The Civil Code of China (the “Civil Code”) was approved by the National People's Congress of China on May 28, 2020 and will take effect January 1, 2021. Part Four of the Civil Code explicitly stipulates that the “Right of Privacy” is one of the “Rights of Personality” covered therein and includes a chapter on “Privacy and Personal Information Protection,” which contains detailed provisions to protect privacy and personal information.
The Civil Code, which has caused heated discussions recently in China, will be the first Code of the People’s Republic of China since its establishment. Currently effective civil laws (including the Marriage Law, the Law of Succession, the General Rules of the Civil Law, the Adoption Law, the Guarantee Law, the Contract Law, the Property Law, the Tort Law and the General Principles of the Civil Law) will be repealed simultaneously once the Civil Code becomes effective. In total, the Civil Code has seven Parts and Supplementary Provisions.
The General Principles of the Civil Law promulgated in 1986 did not recognize the Right of Privacy as one of the “Rights of Personality.” The Tort Law promulgated in 2009 is the first law that explicitly stipulates that the right of privacy shall be protected as one of people’s civil rights, but the provisions are quite general.
Privacy
Chapter Six of Part Four of the Civil Code (“Chapter Six”) defines Privacy as “a natural person’s peace of life and the private space, private activities and private information which he/she is unwilling to let others know,” and it lists the following actions that are not allowed to be conducted by any organization or individual without consent:
- disturbing the peace of other people’s private lives through telephone, text message, instant messaging tool, email, leaflets, etc.;
- entering, shooting and peeping into other people's private space such as houses, hotel rooms, etc.;
- shooting, peeping into, eavesdropping, publicizing other people’s private activities;
- shooting, peeping at private parts of other people;
- processing private information of other people; and
- invading the right of privacy of other people in other ways.
Personal Information
As previously discussed on this blog, the Cybersecurity Law promulgated in 2017 systematically regulates the protection of personal information, and the Civil Code, jointly regulating this area, details, extends and develops the Cybersecurity Law in certain respects.
Chapter Six defines Personal Information as “all kinds of information recorded electronically or in other ways [that] independently or in combination with other information allows the identification of a natural person’s individual identity, including: natural persons' names, dates of birth, ID numbers, biologically identified personal information, addresses, telephone numbers, email addresses and whereabouts, etc.” Among these listed examples, “email addresses and whereabouts” are not included in the Cybersecurity Law.
Chapter Six sets up the principles of processing (i.e., collecting, storing, using, transmitting, providing and publicizing) people’s personal information which include legality, appropriation, and necessity, and are subject to the following:
- obtaining consent from such natural person or his/her guardian, unless otherwise provided by laws and regulations;
- publicizing the rules of processing the information;
- expressing the purpose, method and scope of processing the information; and
- no violation of laws or regulations or agreement between the two parties.
Exceptions where the information processor does not face civil liabilities also are listed in Chapter Six, including:
- the conducted action is within the scope of consent by such natural person or his/her guardian;
- reasonable processing of the information that has been publicized by such natural person or other information which has been legally publicized, unless such natural person explicitly rejects the processing or processing such information will infringe on the significant interests of such natural person;
- other actions reasonably conducted to maintain public interests or legal interests of such natural person.
Chapter Six also stipulates certain rights of the information subject and certain obligations of the information processor, and it is worth noting that it is explicitly stipulated that the governmental and statutory authorities undertaking administrative responsibilities shall maintain the confidentiality of the personal information obtained during their performance of responsibilities and shall not leak such information or illegally provide such information to others.
Chapter Six distinguishes between private and personal information but stipulates that the provisions of privacy apply to the private information within personal information.
Tort Liability
Chapter Seven of the Civil Code covers “the Tort Liabilities,” and contains several articles relating to network infringement, which may include all manner of infringement (including infringement relating to privacy or personal information). Relevant requirements and obligations of the network user and network service providers are summarized as follows:
- In case of infringement, the network user (the “obligee”) is entitled to notify the network service provider to take necessary measures such as removal, blocking, breaking links, etc., and such notice shall include preliminary proof and true identification information of the obligee (false notification that infringes others’ interests shall face liability).
- The network service provider shall, upon receipt, deliver such notice to the relevant network user (the “obligor”) and take necessary measures according to the preliminary proof and the service type. Failure to take necessary measures will lead to joint liabilities.
- Upon receipt of such notice, the obligor may submit a statement of no infringement, which shall include preliminary proof of no infringement and the true identification information of the obligor.
- The network service provider shall, upon receipt, deliver such statement to the obligee, and inform the obligee that he or she could make a report to competent authorities or file a lawsuit in court. Within a reasonable period, if the network service provider does not receive any notice that a report or lawsuit has been initiated, such network service provider shall cease the measures that have been taken with respect to the obligor.
- A network service provider who knows or should have known that an infringement exists but that does not take necessary actions, shall bear joint liabilities with the obligor.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code