13 January 2021
Following the global trend towards enhanced protection on data privacy, China has launched the Civil Code, the first-ever in the country’s history which has been in force since January 1, 2021.
The code, in part, bolsters individuals’ rights to privacy and personal data in this big data land with 904 million netizens, vulnerable to data breaches and cyber frauds. Despite the lack of clarity in a few aspects, the Civil Code lays down an important groundwork for data privacy protection. It basically requires that the data processing businesses shall be responsible for what they do with personal data, and shall demonstrate and document the procedures they have taken as an effort to safeguard people’s data.
According to Yingying Zhu, Partner Beijing MINGDUN Law Firm, this will not only result in better legal compliance but also help to build up a reputation and a competitive advantage.
“The process of compliance may cost a lot in the beginning, but in the long run, it will prove to be valuable as real dollars, euros or Chinese yuan will be saved because those in compliance are more likely to avoid fines, litigation costs, negative media attention and reputation damage,” she says. “To build a privacy respectful real world or online environment will be beneficial to individuals in China. Privacy forms the basis of individuals’ rights and freedom. To free from unlawful intrusion to personal data and to safely entrust your data to the businesses you are dealing with are critical to the well-being of individuals in China.”
While being a much-welcomed move in the right direction for these GDPR sort-of rights to be provided under the Civil Code, issues have not been properly addressed. How can the information be provided to the data subjects upon request? How fast should a response be made to consider it timely? Is the information processor allowed to refuse a data subject’s request if it is unjustified or excessive? Zhu says that as to the trendy notion, “right to be forgotten”, the law fails to describe how the data shall be deleted in individual cases. Furthermore, if the data processor already made the personal data public, it remains a question as to how to make the concerned data erased.
“Under the GDPR, consent is just one of the legal bases a business can use to justify the collection, handling, and/or storage of people’s personal data,” she says. “Furthermore, for consent to be valid, it must be freely given, unambiguous and specific, informed and withdrawable. Consent is not freely-given if individuals have no other meaningful options but to give out their consent. This means businesses shall not create an opt-in-or-leave-it situation when seeking people’s consent.
Individuals need to maintain the ability to decline and shall be free from discrimination when they opt-out. Here, the Civil Code fails to elaborate on how consent shall be obtained and given nor does it provide any details on other legal bases for data processing, which presumably remain to be addressed in further legislative construction.”
She adds, “Normally the clarification of a new law will be made in further judicial interpretations to be released by the China Supreme Court.”
The Civil Code also touches upon government infringement issue by providing that the state organs, statutory institutions assuming administrative functions, and their staff members shall keep confidential the privacy and personal information of data subjects obtained in the course of fulfilling any governmental or administrative functions, and shall not disclose such information or illegally provide the same for others. Government intrusion into personal privacy has reached a historic height during the COVID-19 as the government aggressively tracks down infected individuals by using surveillance technologies.
“This shall not be the new norm after the launch of the Civil Code,” says Zhu “The government shall make efforts to ensure that any surveillance data collected during the pandemic shall be taken good care of to protect public from mass data leakage in the aftermath of the coronavirus and in due compliance of the Civil Code. Under the new Civil Code, data processing businesses and the government are better armed to protect the public from falling into the scams of internet hackers and identity thieves and at the same time, build up their own reputation as trustworthy, law-abiding and responsible entities.”
Excel V. Dyquiangco
Please wait while the page is loading...
