
Graham Greenleaf --- "China's proposed Personal Information Protection Act (Part I): The principles" [2008] ALRS 8; (2008) 91 Privacy Laws & Business International Newsletter 1

Last Updated: 10 June 2010

China’s proposed Personal Information Protection Act (Part I): The principles

Graham Greenleaf, University of New South Wales Faculty of Law
7 February 2008
Published in (2008) 91 Privacy Laws & Business International Newsletter 1-6, February 2008

Some Chinese experts have predicted that 2008 may be the year in which the People’s Republic of China will introduce a national data protection law, though others are more cautious. Although there are reported to be at least two draft data protection laws circulating for discussion within the Chinese government, the draft which has received the most official acknowledgment is that by Professor Zhou Hanhua, the director of the Institute of Law at the Chinese Academy of Social Sciences. Professor Zhou led a team of experts commissioned by the Chinese government to draft a law to be considered by the Informatics Committee of the State Council. A draft was submitted in 2005 (the ‘Experts’ Suggestions’ draft), and made public by Professor Zhou in 2006 (Zhou et al, 2006).

In August 2007 Professor Zhou stated that he expected the law to be enacted next year, but it might take longer to iron out some details. Qin Hai, deputy director of the policy and planning department of the State Council's Informatisation Office (SCIO) stated at that time ‘We've finished drafting the law and will submit it to the State Council's Legal Affairs Office’ (China Daily, 2007). Local experts who translated the Act also expect that its provisions ‘could become part of the final law’ (Maisog and Zhao, 2006). Maisog points out that there are at least three legislative channels in China through which a data protection law could be developed: (i) the National People's Congress, the principal national legislative body, which meets annually each March; (ii) the Standing Committee of the National People's Congress which meets more frequently and can pass national legislation; and (iii) the ten person State Council, which has ministries under its authority and can pass administrative regulations even in the absence of an underlying national law (BNA, 2007). March 2008 is therefore the next key date, but it is quite likely, as with major legislation in any jurisdiction, that it may take considerably longer.

In this article (and its following part) I consider the main features of the ‘Experts’ Suggestions’ draft, as the most reliable current indication of the form a future Chinese data protection law might take, and indicate how it relates to information privacy laws in Europe and in other Asia-Pacific countries. I have paraphrased and interpreted provisions for the purposes of explanation and for brevity, and quoted the translations of key terms from the English translation by Maisog and Zhao (2006), drawing also on the translation by Liu (2007) of Professor Zhou’s legislative report, and the report by Sutton, Zhang, and Hart (2007) resulting from EU-China collaborations on data protection law. Reference should be made to the whole Act for the precise provisions. Even if China’s data protection law, when enacted, differs considerably from this draft both in detail and perhaps in underlying concepts, this draft will remain significant as indicating some of the earliest and most detailed expert thinking on the subject of privacy in China.

Related developments in China

China legislated for a new national Disclosure of Government Information law in January 2007, which will come into force on May 1, 2008 (Wen, 2007). China still has not ratified the International Covenant on Civil and Political Rights (article 17 of which protects privacy), although it signed the ICCPR in 1998. Nor is it a party to the 1st Optional Protocol to the ICCPR, which allows individuals to make ‘communications’ (complaints) to UN human rights bodies. It ratified the International Covenant on Economic, Social and Cultural Rights in 2002 but with a reservation concerning trade unionism. China participated in the development of APEC’s Privacy Framework (2003-05) through its Privacy Subgroup, but has not yet indicated that it will be involved in any of the Subgroup’s ‘Pathfinder’ projects. China’s commitment to privacy protection is clearly still evolving.

Ten key Principles (‘General Provisions’)

The Articles of Chapter 1 lay out ten ‘General Provisions’, called ‘Principles’ in Articles 2-8. This is similar to the sets of data protection principles usually found in international privacy agreements, European privacy laws or those in other Asia-Pacific countries. The General Provisions are stated to apply to both ‘Government Authorities’ (which includes government at all levels) and ‘Other Data Processors’ (broadly, the private sector), but they are then elaborated separately for each of these sectors in Chapters 2 and 3. I will call them ‘data processors’ though this composite term is not used in the Act.

(1) Purpose and basis – The stated purposes are to regulate the processing of personal information in both sectors, to protect individual rights and to facilitate the orderly flow of personal information.
(2) Lawfulness – Processing must comply with this Act unless there is an express exception in another law.
(3) Protection of rights – ‘Data Subjects’ may request data processors to disclose personal information relating to them, and to correct or cease to use false or inaccurate information.
(4) Balance of interests – ‘The protection of Personal Information shall neither impede the rights and freedom of other persons nor harm the interests of the state or public societal interests’.
(5) Information quality – Data processors must adopt measures to ensure they only use personal information for purposes ‘related’ to the purpose of collection, and to ensure its ‘accuracy, integrity and timeliness’.
(6) Information security – Data processors must take measures to prevent personal information being disclosed, lost or destroyed, and against other security breaches.
(7) Professional duties – Personnel of data processors have a professional duty to protect confidentiality of personal information and to not use or disclose it without authorisation.
(8) Remedy – Data subjects have the right to seek administrative remedies or commence litigation where their rights under the Act have been breached. Breaches by data processors should cause liability for compensation to Data Subjects. All parties have the right to apply for administrative review of the actions of government agencies in charge of information resources, or commence an administrative lawsuit.
(9) Scope – “Personal Information” is defined to mean information which can, by reference to it alone or in comparison with other information, be used to identify a specific individual. Other terms are also defined. Both manual and automated processing are included.
(10) Exceptions – The Act does not apply to the processing of personal information by state security agencies for the purpose of protecting state security (scope to be determined by the State Council), or by citizens solely for their own individual or family activities. It does not apply where the amount of Personal Information being processed is relatively small and the processing activity is not likely to infringe upon the rights of individuals (scope to be determined by regulations by the agency in charge of information resources for the State Council). Legislative or judicial agencies also do not come within the meaning of government authorities.

‘Personal information’ was considered to be more neutral than either ‘personal data’ (used in Europe) or ‘privacy’ (used in the USA) (Liu translation, 2007).

A striking omission from these General Provisions is that there is no explicit collection limitation principle; however, there are explicit but different collection limitation principles in relation to each sector in Chapters 2 and 3. Use and disclosure is only restricted here by the weak requirement that it must be for ‘related’ purposes, but in relation to non-government processors Chapter 3 provides more strict limitations. There is no specific ‘Openness’ principle, but it is included in the Chapter 2 and 3 elaborations. These examples illustrate how these General Provisions must be read subject to their specific elaborations for each broad sector (government and non-government) in Chapters 2 and 3. However, the Chapter 1 principles will remain of importance where the later chapters do not elaborate on something covered by the General Provisions.

The scope of the exemption for small-scale and un-harmful processing in Principle 10 is uncertain because it depends on regulatory interpretation. This was the subject of considerable debate by the experts (Liu translation, 2007). Australia’s ‘small business exemption’ may exempt up to 90% of all businesses. Otherwise, except for the predictable exemption for state security agencies, the scope of the legislation is comprehensive. There are no special provisions for sensitive information, for reasons including possible constitutional questions (Liu translation, 2007).

Processing by government authorities

Regulation of processing by Government Authorities in Chapter 2 includes detailed provisions on collection and use (Section 1), access rights (Section 2), and Correction (Section 3).

Government authorities may only collect personal information within the scope of their lawful authority, and it must be for a specific purpose and be no more than is needed for that purpose. The policy of minimal collection is underlined by requirements to ‘decrease societal burdens [and] avoid duplicative collection’, and a requirement for prompt deletion of irrelevant information.

Government authorities are required to register proposed personal information collection activities with the relevant agency in charge of information resources at their level, but there are many exceptions, concerning security, policing, personnel, and other matters. These ‘registered’ collection activities are to be announced publicly and the documentation of them is to be open to public inspection. This is a form of implementation of the ‘Openness’ principle, a principle not explicitly included in the General Provisions.

Government authorities may only process personal information (which includes both use and disclosure) for the purpose for which it was collected, subject to nine exceptions. Some of these exceptions are so broad (‘other public interests’; preventing damage to important rights and interests of others; proper reasons and only used for internal government purposes), that it is difficult to see that they impose any significant limitations on use within the government sector provided the use is for a purpose within the legitimate scope of activities of the agency concerned. From a common law perspective, it appears as if a rule something like ‘minimum necessary collection for a statutory purpose’ applies, but once collected any use of the information intra vires the functions of the agency is permitted. We could say that the finality principle is only applied weakly within the government sector.

Where a government authority discloses personal information to a third party (under the above exceptions) it is required to impose specific requirements concerning use, further disclosure etc on the third party recipient, and they must abide by those requirements. This is an innovative requirement, in an area which is often something of a lacuna in other data protection laws.

The application procedures for a person to access information about themselves are set out in Section 2 in some detail, including specific allowance for applications by electronic mail, and a requirement for receipts to be issued. These requirements will apply to government authorities at all levels in China’s government, and are clearly intended to impose a level of uniformity and predictability in how access applications are processed, which should benefit individual rights. Exceptions to the access right are just as broad as the exceptions allowing uses for purposes beyond the purpose of collection. The ‘balance of interests’ principle is then supposed to be applied where the agency deems that it would be appropriate to over-ride these exceptions, but the result is only that the government authority may decide to allow access in such cases. In other words, there are broad and ill-defined exceptions to the right of access, with a discretion in agencies to allow access if they want to.

There are numerous provisions governing the time within which access decisions must be made, access procedures, costs and other administrative matters. Because of the wide discretions to refuse access, they will be mainly relevant to non-contentious applications.

The procedures for handling applications concerning correction or cessation of use of inaccurate data in Section 3 require decisions to normally be made within 15 days after lodgment of an application, with extensions only allowed up to 30 days. The authorities may, on their own initiative or on application, give notice of corrections to previous third party recipients of the information. These are strong requirements in favour of individuals.

Processing by the private sector (‘other data processors’)

Private sector data processors are regulated in Chapter 3, which establishes a registration system (Section 1), expands on collection obligations (Section 2) and on the rights of data subjects (Section 3), and encourages self-regulatory trade mechanisms (Section 4).

Private sector organisations or individuals (unless exempted as individual or family processing) undertaking processing of personal information must register with the appropriate government agency in charge of information resources. If their principal business is personal information processing, or they earn profits through it, they must do so before beginning processing. A considerable amount of information must be registered (and updated), including details of disclosure and security practices, and other matters yet to be determined by the agency in charge of information resources of the State Council. The Act says that, except for special circumstances, this is only to be a pro forma registration, but that the registration agency must also conduct substantive examinations, presumably in circumstances such as when registration before processing is required. No fees are to be charged for registration.

Collection or other aspects of processing of personal information may only be for specific purposes. Information may not be processed (including being collected) unless one of six conditions applies, but they are extremely broad, including consent, protection of important interests of the Data Subject, protection of lawful interests of a third party, the public interest, and as provided in other laws and regulations. However, this apparent breadth is reduced by a subsequent provision that processing for purposes beyond the purpose of collection may only take place without consent if one of three conditions applies. First, if expressly provided for by law. Second, if necessary to protect the life, health or property of persons (data subject or other individuals) and it is difficult to obtain the Data Subject’s consent. Third, if necessary for government authorities to carry out their legal responsibilities, and obtaining consent will prevent them from doing so.

Personal information may only be collected by legal and proper means. When it is collected directly from the Data Subject, notice must be given of specified matters. No notice is therefore required when personal information is collected from third parties.

The Data Subject’s right to access personal information is subject to broadly stated exceptions where such access would be harmful to the interests of the data subject or a third party, or as provided by other laws and regulations. There is also a specific exception where repeated requests for the same information impede the data processor’s work – a form of ‘vexatious applicant’ exception. Access charges are to be set by the local price administration agency. The right to have inaccurate data corrected, or use of it ceased, is restated. There is a right to written reasons if access is declined in full or in part, or corrections or cessation of use refused. There is no specific right to have third parties informed of corrections, unlike with government agencies.

The Act states a policy supporting establishment of self-regulatory trade associations and for the gradual transfer of government functions under the Act to them. The requirements for such bodies are to be provided by the agency in charge of information resources of the State Council, but they are to register with the relevant local bodies. Their functions are set out, including accepting complaints from Data Subjects. It is not specified whether there must be a right to seek review of any decisions by such trade associations, though this would seem to be implied by the Principle of Remedy in Chapter 1.

Cross border transfers

The Act only restricts the cross border transfer of personal data by Other Data Processors, not by government authorities. In this it is similar to current Australian law, the only other national jurisdiction in the Asia-Pacific to have data export restrictions in force. However, the Act only provides that government agencies in charge of information resources may restrict cross-border transfers if certain conditions are met, unlike in the European Union (or in Australia), where transfers must be restricted unless enabling conditions are met. Because of the number of Chinese agencies who could be involved in this process, there could be potential for conflicting rulings.

Grounds for restrictions are that state security or other significant state interests may be involved, where China has duties under international law, where other laws restrict transfers, and where the recipient country or area does not give ‘sufficient’ legal protection. The agency in charge of information resources of the State Council will determine which countries or areas come within this last category. Unless and until there was such a determination, it would appear that no cross-border transfers would be prohibited. The reference to ‘areas’ will, among other things, allow consideration to be given to the position of Special Administrative Areas (SARs) with separate legal systems (Hong Kong and Macau), or to Chinese Taipei (Taiwan).

Part II of this article in the next issue of Privacy Laws & Business International Reporter will cover administration of the Act, and remedies under it, and make some comparisons with other laws. The author wishes to gratefully acknowledge the assistance of the translation of the draft Act by Maisog and Zhao (Hunton & Williams LLP), but is responsible for all interpretations made. Mr Maisog may be contacted at <bmaisog@hunton.com>.

References

BNA Privacy Watch ‘Experts Foresee Data Protection Law In China, Discuss Probable Provisions’, Bureau of National Affairs, Inc. 9 March 2007, available at <http://www.bna.com/>

China Daily “Law on personal info 'next year'” China Daily 6 August 2007, available at <http://fec2.mofcom.gov.cn/aarticle/news/200708/20070804962853.html>

Liu, Yue (draft English translation) summary of Zhou, Hanhua et al Legislative Study Report, 2007, unpublished, University of Oslo Faculty of Law

Maisog, Manuel E. and Zhao, Angela (English translation) Zhou, Hanhua et al Personal Information Protection Act of the People’s Republic of China (Experts’ Suggestion), 2006, Hunton & Williams LLP, Beijing, China

Sutton, Graham, Zhang, Xinbao, and Hart, Thomas Personal Data Protection in Europe and China: What Lessons to be Learned? EU-China Information Society Project, Beijing, November 2007, available from The Constitution Unit, UCL Department of Political Science, London; see also <http://www.eu-china-infso.org/Regulation/regulation094158@2007-06-20.html>

Wen, Jiabao “Research on Freedom of Information and electronic government in China,” May 28 2007 available at <http://foichina.blogspot.com/search/label/FOI%20in%20China>

Zhou, Hanhua et al Personal Information Protection Act of the P.R.C. (Experts’ Suggestion) and Legislative Study Report, 2006, Institute of Law, Chinese Academy of Social Sciences, Beijing, China


URL: http://www.austlii.edu.au/au/journals/ALRS/2008/8.html