Language

A Chinese Data Privacy Law with Strong Influences from the EU


A Chinese Data Privacy Law with Strong Influences from the EU-China Releases the Draft on Its First Uniform Personal Information Protection Law


Authored by Yingying Zhu


The world has witnessed a torrent of lawmaking, regulatory design and enforcement activities regarding data privacy following the enactment of the General Data Protection Regulation (“GDPR”) [1] of the European Union in May 2018. At present, 132 out of 194 countries had put in place legislation to secure the protection of data and privacy. [2]

 

The inadequacy of personal information protection in China has raised widespread public concerns in this big data land with 904 million netizens,[3] vulnerable to data breaches and cyber frauds. In 2016, a professor at the prestigious Tsinghua University wired more than CNY17 million to a fraud, after she received a scam call from the fraud who knew every detail about the deal of a recent sale of her real property.[4] Incidents like this have led to nationwide discussions and provoked reflection among thinkers, legal experts and law makers. 

 

At present, data protection laws, regulations and specifications in China were scattered in sectional laws, regulations and non-binding guidelines, such as the Criminal Law and its Amendment VII, the Consumer Protection Law, the Cybersecurity Law, the Personal Information Security Specification, the Civil Code, etc.

 

On October 13, 2020, after years of brewing, China releases the long-awaited and much-welcomed draft on its first dedicated personal information protection law. The draft has been submitted to the standing committee of the China's top legislature-the National People’s Congress (“NPC”) for the first review and then posted for public comments on NPC’s official website. The comment period lasts until November 19, 2020.

 

Being the first comprehensive law that emulates the GDPR, the draft Personal Information Protection Law (“draft PIPL”) has shown strong GDPR influences as well as its unique Chinese characteristics.

Definition of “Personal Information” and “Sensitive Personal Information”

The types of information considered personal under the draft PIPL include various information recorded electronically or in other forms that is relating to an identified or identifiable natural person (“data subject”), excluding the anonymized information. The processing of personal information includes activities such as the collection, storage, use, handling, transmission, provision, and disclosure of personal information.

Here, “personal information” under the draft PIPL is similar in terms of definition to “personal data” used in the GDPR as well as in its predecessor, the EU Data Protection Directive,[5] because it includes data that relate both to an “identified” or “identifiable” individual. “Identifiable” means that an individual might not currently be identified but could be identified by combining various pieces of data.[6] For example, the name of a person (in particular, a none-celebrity), is often not identified to an individual, but sometimes can easily be linked to an individual with bits of other information, such as an address, a telephone number or a place of work.

 

On a risk-based approach, the draft PIPL defines sensitive personal information (“SPI”) as personal information that once leaked or illegally used may lead to discriminatory treatment or could seriously endanger the safety of persons or property, including information such as one’s race, ethnicity, religious beliefs, personal biological characteristics, medical health, financial accounts, personal whereabouts and so forth.[7] Only personal information processors with a specific purpose and sufficient necessity may process SPI. The draft also requires that the individuals' “independent consent” shall be obtained where processing SPI is to be based on individuals' consent and individuals shall also be informed of the necessity of processing SPI and the impact on them.

 

The draft PIPL, for the first time in China’s privacy protection legislation, specifically defines SPI. As improper disclosures of SPI can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that SPI could be specifically defined and appropriately protected.

 

One problem with the draft PIPL’s definition of SPI, however, is that it seems to ignore a certain type of SPI -a person’s private or secret life that in many defamation cases has been the subject of public online shaming. If an individual’s personal private life (usually unpleasant, eccentric or immoral) was posted on some popular online platforms due to mishandling of that individual’s personal information, and the news goes viral, the victim in many cases would suffer spiritually from attacks of cyber-mobs and internet violence. The suffering can be nothing financial but only emotional. Here, the risk-based definition of SPI in the draft PIPL only covers risks in the form of “discriminatory treatment” or “endangering safety of persons or property”, but leaving out the harm caused to personal reputation and psychological health, which, in many cases, could be the only resulted harm in violation of SPI. The draft PIPL obviously did not give enough consideration to such type of possible harm in its current definition of SPI.

 

Under the GDPR, processing of personal data of a sensitive nature shall be prohibited, unless some stricter preconditions could be met. Such data are classified under the label of SPI[8] and sensitive data are clearly listed by its definition.

 

Though differ in defining, the draft PIPL converges with the GDPR in that both recognize SPI is belonging to a specific category of information that must be treated with extra safeguarding.

Rights of Individuals

Under the draft PIPL, individuals enjoy the right to know and make decisions about the processing of their personal information, and have the right to limit or refuse the processing of their personal information by others, except otherwise provided by laws and administrative regulations

Specifically, individuals enjoy the following rights:

1)    Right to access:[9] the data subject may consult or reproduce his personal information from the information processor;

2)    Right to rectification: upon discovery of any error in the information, the data subject has the right to raise an objection and to request to have a timely correction;

3)    Right to be forgotten: if the handling of personal information is in violation of law, or any prior agreement, or the purposes of processing have been realized, or an individual has withdrawn the consent, the data subject has the right to request a timely erasure. If, however, the retention period prescribed by law has not been completed, or deletion of personal information is technically difficult to achieve, the personal information processor shall stop the processing;

4)    Right to be informed: individuals have the right to be informed about rules concerning the processing of their personal information;

5)    Right to refuse automated decision-making: where an individual believes that automated decision-making has a significant impact on one’s rights and interests, one has the right to request an explanation from the personal information processor and has the right to refuse automated individual decision-making.

Under the draft PIPL, individuals have a broader scope of rights than previous laws in the same sector and it brings China’s protection on privacy even closer to the GDPR standards.[10] It is however interesting to note the “right to data portability”[11] under the GDPR has not been transplanted to its Chinese counterpart. As the right to data portability does not apply to genuinely anonymous data but only to pseudonymous data that can clearly be linked back to a data subject, maybe the notions of cyber- sovereignty and network security with a distinguishable Chinese feature could account for the missing of such right in the Chinese context..

Principles and Conditions for Data Processing

Under the draft PIPL, the general principles for data collection are: data shall be collected lawfully and justifiably, openly and transparently, accurately and kept up-to-date and data collection shall have clear and reasonable purposes and be limited to the minimum scope to achieve such purposes of processing. The data processing activities shall meet the following conditions:

(1) With the consent of the individual;

 

(2) It is necessary for entering into or performing a contract to which the individual is a party;

 

(3) It is necessary for performing of legally-binding duties or obligations;

 

(4) It is necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property under an emergency;

 

(5) It is within a reasonable range in order to carry out acts such as news reporting and public opinion overseeing in the public interest; or

 

Other circumstances warranted by laws or administrative regulations.

 

The GDPR provides six legal bases for processing personal data, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests pursued by the controller or by a third party.[12] The draft PIPL sets out the above five specific legal bases for processing personal data, which are comparable to the first five legal bases of the GDPR while chipping away the last one concerning “legitimate interests pursued by the controller or by a third party”, on the possible account that it would have the potential of giving too much discretion to the information processor and therefore dilute the value of all the other legal bases.

 

Under the draft PIPL, consent, albeit the most well-known one, is just one of the legal bases a business can rely on to justify the proceeding of individuals’ personal data. Furthermore, for consent to be valid, it must be freely-given, unambiguous and explicit, informed and withdrawable. Consent is not freely-given if individuals have no other meaningful options but to give out their consent. This means businesses shall not create an opt-in-or-leave-it situation when seeking people’s consent. Individuals need to maintain the ability to decline and shall be free from discrimination when they opt out. The draft PIPL also specifies that if there are changes to the purposes or methods for processing information, or to the type of personal information to be processed, the individual's consent shall be re-obtained.

 

Extraterritorial Applicability

 

The GDPR has an extraterritorial scope, because it may apply to businesses established outside the European Union when they offer goods or services to data subjects in the European Union or monitor their behavior when it takes place in the European Union.[13]

 

Modeling on the GDPR’s approach towards extraterritorial application, Article 3 of the draft PIPL expands the law’s territorial scope to data processing activities outside China. Any data processing activities that process personal data within P.R. China, if meeting any of the following conditions, will fall under the territorial scope of the Chinese data protection law:

 

(1) for the purpose of providing products or services to natural persons within the territory;

 

(2) to analyze and evaluate the conduct of natural persons in the territory; or

 

(3) other circumstances provided for by laws and administrative regulations.

 

If this clause remains intact in the final legal text, it means that the Chinese privacy rules now can also apply to data processing activities outside China. The consequence of this expansion is that non-Chinese data controllers and processors must comply with the Chinese data protection obligations when processing data on individuals in China for the above-listed purposes.

Obligations of Personal Information Processor

Under the draft PIPL, the personal information processor, the one who collects, stores, uses, handles, transmits, provides, and discloses personal information, shall have the following obligations:

(1) take necessary measures to ensure the legal compliance of personal information processing activities and prevent unauthorized access, disclosure or theft, tampering, and deletion of personal information;

(2) while processing personal information at certain volume, shall designate a person in charge to be responsible for overseeing personal information processing activities and any protection measures taken;

(3) if processing Chinese individuals’ personal information outside China as provided in Article 3 of the Law shall establish a point of contact within China;

(4) shall conduct periodic audits and risk assessments in advance for certain categories of personal information processing activities;

(5) where there is incident of personal information leakage, shall immediately take remedial measures and notify the supervisory authorities.

Once a data breach occurs, the GDPR requires data controllers to notify supervisory authorities of a security breach within 72 hours after it has been aware of it.[14] Furthermore, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.[15]

In comparison, the draft PIPL is not specific about the timeframe for notification to the supervisory authorities and where personal information processors take measures that can effectively avoid the harm caused by the information leakage, the personal information processors are allowed to not notify the individuals.

Liabilities and Penalties

Violations of the draft PIPL may be subject to a fine of up to CNY1 million (about EUR 0.128 million); the directly responsible management and other directly responsible person may be subject to a fine of between CNY10,000 (about EUR1,283) to CNY100,000 (about EUR12,831). Serious violations of the draft PIPL can be fined up to CNY 50 million (about EUR 6.4 million) or up to 5% of the preceding year's turnover. Where there is an illegal act of data processing activities, it is to be recorded in the business’ credit files with a public announcement posted.

In comparison, under GDPR, the less severe infringements could result in a fine of up to EUR10 million, or 2% of the business’ global annual revenue in the preceding financial year, whichever is higher. For more severe infringements, GDPR sets a maximum fine of EUR 20 million or 4% of annual turnover, whichever is higher.[16]

In an age of constant, complex and sometimes intrusive technological innovation, the high penalties on noncompliance aim to have a deterrent effect on rule-breakers who are mishandling people’s data or using people’s data without adequate measures in place to safeguard them.

Conclusion

The draft PIPL, being the first dedicated law to data privacy protection in China, thus forming a unified force of enforcement, marks a milestone in the country data privacy legislation. The law shows a broader scope of application than the previous sectional laws and regulations and levels up the country’s protection on data privacy closer to the GDPR standards, a.k.a., the global standards, given the large number of countries around the world that have adopted the GDPR model. While highly converging with the EU rules, the draft PIPL demonstrates a unique Chinese characteristics thus showing a strong Chinese voice with a subtle EU accent.

The laws and regulations on data privacy are constantly evolving in China with changes still in the pipeline. We are here to help if you have any problems, issues, concerns regarding data privacy protection inside or outside China.

 



[1] The General Data Protection Regulation (EU) 2016/679.

[2] See https://unctad.org/page/data-protection-and-privacy-legislation-worldwide.

[3]See https://www.thehindu.com/news/international/chinas-netizen-population-hits-record-904-million-report/article31451143.ece.

[4] See http://www.techweb.com.cn/tele/2017-02-20/2489197.shtml.

[5] The Data Protection Directive, officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the U.S. and EU, 102 Cal. L. Rev. 886 (2014).

[7] While an official translation is not yet available, the author has referenced the source at https://www.chinalawtranslate.com/en/personal-information-protection-draft for the translation of the texts of the draft PIPL.

[8] Definition of “sensitive personal information” under the GDPR: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

[9] The subtitles are used in this article for convenience only; they are not part of the draft PIPL.

[10] Rights for individuals under the GDPR, see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights.

[11] The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/.

[12] GDPR, Article 6(1).

[13] GDPR, Article 3(2).

[14] GDPR, Article 33(1).

[15] GDPR, Article 34(1).

[16] See https://www.itgovernance.co.uk/dpa-and-gdpr-penalties.

  • 相关资讯 More
  • 点击次数: 1000006
    2024 - 04 - 14
    作者:张琳 在企业用工过程中,职工可能因工作遭受事故伤害或者患职业病。为保障职工获得医疗救治和经济补偿,促进工伤预防和职业康复,分散用人单位的工伤风险,我国制定了《工伤保险条例》,强制要求用人单位为职工缴纳工伤保险,在职工出现工伤时,由用人单位和工伤保险基金分担职工的工伤保险待遇相关费用。职工因工作遭受事故伤害的原因有多种情况,可能是由于职工自身原因、用人单位原因、用人单位其他职工的工作原因或非工作原因、与用人单位有合同关系(如买卖、运输、承包、服务关系等)的单位或其雇用人员与履行合同相关或无关的原因、与用人单位有合同关系(如劳务、分包、挂靠、服务、运输关系等)的个人与履行合同相关或无关的原因、前述单位、个人之外的第三人原因或意外事件等。当工伤事故是由于用人单位其他职工的职务行为时,用人单位既是承担工伤保险待遇的主体,同时又是承担民事侵权责任的主体,这时就发生了用人单位的工伤保险待遇责任和民事侵权责任的竞合。在此情况下,职工是只能选择某一种维权方式、可以在两种维权方式中自主决定选择其中一种、还是两种维权方式可以同时主张,对于这种情况的不同处理结果将极大影响职工和用人单位的相关权益。根据相关司法解释,如职工发生工伤事故,不能向用人单位主张民事侵权责任,只能按工伤保险相关程序要求享受工伤保险待遇;如果是用人单位以外的第三人侵权,可以向第三人主张民事侵权责任。该司法解释虽然是为了解决用人单位工伤保险待遇责任和民事侵权责任竞合问题,但本身具有比较强的原则性,在司法实践中经常产生不同的理解和适用,进而导致不同的裁判结果。笔者拟通过二个案例对此问题进行分析和梳理,以期让读者对此问题有一个更加清晰的认识和理解,并对统一和完善相关问题的解决提出自己的意见和建议。 一、案例简介  案例一:周某与黄某、北京某加工厂、王某提供劳务者致害责任纠纷(参见北京市...
  • 点击次数: 1000006
    2024 - 04 - 07
    作者:金涟伊什么是AI?根据百度百科的介绍,AI即人工智能(Artificial Intelligence),是一个以计算机科学(Computer Science)为基础,由计算机、心理学、哲学等多学科交叉融合的交叉学科、新兴学科,研究、开发用于模拟、延伸和扩展人的智能的理论、方法、技术及应用系统的一门新的技术科学,企图了解智能的实质,并生产出一种新的能以人类智能相似的方式做出反应的智能机器,该领域的研究包括机器人、语言识别、图像识别、自然语言处理和专家系统等。目前大家接触了解较多的人工智能包括百度的文心一言、openai的chatgpt等等。 “文心一言”“chatgpt” 目前网上存在大量关于如何利用人工智能提高效率的信息内容,例如利用AI进行内容整理,文稿撰写,数据分析,可高效助力新媒体创作、图片绘制、视频创作。曾经需要一个经验丰富的数码画师花费数个小时创作完成的插画,如今只需要输入一组关键词,几分钟之内就能输出一张成品图。但在享受人工智能便捷快速的“创作”成果时,我们仍要思考一个问题:利用AI创作的作品是否受著作权法保护? 对于人工智能创作作品是否受中国著作权法保护的问题,北京互联网法院通过一则判例给出了一种答案。2023年11月27日,北京互联网法院作出AI著作权首案宣判,判决认定原告享有其通过AI生成作品的著作权,并判定被告侵权。主要案情如下: 2023年2月24日,该案原告使用开源软件Stable Diffusion通过输入提示词的方式生成了图片,后将该图片以“春风送来了温柔”为名发布在小红书平台。 后原告发现,有百家号账号发布文章时配图使用了涉案图片,没有获得其许可,且截去了其在小红书平台的署名水印,为此,原告将被告告上了法庭。 原告认为,被告严重侵犯了其享有的署名权和信息网络传播权,要求其赔偿经济...
  • 点击次数: 1000004
    2024 - 03 - 29
    作者:张嘉畅《中华人民共和国广告法》对“绝对化用语”的使用有明确规定,旨在规范广告行业,保护消费者权益。商家在广告中应谨慎使用绝对化用语,避免误导消费者。然而,随着电子商务、直播平台的迅猛发展,许多商家和广告人,还是没有办法明确“绝对化用语”的标准是什么?是否任何含有“最”、“顶级”的词语都不能在营销中使用?什么样的绝对化用语有可能被使用在宣传当中,又不会被处罚?关于以上问题,希望本文能够为广告从业者带来一些解答。 “绝对化用语”是指在广告中使用的具有绝对意义或排他性的表述,如“最佳”、“最高级”、“国家级”等。这些用语往往给消费者一种产品具有绝对优势或绝对效果的印象,但实际上往往存在夸大或误导的成分,容易误导消费者,进而损害公平竞争。 《中华人民共和国广告法》第九条第三款规定,广告不得使用“国家级”、“最高级”、“最佳”等绝对化用语。这一规定旨在规范广告用语,防止商家通过夸大其词的宣传误导消费者。 例如,某公司在京东网上经营某品牌户外速干裤,在该商品的宣传页面使用 “大胆融入当下流行的撞色服饰设计元素,告别以往欧洲户外服饰设计呆板,单一,色彩单一,引领户外时尚第一品牌”宣传语。某市市监局据此对该公司作出行政处罚决定。法院认为,“第一品牌”属于与“国家级”、“最高级”、“最佳”含义类似的绝对化用语,在该公司无法提供相关证明文件的情况下,市监局的处罚决定合理合法。 由此可见,该条款极大程度上规范了广告用语。然而,因为条文表述较为模糊,在监管和执法实践中依然存在一些“一刀切”“简单化”等问题。例如,某贸易有限公司在天猫商城经营网店,其宣传女靴商品的页面上写有“特别设计的鞋跟是体现你性感的最佳利器”的广告语。某地工商行政管理局据此对该公司作出行政处罚决定。法院观点认为,上述广告词汇所针对的鞋子在大众中具有较高的认知度,因此其对市场...
  • 点击次数: 1000006
    2024 - 03 - 15
    作者:常春引言:外观设计侵权判定中的判断主体“一般消费者”的界定在理论和实践中一直有争论。例如,一些观点认为一般消费者应当局限于普通消费者群体,不应该具备专业知识。另一些观点认为一般消费者的界定应当根据产品的销售对象确定,也可能具有专业知识。近日,最高人民法院的判例在这个问题上给出了相关指引,明确了“如果产品的功能和用途决定了其只能被作为组装产品的部件使用,该组装产品的最终用户在正常使用组装产品的过程中无法观察到部件的外观设计,则一般消费者主要包括该部件的直接购买者、安装者。” 正文:外观设计,是指对产品的整体或者局部的形状、图案或者其结合以及色彩与形状、图案的结合所作出的富有美感并适于工业应用的新设计。根据司法解释的规定,判断某产品是否侵犯一项外观设计专利权时,需要引入一般消费者这样的一个判断主体,根据一般消费者的知识水平和认知能力对是否构成侵权进行判断。当然,其他司法解释还规定了在考虑一般消费者的知识水平和认知能力时,还应当考虑设计空间,但本文暂不涉及设计空间对一般消费者的知识水平和认知能力的影响。不同类别的产品的一般消费者的界定一般是不同的。相同的类别的产品的一般消费者的界定是否应该相同则存在着多种细分的情形。一般而言,只要体现外观设计的是终产品,或者虽然是终产品的部件,但在终产品中完全可见,或者虽然是终产品的部件,但该部件可以单独使用,在这些情形下,专利权人和被诉侵权人在一般消费者的界定往往不会出现较大分歧,因此一般消费者的知识水平和认知能力也可基本是可以确定的。而在此外的其他的情形中,例如外观设计专利的客体是某一终产品的一个部件,且该部件在终产品上仅部分可见,或者完全不可见时,则专利权人和被诉侵权人在一般消费者的定义上则可能存在较大分歧。原因在于,如果一般消费者针对该产品类别具有较高的知识水平和认知能力,则其可能会注意到一些细微的设计差别,而当其知识水平...
× 扫一扫,关注微信公众号
北京市铭盾律师事务所 www.mdlaw.cn
Copyright© 2008 - 2020北京市铭盾律师事务所京ICP备09063742号-1犀牛云提供企业云服务
X
1

QQ设置

3

SKYPE 设置

4

阿里旺旺设置

5

电话号码管理

6

二维码管理

展开