Administrative and legal protection of personal data in China: problems and solutions
Personal data has become the most important type of information in Chinese society. The rapid expansion of the information array has increased the risks and problems of personal data protection. The protection of personal data is related not only to the field of private legal relations, but also to the state apparatus when it comes to the process of collecting, processing and using personal data by administrative authorities. China's current legislation is developing rapidly. Administrative and legal protection in the field of personal data has a certain legal basis, but still faces many difficulties in legal practice. In this regard, it is necessary to adopt a special law on the protection of personal data, create a mechanism for strict supervision and improve legal protection.
Keywords: personal data, administrative legislation, network society, protection of rights.
China turned to personal data protection issues relatively late compared with many countries, although in recent years the problem has received close attention both at the official level and in the legal literature. In particular, attention has focused on the legal protection of citizens' personal data and on clarifying the powers of executive authorities to prevent and identify offenses in this area.
Unlike in Russia <1>, there is still no special law in the legislation of the People's Republic of China that would fix the official definition of personal data. The Chinese doctrine uses the theory of "identification" to define them. Its supporters believe that personal information is information that can directly or indirectly identify a person. Such information may include: the name of the citizen, date of birth, ID number, address of residence, phone number, education and other similar information. The key element of this theory is the "identification of information". In this case, in order to qualify the data as personal, it is necessary to answer the question whether they can help in identifying an individual. The main representatives of this trend among Chinese scientists are Qi Aimin <2>, Zhou Hanhua <3>, Wang Liming <4>, Zhang Xinbao <5>, Diao Shengxian <6> and some other jurists.
--------------------------------
<1> Federal Law No. 152-FZ of July 27, 2006 (as amended on December 31, 2017) "On Personal Data" // Federal Law of the Russian Federation. 2006. No. 31 (Part 1). Art. 3451.
<2>
<3>
<4>
<5>
<6>
The introduction of the definition of "personal data" is due to the growing variety of categories of information in China. It is also generally accepted that it includes the concepts of personal data and personal integrity. The fact is that some types of data have not previously been directly linked to a person's personality, but now new technologies allow them to be found and put together, as a result of which their use can harm individual interests. Therefore, the category of personal integrity provides protection for a new type of personal data that was not previously considered part of the traditional concept. This approach protects not only various biometric information, but also everyone's right to automatic data processing.
The essence of the state approach to the definition of personal data lies in the fact that this concept is based on the idea of a "personality", directly refers to the "personality itself" and influences it. In this case, a person acquires the right to an identity, within which the collection, storage, processing, transfer of personal data is carried out, and in case of violation of these rights, the subject can take advantage of the opportunity to protect such information, including resorting to administrative means.
One should agree with Yang Chunfu that the main goal of "faithful government of the state" is to rely in the management process on legal norms that ensure the personal benefits of everyone, which would improve public power, limiting it and involving citizens in public administration. In this case, a positive effect is achieved in the relationship between the state, the government and citizens <7>. It is obvious that China is still on the way to improving the system of ensuring personal human rights. At the same time, a number of fundamental sources of law should be noted whose norms ensure the protection of citizens' right to personal data.
--------------------------------
<7>
The constitutional basis of legislation on the protection of personal data is the constitutional principle of Article 38 of the Constitution of the People's Republic of China: "The honor and dignity of citizens of the People's Republic of China are inviolable" <8>. The administrative legislation of the People's Republic of China on the protection of personal data is still relatively fragmented, but its norms are of great importance in the structure of the mechanism of legal regulation in this area. The main source of administrative law in this area is the "Rules on Disclosure of Information of the Government of the People's Republic of China" <9>. This act was adopted by the State Council of the People's Republic of China and is not a law. According to its general principle, administrative authorities are not allowed to disclose information concerning the identity of citizens at their discretion. Article 15 allows disclosure of personal data only in two cases: 1) with the consent of the citizen; 2) if non-disclosure may cause damage to public interests. Also, if the disclosure of information affects the interests of third parties, then for its disclosure the administrative body is obliged to obtain their permission (art. 32). At the same time, citizens, legal entities and other organizations have the right to request changes in official information if they have evidence that the information about them is incorrect (art. 41).
--------------------------------
<8> The Constitution of the People's Republic of China (adopted on December 4, 1982, as amended in 1988, 1993, 1999 and 2018).
<9> Order of the State Council of the People's Republic of China dated April 5, 2007 No. 492 "Rules on Disclosure of Information of the Government of the People's Republic of China" (as amended on 04/03/2019).
The collection, processing and use of personal data by government agencies is an official action that does not create, modify or terminate legal relations. Nevertheless, official entities are obliged to exercise their powers without going beyond the limits established by the norms of law. This statement is obvious and true for any state, but since the PRC does not have a framework law on personal data, problems may arise in law enforcement practice related to officials' understanding of their responsibilities in the field.
One should agree with Zhang Shufang that "the development of the rule of law inevitably requires the unification and harmonization of the norms of the law itself" <10>. Thus, the "Rules for Disclosure of Government Information" establish only the basic principles of personal data protection, but do not define specific standards and procedures. Existing regulations are insufficient for comprehensive and effective protection of citizens' right to personal data, which creates prerequisites for violations of these rights by administrative authorities, and citizens cannot always receive appropriate legal assistance, since they are unable to find the proper substantive justification for their claim (they often simply have nothing to refer to in courts and higher administrative authorities). For example, in 2016 citizen Feng Yun filed an administrative claim stating that an incorrect "place of work" was recorded in his Social Pension Insurance Sheet, and demanded that the Leshan Human Resources and Social Security Department make corrections to the register of pension insurance information. The court dismissed the claims, recognizing them as unfounded (decision of the Middle-level People's Court of Leshan in 2016, case No. 71-1181/2016) <11>. The decision reflected all the shortcomings of the current norms of law, and the court simply did not want to go beyond the material norms. In addition to filling these gaps, legal liability, including administrative liability, may become an important factor stimulating officials to perform their duties.
--------------------------------
<10>
<11>
Meanwhile, the legislation on administrative responsibility in China is uncodified; it is represented by multi-level sources of administrative law, intertwined vertically and horizontally, between which conflicts may arise. In particular, the administrative and legal protection of personal data is provided by independent acts in force in the field of telecommunications, banking, insurance, medical care, the Internet, etc. Such normative sources cover a wide range of legal relations and have a diverse content. The legal literature traditionally points out that "in China, there are fragmentary standards for the protection of personal information that protect unclear interests, have a low level of effectiveness and vague instructions for law enforcement agencies, as well as create other problems" <12>. There are too few laws at the state level on the protection of personal data. One example of such regulation is paragraph 3 of Article 6 of the Law of the People's Republic of China "On Identity Cards". In accordance with it, public security agencies and police officers are obliged to keep secret the personal data of a citizen that they have become aware of in connection with the manufacture, issuance, verification or retention of an identity card. In accordance with Article 19 of the said Law, administrative sanctions are imposed on guilty officials for the disclosure of personal data during the creation, issuance, verification, withdrawal of an identity card and the related violation of the rights and legitimate interests of citizens, and criminal liability ensues with severe consequences.
--------------------------------
<12>
The current legal norms provide only for the obligation of administrative authorities and their employees to maintain the confidentiality of personal information. The legislation does not clearly define ways to protect the relevant rights in case of violation by administrative authorities. It only states the general rule according to which citizens have the right to file a complaint with the appropriate supervisory authority. Affected citizens can turn to general administrative and legal remedies established in such acts as the Law of the People's Republic of China on Administrative Review <13>, the Law of the People's Republic of China on Administrative Procedure <14> and the Law of the People's Republic of China on State Compensation <15>. At the same time, none of them clearly indicates whether a citizen can seek a repeat administrative review of his case before a higher authority. Nor do their norms specify whether the state will pay compensation in case of violation of personal data rights.
--------------------------------
<13> The Law of the People's Republic of China dated April 29, 1999 No. 76 "On Administrative Review" (as amended on 09/01/2017).
<14> The Law of the People's Republic of China dated April 4, 1989 No. 16 "On Administrative Procedure" (as amended on 06/27/2017).
<15> The Law of the People's Republic of China dated May 12, 1994 No. 23 "On State Compensation" (as amended on 26.10.2012).
As a result, there are cases in which the authorities do not perform many of the duties that are usual in other situations. For example, government agencies do not notify a citizen about the purposes of collecting personal data or the categories of personal data being processed. It is logical to assume that in the case of processing incomplete or unreliable information, the personal data subject has the right to require the operator to supplement, modify, clarify or update them, but these requirements are not supported by the Chinese legislator (they are not even mentioned in the sources of law). The result is weak protection of personal data, in which citizens are forced to expect violations of their rights at any time. In the absence of detailed legislative regulation, the legal regime of personal data turns out to be insufficiently effective when administrative bodies exercise their powers, while state control bodies do not receive adequate opportunities to identify violations and ensure legality.
One of the first attempts to solve some of the identified problems was the changes made in 2015 to Article 2 of the Law on Administrative Procedure of the People's Republic of China. Now citizens are allowed to appeal against actions (or inaction) of administrative bodies that have caused violations of their personal data, but the wording of the norm does not allow them to fully take advantage of this opportunity. Firstly, the administrative body still does not announce the collected data, and the data owner does not participate in the collection process. As a result, citizens do not know who collected and stored their personal data, which makes it impossible to identify the violator. Secondly, the development and complexity of information technology create new opportunities for data collection, dissemination and concealment of violations. Citizens, unlike government structures, are less protected because they do not have the opportunity to collect the evidence necessary to defend their rights in court, and losing the case becomes the most likely result. Thirdly, there is no proper understanding of the legal nature of the rights being protected. Courts, as a rule, limit themselves to protecting specific personal data related to confidential information, but refuse to perceive the right to personal data as part of a higher-order right, the right to identity. Thus, the subject of judicial protection of citizens' rights is narrowed.
As Luo Haocai and Song Gongde rightly noted, "the fundamental importance of personal data protection is that a government with trust and the ability to exercise rights can provide public goods necessary for the development of society in accordance with the laws, and citizens feel safe." <16> Of course, when choosing a legislative model for personal data protection, it is necessary to fully take into account the inviolability and protection of personal rights. Thus, in the absence of a general law of the People's Republic of China, acts on the protection of personal data were adopted in several economically developed provinces and cities <17>. It should be noted that regional acts do not solve the general problem, but only soften the sharpest corners. The "Rules on disclosure of information by the Government of the People's Republic of China", as noted, do not have sufficient legal force in the legislative system, which significantly weakens their effect. At the same time, it is generally recognized in legal science that "without the early adoption of a special law of the People's Republic of China, it is impossible to ensure comprehensive protection of personal data, as well as achieve a harmonious information society" <18>.
--------------------------------
<16>
<17> Examples of provincial and local acts: Regulations of the Government of Jiangsu Province dated September 23, 2011 "Regulations on Informatization in Jiangsu Province" (as amended on 09/23/2011) // The Government of Jiangsu Province, 2011; Regulation of the Government of Shanghai dated December 28, 2003 No. 15 "Personal data management of personal credit of Shanghai" (as amended on 09.03.2014) // Government of Shanghai, 2003.
<18>
It seems that the purpose of personal data protection in public and private law is the same: in both cases the norms are based on identical basic principles. Therefore, in the future Law of the People's Republic of China "On Personal Data Protection" it is possible to combine the norms of both public and private law. It should also identify the authorized administrative bodies responsible for overseeing compliance with personal data legislation, as well as establish a vertical management system that develops from the center to the local level. It is advisable to include in this Law general provisions on personal data, basic principles and methods of their protection, to provide for ways of collecting, processing and using personal data by state bodies and non-governmental organizations, as well as to consolidate the grounds and procedure for control and supervisory activities in this area.
Diao Shengxian and Qin Qin rightly noted that as the functions of public administration become more complex and the number of employees increases, the likelihood of their violations of legal norms increases. Therefore, the State needs to pay due attention to control and supervision in various areas of the exercise of its power <19>. Of course, this statement is fully suitable for the administrative information disclosure system, which needs to be adjusted. The collection and processing of personal data by authorities should not be solely within their exclusive discretion. A guarantee against managerial arbitrariness in this case may be the obligation of government entities to inform citizens about actions regarding their personal data, and the procedure for processing such data should be transparent. In this regard, the collection and storage of personal information could be centralized, as well as the control of its use. It is advisable to create a special information body at the regional or at the highest government level, whose functions would include the primary processing of government information, as well as the collection, classification and storage of personal data processed by all government agencies. Such a structure could issue licenses for the processing of personal data, which would minimize the possibility of violating the rights and legitimate interests of citizens. Such an information body should not only control all other state bodies, but also comprehensively protect the integrity of the procedure for processing personal data by subjects who have the right to process them. If the transformations are carried out, then the administrative procedures for collecting, storing, processing, and disclosing personal data will turn out to be more coherent, normatively sound, and predictable for citizens.
--------------------------------
<19>
In a sense, the rule of law is the rule of procedure, and acting in accordance with the law means acting in accordance with the procedure. The famous American judge William O. Douglas also said: "It is the procedure that defines the main difference between the rule of law and the rule of the ruler." <20> Russian scientist Yu.N. Starilov draws attention to the fact that "the low level of efficiency of administrative activities carried out by executive bodies of state power is largely due to gaps in the legal regulation of administrative procedures and the inability to use their potential, principles and procedures in the adoption of administrative acts" <21>.
--------------------------------
<20>
<21> Starilov Yu.N. Administrative procedures are an integral part of legislation on state and municipal management: problems of theory, practice and lawmaking // Bulletin of the Voronezh State University. Series: Law. 2019. N 4. P. 11.
It is important that the following principle is rooted in the administrative law of the People's Republic of China: based on the unequal status of citizens and government agencies, it is not necessary to obtain the consent of citizens when authorities use their personal data in accordance with their authority; however, if necessary, citizens should be informed about the use of such information. At the same time, the use of personal data by government agencies must comply with the standard of "reasonable use".
It is well known that there is no right without protection, therefore it is proposed to introduce the following novelties into the legislation and law enforcement of the People's Republic of China.
First, it is necessary to form a system of monetary compensation for material damage resulting from violation of the right to personal data. The party causing the harm (including the State) is obliged to compensate the victim for significant material damage or to pay over the benefit it received as a result of the violation. That is, "if an authority illegally collects, processes and uses personal data or does not fulfill its obligations to properly verify them and thereby harms the rights and legitimate interests of citizens as subjects of information, citizens have the right to demand compensation for their losses. The right to compensation, compensation is a burden for loss, not an assessment of the action or cause of loss" <22>.
--------------------------------
<22>
Secondly, it is necessary to improve the mechanism of judicial protection in this area by allowing lawsuits in defense of public interests. The illegal collection of personal information by administrative authorities in itself violates the interests of an indefinite circle of people. Thus, the Prosecutor's Office should have the right to apply to the courts to protect public interests and actively use it. This will improve the protective mechanism in the field of personal data, since the prosecutor's office has a natural advantage in obtaining evidence, and it also implements the function of prosecutorial supervision itself, which means it is obliged to bring its cases to a logical conclusion.
One should agree with the figurative statement of Luo Haocai and Song Gongde: "Citizens in a state governed by the rule of law need more rights to know, participate, express their opinions and control the state. As one of the subjects of government, it is not enough for a citizen to stand in long queues outside the "national theater" and simply receive empty hands the rights granted by the government, formulated rules and public decisions. On the contrary, they want to become masters themselves" <23>.
--------------------------------
<23>
The right to personal data provides the subject of information with a chance to dispose of information about his identity without fear that it will turn against him. The protection of personal data in China, as in any country, should correspond to national interests and the peculiarities of the state system, but in some cases the advantages of the comparative legal method are obvious. For example, the experience of the countries of the continental legal family, which have a single law on personal data protection, may be useful for China.