specific individuals after processing and cannot be recovered.

The information processor shall take technical measures and other necessary measures to ensure the safety of the personal information it collects and stores, and prevent the information from being disclosed, tampered with or lost; if the disclosure, alteration or loss of personal information occurs or is likely to occur, it shall take remedial measures in a timely manner, inform the natural person in accordance with the provisions and report to the relevant competent department.

Article 1039

State organs, statutory bodies with administrative functions and their staff members shall keep confidential the privacy and personal information of natural persons known in the course of performing their duties, and shall not disclose or illegally provide them to others.

Generally speaking, it is easier for state organs and their staff, such as bank staff, to collect personal information because of the convenience of their positions.

Although it is generally considered necessary and safe for the above personnel to collect personal information, it is undeniable that in practice, it is common for the staff of state organs to divulge the collected personal data and seek illegal interests by taking advantage of their positions. This article only stipulates the obligations of the above-mentioned personnel, but does not specify the corresponding responsibilities for violation of the provisions of this article.

Due to the particularity of their identity, it is still questionable whether the corresponding responsibility should be regulated by the Civil Code.

The provisions on the protection of personal information in the Civil Code are mostly principled and abstract. In practice, we can refer to GB/T 35273-2017, the "Personal Information Security Specification for Information Security Technology" issued in 2017, which has more specific provisions on the collection, storage, use, processing, transfer and public disclosure of personal information, as well as on the responsible departments and personnel.

At the same time, we wait for the Personal Information Protection Law to be released soon!

The article was originally published on HFG Law&Intellectual Property website: http://www.hfgip.com/news/legal-trend-personal-information-protection

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.