Certain aspects of the legal regulation of personal data protection under Chinese law in the digital age
This article examines the legal regulation of personal data protection under Chinese law in the era of new digital technologies. The Law of the People's Republic of China "On the Protection of Personal Data" of 2021 has some features in common with the EU General Data Protection Regulation, but at the same time stands out for the pragmatism of its regulatory impact on public relations. In the Russian Federation, the issues under consideration came to the attention of the legislator much earlier; in particular, it is worth noting Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" and Federal Law No. 99-FZ of May 7, 2013 "On Amendments to Certain Legislative Acts of the Russian Federation in Connection with the Adoption of the Federal Law 'On Ratification of the Council of Europe Convention on the Protection of Individuals with Automated Processing of Personal Data' and the Federal Law 'On Personal Data'". These acts are aimed at protecting the rights and freedoms of individuals and citizens in the processing of personal data, including privacy, and cover the entire process of processing personal data, including non-automated processing. Given the existing time lag in the legal regulation of the issues under consideration in Russia and China, there are obviously differences in approaches to the processing of personal data in our countries; in particular, a draft law has been developed in Russia allowing individuals to delete their personal data from commercial databases. This increases the value of legal research in this area and makes it possible to predict the legal development of the regulatory policy of the state, taking into account relevant foreign experience.
Keywords: legal regulation, personal data, China, Russia, digital technologies, legislation.
According to the China Internet Network Information Center <1>, as of June 2023, the number of Internet users in China reached 1.079 billion people, and the Internet penetration rate reached 76.4%. By these indicators, China continues to be the largest country in the world. In recent years, due to the rapid development and widespread adoption of new information and communication technologies such as cloud computing, big data, blockchain, 5G and artificial intelligence, the Internet has been actively penetrating traditional economic sectors <2>. The acceleration of digital transformation is directly related to the increase in the number of personal data processing cases. In this regard, the collection and processing of personal data and the strengthening of its protection have become the most important practical issues, to which great importance is attached in the PRC, and members of the public voice certain concerns.
--------------------------------
<2> Sevalnev V.V. Certain aspects of legal regulation of e-commerce and smart contracts under the legislation of the People's Republic of China // Legal regulation of contractual relations arising in connection with the development of digital technologies (smart contracts): Collection of scientific articles: Materials of the round table (Moscow, December 19, 2018). Moscow: Publishing Group "Lawyer", 2019. pp. 84-91.
In August 2021, the Standing Committee of the National People's Congress (hereinafter - the PC of the National People's Congress) adopted the Law of the People's Republic of China "On the Protection of Personal Data" (hereinafter - the Law of the People's Republic of China POA), which entered into force on November 1, 2021 <3>. The Law of the People's Republic of China POA is the first special legislative act in the legal system of the People's Republic of China that regulates public relations related to the protection of personal data. This legal act makes up for the previously existing shortcomings of legal regulation in the field of personal data protection in the People's Republic of China. As noted by Chinese researchers <4>, the legal act in question, in conjunction with the Laws of the People's Republic of China "On Network Security" of 2016, "On Data Security" of 2021 and "On Electronic Commerce" of 2018 <5>, the Civil Code of 2020, the Criminal Code of 1997 (ed. 2020) and other laws, creates the foundations of the system of legislative protection of personal data in the People's Republic of China and lays a solid foundation for the economic and social development of the country in the context of the digitalization process.
The Law of the People's Republic of China POA was adopted at the 30th meeting of the PC of the National People's Congress of the XIII convocation on August 20, 2021, in order to protect the personal information of individuals, regulate its processing and promote its rational use. The law consists of 71 articles, which are grouped into 8 chapters.
The basic principles of personal data protection are of great functional importance, since they not only contain the basic requirements for personal data processing activities, but also serve as the basis for building an integrated personal data protection system that covers the whole process and all aspects of personal data processing. The Law of the People's Republic of China POA takes into account relevant international and foreign experience and law enforcement practice, but is primarily based on Chinese specifics. Articles 5-9 of the Law of the People's Republic of China POA formulate the basic principles of personal data protection. First, there is the principle of legality, proper method, necessity and good faith. This is the basic principle of personal data protection in China. It logically continues and develops the principle of legality, proper method and necessity previously enshrined in the Law of the People's Republic of China "On Network Security". Second, there is the principle of purpose limitation. This principle stipulates that the processing of personal data must have a clear and reasonable purpose. Together with the above-mentioned principle of legality, proper method, necessity and good faith, it establishes a standard for evaluating the purposes of personal data processing and limits personal data processing activities. Third, there is the principle of openness and transparency. Article 7 of the Law of the People's Republic of China POA establishes that personal data processors are required to disclose the rules of processing and inform individuals of the purpose, method and scope of personal data processing. Fourth, there is the principle of completeness and accuracy. This principle means that personal information processors must ensure the quality of the personal information they process and avoid adverse effects on personal rights and interests due to inaccurate and incomplete personal information. Fifth, there is the principle of protection and safety. The main purpose of this principle is to ensure the security of personal information when it is processed by various methods and organizations in China.
The concept and scope of personal data form the basis for work on the protection of personal data, and are also the starting point for the legal mechanism for the protection of personal data in the legal space of China. In the doctrine of Chinese law enforcement, there are two approaches to defining the concept of "personal information" - the theory of identification and the theory of association. Identification takes the question of whether an individual can be identified as the standard for distinguishing personal from non-personal information. This is a common method in traditional legislation on the protection of personal information <6>. In the decision of the PC of the National People's Congress on strengthening the protection of information on the Internet of 2012 <7>, the concept of "identification" was formulated for the first time at the legal level; in 2016, the Law of the People's Republic of China "On Network Security" fixed a "generalization and enumeration" approach to defining the concept of personal information, which, in essence, refers to identifying data. The theory of association, in turn, refers to obtaining additional relevant information about a particular individual when that individual is already known. In practice, due to the limited amount of identifiable information combined with dynamic changes in the attributes of personal information, it is difficult to use a universal method of personal data protection. In China, a combination of both approaches - identification and association - has been established in the processing of personal data, which expands the content of personal data as an object of processing.
For the first time, the Law of the People's Republic of China POA establishes the scope of confidential personal information in the form of an enumeration, defining it as "personal information that, after leakage or illegal use, may lead to a violation of the personal dignity of individuals or their safety and property" (Article 28), and also lists biometric data, religious and similar beliefs of an individual, medical data, financial accounts, location and personal information of citizens aged 14 and over. The approach used in the PRC with respect to confidential personal information is based on the experience of the General Data Protection Regulation of the European Union (hereinafter - GDPR), but there are differences in the definition of specific areas of application. In particular, art. 9 GDPR directly uses the enumeration method to identify confidential personal data: data that may disclose racial or ethnic origin, political views, religious or philosophical beliefs or membership in a trade union, as well as genetic data, biometric data processed for the purpose of unambiguous identification of an individual, and data related to the health, sex life or sexual orientation of an individual. Taking into account the specifics of confidential personal information, the Law of the People's Republic of China POA establishes stricter requirements for its processing.
According to Article 13 of the Law of the People's Republic of China POA, personal consent is required as the basis for the legitimate processing of the personal data of an individual. On this basis, Article 14 of the Law for the first time enshrines the obtaining of individual consent and written consent of an individual. Individual consent is related to the concept of general consent. It aims to establish the obligation of personal information processors to inform, and also emphasizes that companies should encourage individuals to pay attention to the processing of their personal information and clearly inform users, so that the user makes his own choice. Taking into account that in practice there are a large number of issues such as authorization and mandatory user consent to the processing of personal data, the Law of the People's Republic of China POA clearly establishes separate consent requirements for the following scenarios: the provision of personal information to others, its disclosure, and the processing of confidential personal information. Personal information processors should distinguish consent in these scenarios from consent in other common scenarios and avoid obtaining personal consent through an authorization mechanism.
Written consent is a type of consent that differs from oral consent and is intended to strengthen the formal requirements for personal consent. Article 14 of the Law of the People's Republic of China POA establishes that if personal information is lawfully processed on the basis of consent, and laws and administrative regulations provide for obtaining the written consent of an individual, then written consent must be obtained in accordance with the requirements of the relevant regulations. The forms of written consent may vary and may be expressed in the form of a contract, mail, or other methods, including paper and electronic ones.
An important goal in developing the Law of the People's Republic of China POA was to clarify the rights of personal data owners through systematic design of the legal system, in order to strengthen the control of individuals over their personal information and achieve the goal of personal data protection. The Law of the People's Republic of China POA takes into account the current legislation of the People's Republic of China, as well as the practice of the European Union expressed in the GDPR. The Law provides for a special chapter "Personal rights in the processing of personal information"; art. 4 - 49 provide for a number of rights to personal information, such as the right to know, the right to make decisions and the right to restrict the processing of personal data. At the same time, in order to ensure the effective exercise of rights related to personal data, the Law of the People's Republic of China POA also requires that personal data processors create a mechanism for accepting and processing applications from individuals to exercise their rights, as well as develop appropriate rules for the protection of such rights. For example, art. 45 provides for the right to access and reproduce personal information and at the same time requires that the personal information processor provide such information in a timely manner; another example is Article 46, which provides for the right to correct and supplement personal information and at the same time requires that the personal information processor promptly verify, correct and supplement this data.
In addition, in order to protect the legitimate rights and interests of the close relatives of the deceased, the Law of the People's Republic of China POA takes into account the relevant norms of the Civil Code of the People's Republic of China, providing that in the event of the death of an individual, his close relatives may, in accordance with the law, use the relevant personal information of the deceased, in particular, exercise the rights of access, reproduction, correction, deletion, etc. (Article 49).
Due to the continuous and rapid development of international digital commerce, the demand for cross-border transfer of personal information is increasing. The Law of the People's Republic of China POA establishes rules for the cross-border provision of personal data. A set of clear and systematic rules for the cross-border movement of personal information has been developed, which takes into account the need to protect rights and interests in personal information. Objective security requirements meet the real needs of international economic and trade exchanges. There are four legal scenarios for cross-border provision of personal information. The Law of the People's Republic of China POA stipulates that if personal data processors need to provide personal information to foreign countries in connection with business and other needs, they must undergo a security assessment organized by the National Department of Network Telecommunications, or be certified by a professional organization for the protection of personal data, or conclude a contract in which both parties agree on the rights and obligations, or fulfill other conditions stipulated by laws and administrative regulations (art. 38). These conditions are alternatives for the cross-border provision of personal data; in addition to them, two necessary conditions must also be met, namely, obtaining the separate consent of the natural person to the cross-border provision of their personal data and taking the necessary measures to protect the processing of personal data by foreign recipients. The Law of the People's Republic of China POA establishes restrictive requirements for the cross-border provision of several types of special personal information. Firstly, personal information processed by government agencies should be stored by default on the territory of the People's Republic of China; secondly, for operators of critical information infrastructure and personal information processors who process personal information to a certain extent, in principle, personal information collected and generated by these organizations. For the above types of entities, if there really is a situation where it is necessary to provide personal information abroad, a security assessment is carried out (Articles 36, 41). In China, the rules for providing personal information to foreign judicial or law enforcement agencies have been improved. The Law of the People's Republic of China POA has adopted provisions that are consistent with the requirements of the Law of the People's Republic of China "On Data Security" for ensuring compliance with legislation on cross-border data. For those who need to provide personal information abroad in connection with international judicial assistance or administrative law enforcement assistance, it is clearly stated that they must submit an application for approval to the relevant competent authorities in accordance with the law. The Law of the People's Republic of China POA provides for a blacklist system for the cross-border movement of personal information, as well as a system for monitoring discriminatory measures against other countries or regions. If foreign organizations or individuals engage in personal data processing activities that violate the rights and interests of Chinese citizens in the field of personal data or endanger national security or public interests, they may be included in the list of restrictions or prohibitions on the provision of personal data (Article 42).
For a long time before the development of the Law of the People's Republic of China POA, the intensity and actual amount of penalties imposed under the relevant laws of China for the illegal actions of companies were relatively low in comparison with the huge commercial benefits those companies received, and did not exceed 10,000 yuan. In the European Union, after the entry into force of the GDPR, as of October 2021, there were more than 800 cases of penalties with a total fine exceeding 1.29 billion euros <8>. The Law of the People's Republic of China POA has significantly increased penalties for illegal handling of personal information or failure to comply with obligations to protect personal data. Article 66 of the Law of the People's Republic of China POA clarifies the general responsibility of personal data processors for violating its provisions, as well as legal liability in the presence of serious circumstances, when a fine of no more than 50 million yuan or less than 5% of the turnover of the previous year may be imposed; a decision may also be made to suspend the relevant business or close the business for correction. In addition, the relevant business license may be revoked, and a fine may be imposed on directly responsible persons and other persons. It may also be decided to ban guilty persons from working as directors, supervisors, and senior management personnel. In addition, art. 69 of the Law of the People's Republic of China POA clarifies the system of civil liability based on the principle of presumption of guilt when personal data processors cause damage, and establishes a method for calculating losses incurred by individuals as a result of benefits received by personal data processors; judicial mechanisms may be used on this issue if the parties cannot reach an appropriate agreement.
In the process of developing the Internet industry and the digital economy, China attaches great importance to the protection of personal information, adheres to standardization in the design and development of such activities, and effectively protects the legitimate rights and interests of citizens. The evolution of the personal data protection mechanism in China is characterized by a transition from indirect protection to direct protection and eventually to comprehensive protection of personal data. At the beginning of the development of the Internet industry in China, indirect protection of personal information was mainly achieved by protecting the privacy rights of citizens. For example, the Law of the People's Republic of China "On Tort Liability" adopted in 2009 provided for the right to privacy as a civil right and protected the personal information of a citizen. In 2021, this Law lost its force due to the adoption of the new Civil Code of the People's Republic of China. China's Internet industry has entered a stage of rapid development, so the state has begun to protect personal information on the basis of new legislation. In recent years, when personal information and user data have become the most valuable key factor for various sectors of the economy, China has strengthened the protection of the personal information of citizens, and therefore the Law of the People's Republic of China "On the Protection of Personal Information" has become not only a key part of the legislation in the field of personal data protection in China, but also a comprehensive and systemic legal act that has adopted relevant international and foreign experience.