A closer look at China's Personal Information Protection Law

The Personal Information Protection Law of China was recently passed during the 30th session of the Standing Committee of the National People's Congress, and will officially enter into force on Nov 1. The promulgation of the law has aroused widespread attention both at home and abroad, as the protection and utilization of personal data has become increasingly important with the development of communication technology and the digital economy.

Being accustomed to all kinds of apps that bring us convenience, the internet has penetrated every aspect of our daily life. It is not strange to fill in some personal information — some of which could even be private and sensitive — when downloading a new app or registering an account on a website. As such, it rarely occurs to us how our rights could be infringed upon or what damages we would suffer if our personal information and data cannot be stored and managed in a safe manner without clear legal obligations to restrain the information collector.

Personal information leakage has already caused very serious consequences. For example, the case of Xu Yuyu. Xu, 18 and newly admitted to college, was swindled out of a tuition fee she worked extremely hard to prepare by those who illegally obtained the phone number of the proctors of the college entrance exam and conducted targeted communication fraud. Subsequently, the young girl died, and the criminals were convicted of violating personal information and fraud and sentenced to jail. The case has been highlighted as one of the top 10 cases promoting the rule of law in China. Undoubtedly, it has made the public and the authorities realize the significance of enhancing personal information protection.

Another exemplary case, called the first case of face recognition in China, has also fueled extensive discussion concerning the collection and protection of sensitive personal information. A membership card holder contended that a wildlife park had no right to get their facial scan information and fingerprints to upgrade its entrance monitoring system, and sued the wildlife park in court. The court ruled the wildlife park must delete the personal information obtained and compensate the member in damages.

In recent years, cases regarding personal information protection have been increasing drastically. On one hand, people are more concerned about the protection of their personal information; on the other, as a key element of the digital economy, personal information and data could generate tremendous commercial value if properly handled. They can help businesses provide more personalized products and services to consumers and accelerate the development of the digital economy. Therefore, a personal information law must achieve sometimes contradictory objectives.

Generally speaking, the law has adopted a straightforward approach to the protection of personal information, avoiding getting bogged down in endless academic discussion over whether the issue is property rights or personality rights, general personal rights or specific personal rights, or other thorny questions. To show what the law actually does, we can take a look at some interesting highlights.

First, it has set up a comprehensive legal framework for the protection of personal information. It has adopted a relatively broad definition of personal information to make the scope of protection as wide as possible, covering almost any conduct that might cause misuse of personal information, including collecting, storing, processing, transferring, providing and deleting. The law has also set forth the principle that natural persons, enterprises and administrative agencies all have an obligation to protect other’s personal information during private contact, business transactions or public administration. Moreover, the second paragraph of Article 3 sets out three conditions under which the law shall apply to personal information processing activities outside China’s borders, which maintains the law’s extraterritorial effect when necessary.

Second, the law has struck a better balance between the protection and utilization of personal information. Theoretically, any processing of personal information without consent would infringe upon the person’s legal interests and constitute wrongdoing. That’s why the inform and consent principle has been regarded as a universally acknowledged rule with respect to dealing with personal information.

However, in the information age, it is inevitable our personal information is exposed to service providers and internet platforms. Along with the development of big data, machine computation and algorithms to collect and analyze personal information has become a common practice in the internet industry to assist in decision-making. Some have compared information to petroleum in the digital era. Apart from personal consent, legal authorization is another way to have access to personal information. Thus, the law has explicitly listed six situations in which personal consent is not needed. Typical situations include, as the law stipulates, the necessary executing of a contract, the performing of statutory duties or obligations, dealing with public health emergencies, and protecting people’s lives and property in emergencies.

Third, the law has clarified the rights of the citizen who consent for their personal information to be collected and processed, such as the right to know and decide, the right to access and copy and the right to withdraw prior consent whenever a person changes their mind.

The obligations of the information processor have also been specified. According to the law, the processor must take concrete measures to ensure the legality of its activities and the safety of the information obtained, establish an internal risk management mechanism and designate a specific person in charge of the protection of personal information, regularly conducting third-party compliance audits with respect to personal information protection.

In order to further regulate the platform economy, promote its healthy development and protect the interests of consumers, article 58 of the law contains specific obligations for personal information processors who provide important internet platform services, have a large number of users and complex business types. If a statutory obligation is not abided by, these information processors would face high fines, with the highest being five percent of their annual gross revenue.

In a nutshell, the Personal Information Protection Law of China serves as the basic law in this area. Compared with similar legislations of other countries, it is not hard to see the law not only reflects international standards, but also possess distinctive Chinese characteristics. In the future, the authority should enhance its implementation to give full play to its function of protecting personal information and promoting the digital economy.

The author is PhD candidate in law at the University of Chinese Academy of Social Sciences.

The opinions expressed here are those of the writer and do not necessarily represent the views of China Daily and China Daily website.

If you have a specific expertise, or would like to share your thought about our stories, then send us your writings at opinion@chinadaily.com.cn, and comment@chinadaily.com.cn.