Protection of citizens' rights in cyberspace under Chinese law
The article examines the issues of legal support for the protection of citizens' rights in cyberspace under Chinese law. The purpose of the study is to analyze the theoretical and practical aspects of the balance between the protection of citizens' rights and public interests when using personal information in information and telecommunications networks. It is noted that the legal regulation of personal data protection in the territory of the People's Republic of China is carried out within the framework of the law, which establishes the general principles of personal data protection, and by state regulators, which determine the rules for the application of the law. It is concluded that there is a symbiosis of the European approach to the concept of personal data and the Chinese tradition of the inapplicability of the category of fundamental human rights and freedoms to personal information.
Keywords: personal data, personal information, public interests, cyberspace, cybersecurity, information and telecommunication networks.
Introduction. Ensuring the protection of the rights of citizens of any country in cyberspace is based on the existing risks that arise in the process of carrying out activities in the digital environment. These risks may include: collection of personal information about users by websites; storage of information accumulated about network users; creation of a user identity profile based on analysis of user behavior in cyberspace; use or dissemination of collected information about users.
With the development of digital services, the protection of personal data has come to play a key role in ensuring and protecting the personal rights of citizens. Following the European Union, more and more countries around the world are developing their own rules for the protection of personal data, often taking as a basis the Guidelines of the Organization for Economic Cooperation and Development (OECD) on the Protection of Privacy and Cross-border Exchange of Personal Data [1] or the General Data Protection Regulation (GDPR) [2]. Some countries, such as the United States, have chosen an industry-specific approach to data protection through laws regulating certain types of legal relations (financial services, consumer protection, protection of the rights and legitimate interests of children, etc.). A number of countries, on the contrary, adhere to an integrated approach to the legal regulation of personal data protection (in particular, Canada, Japan, Singapore).
For many years, China has deliberately chosen not to interfere in this area of legal regulation. However, the development of digital technologies and the Internet has forced a revision of established approaches.
Legal regulation of cybersecurity in China. Since June 1, 2017, the Law on Cybersecurity, adopted on November 7, 2016, has been in force in the People's Republic of China <1>. Unlike the GDPR, China's Cybersecurity Law has a broader scope of legal regulation and extends not only to the personal data of citizens, but also to the protection of national security and sovereignty in cyberspace [4].
--------------------------------
<1> Electronic resource. The Law of the People's Republic of China on Cybersecurity is a regulatory act designed to ensure network security, protect the sovereignty of cyberspace and national security, as well as social and public interests, protect the legitimate rights and interests of citizens, legal entities and other organizations, as well as the healthy development of economic and social informatization (see: baidu.com).
Cybersecurity is defined as the measures necessary to prevent cyber attacks, intrusions, interference, destruction, illegal use and unexpected accidents, and to ensure the stability and reliability of networks. The Law defines personal data as any information stored in electronic form or in any other way that, by itself or in combination with other information, allows the identification of the subject. The Law applies to companies that collect and process personal data, including foreign companies. If a company does not comply with the requirements of this Law, it may be held liable in the form of a fine of up to ten times the amount of illegally obtained profit, a ban on carrying out activities on the Internet, or revocation of its business license.
The Law on Cybersecurity of the People's Republic of China, depending on the type and scope of activity, divides companies that collect or process personal data into "network operators" and "operators of critical information infrastructure."
Network operators include network owners, managers and providers. As a rule, this covers any company that provides services over the Internet, which currently means the majority of companies.
The category of operators of critical information infrastructure is not precisely defined and includes companies belonging to strategically important sectors (telecommunications, finance, energy, transport) or using an information platform.
In addition, this category includes companies whose volume of collected or processed data exceeds the threshold of 1,000 GB, or those whose violation of network security may lead to damage exceeding the threshold corresponding to a fine of 10,000 to 100,000 yuan, as well as companies that do not fall under the category of operators of critical information infrastructure but collect or process personal data on behalf of an operator of critical information infrastructure.
The distinction between these two categories has lost its relevance in practice due to the adoption of additional provisions that have tightened the obligations of network operators, thus bringing them closer to the legal regime of operators of critical information infrastructure.
Among the differences currently existing are the obligation of operators of critical information infrastructure to appoint a security officer certified by the Chinese Cyberspace Administration, as well as the obligation of the Chinese Cyberspace Administration to carry out security checks of operators of critical information infrastructure when making online transactions for the purchase of goods and services.
The chapter of the Law on Cybersecurity of the People's Republic of China devoted to information security focuses on the protection of personal data itself. An important place is given to the consent of the user whose data is to be processed. The collection, use and transfer of such data cannot be carried out without the user's consent, and in case of damage to or leakage of this data, the user must be warned. The subject of personal data should be able to request any company to delete the data collected about him.
In 2021, China introduced new rules formalizing the practice of censorship. Producers of information content must reproduce and publish information consistent with the principles of the Chinese State. Companies are invited to promote the ideology of the Chinese Communist Party, as well as its decisions and projects, strengthen the influence of Chinese culture in the world and show the real China, corresponding to the positive image of the country and its interests. These provisions restrict freedom of speech, but in China, compliance with the rules established by the party is seen as a sign of respect for Chinese culture.
The rules prohibit netizens from posting negative content; instead, they must promote any content that speaks of good taste, style and responsibility, that praises truth, kindness and beauty, and that promotes unity, mutual understanding and stability. It is illegal to distribute content that harms the honor and interests of the nation. Users should glorify the core values of socialism, promote the moral culture and spirit of the Chinese time, and accurately describe the spirit of the Chinese nation. All individuals and organizations using cyberspace must comply with the country's Constitution and laws. In addition, the Chinese government urges respect for "social morality," which means that netizens should not put cybersecurity at risk so as not to violate national honor and national interests. Goods and services distributed in cyberspace must comply with applicable national requirements. Service platforms are required to adhere to the "core value orientation" of the Chinese state.
Protection of personal information in the legislation of the People's Republic of China. On November 1, 2021, the Personal Information Protection Law of the People's Republic of China (PIPL) came into force in China, adopted on August 20, 2021 at the 30th meeting of the Standing Committee of the National People's Congress of the 13th convocation <2>. It introduced the concept of "important data", i.e. data that can directly affect national security, the economy, social stability or public health in the event of its leakage, as well as the concept of "confidential personal data", i.e. data whose leakage, publication or abuse may endanger the safety of individuals or their property, lead to a violation of the business reputation of third parties, or lead to discrimination.
--------------------------------
<2> The Law of the People's Republic of China on the Protection of personal information // China's Leading Corporate Service Provider Electronic resource.
Confidential personal data includes, among other things, biometric data, religious beliefs, data on a person's health status, place of residence and financial situation. The processing of confidential data is possible only for a specific purpose and subject to strict security measures. Network operators who collect sensitive data or confidential personal data are required to appoint a person responsible for implementing a data protection program, handle complaints related to this data, and interact with national authorities such as the Chinese Cyberspace Administration.
Thus, before any transfer of personal or important data outside China, the operator of a critical information infrastructure must conduct a self-assessment aimed at ensuring data security and obtain the approval of the competent national authority. The network operator must comply with the same restrictions in the case of the transfer of important data, but it does not need to seek the approval of a national authority for the transfer of personal data outside China.
Before starting to provide services, companies must verify the authenticity of their customers' or users' personal data. This provision may impede freedom of expression, as the collected data can be transferred to national authorities upon their request. Similarly, the requirement to store information on servers in China and cooperate with national authorities may jeopardize trade secrets. China is committed to securing the supply chain of critical information infrastructure and guaranteeing national security. This is achieved through a cybersecurity check that operators must undergo and which allows the Chinese authorities to ensure that all information transmitted by these operators will be available to the authorities.
The Law of the People's Republic of China on the Protection of Personal Information extends its effect to companies that process data in China. If the processing of personal data is carried out outside China, the law applies to the personal data of individuals located in China, in the presence of one of the following circumstances: the company carries out activities for the sale of goods or services to individuals in China; the company carries out activities for the analysis and assessment of consumer behavior in China; the presence of other circumstances provided for by the law or administrative regulations of China [3].
In order to provide personal data to a party outside the territory of the People's Republic of China, the personal data operator must meet one of the following criteria: have a positive security clearance certificate issued by the national Cyberspace Administration; have a personal data protection certificate issued by a specialized institution in accordance with the regulations of the national Cyberspace Administration; have an agreement with the foreign data recipient in accordance with a standard agreement developed by the National Cyberspace Administration.
Operators of critical information infrastructure are required to store personal data in China. If it is necessary to transfer data outside the country, a security assessment is required by the national Cyberspace Administration. Thus, in order to transfer personal data outside the territory of China, it is necessary to have the approval of the Chinese regulatory authority and the consent of the personal data subject.
Unlike the Law of the People's Republic of China on Cybersecurity, the Law of the People's Republic of China on the Protection of Personal Information explicitly excludes anonymous information from the category of personal data. The processing of personal data is limited to explicit and reasonable purposes and the minimum required amount of information collected necessary for the purposes of processing in accordance with the principles of openness and transparency. The processing, use and transfer of personal data that endangers national security or harms public interests is considered illegal.
As a general rule, the processing of personal data in China is possible only with the consent of the personal data subject. However, the Law provides for a number of cases where this is possible without obtaining consent. Firstly, we are talking about cases where data processing was necessary to fulfill obligations established by law, manage personnel in accordance with labor standards and rules, as well as for the purpose of concluding and executing a contract to which an individual is a party. Secondly, this is a group of cases related to circumstances of force majeure: in emergency situations in order to protect the life, health and property of individuals, during information reporting in the public interest. Finally, the processing of personal data does not require consent if the person has disclosed information about himself.
If foreign organizations or individuals violate the rights and legitimate interests of Chinese citizens when processing personal data or pose a threat to national security, the National Cyberspace Administration may include such organizations or individuals in the list of limited recipients of personal data and prohibit the provision of personal data in relation to these organizations or individuals.
Protection of personal data in the judicial practice of the People's Republic of China. On April 11, 2022, the Supreme People's Court of China published typical cases on judicial protection of personal rights, among which a special place is occupied by the case of violation of personal rights through intelligent algorithmic software. Software using artificial intelligence technology, the rights to which belonged to the defendant, used the image of an individual without his consent and created a virtual character based on it. The problem was that the defendant only created conditions for downloading the plaintiff's data, and the download itself was carried out by users. During the trial, the Beijing court ruled that the defendant's actions were related to the use of a common personality image, including the portrait and name of the plaintiff. Although specific images were uploaded by third-party users, the application of the defendant's algorithms actually encouraged and organized user uploads. Accordingly, the defendant has ceased to be just a neutral provider of technical services and, therefore, must be responsible for violating the plaintiff's rights to name, image and personality in general as a content service provider.
The case of illegal trade in personal information is also of interest. According to the circumstances of the case, the defendant had been selling personal data for a long time, including names, phone numbers, email addresses, etc. of users of WeChat, QQ and other Internet resources.
The plaintiff stated that the defendant openly and illegally bought, sold and distributed personal data on the Internet without the consent of the subjects of personal data, as a result of which personal information was illegally used, violating the rights and interests of the persons concerned and the public interest.
The court pointed out that when receiving personal data, organizations or individuals must ensure information security in accordance with the law and have no right to illegally collect, use, process or transfer personal data. The defendant illegally obtained the personal data of individuals without their consent and illegally sold them for profit. This case is the first civil trial in the public interest for the protection of personal data after the introduction of the Civil Code of the People's Republic of China. The Court clarified that large-scale encroachment on personal data constitutes a violation of public interests in the field of public information security <3>.
--------------------------------
<3> 11.04.2022 // An electronic resource.
Conclusions. A special feature of the legal regulation of personal data protection in cyberspace in the territory of the People's Republic of China is the existence of a framework law (PIPL), which introduces the basic principles of regulating the protection of personal data, while the regulation of certain issues of the application of the law is carried out by state regulators, in particular the Cyberspace Administration of China.
The concept of personal data is used by the Chinese legislator in the context of the European legal tradition. At the same time, the right to protect personal information in China does not belong to the category of fundamental human rights and freedoms and is not considered an individual right. So, while in the EU the protection of identity in cyberspace takes priority over public interests, in China the priority is given to the protection of public interests. The European approach demonstrates the principles of balancing the rights and legitimate interests of citizens and public authorities and the reasonableness of restrictions on citizens' rights, while the Chinese approach draws attention to the economic potential of data and state interests, public security and propaganda of state ideology.