By Julia DaiHui Xu and Sean Wu

On March 15, 2017, the National People’s Congress (the NPC), the national legislature of People’s Republic of China (the PRC), passed the General Provisions of the Civil Law (the General Provisions). To better protect rights and establish obligations for individuals and entities in modern China, the General Provisions have undergone a major “face lift,” including revisions and the addition of 50 new provisions to the existing 1986 version. Among these new provisions, the clauses introducing “Personal Information” rights and confirming “Data” protection are especially noteworthy.

A personal information right is now recognized as a civil law right and thus creates a private right for tort action. While the definition and scope of “personal information” is currently ambiguous, the Supreme People’s Court is expected to issue its judicial interpretation to the General Provision. In the meantime, other legislation such as the Network Security Law offers the best context by which to assess the possible scope of the term.

While not expressly defining activities deemed “unlawful”, the General Provisions also require individuals and organizations to lawfully collect, use, process, transmit, buy, sell, provide or publicize personal information of others. Again, the Network Security Law provides further guidance on compliance requirements that relate to personal information including, but not limited to: following principles of “Legitimate,” “Reasonable” and “Necessary” when collecting and utilizing personal information; obtaining explicitly informed consent; processing information to eliminate the probability of identifying individuals prior to sharing with third parties; and adopting sufficient protective measures to ensure security of personal information.

In addition, the General Provisions have instated a separate clause for data, unbundling its previous categorization with intellectual property in its draft version. Although data may no longer be considered as intellectual property, the indicative view of the legislators is that it should be regarded as a type of property and needs to be protected.

As legislative efforts in China continue to strengthen protections for personal information and data security from three aspects of the law, i.e., civil, administrative and criminal, companies are advised to seek to establish a more prudent personal information and data management system with higher compliance standards.

Click here read more on the PRC’s General Provisions of the Civil Law.

You may also be interested in:

China Issues Its First Network Security Law