A Chinese Data Privacy Law with Strong Influences from the EU: China Releases the Draft on Its First Uniform Personal Information Protection Law


Authored by Yingying Zhu


The world has witnessed a torrent of lawmaking, regulatory design and enforcement activity regarding data privacy following the enactment of the General Data Protection Regulation (“GDPR”)[1] of the European Union in May 2018. At present, 132 out of 194 countries have put in place legislation to secure the protection of data and privacy.[2]

The inadequacy of personal information protection in China has raised widespread public concern in this big-data land of 904 million netizens,[3] who remain vulnerable to data breaches and cyber fraud. In 2016, a professor at the prestigious Tsinghua University wired more than CNY 17 million to a fraudster after receiving a scam call from someone who knew every detail of a recent sale of her real property.[4] Incidents like this have led to nationwide discussion and provoked reflection among thinkers, legal experts and lawmakers.

At present, data protection laws, regulations and specifications in China are scattered across sectoral laws, regulations and non-binding guidelines, such as the Criminal Law and its Amendment VII, the Consumer Protection Law, the Cybersecurity Law, the Personal Information Security Specification and the Civil Code.

On October 13, 2020, after years of preparation, China released the long-awaited and much-welcomed draft of its first dedicated personal information protection law. The draft was submitted to the Standing Committee of China’s top legislature, the National People’s Congress (“NPC”), for its first review and then posted for public comment on the NPC’s official website. The comment period lasts until November 19, 2020.

As the first comprehensive law that emulates the GDPR, the draft Personal Information Protection Law (“draft PIPL”) shows strong GDPR influences as well as its own distinctly Chinese characteristics.

Definition of “Personal Information” and “Sensitive Personal Information”

Personal information under the draft PIPL means information of any kind, recorded electronically or in other forms, that relates to an identified or identifiable natural person (“data subject”), excluding anonymized information. The processing of personal information includes activities such as the collection, storage, use, handling, transmission, provision and disclosure of personal information.

Here, “personal information” under the draft PIPL is similar in definition to “personal data” under the GDPR and its predecessor, the EU Data Protection Directive,[5] because it covers data relating to either an “identified” or an “identifiable” individual. “Identifiable” means that an individual might not currently be identified but could be identified by combining various pieces of data.[6] For example, the name of a person (in particular, a non-celebrity) often does not by itself identify an individual, but can sometimes easily be linked to one with a few other pieces of information, such as an address, a telephone number or a place of work.

Taking a risk-based approach, the draft PIPL defines sensitive personal information (“SPI”) as personal information that, once leaked or illegally used, may lead to discriminatory treatment or could seriously endanger the safety of persons or property, including information such as race, ethnicity, religious beliefs, personal biological characteristics, medical health, financial accounts and personal whereabouts.[7] Only personal information processors with a specific purpose and sufficient necessity may process SPI. The draft also requires that, where the processing of SPI is based on consent, the individual’s “independent consent” shall be obtained, and that individuals shall be informed of the necessity of processing their SPI and of its impact on them.

The draft PIPL, for the first time in China’s privacy legislation, specifically defines SPI. As improper disclosure of SPI can cause greater harm to the image, reputation or security of an individual, it is of significant importance that SPI be specifically defined and appropriately protected.

One problem with the draft PIPL’s definition of SPI, however, is that it seems to ignore one type of SPI: a person’s private or secret life, which in many defamation cases has been the subject of public online shaming. If details of an individual’s private life (usually unpleasant, eccentric or immoral) are posted on a popular online platform because of mishandling of that individual’s personal information, and the story goes viral, the victim in many cases suffers the attacks of cyber-mobs and internet violence. The suffering may be purely emotional rather than financial. The risk-based definition of SPI in the draft PIPL covers only risks in the form of “discriminatory treatment” or “endangering the safety of persons or property”, leaving out harm to personal reputation and psychological health, which in many cases could be the only harm resulting from the misuse of SPI. The draft PIPL clearly did not give enough consideration to this type of harm in its current definition of SPI.

Under the GDPR, the processing of personal data of a sensitive nature is prohibited unless stricter preconditions are met. Such data fall under the label of SPI,[8] and the categories of sensitive data are expressly enumerated in its definition.

Though the two definitions differ, the draft PIPL converges with the GDPR in that both recognize SPI as a specific category of information that must be treated with extra safeguards.

Rights of Individuals

Under the draft PIPL, individuals enjoy the right to know and make decisions about the processing of their personal information, and have the right to limit or refuse the processing of their personal information by others, except as otherwise provided by laws and administrative regulations.

Specifically, individuals enjoy the following rights:

1) Right to access:[9] the data subject may consult or reproduce their personal information held by the information processor;

2) Right to rectification: upon discovering any error in the information, the data subject has the right to raise an objection and to request a timely correction;

3) Right to be forgotten: if the handling of personal information violates the law or a prior agreement, the purposes of processing have been achieved, or the individual has withdrawn consent, the data subject has the right to request timely erasure. If, however, the retention period prescribed by law has not yet expired, or deletion of the personal information is technically difficult to achieve, the personal information processor shall stop the processing;

4) Right to be informed: individuals have the right to be informed about the rules governing the processing of their personal information;

5) Right to refuse automated decision-making: where an individual believes that automated decision-making has a significant impact on their rights and interests, they have the right to request an explanation from the personal information processor and to refuse automated individual decision-making.

Under the draft PIPL, individuals have a broader scope of rights than under previous laws in the same sector, which brings China’s privacy protection even closer to the GDPR standards.[10] It is, however, interesting to note that the “right to data portability”[11] under the GDPR has not been transplanted into its Chinese counterpart. As the right to data portability does not apply to genuinely anonymous data but only to pseudonymous data that can clearly be linked back to a data subject, the distinctly Chinese notions of cyber-sovereignty and network security may account for the absence of that right in the Chinese context.

Principles and Conditions for Data Processing

Under the draft PIPL, the general principles for data collection are that data shall be collected lawfully and justifiably, openly and transparently, accurately and kept up to date, and that data collection shall have clear and reasonable purposes and be limited to the minimum scope needed to achieve those purposes. Data processing activities shall meet one of the following conditions:

(1) the individual has given consent;

(2) it is necessary for entering into or performing a contract to which the individual is a party;

(3) it is necessary for performing legally binding duties or obligations;

(4) it is necessary to respond to a public health incident or to protect natural persons’ lives, health or property in an emergency;

(5) it is within a reasonable range in order to carry out acts such as news reporting and public opinion supervision in the public interest; or

(6) other circumstances provided for by laws or administrative regulations.

 

The GDPR provides six legal bases for processing personal data, namely consent, contract, legal obligation, vital interests, public task, and legitimate interests pursued by the controller or by a third party.[12] The draft PIPL sets out the five specific legal bases above, which are comparable to the first five GDPR bases, while omitting the last one concerning “legitimate interests pursued by the controller or by a third party”, possibly on the ground that it would give too much discretion to the information processor and therefore dilute the value of all the other legal bases.

Under the draft PIPL, consent, albeit the best-known one, is just one of the legal bases a business can rely on to justify the processing of individuals’ personal data. Furthermore, for consent to be valid, it must be freely given, unambiguous and explicit, informed and withdrawable. Consent is not freely given if individuals have no meaningful option other than to give it. This means businesses shall not create an opt-in-or-leave situation when seeking people’s consent. Individuals must retain the ability to decline and shall be free from discrimination when they opt out. The draft PIPL also specifies that if there are changes to the purposes or methods of processing, or to the type of personal information to be processed, the individual’s consent shall be obtained anew.

Extraterritorial Applicability

The GDPR has an extraterritorial scope, because it may apply to businesses established outside the European Union when they offer goods or services to data subjects in the European Union or monitor their behavior when it takes place in the European Union.[13]

Modeled on the GDPR’s approach to extraterritorial application, Article 3 of the draft PIPL extends the law’s territorial scope to data processing activities outside China. Processing activities carried out outside China that handle the personal data of natural persons within the P.R.C. will fall within the territorial scope of the Chinese data protection law if they meet any of the following conditions:

(1) they are for the purpose of providing products or services to natural persons within the territory;

(2) they analyze or evaluate the conduct of natural persons within the territory; or

(3) other circumstances provided for by laws and administrative regulations.

If this clause remains intact in the final legal text, Chinese privacy rules can also apply to data processing activities outside China. The consequence of this expansion is that non-Chinese data controllers and processors must comply with Chinese data protection obligations when processing data on individuals in China for the purposes listed above.

Obligations of Personal Information Processor

Under the draft PIPL, the personal information processor, i.e. the party that collects, stores, uses, handles, transmits, provides or discloses personal information, has the following obligations:

(1) to take necessary measures to ensure the legal compliance of personal information processing activities and to prevent unauthorized access to, and the disclosure, theft, tampering or deletion of, personal information;

(2) when processing personal information above a certain volume, to designate a person in charge responsible for overseeing personal information processing activities and the protection measures taken;

(3) when processing Chinese individuals’ personal information outside China as provided in Article 3 of the law, to establish a point of contact within China;

(4) to conduct periodic audits, and advance risk assessments for certain categories of personal information processing activities;

(5) in the event of a personal information leak, to immediately take remedial measures and notify the supervisory authorities.

Once a data breach occurs, the GDPR requires data controllers to notify the supervisory authority of the breach within 72 hours after becoming aware of it.[14] Furthermore, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay.[15]

In comparison, the draft PIPL does not specify a timeframe for notifying the supervisory authorities, and where personal information processors take measures that can effectively avoid the harm caused by the leak, they are not required to notify the affected individuals.

Liabilities and Penalties

Violations of the draft PIPL may be subject to a fine of up to CNY 1 million (about EUR 0.128 million); directly responsible managers and other directly responsible persons may be subject to a fine of between CNY 10,000 (about EUR 1,283) and CNY 100,000 (about EUR 12,831). Serious violations of the draft PIPL can be fined up to CNY 50 million (about EUR 6.4 million) or up to 5% of the preceding year’s turnover. Illegal data processing activities are also to be recorded in the business’s credit files and publicly announced.

In comparison, under the GDPR, less severe infringements can result in a fine of up to EUR 10 million, or 2% of the business’s global annual revenue in the preceding financial year, whichever is higher. For more severe infringements, the GDPR sets a maximum fine of EUR 20 million or 4% of annual turnover, whichever is higher.[16]

In an age of constant, complex and sometimes intrusive technological innovation, the high penalties for noncompliance are meant to deter rule-breakers who mishandle people’s data or use it without adequate safeguards in place.

Conclusion

The draft PIPL, being the first law dedicated to data privacy protection in China and thus forming a unified basis for enforcement, marks a milestone in the country’s data privacy legislation. The law has a broader scope of application than the previous sectoral laws and regulations and brings the country’s protection of data privacy closer to the GDPR standards, which have become de facto global standards given the large number of countries around the world that have adopted the GDPR model. While converging strongly with the EU rules, the draft PIPL demonstrates unique Chinese characteristics, showing a strong Chinese voice with a subtle EU accent.

The laws and regulations on data privacy are constantly evolving in China, with further changes still in the pipeline. We are here to help if you have any problems, issues or concerns regarding data privacy protection inside or outside China.



[1] The General Data Protection Regulation (EU) 2016/679.

[2] See https://unctad.org/page/data-protection-and-privacy-legislation-worldwide.

[3] See https://www.thehindu.com/news/international/chinas-netizen-population-hits-record-904-million-report/article31451143.ece.

[4] See http://www.techweb.com.cn/tele/2017-02-20/2489197.shtml.

[5] The Data Protection Directive, officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the U.S. and EU, 102 Cal. L. Rev. 886 (2014).

[7] While an official translation is not yet available, the author has referenced the source at https://www.chinalawtranslate.com/en/personal-information-protection-draft for the translation of the texts of the draft PIPL.

[8] Definition of “sensitive personal information” under the GDPR: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

[9] The subtitles are used in this article for convenience only; they are not part of the draft PIPL.

[10] Rights for individuals under the GDPR, see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights.

[11] The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/.

[12] GDPR, Article 6(1).

[13] GDPR, Article 3(2).

[14] GDPR, Article 33(1).

[15] GDPR, Article 34(1).

[16] See https://www.itgovernance.co.uk/dpa-and-gdpr-penalties.

Beijing Mingdun Law Firm (北京市铭盾律师事务所), www.mdlaw.cn
Copyright © 2008 - 2020 Beijing Mingdun Law Firm