China’s Civil Code and the fast-evolving personal information protection regime - CWG
Dora Si
Deacons, Hong Kong
dora.si@deacons.com
Andy Yu
Deacons, Hong Kong
andy.yu@deacons.com
Increasing public concern over privacy is an international trend. With the long-awaited personal data protection law still under discussion, the National People’s Congress has set out its goal to enhance personal information protection in China by enshrining an individual’s right to privacy and personal data in the recently enacted Civil Code.
The Civil Code is a landmark piece of legislation. It consolidates and updates several major laws covering a wide range of civil and commercial issues from matrimonial and property law to tort and contract, which will all be abolished once the Civil Code comes into effect on 1 January 2021[1].
In addition, the Civil Code strengthens the protection of the privacy and personal information of citizens by clarifying the concept of personal information, the legal basis for processing personal information and civil actions in relation to breaches. It also imposes statutory obligations for protecting personal information on data controllers and data processors.
While it remains to be seen how the broad principles in the Civil Code will be interpreted and applied in practice, businesses should take proactive steps to manage the increasing compliance risks by reviewing their practices in the lifecycle of personal information processing.
This article will take a brief look at the vital issues that businesses need to consider, with reference to the new provisions of the Civil Code as well as the updated Personal Information Security Specifications (PIS), the latest version (GB/T 35273-2020) of which will come into force on 1 October 2020.[2] Although this national standard is not legally binding, the PIS has been widely accepted by regulatory authorities and various industries as the best practice to manage personal information in China. It is expected to supplement the Chinese data protection regime before further implementing rules and judicial interpretation are available.
Types of personal information
It is important for businesses to understand the nature of the ‘personal information’ that they process, as the applicable compliance obligations vary.
Personal information under the Civil Code refers to:
‘Various kinds of information, recorded by electronic or other means, capable of being used to independently identify, or in combination with other information to identify, a natural person's identity, including a natural person’s name, date of birth, identity card number, biometric identification information, residential address, phone number, email address, health information and location information, etc.’[3]
This is very similar to the definition and examples given in the PIS. However, the PIS has two additional categories that require more stringent treatment and stronger protection: ‘sensitive personal information’ and ‘biometric identification information’.
‘Sensitive personal information’ is defined in the PIS as personal information, the leakage, illegal provision or abuse of which, will jeopardise a data subject’s rights and interests.[4] Some examples are:
- personal identification information (eg, ID card and passport);
- personal financial information (eg, bank account number and transaction record); and
- personal health information (eg, medical record and genetic history).[5]
Additional obligations concerning the collection of sensitive personal information include making prominent references in the privacy policy to draw data subjects’ attention to such acts[6] and adopting security measures such as encryption when transmitting and storing sensitive personal information.[7]
Biometric identification information includes fingerprints, palm prints and facial recognition characteristics.[8] Businesses are required to independently inform data subjects of the specific rules of collection, usage and storage and obtain data subjects’ express consent before collecting, using or otherwise handling biometric identification information.[9]
Businesses should also adopt security measures such as segregating the storage of biometric identification information from other personal identification information and storing only the abstract instead of the original specimen of biometric identification information collected[10] to minimise the potential negative impact on data subjects in the event of a data breach.
Data subjects’ consent
The Civil Code affirms a data subject’s consent as a legitimate basis for businesses to process personal information in China.[11] The PIS sets out detailed guidelines on how consent should be sought under different circumstances in order to tackle the problem of excessive collection and use of personal information. For instance, where certain products or services are capable of performing multiple business functions and personal information is required to carry out these functions, businesses should refrain from obtaining a ‘bundled consent’, for example, by requiring data subjects to check a one-off consent box without giving options to opt out of certain business functions.[12] The recommended practice is to seek consent for each individual function by:
- distinguishing the core business functions of the products/services from the extended functions;[13]
- informing data subjects of the types of personal information required for performing each of the core and extended functions;[14] and
- providing data subjects with the option to select the functions of products or services they wish to subscribe to, and obtaining only the necessary, minimum types and quantity of personal information.[15]
If data subjects refuse to provide the requisite consent or decide to opt out of certain business functions, businesses shall neither continually request the data subjects’ consent nor take other steps to adversely affect the data subjects’ use of business functions to which they have consented.[16]
Passing personal information on
Another key consideration relates to the provision of personal information by, or to, third parties such as business partners and service providers.
Under the Civil Code, transferring personal information without a data subject’s consent is prohibited.[17] Before obtaining the personal information of others from third-party information providers, the PIS requires businesses to ascertain from such providers whether the personal information was legitimately obtained by them.[18] Businesses are recommended to seek a contractual warranty from third-party information providers confirming that consent for transferring or providing the data has been obtained. Businesses should also ensure that such personal information is processed within the scope of the data subject’s consent.[19] Otherwise, businesses must obtain fresh consent from the data subjects.
The PIS also requires data controllers to take on a proactive role in monitoring and managing the processing activities of third parties. Depending on the nature of the relationship with such third parties, contractual terms should be put in place to set out the parties’ relevant rights and obligations including, but not limited to:
- the right to audit third parties’ records of their processing activities;
- the limitation of purposes for which third parties may process the personal information; and
- the relevant party’s obligations to adopt security measures to protect the personal information provided.[20]
These steps may help data controllers to manage the scope and extent of their civil tortious liabilities to data subjects in the event of data breach or infringement of personal information rights.
Data processors providing data processing services, whether internally or for others, should note that the Civil Code has extended the statutory obligations of protecting personal information to them. Data subjects may take civil action pursuant to the Civil Code against data processors for infringing personal information rights even in the absence of a contract between them, save for certain exceptions.
Exercise of data subjects’ rights
The Civil Code imposes an obligation on a data processor to respond to a data subject’s request for accessing, copying, amending and deleting their personal information.[21]
Data subjects’ requests to cancel their accounts should be handled as specified in the PIS.[22] In particular, unreasonable conditions should not be imposed on data subjects to hinder the account cancellation process.[23] Where the cancellation of an account for a certain business function will affect the operation of another account in relation to a different business function, the consequences and implications should also be explained to the data subject in detail.[24] In cases where manual handling of an account cancellation is involved, the verification and processing of such a cancellation request should be completed within 15 working days upon acceptance of the request.[25]
Conclusion
There is growing public awareness of personal information protection in China, especially as the implementation of the Civil Code draws near and the Chinese regulators have shown determination to step up their enforcement efforts to rectify any malpractice. As the adage goes, prevention is always better than cure. Businesses should closely monitor developments and take appropriate steps to manage their compliance risks.
[3] Article 1,034, Chinese Civil Code.
[4] Article 3.2, PIS.
[5] Ibid, Annex B.
[6] Ibid, Article 5.5(a)(2).
[7] Ibid, Article 6.3(a).
[8] Ibid, Article 5.4(c).
[9] Ibid, Article 5.4(c).
[10] Ibid, Article 6.3(c).
[11] Article 1,035(1), Chinese Civil Code.
[12] Article 5.3(a), PIS.
[13] Ibid, Annex C.
[14] Ibid, Article 5.4(a).
[15] Ibid, Article 5.3.
[16] Ibid, Article 5.3(d) and (e).
[17] Article 1,038, Chinese Civil Code.
[18] Article 5.4(e)(1), PIS.
[19] Ibid, Article 5.4(e)(2).
[20] Ibid, Articles 9.1(d), 9.2(d) and 9.7(b).
[21] Article 1,037, Chinese Civil Code.
[22] Article 8.5, PIS.
[23] Ibid, Article 8.5(d).
[24] Ibid, Article 8.5(d).
[25] Ibid, Article 8.5(b).