Data Privacy under the PRC Network Security Law and the Draft PRC E-Commerce Law

First, here are some slides for quick reference if you are lazy and don’t want to read.

Capture6

Capture7
Capture8

The PRC Network Security Law (“NS Law”) has come into force on June 1, 2017. This law provides certain provisions in relation to the data privacy. Some of them appear to be beneficial to the individual data owners, whilst some others may be counter-productive to the protection of data privacy.

In parallel, the legislative branch of the Chinese government has published a draft PRC E-Commerce Law (“Draft EC Law”) for public consultation in December 2016.  This draft law has not yet to be passed by the PRC National People’s Congress (NPC) to become effective. However, its provisions have reflected some basic attitudes of the Chinese authority towards the protection of data privacy.

This essay sets out and provides my comments on the key provisions with respect the data privacy under the NS Law and the Draft EC Law.  In order to make readers digesting these laws easily, I will apply Daniel J. Solove’s theory of categorization of the data privacy issues.

1. Data Collection and Aggregation

“Aggregation” means the gathering of a person’s data from different sources and then combining them to form a clearer image of the person.

  • Art. 22.3 of the NS Law: ISP cannot collect its users’ personal information without the expressive consent. Art. 41 of the NS Law: ISP shall publish the rules, purpose, method, and scope of collection of personal information. No collection without users’ consent.[Comments: (i) These provisions do not distinguish “collection” and “aggregation”.  (ii) As a result, although these provisions have clearly required an operator to obtain consent before collecting its users’ information, they did not address the issue whether a third party can search and aggregate personal information (either from the public domain or from the first-hand data collectors.)]

2. Surveillance

Surveillance means the act or system enabling the government or a company to monitor user’s activities (“Big brother is watching you”).

  • Art. 51 of the Draft EC Law obliges E-commerce business operators to provide data to government authority (although it also said that the government authority should adopt “necessary measures” to protect data security).
    [Comments: (i) This provision legitimized (rather than prohibited) the surveillance practice.]
  • Art. 21.3 of the NS Law: ISPs are obliged to monitor and record user’s activities and should keep records for no less than 6 months.
    [Comments: (i) this could be counter-productive to protecting privacy from the individual data owner’s perspective; (ii) the 6 months storage obligation is not new in China, but the NS Law makes the compliance to be a necessity (at least on paper). ]

3. Identification

Identification means to identify a particular person or a particular group of persons by data analysis.

  • Art. 42.1 of the NS Law: No sharing of identifiable personal data without consent. Art. 50 of the Draft EC Law: an E-commerce business entity is obliged to take protection measures to ensure anonymity before it shares the e-commerce data with another E-commerce business entity.[Comments: Article 42 of the NS Law first prohibits business operators from divulging personal information to a third party. Then it says that if the data cannot identify a particular person, then it is fine to transfer without the data owner’s consent. Article 50 of the Draft EC Law has generally kept consistency with the NS Law on this regard. ]
  • Art. 45 of the Draft EC Law confirms that the buyers have autonomy over their personal data; it also defines the personal data with a detailed list, such as name, ID certificates number, address, contact details, information of geographical location, bank card info, transaction records, payment records and records of accepting logistic services.[Comments: The Draft EC Law did not distinguish the “private personal data” and the “business personal data”.  In some countries, use and aggregation of the business contacts (e.g. office telephone numbers, office email address and other info shown on a business card) may enjoy certain exemptions.]
  • Art. 46 of the Draft EC Law first provides that collection of personal data requires user consent; then it prohibits the denial of service due to the user’s refusal of providing personal data.

4. Disclosure and Insecurity

Disclosure means the data holder’s own act of disclosing the private facts. Insecurity means the situation that the data is attacked and stolen.

  • Art. 21. 2 and 21.4 of the NS Law request ISP to take technical measures to protect its system from attack; ISP also needs to classify, backup and encrypt data.
  • Art. 22.1 and 22.2 of the NS Law request ISP to take remedial actions when its system is in risk; provide security maintenance during the term of service. These provisions also generally requested the producer of network security products or services to report the authority about the data breach.
  • Art. 27 of the NS Law generally prohibits hacking acts. It also prohibits the assistance of hacking practice, such as tech support, advertising, and settlement of payment.
    [Comments: The provision did not clarify if the “assistance” means knowingly assistance. It also did not clarify if “constructive knowledge” also applies to this provision.]
  • Art. 42.2 of the NS Law requests ISP to take technical measures to protect data from disclosure, damages or loss. It also mentioned that the data holder shall report the data breach to the relevant authority.
  • Art. 49 of the Draft EC Law provides that e-commerce business entities must establish rules and technologies to prevent disclosure of data. It also provides if there is a data breach, the e-commerce business entity is obliged to (i) take remedial measures, (ii) notify the users and (iii) report to government authorities.

5. Exclusion 

Exclusion means the act/rule disabling/excluding a user from maintenance and deletion of his personal data from the system. The reason for deletion can be either those data are objectively outdated or the data owner simply changed its mind of disclosing the data.

  • Art. 43 of the NS Law: User has right to request deletion if the service provider’s collection or use of personal information in breach of the law/agreement; or there are mistakes in the personal information.[Comments: According to this provision, if there is no mistake in the personal information and the service provider does not breach the contract, then the data owner will not have right to remove the data he/she has provided to the service provider. It is not clear whether “mistake” herein includes “outdated”.  However, it seems clear that data owner would have lost an absolute right of deletion.]
  • Art. 47 of the Draft EC Law: provides that when a user requests correction or supplement of his/her personal information, the E-commerce business entity should correct or supplement the information accordingly.
  • Art. 48(3) of the Draft EC Law: provides that a user has right to delete its personal information. However, such right of deletion only arises (and is only mentioned) upon lapse of agreed / statutory term of preservation of personal data.

6. Increased Accessibility

Increased accessibility means, without the consent of the personal data owner, making the information that is already available to the public EASIER for a wider scope of the audience to access.

E.g., a buyer’s review of a particular product is usually made available to the public.  However, the buyer might not want his friends or colleagues to know that he purchased such product.

Neither the Draft EC Law nor the NS Law has provision preventing increased accessibility of data.

7. Blackmail, which means using a person’s personal data to blackmail him/her.

In e-commerce scenarios, it is possible that an e-commerce vendor may blackmail a buyer with the buyer’s personal records when the vendor gives a negative review of the vendor’s product. The Draft EC Law has no provision preventing such blackmails.

8. Distortion

Distortion: means disseminating false and misleading information to manipulate the way a person is perceived and judged by others.

  • Art. 42.1 of the NS Law provides that service providers cannot distort personal information. But this appears to be too general.
  • Art. 52 of the Draft EC Law stipulates that the state should promote all e-commerce business entities to ensure that information is accurate and reliable etc.

9. Second Use

Second use means the use of data for purposes unrelated to the purposes for which the data was initially collected without the data subject’s consent.

  • Art. 52 of the Draft EC Law provides that the State shall establish public data sharing mechanism. Such mechanism necessarily involves the second use of data. However, no guidance or rules are provided in relation to second use except to the extent that the State should ensure e-commerce business entities shall protect the liability, security, and authenticity of aggregated data.

 

Some Useful Links on China Internet Governance

Internet Governance in China is an aspect of my research topics. The following is a list of some useful publicated materials on the topic. I believe this collection is very copyrightable even it is just a rough version. This list is also contributed by Dr. Zhao Yun, so please at least mention our name (Zhao Yun and Dong Hao) and the URL of this site (www.blawgdog.com) after you use it.
 
Click HERE to see the details.
Internet Governance in China is an aspect of my research topics. The following is a list of some useful publicated materials on the topic. I believe this collection is very copyrightable even it is just a rough version. This list is also contributed by Dr. Zhao Yun, so please at least mention our name (Zhao Yun and Dong Hao) and the URL of this site (www.blawgdog.com) after you use it.
 
Please refer to the links to see the relative materials, which are in English unless followed “CN” after the links.
 
I. Major Structure of Internet and Internet Law in China
Articles:

Legislations:

 
II. Cybercrime Law in China

Articles:

China legislations on cyber crimes:

HK legislation as a Comparison

HK Laws against Hacking

HK Laws against Criminal Damage

Laws relating to Pornography

Laws relating to Internet Gambling

III. Critical Information Infrastructure via Legislation

On 16 April 1996, Chinese Central government set up a temporary unit: Work Group of Informationalization (which was substituted by some organ of the Department of Information Industry), which takes the responsibility of constructing information infrastructure. After that, many governmental documents (both in central and local levels) mentioned the term “Information Infrastructure”. In the newest 2006-2020 National Information Development Strategy, Chinese government proposed some aims of the development of information infrastructure. But in China, the term information infrastructure is mostly appeared as slogans, and it rarely lies in regulative provisions. Click here to see a rare example in a provincial regulation, and here (see Art. 5) is another example.

 

China has promulgated some ordinances on the information safety, apart from the above legislations. The followings are some other focusing on the security of computer, information assurance, information infrastructure, content censorship, and so forth.

l           Implementation Rules for Provisional Regulations of the Administration of International Networking of Computer Information in the People’s Republic of China (Should be visited in the network of City U)

l           Provisions on the Technical Measures for the Protection of the Security of the Internet (Should be visited in the network of City U)

l          Regulations of the People’s Republic of China for Safety Protection of Computer Information Systems (CN)

l          A definition of “nocuous information” that should be prohibited can be find here (CN), and one can find more regulations at here, and here (CN) provides some basic regulation to the information infrastructure.

 

One should remember that besides the legislations, there are some other documents that appeared not in the forms regulatory documents but policy statements, administrative notifications and even slogans in the field of information infrastructure. These documents are also very useful in the empirical research, though legal interpretations and deductive analyses to them may not applicable.

用公司发的电脑与律师联系引发的案件

一、翻译(意译)的案件简述

Curto v. Medical World Communications, Inc., et al.
Decided May 15, 2006, E. District of New York, No. 03 CV 6327 (2006 WL 1318387)
本案资料来源于 Evan Brown的Blawg: cyberlaw central

原告是被告的雇员,并且正与被告处于一个有关“公平就业机会委员会”的纠纷解决程序中(由于被歧视而引发的雇佣关系纠纷,不是法庭程序)。为此,她曾经在她的住宅办公室(home office)里使用公司发给她的两台笔记本电脑与她的律师进行通信。在通信的过程中她使用了公司以外的邮件服务以保证这些通讯不被传送到公司的邮件系统。在她交还电脑的时候,也已经删除了这些文件。被告后来雇佣了一名法律顾问检阅和恢复这两台电脑中的文件。原告于是以“律师和当事人之间的信息披露豁免权”(attorney-client privilege )被侵害为由起诉。地方法院法官支持了诉讼请求,被告上诉。

被告的确曾有一个“所有的电脑都只能被用于公事”的电脑使用政策,并且规定任何在工作电脑上建立、存储或收发的个人数据都不会被作为隐私。但是,被告并没有严格地执行这个政策,从而使雇员对他们在公司电脑上的数据的安全并不担心。

一、翻译(意译)的案件简述

Curto v. Medical World Communications, Inc., et al.
Decided May 15, 2006, E. District of New York, No. 03 CV 6327 (2006 WL 1318387)
本案资料来源于 Evan Brown的Blawg: cyberlaw central

原告是被告的雇员,并且正与被告处于一个有关“公平就业机会委员会”的纠纷解决程序中(由于被歧视而引发的雇佣关系纠纷,不是法庭程序)。为此,她曾经在她的住宅办公室(home office)里使用公司发给她的两台笔记本电脑与她的律师进行通信。在通信的过程中她使用了公司以外的邮件服务以保证这些通讯不被传送到公司的邮件系统。在她交还电脑的时候,也已经删除了这些文件。被告后来雇佣了一名法律顾问检阅和恢复这两台电脑中的文件。原告于是以“律师和当事人之间的信息披露豁免权”(attorney-client privilege )被侵害为由起诉。地方法院法官支持了诉讼请求,被告上诉。

被告的确曾有一个“所有的电脑都只能被用于公事”的电脑使用政策,并且规定任何在工作电脑上建立、存储或收发的个人数据都不会被作为隐私。但是,被告并没有严格地执行这个政策,从而使雇员对他们在公司电脑上的数据的安全并不担心。

地方法院法官采用了判定被披露的文件是否属于疏忽的四要件标准(“律师和当事人之间的信息披露豁免权”要求当事人不能主动地将其与律师之间的通信内容披露给别人,若然该权利将消失)来对本案进行判断。根据这些判断标准的衡量,地方法院法官支持了原告,认定相关文件仍然属于豁免权的范畴——尤其是,原告已经采取了合理的方式(删除)使文件处于私隐状态——尽管被恢复的硬盘卷很少,但原告在获知文件披露后,仍然迅速提出了豁免权诉讼——公共政策鼓励当事人向律师坦陈一切,这也有助于原告在本案中胜诉。

上诉程序集中在“是否地方法官正确地认定被告究竟有没有执行其电脑使用规定”这一事实上。这实际上是判断原告是否“合理地对通讯的披露进行了预防”这一要件的成立与否的一个基础。被告根据(由众多案例而来的)法律认为:当有电脑使用政策的时候,雇员在工作场所的电脑上是没有个人隐私的。但是,这些案例中并没有强调即使丧失了隐私权,“律师和当事人之间的披露豁免权”是否也同时丧失了。

换句话说,原告不能基于对隐私权的保护而反对“法律电脑专家”(这一职业似乎类似法医,不是法律专家,而是电脑专家)从工作用的电脑上对被删除的文件进行分析和恢复。但是,她仍然能以“律师和当事人之间的信息揭露豁免权”作为诉因主张对其中相关的那部分文件的权利。

此外,法院还强调另一个重要事实:这些电脑是在住宅办公室(SOHO)中被使用的。不过,法院没有特别强调是否上述豁免权案件是否可以用于公司办公室的环境中,而是说须要根据个别案件的事实来否系进行认定。

最后,法院维持了一审判决。

二、我的日志

这个案子涉及到“attorney-client privilege ”,作为一种特权,我把它翻译为“律师和当事人之间的信息披露豁免权”——个人认为虽然长了点,但比国内的一些人翻译为“拒绝证言权”清楚一点(常怡教授和张永泉将其翻译为“律师与当事人之间的秘密特权”,也比较准确)。不过这不是重点,重点在于我从这个案子中学到:在美国法上,如果雇主规定了其发放的电脑只能用于公事,那么至少当这些电脑是在办公室里的条件下,雇员的隐私权是被克减乃至消失的。有一本书:Use and Monitoring of E-mail, Intranet and Internet Facilities at Work: Law and Practice, 还没来得及看(也不知道会不会看,汗),里面应该会有相关的资料。

对比我国的立法,首先,没有“律师和当事人之间的信息披露豁免权”,只规定“律师应当保守在执业活动中知悉的国家秘密和当事人的商业秘密,不得泄露当事人的隐私。”(律师法第23条)因此,也就不存在这个案件中涉及的“隐私权”与上述“豁免特权”的关系问题。其次,关于劳动者的隐私权保护,国内立法也不详细。可能会有人说,雇主与雇员如果订立了劳动合同,在其中规定了隐私权的放弃,那么雇员似乎应该遵守这些规定。但是,这个观点一是太笼统,究竟什么是放弃还要case by case(就如同这个案子中一样);二是忽略了雇主和雇员之间的事实上的不平等关系,对劳动法,采用意思自治应该谨慎。