On Nov. 7, China's National People's Congress Standing Committee enacted its Cybersecurity Law, which will come into force June 1, 2017. With its official promulgation, China's data protection legislation is entering a new stage.

In the past three months, data protection has become a nationwide concern in China. A teenager died of a heart attack two days after the money her relatives had saved for her university education was stolen in a precisely targeted telecom fraud, and the Chinese media has reported many similar tragedies recently. Under public pressure, China's Ministry of Public Security issued a nationwide arrest warrant to bring the suspects in quickly. The Supreme People's Court, the Supreme People's Procuratorate, the Ministry of Public Security, the Ministry of Industry and Information Technology and other departments jointly issued a notice on preventing and combating telecommunications network fraud. However, the root cause of such fraud is widely recognized to be the weak protection of personal information, which enables its illegal resale.

Against this background, beginning Oct. 31 China's legislature has made significant progress on personal information protection. Specifically, the General Principles of Civil Law (draft) and the Cybersecurity Law, both deliberated by the NPC Standing Committee, contain provisions on the protection of personal information.

New civil rights — personal information rights

For the first time, the right to personal information is defined as a basic civil right in the "General Principles of Civil Law (draft)," which sets out the basic principles governing civil activities. The draft separates "personal information rights" from privacy rights and provides that "The personal information of natural persons is protected by law, and no organization or individual may illegally collect, use, process or transmit personal information, or illegally provide, disclose or sell personal information." With this innovation, the legislature treats the right to personal information as an important civil right in the modern information society. Protecting personal information has practical significance both for shielding citizens' personal dignity from unlawful intrusion and for maintaining normal social order.

If the draft comes into force, personal information protection will become a matter of civil rights, giving individuals a civil-law basis to resist the abuse or misuse of their information.

New provisions on personal information protection

In the Cybersecurity Law, the "Network Information Security" chapter sets out specific new requirements for personal information protection in the following areas:

  • User information protection system – (Article 40) “Network operators shall establish and complete user information protection systems, and strictly preserve the secrecy of user information they collect.”
  • The principles and requirements on personal information collection and processing – (Article 41) “Network operators collecting and using personal information shall abide by principles of legality, propriety and necessity, explicitly stating the purposes, means and scope for collecting or using information, and obtaining the consent of the person whose data is gathered.

Network operators must not gather personal information unrelated to the services they provide; must not violate the provisions of laws, administrative regulations or bilateral agreements to gather or use personal information; and shall follow the provisions of laws, administrative regulations or agreements with users to process personal information they have saved.”

  • The liability of network operators for protecting personal information – (Article 42) "Network operators must not disclose, distort or damage personal information they collect; without the agreement of the person whose information is collected, personal information may not be provided to others, except where it has been processed in such a manner that it is impossible to identify a particular individual and the information cannot be recovered.

Network operators shall adopt technological and other necessary measures to ensure the security of personal information they collect, and prevent information leaks, damage or loss. Where a situation of information leakage, damage or loss occurs, or might occur, they shall promptly take remedial measures, timely notify users and report the matter to the competent departments according to regulations.” 

  • Rights of the data subject – (Article 43) "Where an individual discovers network operators have violated the provisions of laws, administrative regulations or bilateral agreements in collecting or using their personal information, they have the right to request the network operators to delete their personal information; where discovering that personal information gathered or stored by network operators contains errors, they have the right to request the network operators to make corrections. Network operators shall adopt measures for deletion or correction."
  • Prohibition of illegally acquiring, selling or providing personal information to others – (Article 44) "Individuals or organizations must not steal or use other illegal means to acquire personal information, and must not sell or unlawfully provide others with citizens' personal information."

By introducing the General Principles of Civil Law (draft) and the Cybersecurity Law in the area of personal information protection, China has moved into line with existing international standards and with U.S. and European personal information protection legislation. The two laws directly reflect the Organization for Economic Cooperation and Development and Asia-Pacific Economic Cooperation privacy frameworks and the basic principles of the EU General Data Protection Regulation.

Cybersecurity Law covers most basic principles of EU GDPR

The basic principles of the GDPR on personal information protection are reflected in the Network Information Security chapter of the Cybersecurity Law.

  • The principle of accountability is reflected in Article 40: Network operators shall establish and complete user information protection systems and strictly preserve the secrecy of user information they collect.
  • The principles of lawfulness, fairness and transparency are reflected in Article 41: Network operators collecting and using personal information shall abide by principles of legality, propriety and necessity, explicitly stating the purposes, means and scope for collecting or using information, and obtaining the consent of the person whose data is gathered.
  • The principles of purpose limitation and data minimization are reflected in the second paragraph of Article 41: Network operators must not gather personal information unrelated to the services they provide; must not violate the provisions of laws, administrative regulations or bilateral agreements to gather or use personal information; and shall follow the provisions of laws, administrative regulations or agreements with users to process personal information they have saved.
  • A mandatory data breach notification requirement is introduced for the first time in Article 42: Where a situation of information leakage, damage or loss occurs, or might occur, network operators shall promptly take remedial measures, notify users and report the matter to the competent departments according to regulations.
  • Particular emphasis is placed on the rights of the data subject in Article 43: Where an individual discovers network operators have violated the provisions of laws, administrative regulations or bilateral agreements in collecting or using their personal information, they have the right to request the network operators to delete their personal information; where discovering that personal information gathered or stored by network operators contains errors, they have the right to request the network operators to make corrections. Network operators shall adopt measures for deletion or correction.

The Cybersecurity Law has been officially promulgated, and the General Principles of Civil Law is forthcoming. Both laws will play significant roles in the development of cybersecurity governance and the rule of law in China, especially for privacy protection, cross-border data transfer and personal information protection, and will lay a solid legal foundation for China's future work in this area. Of course, given their nature as basic laws in their respective fields, these two laws express the legislature's value judgments and set the basic direction of personal information protection rather than detailed implementing rules.
