The Civil Code Offers Strong New Data Protection Rules
As a codified piece of legislation, the comprehensive Civil Code provides clear-cut guidance concerning what constitutes an infringement of personal information.
The Civil Code is a landmark piece of legislation in the history of China. For the first time, the Civil Code enshrines the right to the protection of personal information. Although existing legislation, such as the Consumer Rights Protection Law and the Cybersecurity Law, refers to personal information protection, it is the Civil Code that has systematically codified the provisions on personal information protection from all these laws. Moreover, the Civil Code has also introduced new provisions on the protection of personal information.
For example, by offering a broad definition of personal information, the Civil Code extends protection to a wide range of personal and private data, such as a person’s name, date of birth, ID number, biometric information, address, telephone number, email address, health information and location. The Civil Code also lays down the principles for protecting personal information. Such strong protection of personal information can only be found in a few countries.
European countries boast of leading in the protection of personal information, and the General Data Protection Regulation (GDPR) is often viewed as an example of the first set of comprehensive rules for the protection of personal data. While the implications of the GDPR are still being assessed, a probe into the Civil Code provisions concerning the protection of personal information interestingly reveals certain traits of the EU GDPR in the Chinese legislation.
The relevant provision is comparable to the GDPR in terms of the scope of personal information entitled to legal protection and the standard of protection available. Indeed, in a time of globalization, the legal systems of various countries and regions are interacting. With the enactment of the Civil Code, a state-of-the-art regime for the protection of personal information has been officially introduced into the Chinese legal system.
As a codified piece of legislation, the comprehensive Civil Code provides clear-cut guidance concerning what constitutes an infringement of personal information. For example, according to Article 1030 and Article 1226, one can easily and accurately identify whether a certain act by a credit agency or a medical institution constitutes non-compliance with the rules for the protection of personal information.
After the Civil Code comes into force, businesses like online operators will have to pay closer attention to the protection of personal information. In daily life and in economic activities such as signing an electronic contract or disposing of virtual assets, personal information is inevitably processed. According to the Civil Code, businesses or internet service providers shall obtain the consent of an individual or his or her guardian before processing personal information. They shall keep the personal information they have collected and stored confidential and unaltered; they must not provide personal information illegally to a third party; they shall take technological or other necessary measures to ensure the security of personal information; and if a data breach occurs, remedial measures shall be taken, such as notifying individuals and reporting to the regulator.
If they fail to do so, they will be held liable for the infringement of personal information. Under the Civil Code, non-compliance may result in the dual risk of civil liability and administrative penalties. The penalties range from stopping further infringement, paying damages and offering an apology, to revocation of the business license, depending on the nature and seriousness of the infringement and any financial consequences that result from it.
Professor Kong Qingjiang is dean of the School of International Law, China University of Political Science and Law.