China Economic Bulletin | No. 20 (15 August 2022)
Recent Developments of Data Governance in China and Implications for Foreign Investment – Part 2 of 4
Authors: Jasper Habicht, Isabeau Höhn, Jessica Köhler
Protection of Personal Information in China: Towards a Rival to European Standards?
Early developments: Privacy as predecessor of protection of personal information
The protection of personal information in the People’s Republic of China was only codified as a personal right with the revisions of civil law over recent years. Prior to that codification, personal data protection rested on a combination of criminal law norms, which by their nature covered only certain severe cases, and provisions on privacy that protected an individual against the abuse of personal data primarily where the individual had suffered damage (Habicht 2013). Only very recently has the protection of personal data evolved into a comprehensive right that effectively protects the individual against the actions of other actors, such as third parties or even state actors.
Until 2017, when the Cybersecurity Law entered into force, the protection of personal data was not codified in a coherent way. From 2009, the Chinese Criminal Law punished, in severe cases, the illegal provision or acquisition of personal data by employees of state authorities as well as of financial, telecommunications, transport, educational, and medical institutions (Criminal Law: art. 253a). The Chinese Tort Liability Law of 2009 defined the right to privacy as ranking equally with the right to one’s name and other similar personal rights, which are protected against abuse by other individuals, enterprises, or organisations. Internet users and internet service providers who infringe upon the rights of others bear legal responsibility according to the Tort Liability Law. Other norms and administrative measures existed that aimed to protect personal data in the context of the internet, mostly focusing on providers of internet or other data-driven services.
While a rudimentary framework for the protection of personal data has thus existed in China since at least 2009, several mechanisms were missing, such as the requirement to obtain the consent of the affected person before processing personal data, or the right of the person concerned to be informed about the data stored and to have it corrected. Furthermore, the protection of personal data was covered by inconsistent legal concepts: on the one hand, the “protection of personal data” existed only within the narrow scope of criminal law; on the other hand, the “right to privacy” in the context of civil law would primarily protect the individual from damages that resulted from abuse of their personal data.
The Cybersecurity Law: Data security as a proxy for the protection of personal data
The Cybersecurity Law of 2017 set up a new basic framework for the protection of personal data that regulates the processing of such data by individuals, enterprises, and organisations, but also by state agencies. It detaches the concept of “protection of personal data” from the narrow scope of criminal law by defining relatively minor infringements as punishable administrative offences. In addition, the law introduced a comparatively broad definition of “personal data” that comprises “all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity” (Cybersecurity Law: art. 76(1)v). This means that not only singular data directly related to a natural person, such as names, birth dates, identification numbers, or biometric data, is covered by this definition, but also data that can be used for identification in combination with other data.
While a considerable part of its rules deals with the protection of personal data, the Cybersecurity Law in general aims to establish a basic framework for data security, which in part is also applicable to the processing of personal data. The law, for example, requires enhanced security measures for critical information infrastructures, whose scope is to be defined in other regulations. It requires network operators to establish measures that meet the codified security requirements. Virtually every system that consists of two or more computers or other devices that process data and between which information is transmitted can be regarded as a data network according to the definition of the law (Cybersecurity Law: art. 76(1)i). In this regard, the law covers a wide range of applications. Network operators are understood as owners or administrators of these networks or providers of network services (Cybersecurity Law: art. 76(1)i). Due to the broad definition of the term “network”, the definition of network operators covers not only internet service providers and telecommunication enterprises, which hence need to abide by the regulations codified in the law, but also financial institutions, providers of cybersecurity products, and network service providers. Network operators are responsible for compliance with the legally defined security requirements and are subject to sanctions in the event of violations. They are required to implement measures and organisational structures to ensure the security of data within the network and to prevent theft or destruction of data through cybercrime, and they shall ensure the availability and confidentiality of data via backups and encryption (Cybersecurity Law: art. 21). Summing up, the Cybersecurity Law defines a quite rigid framework to protect digitally processed data in general, which also needs to be taken into account when dealing with personal data.
The Cybersecurity Law, however, also includes regulations specifically aimed at protecting personal data. According to these provisions, the collection of personal data is only allowed if individuals are informed about this collection and agree to it (Cybersecurity Law: art. 41). The disclosure as well as the illegal acquisition of personal data is punishable by law (Cybersecurity Law: art. 64). The Cybersecurity Law does not mention a right to information about the stored data, and individuals only explicitly have the right to request deletion of their data where the network operator has violated the regulations of the law (Cybersecurity Law: art. 43). A novelty in the processing of personal information introduced by the Cybersecurity Law is that personal data and other important data collected or generated within the jurisdiction of the People’s Republic of China must be stored domestically (Cybersecurity Law: art. 37). While this is very similar to the provisions of the European General Data Protection Regulation (GDPR) that only allow transfers to countries outside the EU when certain criteria are met, such provisions may pose a challenge for companies that operate internationally (KPMG Advisory (China) Limited 2017).
The Civil Code and the Personal Information Protection Law: Towards a right to informational self-determination?
With the introduction of the Civil Code in 2020, a number of older laws, such as the Tort Liability Law, ceased to be in effect. Instead, most of the regulations codified in these laws were taken over into the first comprehensive normative document of civil law in the People’s Republic. The Civil Code for the first time explicitly protects a natural person’s personal information and prohibits the illegal processing of such data. The new law devotes a whole chapter to the right of privacy and the protection of personal information (Civil Code: chapter VI (artt. 1032–9)), where a broad definition of personal information, similar to that of the Cybersecurity Law, is given along with the right of a natural person to receive information about their personal information that is being processed, to request the correction of this data, and even to request deletion if the processing is in breach of agreement or illegal. The Civil Code states that state organs are required to process personal information confidentially and exclusively within the scope of their responsibilities (Civil Code: art. 1039). The regulations introduced in 2020 for the first time set the basis for a comprehensive legal framework for the protection of personal data that covers not only criminally relevant cases or cases where the individual has suffered damage. The regulations regarding the protection of personal data in the Civil Code mark a shift from the principle of privacy as the underlying norm for protecting personal information towards the concept of informational self-determination, also known in German and European law, which focuses on the right of an individual to decide about and control their data. However, it needs to be highlighted that the law does not explicitly formulate a right to informational self-determination and, in contrast to German law, such a right is not derived from the constitution. It is still quite possible that courts in the future will acknowledge that the protection of personal data is as important as the right to privacy.
In August 2021, the Personal Information Protection Law was passed, which entered into force in November 2021. The law is the first comprehensive legal framework covering the protection of personal data in China. It again embraces the legal approach that acknowledges the individual’s right to control the use of their data and shares a lot of similarities with the European GDPR. It also defines its application to data processed outside of China in cases where individuals in China are targeted (Personal Information Protection Law: art. 3(2)ii) and requires risk-specific compliance measures to be applied (Personal Information Protection Law: art. 55). The new law further distinguishes between normal and sensitive personal data, again similar to the GDPR, stating that biometrics, religious or medical information, or data regarding minors has to be treated with special scrutiny (Personal Information Protection Law: art. 28). Finally, the law introduces a consent-first approach, where individuals need to explicitly agree to the processing of their data of their own free will, except in certain strictly defined cases (Personal Information Protection Law: art. 13). Entities that disregard individuals’ rights when processing personal data, for example by rejecting an individual’s claim to delete or correct their personal information, can be sued in a court in China (Personal Information Protection Law: art. 50). Almost at the same time, the Data Security Law was passed, which sets up a legal framework for the protection of data in general, not only in electronic form, but also in non-electronic form (Data Security Law: art. 3(1)). Apart from defining the duties of the state to implement measures for data security, as well as the duty of data processing entities to regularly perform risk assessments and to enhance data security measures, the law also defines data handling to include activities such as collecting, storing, using, processing, transmitting, or providing data (Data Security Law: art. 3(2)).
Implications of the latest legal revisions for cross-border activities
Especially for enterprises that work cross-border, the processing of data within China or of data of Chinese nationals may pose a new challenge, since multiple data protection regimes with possibly colliding regulations have to be taken into account. Further, since the scope of China’s new law includes the processing of data of Chinese nationals abroad, companies must assess the risk of being reported by a Chinese national or authority, or even of becoming involved in legal proceedings in China. On the other hand, since most provisions of the Chinese Personal Information Protection Law are very similar to the regulations codified in the European GDPR, enterprises that adhere to the European regulations may not be confronted with too high a challenge in additionally conforming with the new Chinese data protection regime.
As has been shown, the protection of personal information in China evolved primarily through several steps taken by the legislators. First, not only crimes related to personal data or cases where the individual concerned has suffered damage, but also relatively minor breaches of data protection, regardless of their direct effect on a particular individual, have become punishable. Second, the scope of application has been broadened in a number of relevant definitions of data or of environments where data processing takes place. Third, by giving the person concerned more sovereignty over their data, the protection of personal data has been aligned with that regulated in other international standards, such as the GDPR. In fact, official sources point to the fact that the Chinese Personal Information Protection Law has been influenced, at least to a certain extent, by the norms regulated in the GDPR and other international standards related to the protection of personal data (Liu 2020). The aim to “promote mutual recognition of rules and standards for the protection of personal information with other countries, regions and international organisations” has even been codified in the law (Personal Information Protection Law: art. 12), which shows China’s eagerness not to develop a competing system of data protection, but rather a compatible framework that should facilitate the international transfer of personal data. While the enactment of the Personal Information Protection Law surely is an important step towards a unified framework including not only basic rules for the processing of personal data, but also for the implementation of security measures for data processing, implementation rules with detailed norms regarding the enforcement of legal provisions are still needed.
Only the future can show how the new regulations on data protection will be implemented in practice, how strictly the supervisory authorities will act, and whether the rights granted to persons concerned suffice to mitigate the power of single entities that own large collections of data vis-à-vis a single individual. While the new Personal Information Protection Law provides a comprehensive framework regarding the protection of personal information and the recently introduced Civil Code establishes the concept of personal information protection, this concept is not derived from constitutional rights as it is, for example, in German law, and the current legal framework cannot effectively protect against state intervention. It is therefore highly questionable whether the Chinese data protection scheme will be regarded as providing an adequate level of data protection by the European Commission in the near future. Still, it is an important step towards the international harmonisation of data protection standards.
- Civil Code of the People’s Republic of China [中华人民共和国民法典], adopted on 28 May 2020 (Civil Code).
- Criminal Law of the People’s Republic of China [中华人民共和国刑法], adopted on 1 July 1979, revised on 14 March 1997, last amended on 28 February 2009 (Criminal Law).
- Cybersecurity Law of the People’s Republic of China [中华人民共和国网络安全法], adopted on 7 November 2016 (Cybersecurity Law) (English translation at https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/, last visited on 18 October 2021).
- Data Security Law of the People’s Republic of China [中华人民共和国数据安全法], adopted on 10 June 2021 (Data Security Law).
- Habicht, Jasper (2013): “Datenschutz im Cloud-Computing nach chinesischem Recht”, Zeitschrift für Chinesisches Recht 20(4), pp. 303 ff.
- KPMG Advisory (China) Limited (2017): “Overview of China’s Cybersecurity Law” (online at https://assets.kpmg/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf, last visited on 20 October 2021).
- Liu Junchen [刘俊臣] (2020): “Explanation on the Law of the People’s Republic of China on the Protection of Personal Information (Draft) – at the 22nd Meeting of the Standing Committee of the 13th National People's Congress on 13 October 2020 [关于《中华人民共和国个人信息保护法（草案）》的说明——2020年10月13日在第十三届全国人民代表大会常务委员会第二十二次会议上]” (online at http://www.npc.gov.cn/npc/c30834/202108/fbc9ba044c2449c9bc6b6317b94694be.shtml, last visited on 10 January 2022).
- Personal Information Protection Law of the People’s Republic of China [中华人民共和国个人信息保护法], adopted on 20 August 2021 (Personal Information Protection Law).
- Tort Liability Law of the People’s Republic of China [中华人民共和国侵权责任法], adopted on 26 December 2009 (Tort Liability Law).