When ride-hailing giant Didi Global Inc. was fined last week for cyber and data security breaches — including illegal collection of facial information — it sent an 8 billion yuan ($1.2 billion) signal to the Chinese public that user data infringements are taken seriously.

As China ramps up its legal protection of personal data, large-scale personal information collection and processing may violate the law if done without users’ informed consent. The country’s top prosecutor reported 2,000 public interest cases (link in Chinese) regarding personal information in 2021, a nearly threefold increase from the previous year.

So how can individuals protect their personal information rights? While difficulties in finding legal professionals with the right expertise and poor compensation remain issues, Caixin lists four laws that can be consulted in efforts to hold companies to account for data misuse, whether by addressing their administrative and criminal liability or by forcing them to face civil claims or public interest lawsuits.

Personal Information Protection Law

The Personal Information Protection Law (link in Chinese) enacted in November 2021 grants individuals the right to know how their personal information is being handled and the right to refuse to hand it over. Moreover, it gives them the right to file a lawsuit and claim compensation when their rights are abused.

Article 66 of the law states that mishandling of personal information, including illegal collection, processing and disclosure, could leave a company with a fine of up to 50 million yuan or 5% of the previous year’s turnover. The person with direct responsibility or others in charge may be fined between 100,000 and 1 million yuan.

In practice, large-scale illegal collection of personal information is often hidden, making it hard for people to know whether they have suffered an infringement. As Chinese citizens develop greater awareness of how to protect their personal data, misuse may become harder to conceal.

In mid-July, an online influencer accused software company Kingsoft Corp. of censoring her unshared draft novel. The company said it does not censor its users’ local files but admitted it reviews files hosted on its platforms, something legal experts said could breach China’s Personal Information Protection Law.

Also in July, after an online outcry over a potential violation of data privacy, several Beijing neighborhoods took back health monitoring bracelets they had given out to people in home quarantine for Covid-19.

Garbage bins equipped with face recognition technology are installed in a Beijing neighborhood in 2020. The lids of the bins open only when residents are identified. Photo: VCG

Civil Code

The Civil Code of the People’s Republic of China (link in Chinese), which came into effect at the beginning of 2021, was a landmark piece of legislation that enshrined the protection of personal information with a chapter dedicated to “rights to privacy.”

The Civil Code specified that citizens’ personal information including name, date of birth, ID number, biometric data, contact information, health and whereabouts were protected. Organizations and individuals were required to follow the principles of “legality, legitimacy, and necessity” when processing such personal information.

A 2020 Supreme Court amendment added “disputes over personal information protection” as a cause of action in civil litigation cases, giving those claiming personal information violations the right to file a civil lawsuit.

In September 2021, 52 mobile apps, including those of China Southern Airlines, tea chain Hey Tea and Dida Chuxing, were ordered to rectify practices that had infringed on users’ rights, such as collecting personal information unnecessarily, asking for excessive permissions to access data and misleading users.

Cyber Security Law

The 2016 Cyber Security Law (link in Chinese) requires internet service providers capable of collecting user information to “clearly inform and obtain consent from the user” and forbids network operators from “disclosing, tampering with, or damaging personal information collected.”

Internet service providers could be fined between one and 10 times their illegal income when found to have violated the rules. Serious cases could lead to the suspension of the businesses involved and an investigation into criminal liability.

In 2019, a professor in the eastern city of Hangzhou sued a local safari park in China’s first facial recognition lawsuit. A year later, the district court ordered the park to delete the facial data collected from the plaintiff when he applied for a fingerprint-activated annual card.

Criminal Law

In 2015, the ninth amendment (link in Chinese) of the Criminal Law included the crime of violating citizens’ personal information, stipulating that anyone who had illegally obtained, sold or provided such personal information to others would bear criminal liability.

This extended the scope of the law beyond the 2009 version, which regulated only staff at state organs and financial, telecommunications, transportation, education and medical units.

According to a legal interpretation (link in Chinese) issued by the Supreme Court in 2017, a fine of between one and five times the illegal income would be applied. The interpretation added that illegally obtaining, selling or providing more than 50 pieces of sensitive personal information, such as communication content or credit information, or making illegal gains of 5,000 yuan from doing so, could result in up to three years in prison.

If the violations caused serious consequences such as death, mental illness or kidnapping, the offender could be jailed for up to seven years.

Source: Caixin Global