The PRC Civil Code (the Civil Code) was recently passed by China's top
legislature, the National People's Congress, and came into effect on January
1, 2021. This is the first time codified legislation has been passed, and it
includes a wide range of rights and concerns, including property rights,
contracts, marriage and family law, tort responsibility, and personal and
personal dignity rights.
The Civil Code has incorporated new laws and terminology on the right to privacy
and the protection of personal information, in addition to the methodical
codification of elements from current legislation. Apart from the specific data
privacy and cyber security provisions set out in existing legislation (e.g., the
PRC Cyber Security Law, the PRC Consumer Rights Protection Law, and the
Information Security Technology - Personal Information Security Specification,
among others), the Civil Code details more broadly applicable provisions as well
as introducing additional personal information protection requirements.
GENERAL PROVISIONS [1]
Article 110: A person's general right to privacy.
A natural person enjoys the right to life, the right to corporeal integrity, the
right to health, the right to name, the right to likeness, the right to
reputation, the right to honor, the right to privacy, and the right to freedom
of marriage. A legal person or an unincorporated organization enjoys the right
to entity name, the right to reputation, and the right to honor.
Article 111: A general right to protection of personal information.
A natural person's personal information is protected by law. Any organization or
individual that needs to access other's personal information must do so in
accordance with law and guarantee the safety of such information, and may not
illegally collect, use, process, or transmit other's personal information, or
illegally trade, provide, or publicize such information.
Article 994-1000: Various general rights to seek liability claims against
privacy and personal information-related infringement.
Article 994: Where the name, likeness, reputation, honor, privacy, remains, or
the like, of the deceased, is harmed, the spouse, children, and parents of the
deceased have the right to request the actor to bear civil liability in
accordance with the law. Where the deceased has no spouse or children, and the
parents of the deceased have already died, other close relatives of the deceased
have the right to request the actor to bear civil liability in accordance with
the law.
Article 995: A person whose personality rights are infringed upon has the right
to request the actor to bear civil liability in accordance with the provisions
of this Code and the other laws. Where the said person exercises his right to
request the actor to stop the infringement, remove the nuisance, eliminate the
danger, eliminate the adverse effects, rehabilitate his reputation, or extend
apologies, the provisions on limitation periods shall not apply.
Article 996: Where the personality rights of a party are harmed by the other
party's breach of contract and the injured party thus suffers severe
emotional distress, if the injured party elects to request the other party to
bear liability based on breach of contract, his right to claim for compensation
for pains and suffering is not affected.
Article 997: Where a person of the civil law has evidence to prove that an actor
is committing or is about to commit an illegal act that infringes upon his
personality rights, and that failure to timely stop the act will cause
irreparable harm to his lawful rights and interests, the person has the right,
in accordance with the law, to request the people's court to order the actor to
stop the act.
Article 998: In determining the civil liability an actor is to bear for
infringing upon other's personality rights, other than the right to life, the
right to corporeal integrity, or the right to health, consideration shall be
given to the occupations of the actor and the injured person, the scope of
impact of the act, the degree of fault, as well as the factors such as the
purposes, methods, and consequences of the act.
Article 999: The name, entity name, likeness, personal information, and the
like, of a person of the civil law, may be reasonably used by those engaged in
news reporting, supervision of public opinions, or the like, for public
interests, except that civil liability shall be borne in accordance with law
where the use unreasonably harms the personality rights of the person.
Article 1000: Where an actor shall bear civil liability such as elimination of
adverse effects, rehabilitation of reputation, or extension of apologies for
infringing upon other's personality rights, the civil liability to be borne shall
be commensurate with the specific way the act is done and the scope of its
impact. Where an actor refuses to bear civil liability as provided in the
preceding paragraph, the people's court may take such measures as making an
announcement, publishing the final judgment, or the like, through media, such as
newspapers, periodicals, or online websites, and any expenses thus incurred
shall be borne by the actor.
SPECIFIC PROVISIONS:
Chapter 6 - Right to privacy and protection of personal information [2]
Article 1032: Definition of privacy rights and privacy.
A natural person enjoys the right to privacy. No organization or individual may
infringe upon the other's right to privacy by prying into, intruding upon,
disclosing, or publicizing other's private matters. Privacy is the undisturbed
private life of a natural person and his private space, private activities, and
private information that he does not want to be known to others.
Article 1033: Specific conduct that will constitute an infringement of
privacy rights.
Unless otherwise provided by law or expressly consented to by the right holder,
no organization or individual shall do the following acts:
- intruding upon another person's private life through making phone calls,
sending text messages, using instant messaging tools, sending emails and
flyers, and the like means;
- entering into, taking photographs of, or peeping into other's private
spaces such as the residence or hotel room of another person;
- taking photographs of, peeping into, eavesdropping, or disclosing the
private activities of another person;
- taking photographs of or peeping at the private parts of another
person's body;
- processing another person's private information; and
- infringing upon another person's privacy through other means.
Article 1034: General principle and definition of personal information
protection.
A natural person's personal information is protected by law. Personal
information is the information recorded electronically or in other ways that can
be used, by itself or in combination with other information, to identify a
natural person, including the name, date of birth, identification number,
biometric information, residential address, telephone number, email address,
health information, whereabouts, and the like, of the person. The provisions on
the right to privacy, or, in the absence of which, the provisions on the
protection of personal information, shall be applied to private personal
information.
Article 1035: Conditions under which processing/handling of personal information
is permitted.
The processing of personal information shall be in compliance with the
principles of lawfulness, justification, and within a necessary limit, and shall
not be excessively processed; meanwhile, the following conditions shall be
satisfied:
- Consent has been obtained from the natural person or his guardian unless
otherwise provided by laws or administrative regulations;
- The rules for processing information are publicized;
- The purpose, method, and scope of the information processing are clearly
indicated; and
- It is not in violation of laws or administrative regulations or against
the agreement of both parties.
The processing of personal information includes the collection, storage, use,
refinement, transmission, provision, disclosure, and the like, of personal
information.
Article 1036: Grounds for exemption of liability
When processing personal information, an actor shall not bear civil liability in
any of the following situations:
- The actor reasonably performs the act to the extent that the natural
person or his guardian consents to;
- The actor reasonably processes the information disclosed by the natural
person himself or the other information that has already been legally
disclosed, unless the said person explicitly refuses or the processing of
the information infringes upon a significant interest of the person; and
- The actor reasonably performs the other acts to protect the public
interest or the lawful rights and interests of the person.
Article 1037-1039: Rights of data subject and obligations of data processors
1037: A natural person may retrieve or make copies of his personal information
from the information processors in accordance with the law. Where the person
discovers that the information is incorrect, he has the right to raise an
objection and request corrections or other necessary measures to be taken in a
timely manner. Where a natural person discovers that an information processor
has violated the provisions of laws or administrative regulations, or breached
the agreement between both parties while processing his personal information, he
has the right to request the information processor to delete it in a timely
manner.
1038: An information processor shall not disclose or tamper with the personal
information he collects and stores, and shall not illegally provide to others
the personal information of a natural person without the latter's consent,
unless the information, after being processed, cannot be used to identify any
specific individual and cannot be restored to its original status. An
information processor shall take technical measures and other necessary measures
to ensure the security of the personal information he collects and stores, and
prevent the information from being leaked, tampered with, or lost. Where a
person's personal information has been or is likely to be leaked, tampered with,
or lost, he shall take remedial measures in a timely manner, notify the natural
persons concerned in accordance with the regulations, and report to the relevant
competent authorities.
1039: State organs and the chartered institutions assuming administrative
functions as well as their staff shall keep confidential the privacy and the
personal information of natural persons known to them during the performance of
their responsibilities, and shall not disclose or illegally provide it to
others.
PROVISIONS THAT ARE INDUSTRY SPECIFIC [3]
Article 1030: Handling of information by credit agencies
The provisions of this Book on the protection of personal information and the
relevant provisions of other laws and administrative regulations shall be
applied to the relationship between persons of the civil law and the credit
information processors such as a credit reporting agency.
Article 1226: Provisions governing the protection of patients' privacy rights
and personal information by medical institutions and their medical personnel.
Medical institutions and their medical staff shall keep their patient's private
information and personal information confidential. Anyone who divulges the
private information or personal information of a patient or discloses his
medical records without the patient's consent shall bear tort liability.
INDIAN LAWS FOR CYBERSPACE
Information Technology Act, 2000 [4]
The Information Technology Act, which was enacted in 2000, governs Indian cyber
legislation. The main goal of this Act is to provide e-commerce with trustworthy
legal protection by making it easier to register real-time records with the
government. However, as cyber attackers became more cunning, coupled with the
human tendency to misuse technology, a number of adjustments were made. The ITA,
which was passed by India's Parliament, emphasizes the severe punishments and
penalties that protect the e-governance, e-banking, and e-commerce sectors. The
scope of ITA has now been expanded to include all of the most recent
communication devices.
The IT Act is the principal statute guiding Indian legislation on cyber
crimes. Its key sections are:
- Section 43 - Applicable to people who damage the computer systems
without permission from the owner. The owner can fully claim compensation
for the entire damage in such cases.
- Section 66 - Applicable in case a person is found to dishonestly or
fraudulently commit any act referred to in section 43. The imprisonment term
in such instances can mount up to three years or a fine of up to Rs. 5 lakh.
- Section 66B - Incorporates the punishments for fraudulently receiving
stolen communication devices or computers, which confirms a probable three
years imprisonment. This term can also be topped by Rs. 1 lakh fine, depending upon
the severity.
- Section 66C - This section scrutinizes the identity thefts related to
imposter digital signatures, hacking passwords, or other distinctive
identification features. If proven guilty, imprisonment of three years might
also be backed by a Rs. 1 lakh fine.
- Section 66D - This section was inserted on demand, focusing on
punishing cheaters doing impersonation using computer resources.
Indian Penal Code (IPC) 1860 [5]
The Indian Penal Code (IPC), 1860, and the Information Technology Act of 2000
are both used to prosecute identity theft and related cyber offenses.
The primary relevant sections of the IPC covering cyber frauds are:
- Forgery (Section 464)
- Forgery pre-planned for cheating (Section 468)
- False documentation (Section 465)
- Presenting a forged document as genuine (Section 471)
- Reputation damage (Section 469)
The Companies Act of 2013 [6]
The Companies Act of 2013 is referred to by corporate stakeholders as the legal
requirement for the refinement of daily operations. This Act's directives
consolidate all required techno-legal compliances, putting less compliant
businesses in a legal bind.
The Companies Act of 2013 gave the SFIO (Serious Frauds Investigation Office)
the authority to prosecute Indian corporations and their directors. Also,
after the notification of the Companies Inspection, Investment, and Inquiry
Rules, 2014, SFIOs have become even more vigilant and stern in this regard.
All regulatory compliances, including cyber forensics, e-discovery, and cyber
security diligence, are well-covered by the legislature. The Companies
(Management and Administration) Rules, 2014 establishes stringent requirements
for corporate directors and leaders in terms of cyber security obligations and
responsibilities.
NIST Compliance [7]
The Cyber Security Framework (NCFS), accredited by the National Institute of
Standards and Technology (NIST), provides a harmonized approach to cyber
security as the most reliable global certifying body. The NIST Cyber Security
Framework includes all necessary rules, standards, and best practices for
effectively managing cyber-related risks. The flexibility and cost-effectiveness
of this system are top priorities. It increases resilience and safety.
Right to Privacy [8]
Article 21 of the Constitution of India states that “No person shall be deprived
of his life or personal liberty except according to procedure established by
law”. After reviewing Article 21, it can be determined that the term 'life'
encompasses all parts of existence that contribute to a man's life being
significant, complete, and worthy.
In the Indian Constitution, the right to privacy was not listed as a fundamental
right. Then, in the case of Puttaswamy v. Union of India, a nine-judge Supreme
Court bench decided that the right to privacy is a fundamental right protected
under Part III of the Indian Constitution.
The key points of the judgment are:
- Right to Privacy - A Fundamental Right
The Supreme Court ruled that the right to privacy is a fundamental right that
doesn't need to be expressed explicitly and may be drawn from Articles 14, 19,
and 21 of the Indian Constitution. It is a natural right that is intertwined
with the rights to life and liberty. It is a fundamental and inherent right that
belongs to a person and encompasses all information about that person as well as
the decisions he or she takes. It shields a person from state surveillance in
their homes, over their movements, and over their reproductive decisions,
partners, and eating habits, among other things. As a result, any government
action that infringes on the right to privacy is subject to judicial review.
- Not an Absolute Right - Subject to Reasonable Restrictions
The Supreme Court was careful to point out that the fundamental right to privacy
is not absolute, and that it will always be subject to reasonable limitations.
It was held that the state can limit the right to privacy to defend legitimate
state objectives, but only if it follows the three-pronged test outlined below:
- Existence of a legal framework that justifies a breach of privacy.
- A valid state objective or need that assures that the type or content of
this law falls within the reasonableness zone and serves to prevent
arbitrary government action.
- The tools used by the government are proportional to the goals and needs
that the law is attempting to address.
Personal Data Protection Bill (PDPB) [9]
The proposed Personal Data Protection Bill (PDPB) aims to replace India's
present data protection rules in a comprehensive manner. The previous regulating
law, the Information Technology Act of 2000 (IT Act), has been unable to cope
with the significant improvements in technology. Cybercriminals have been
continuously developing new ways to access personal information in India, which
has recently seen a tremendous spike in cyber attacks. To make matters worse,
the pandemic has accelerated the digital ecosystem by years, and virtual work
has increased hackers' attack fields.
It would be India's first law completely dedicated to data privacy and security.
It includes the following topics:
- Notice and prior consent requirements for the use of personal data.
- There are constraints on the types of data that can be collected or
processed, as well as requirements to guarantee that just the data needed to
provide a service is collected.
- Requirements for data localization necessitate the hiring of data
protection officers within organizations.
- To secure and govern the use of citizens' personal data, a separate
regulator named the Data Protection Authority of India (DPA) is to
be established.
The proposal, recommended in 2019, is presently being analyzed by a joint
parliamentary committee after several stakeholders, including social media
firms, privacy experts, and even ministers, objected to a few of its
regulations.
Author's Opinion.
In my opinion, I believe that China has come up with more specific legislation
for the privacy and protection of personal information of its individuals
regardless of having specific legislation for cyber security, e.g., the PRC Cyber
Security Law, the PRC Consumer Rights Protection Law, and the Information
Security Technology - Personal Information Security Specification. The PRC Civil
Code details more broadly applicable provisions and has also introduced
additional personal information protection requirements.
The pandemic has now caused the world to shift from an offline work mode to an
online work mode. With the increase in dependence of the world on the virtual
world and the personal information of individuals being on every website or
social media platform, and also a drastic advance in technology, it feels very
necessary to have specific provisions or specific legislation that deals with
privacy and protection of personal information related issues.
On the contrary, India no doubt has laws that deal with cyber protection and
security, but these laws and provisions were formulated more than 2 decades
ago when the technology wasn't as advanced as it is now. I personally have
come across so many cyber frauds and crimes happening all around, and not just
impersonating somebody or hacking of accounts or computer systems but also a
breach in privacy and personal information of individuals. As of now, India is
firstly in dire need to introduce new regulations for cyber attacks and crimes.
The Information Technology Act of 2000 has been unable to deal with current
improvements of technology, thus seeing advanced cyberattacks that couldn't have
been thought of 20 years ago. A new formulated need for cyber laws keeping in
view the current technological advancements is necessary. Talking about privacy
rights, India has only Article 21 of the Indian Constitution, which is the Right
to life and liberty, which can be interpreted as a privacy right that isn't
enough. India, as such, doesn't have a particular right to privacy and no
provisions for the protection of personal information. There is a dire need for
privacy rights and protection of personal information provisions or a different
regulation for the same.
The formulation of privacy laws and personal information protection provisions
in the PRC's new civil law code is a great piece of work and much required in
these digital times.
End-Notes:
1. National People's Congress, Civil Code of the People's Republic of
China (2020) <http://www.npc.gov.cn/englishnpc/c23934/202012/f627aa3a4651475db936899d69419d1e/files/47c16489e186437eab3244495cb47d66.pdf>
accessed January 10, 2022.
2. National People's Congress, Civil Code of the People's Republic of
China (2020) <http://www.npc.gov.cn/englishnpc/c23934/202012/f627aa3a4651475db936899d69419d1e/files/47c16489e186437eab3244495cb47d66.pdf>
accessed January 10, 2022.
3. National People's Congress, Civil Code of the People's Republic of
China (2020) <http://www.npc.gov.cn/englishnpc/c23934/202012/f627aa3a4651475db936899d69419d1e/files/47c16489e186437eab3244495cb47d66.pdf>
accessed January 10, 2022.
4. Vinit Verma, Importance of Cyber Law in India (legalserviceindia.com)
<https://www.legalserviceindia.com/legal/article-1019-importance-of-cyber-law-in-india.html#:~:text=Cyber%20Laws%20In%20India>
accessed February 14, 2022.
5. Harshit Agarwal, Cybersecurity Laws in India (www.appknox.com)
<https://www.appknox.com/blog/cybersecurity-laws-in-india>.
6. Ibid.
7. Harshit Agarwal, Cybersecurity Laws in India (www.appknox.com)
<https://www.appknox.com/blog/cybersecurity-laws-in-india>.
8. Hina Iliyas, Right to Privacy under Article 21 and the Related
Conflicts (www.legalservicesindia.com) <http://www.legalservicesindia.com/article/1630/Right-To-Privacy-Under-Article-21-and-the-Related-Conflicts.html>.
9. Angelina Talukdar, Key Features of the Personal Data Protection Bill,
2019 - Privacy - India (www.mondaq.com, March 16, 2020) <https://www.mondaq.com/india/data-protection/904330/key-features-of-the-personal-data-protection-bill-2019>
accessed February 14, 2022.