原文始发于微信公众号（瑞中法协）：Chinese Personal Information Protection under Covid-19
In May 2020, China’s National People’sCongress passed the PRC Civil Code, which introduced new provisions to protectprivacy and personal information. About the same time, the new InformationSecurity Technology – Personal Information Security Specification (GB/T35273-2020; the Specification) was also introduced. When they come into effecton 1 January 2021, both laws will become the foundation for personalinformation protection in China, where interest in these rights has increased.Now that more information is being collected and used for the keeping of publicsafety during the Covid-19 pandemic, the question of how to protect citizensfrom abuse is also important. The Civil Code and the Specification will providea new, clearer and more comprehensive structure for such protections. But howwill they actually function during the pandemic?
The Civil Code separates privacy frompersonal information and recognises both as personal rights. Privacy is considered“a natural person’s peace of life and the private space, private activities andprivate information which he/she is unwilling to let others know” (Article 1032,Civil Code). Personal information is defined as “any information recordedelectronically or in other ways [that] independently or in combination withother information allows the identification of a natural person’s individualidentity, including: natural persons’ names, dates of birth, ID numbers,biologically identified personal information, addresses, telephone numbers,email addresses and whereabouts, etc” (Article 1034). Personal information may includeprivate information (like private conversations or photos), and should beprotected under a person’s right of privacy. The processing of other personalinformation must also satisfy the conditions provided in Article 1035, which makeconsent a priority. The Specification further states that consent must be basedon the person’s knowledge of the purpose, method and scope of collection(Article 5.4(a), Specification).
But the new law also makes exemptions.In exceptional cases the processing of personal information is not based on therelevant person’s authorisation, but the “law and administrative regulation”(Article 1035(1) Civil Code). Article 12 of the PRC Law on Prevention andTreatment of Infectious Diseases, for instance, specifically grants medicalinstitutions and disease control and prevention agencies the power to collectinformation relating to infectious disease investigation, testing, sampling andtreatment. Now during the pandemic, Covid-19 has been categorized as a Class-BInfectious Disease. Therefore, the right to personal information privacy mayhave to, to some extent, give way to public need.
Yet our understanding is that suchcollection and use of information must still be carried out within the legalframework. The Civil Code now imposes obligations of information protection onthe information collector. This includes non-disclosure of collected personalinformation, the prevention of information loss and damage (including positiveactions for the prevention of such loss) and informing the party when such lossor damage occurs (Article 1038). Natural persons may also review or copy theirpersonal information and request corrections if any error occurs (Article1037). The Specification provides further control measures, such as internalaccess approval processes, minimum access control mechanisms, encryption andother security measures. Such obligations are borne by all informationcollectors, including those whose permission is granted by law rather than consent.
Medical institutions and diseasecontrol bodies therefore must take necessary measures and meet requirements ofthe Specification. The use of any collected information must also be confined tothe purpose of the collection. Thus, information gathered during the pandemic shouldonly be used for public health purposes and not to be abused by medical institutions.
Afoundation for the future
Together, the Civil Code and the Specificationprovide a comprehensive extension to information protection methods and processes.Nevertheless, one difficulty remains; namely, defining the precise scope ofwhat information can be collected, especially during rare public health crises,like Covid-19. Information collection without the person’s permission isgranted, but it should not mean any information can be collected. The CivilCode stated that the information processing must follow the principles of “legality,legitimacy and necessity”. The Specification, meanwhile, provides standards on informationcollection and gives examples of “personal sensitive information” in Schedule B(including medical information such as medical examination reports, medicalhistory and medication records). Yet, there still appears to be
Variations in how data has beencollected. During Covid-19 there has been instances where informationcollection has been wide in scope and sometimes persons have even be asked toprovide information relating to relatives’ and close associates’ private information.
A clearer definition mechanism istherefore necessary. The Civil Code sets down a basic framework for therecognition and protection of private information as a personal right. TheSpecification is a national standard setting out the safety requirements forthe collection, storage and use of such information. A more detailed and separateprivacy and information protection law may be required for the comprehensiveprotection of these basic rights.