Data Privacy under the PRC Network Security Law and the Draft PRC E-Commerce Law

First, here are some slides for quick reference if you are lazy and don’t want to read.



The PRC Network Security Law (“NS Law”) has come into force on June 1, 2017. This law provides certain provisions in relation to the data privacy. Some of them appear to be beneficial to the individual data owners, whilst some others may be counter-productive to the protection of data privacy.

In parallel, the legislative branch of the Chinese government has published a draft PRC E-Commerce Law (“Draft EC Law”) for public consultation in December 2016.  This draft law has not yet to be passed by the PRC National People’s Congress (NPC) to become effective. However, its provisions have reflected some basic attitudes of the Chinese authority towards the protection of data privacy.

This essay sets out and provides my comments on the key provisions with respect the data privacy under the NS Law and the Draft EC Law.  In order to make readers digesting these laws easily, I will apply Daniel J. Solove’s theory of categorization of the data privacy issues.

1. Data Collection and Aggregation

“Aggregation” means the gathering of a person’s data from different sources and then combining them to form a clearer image of the person.

  • Art. 22.3 of the NS Law: ISP cannot collect its users’ personal information without the expressive consent. Art. 41 of the NS Law: ISP shall publish the rules, purpose, method, and scope of collection of personal information. No collection without users’ consent.[Comments: (i) These provisions do not distinguish “collection” and “aggregation”.  (ii) As a result, although these provisions have clearly required an operator to obtain consent before collecting its users’ information, they did not address the issue whether a third party can search and aggregate personal information (either from the public domain or from the first-hand data collectors.)]

2. Surveillance

Surveillance means the act or system enabling the government or a company to monitor user’s activities (“Big brother is watching you”).

  • Art. 51 of the Draft EC Law obliges E-commerce business operators to provide data to government authority (although it also said that the government authority should adopt “necessary measures” to protect data security).
    [Comments: (i) This provision legitimized (rather than prohibited) the surveillance practice.]
  • Art. 21.3 of the NS Law: ISPs are obliged to monitor and record user’s activities and should keep records for no less than 6 months.
    [Comments: (i) this could be counter-productive to protecting privacy from the individual data owner’s perspective; (ii) the 6 months storage obligation is not new in China, but the NS Law makes the compliance to be a necessity (at least on paper). ]

3. Identification

Identification means to identify a particular person or a particular group of persons by data analysis.

  • Art. 42.1 of the NS Law: No sharing of identifiable personal data without consent. Art. 50 of the Draft EC Law: an E-commerce business entity is obliged to take protection measures to ensure anonymity before it shares the e-commerce data with another E-commerce business entity.[Comments: Article 42 of the NS Law first prohibits business operators from divulging personal information to a third party. Then it says that if the data cannot identify a particular person, then it is fine to transfer without the data owner’s consent. Article 50 of the Draft EC Law has generally kept consistency with the NS Law on this regard. ]
  • Art. 45 of the Draft EC Law confirms that the buyers have autonomy over their personal data; it also defines the personal data with a detailed list, such as name, ID certificates number, address, contact details, information of geographical location, bank card info, transaction records, payment records and records of accepting logistic services.[Comments: The Draft EC Law did not distinguish the “private personal data” and the “business personal data”.  In some countries, use and aggregation of the business contacts (e.g. office telephone numbers, office email address and other info shown on a business card) may enjoy certain exemptions.]
  • Art. 46 of the Draft EC Law first provides that collection of personal data requires user consent; then it prohibits the denial of service due to the user’s refusal of providing personal data.

4. Disclosure and Insecurity

Disclosure means the data holder’s own act of disclosing the private facts. Insecurity means the situation that the data is attacked and stolen.

  • Art. 21. 2 and 21.4 of the NS Law request ISP to take technical measures to protect its system from attack; ISP also needs to classify, backup and encrypt data.
  • Art. 22.1 and 22.2 of the NS Law request ISP to take remedial actions when its system is in risk; provide security maintenance during the term of service. These provisions also generally requested the producer of network security products or services to report the authority about the data breach.
  • Art. 27 of the NS Law generally prohibits hacking acts. It also prohibits the assistance of hacking practice, such as tech support, advertising, and settlement of payment.
    [Comments: The provision did not clarify if the “assistance” means knowingly assistance. It also did not clarify if “constructive knowledge” also applies to this provision.]
  • Art. 42.2 of the NS Law requests ISP to take technical measures to protect data from disclosure, damages or loss. It also mentioned that the data holder shall report the data breach to the relevant authority.
  • Art. 49 of the Draft EC Law provides that e-commerce business entities must establish rules and technologies to prevent disclosure of data. It also provides if there is a data breach, the e-commerce business entity is obliged to (i) take remedial measures, (ii) notify the users and (iii) report to government authorities.

5. Exclusion 

Exclusion means the act/rule disabling/excluding a user from maintenance and deletion of his personal data from the system. The reason for deletion can be either those data are objectively outdated or the data owner simply changed its mind of disclosing the data.

  • Art. 43 of the NS Law: User has right to request deletion if the service provider’s collection or use of personal information in breach of the law/agreement; or there are mistakes in the personal information.[Comments: According to this provision, if there is no mistake in the personal information and the service provider does not breach the contract, then the data owner will not have right to remove the data he/she has provided to the service provider. It is not clear whether “mistake” herein includes “outdated”.  However, it seems clear that data owner would have lost an absolute right of deletion.]
  • Art. 47 of the Draft EC Law: provides that when a user requests correction or supplement of his/her personal information, the E-commerce business entity should correct or supplement the information accordingly.
  • Art. 48(3) of the Draft EC Law: provides that a user has right to delete its personal information. However, such right of deletion only arises (and is only mentioned) upon lapse of agreed / statutory term of preservation of personal data.

6. Increased Accessibility

Increased accessibility means, without the consent of the personal data owner, making the information that is already available to the public EASIER for a wider scope of the audience to access.

E.g., a buyer’s review of a particular product is usually made available to the public.  However, the buyer might not want his friends or colleagues to know that he purchased such product.

Neither the Draft EC Law nor the NS Law has provision preventing increased accessibility of data.

7. Blackmail, which means using a person’s personal data to blackmail him/her.

In e-commerce scenarios, it is possible that an e-commerce vendor may blackmail a buyer with the buyer’s personal records when the vendor gives a negative review of the vendor’s product. The Draft EC Law has no provision preventing such blackmails.

8. Distortion

Distortion: means disseminating false and misleading information to manipulate the way a person is perceived and judged by others.

  • Art. 42.1 of the NS Law provides that service providers cannot distort personal information. But this appears to be too general.
  • Art. 52 of the Draft EC Law stipulates that the state should promote all e-commerce business entities to ensure that information is accurate and reliable etc.

9. Second Use

Second use means the use of data for purposes unrelated to the purposes for which the data was initially collected without the data subject’s consent.

  • Art. 52 of the Draft EC Law provides that the State shall establish public data sharing mechanism. Such mechanism necessarily involves the second use of data. However, no guidance or rules are provided in relation to second use except to the extent that the State should ensure e-commerce business entities shall protect the liability, security, and authenticity of aggregated data.


Draft PRC E-Commerce Law: Compliance Check

Below are a few slides reflecting the result of a compliance check of the leading e-commerce service providers’ user terms or privacy policies (sorry I will not disclose their names).  The survey was conducted under the assumption that the provisions in Draft PRC E-Commerce Law (as published for public comments on December 27, 2016) will be effective.




Capture4 Capture5

Integrating the Cultural Diversity into the Welfare Theory: What We Should Acknowledge in the Debates

IP & Creative Industry Series:

Integrating the Cultural Diversity into the Welfare Theory: What We Should Acknowledge in the Debates

Executive Summary

Other than listing out the “advantages” and “disadvantages” of each school of the IP theories, this essay tries to apply the theories into two controversial topics: (a) traditional knowledge and (b) copyright reform.

This essay argues that, while each of the four mainstream IP theories has their “functions” in policy forming, the welfare theory brings a platform for stakeholders in different sectors and countries. However, without appreciating the diversity of culture and the variety of people’s demands to the good life, it would be hard to reach consensus on basic aspects of the IP law reform, not to say building a legal system that is adaptive to the fast-developing technologies.

The next section of this essay addresses the hype in the protection of “traditional knowledge”. I will argue that, while the “fairness” theory and the “personal hood” are used to support their arguments, parties of debates appear to cite these theories with utilitarian purposes. The platform of conversation was actually built on the base of welfare theory.

The third section discusses the copyright reform by reviewing the history of Chinese copyright laws. I will argue that he driving force of copyright reform in developing countries are utilitarian purposes. Personhood and fairness theories are used by policy makers to decorate their arguments. Social welfare integrated with cultural perspectives is indeed the driving force of legal reforms.

Debates on Traditional Knowledge

Among others, debates relating to traditional knowledge focus on two aspects of sub-topics. One is about the protection or using of traditional culture heritages in contemporary arts or entertainment contents; the other focuses on using certain community’s knowledge in medical or other scientific developments.

To support their arguments in “creating new laws to protect” the indigenous communities from free use of traditional knowledge by current content industry and pharmaceutical industry, people cite theories from different schools of IP theories. For examples:

  • using labor-desert theory to argue that the culture heritages should be owned by the original group of people and their descendants;
  • using distributive justice theory to argue that enabling indigenous people with certain IP protection to their cultural expressions is a mechanism of redistribution of wealth;
  • using personhood theory to argue that because traditional knowledge manifests the personalities of their creators, the IP laws should admit the interest of the descendant’s of the creators.
  • On the other hand, people against the new exceptions and laws for the traditional knowledge also cites various theories purposely (if not randomly). For examples,
  • using the “public domain” theory (which derives from the Lockean theory) to argue that traditional knowledge protection will “encroach the public domain” and thus prevents freedom of idea and discourage the innovation;
  • using personhood theory to argue that, because all persons must be enabled to express themselves artistically, the low should recognize increasing dependence of creativity upon re-use of existing knowledge;
  • using the welfare theory to argue that, because it is hard to identify the ownership of traditional culture, creating new laws for them will not provide welfare to the whole society; and
  • using the autonomy theory under the culture school to argue that people should not be bound to choose a particular traditional culture.

By observing the above arguments, one may find that arguers on both sides appear to flip their positions on various IP theories and cite “useful” ones to support their arguments respectively. In particular, a very interesting phenomenon is that the “public domain” theory, whose arguers are generally opposing restriction of the public use of the traditional knowledge, is controversially preferred by developing countries in their arguments in favor of the exceptional IP rules for the traditional knowledge. In my view, this flipping of positions per se shows that the arguers are largely base their arguments with utilitarianism.

Then, if people are indeed mostly relying on the welfare theory, why different people have conflicting views on the protection/restriction/exception of the traditional knowledge? The answer can be found from the culture version the IP theory. Different countries have different interest given their regime, geographic location, and history. Within one country, a different group of people also have different interest as well as the preference for good life. Such matrix of diversity makes debates on the traditional knowledge complicated.

Copyright Reform

Similar to the debates on traditional knowledge, the discussion (and legislative practice in many countries) for copyright reform is also complicated due to diversity of interest and the different culture traditions, but on its surface, arguers tend to not acknowledge this reason but like to utilize the social welfare theory (as a tool but not a guiding philosophy), the fairness theory and the personhood theory to justify their positions.

This leads to flips among theories too. For example in the recent discussion on amendments to the PRC Copyright Law, arguers for a stronger power of collective management societies cite the theory of social welfare to support their points. In the meantime, the same group of people may utilize the personhood theory to support the right of lending and the right of withdrawing (with an updated version of work). The fairness theory is particularly popular in arguing that the “remuneration” right is more important than the right to prohibit public from using a work (i.e. the injunctive reliefs).

There are researches showing that even in European countries, incentive theory, instead of the “personhood rights”, is the main power driving the creation and development of copyright laws. Respect to moral rights is largely a tradition derived from the logic of the continental civil acts. In other words, traditions and cultural factors are more important in forming the social views on copyright protection and the scope of fair use.

This is also the case in China, historical evidence shows that Chinese culture does not have a tradition of “property” that stresses the prohibition rights. In the meantime, providing high remunerations to the authors (either by the government or private users) is a continuous tradition. This explains why the injunctive reliefs are less supported in Chinese courts and why China has developed remuneration rules even during the years of 1960s-1970s. This also explains why in the regulations on protection of the right of communication through information networks, the law makers have provided generous fair use exceptions to use of works for remote education and for poor regions.


By observing the debates in traditional knowledge and the driving force in copyright reform, this essay concludes that the social welfare theory derived from utilitarianism is the actual driving power in the legal reform.  In addition, diversity of culture and tradition brings different views on the function of the IP regime.  Acknowledging these two points will bring all the arguers to the same table and thus enable us to find the essence of debates more efficiently.

Important cases for lawyer-client privilege

Three Rivers DC v Bank of England (Disclosure) (No.3) [2003] EWCA Civ 474;

• the American case Upjohn Co v United States (1981) 449 U.S. 383 (Sup Ct (US));

• Judgment of the Honourable Mr Justice Barma, delivered on 19 August 2009, in James Daniel O’Donnell (directed by the SFC) v Lehman Brothers Asia Ltd (In Liq) (HCMP 1081/2009, unreported); and

• The judgment of the Honourable Mr Justice Wright, delivered on 18 March 2011, in CITIC Pacific Ltd v Secretary for Justice and Commissioner of Police [2011] HKCU 563 (CITIC).

The Official English Translation of the CNNIC ccTLD Domain Dispute Resolution Policy is NOT Consistent with the Original Binding Chinese version


As you may know, there are generally two approaches to resolve a domain name dispute: one is to take file a civil action with a court; the other more common approach is to go through the alternative dispute resolution proceeding (ADR), i.e., file a complaint with a domain name dispute resolution center appointed by the registry.

For the administrative resolution by expert panels, the parties and the expert panels rely on the domain name resolution regulations as issued by the Registry of the relevant domain names. For the “.com” top-level domain names, such ADR proceeding is called “UDRP” proceeding. For the domain names registered under the country codes (e.g., “.cn”), the ADR policy will be provided by the registry.

The registry for the “.cn” domain names is China Internet Network Information Center (“CNNIC”). It has published its UDRP-like policy to resolve the “.cn” domain names since 2002. The policy has been amended and re-issued in 2006, 2012 and 2014.

The full name of the CNNIC’s policy reads CNNIC Country Code Top-Level (ccTLD) Domain Dispute Resolution Policy (“CNDRP”). Besides CNDRP, CNNIC also published a CNNIC Procedural Rules for the Country Code Top-Level (ccTLD) Domain Dispute Resolution (“Procedural Rules”).

Article 6 of the CNDRP (also see Article 8 of the Procedural Rules) provides that language used in the “.cn” dispute resolution proceedings shall be Chinese, whilst if parties have an agreement or the expert panel has a decision otherwise, other languages can also be used in the proceeding. In other words, English or other languages can be formally used in the panel decision for a “.cn” domain name dispute. In practice, using English in the CNDRP cases is not uncommon. In the circumstances where (i) both parties are not native Chinese speakers, (ii) the complainant can prove that the respondent can speak English and the respondent does not oppose it, or (iii) most claims and original evidence materials are in English, the complainant may request using English in the proceeding. In many cases, the expert panels have accepted such request.

In this connection, we may conclude that, although the Chinese version remains the binding document, English translations of the CNDRP and the Procedural Rules are very important tools for parties and panel experts in practice.  Given the domain names are accessible globally, CNNIC should ensure the accuracy of the translations of its policy documents.

Unfortunately, if one compares the original language in Chinese, he/she will find that the English version of the CNDRP, as published at the CNNIC official website (click here), is disturbingly inconsistent with the binding Chinese version.

Briefly, I set out some most obvious defects of the English translation below.

1. Inaccurate translation of the document title


If it is a novel, the title used in the official English translation of the CNDRP would generally be fine, as “CNNIC” and “ccTLD” have been used widely to represent “China Internet Network Information Center” and “Country Code Top-Level Domain”. However, It would be better to avoid abbreviations in a formal translation of a legal document.

This is the least serious issue of the translation — you will see distrubing issues soon.


The English title of the Procedural Rules is more problematic. If you read Chinese, you would see that its accurate translation should be “CNNIC Procedural Rules for the Country Code Top-Level (ccTLD) Domain Dispute Resolution”. However, the translation at CNNIC official website missed the term “Procedural”, which is a key word of the document’s title.

2. Incorrect version of the documents

At the CNNIC official website, the currently published English version of the CNDRP is a 2012 version, which has been revoked and replaced by the currently effective 2014 version already. Although the difference between the two versions are not much (three Articles were amended), it is certainly necessary to ensure the official English translation of the CNDRP to be the latest binding version, or the foreign parties and domain name registrants will be confused (They may have already been confused in the past 3 years).

3. Inconsistent meanings between Chinese and English

While you will find more places of inconsistency, I will only highlight two:

(a) Article 9(3) of the CNDRP reads (Chinese): 

第九条 被投诉的域名持有人具有下列情形之一的,其行为构成恶意注册或者使用域名:……


Its English translation at the CNNIC official website is:

Article 9   Any of the following circumstances may be the evidence of the registration and use of a domain name in bad faith: …

(3) The disputed domain name holder has registered or acquired the domain name for the purpose of damaging the Complainant’s reputation, disrupting the Complainant’s normal business or creating confusion with the Complainant’s name or mark so as to mislead the public; …

First, please read the opening sentence. the subject of the original Chinese sentence of this Article is “the activity of the domain name registrant”; the verb (predicate) of the original sentence is “constitute(s)”; and the object of the sentence is “registration and use of a domain name in bad faith”. However, in the English translation, the subject becomes “circumstances”, the verb becomes “may be”, while the object of the sentence is “evidence”. Although the meanings of the two versions are largely similar, the accuracy of translation apparently cannot fulfill the requirements to legal documents.

Furthermore, please read the translation of the item (3). In the original Chinese version, the term after “or” is to describe the circumstance where the disputed domain name registrant “confuses the difference between the registrant and the complainant”. However, in the English translation, the sentence becomes “creating confusion with the complainant’s name or mark…” The terms “name” and “mark” are actually not existing in the original Chinese language. In this situation, the English translation has a substantial difference with the original Chinese provision: According to the original Chinese provision, bad faith will be found when the purpose of the registration/acquisition of a domain name was to “confuse the registrant with the complainant”. However, in the English translation, the confusion of the “marks” also constitutes bad faith.  The scope of finding bad faith becomes wider.  More importantly, such wider scope is indeed a misunderstanding of the term “confusion” in the intellectual property context. In short (sorry I won’t cite theories but this should be a common sense), “confusion” means “the consumer’s confusion on the origin of goods/service”, but not the “similarity” between two names or logos.

(b) Article 10 of the CNDRP

第十条 被投诉人在接到争议解决机构送达的投诉书之前具有下列情形之一的,表明其对该域名享有合法权益:

The English translation at CNNIC’s official website:

Article 10      Before receiving the complaint, any of the following circumstances may be evidence of the rights to and legitimate interests in the domain name:
(1) Your use of the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services;
(2) You have been commonly known by the domain name, even if you have acquired no trademark or service mark rights;
(3) You are making a legitimate noncommercial or fair use of the domain name, without intent of or commercial gain to misleadingly divert consumers.

While the aforesaid problems can be excused with the English proficiency of the translator or the limited knowledge to the relevant laws, the translation in this Article 10 deserves to be criticized from the perspective of the translator’s attitude. Without a definition or explanation, the translator used the term “you” to replace the term “Respondents” in the original Chinese version. Also, the contents of the three items in this Article are not consistent with the original Chinese. Comparing with Section 4(c) of ICANN’s Uniform Domain Name Dispute Resolution Policy (“UDRP”), which is made for the resolution of the top level domain names (such as “.com”), one would realize that language in the above translation came directly from the UDRP. However, the translator ignored that the CNDRP language (and even the structure of the provision) has been significantly modified.

There are other inconsistent places in this “official” translation, while I think the above is sufficient to justify that CNNIC should update the translation of legal documents as published on its website. Not just the CNDRP and the Procedure Rules, but also other documents. It is quite bizarre that foreign complainants are actually referring to incorrect documents in their “.cn” domain name disputes, for such a long period of time.

(Image credits: Chris Radley)