A flurry of legislation has completed the initial stage of the protection of personal information, covering all aspects of this developing area. First, there was the Civil Code, which came into effect on 1 January 2021, and provides the basics of the personal information protection regime.
On the same day, the Provisions on Causes of Action in Civil Cases by the Supreme People’s Court added the cause of action for personal information protection disputes.
Then, on 1 November 2021, the Personal Information Protection Law (PIPL) took effect, providing comprehensive coverage of the rules for processing personal information, individuals’ rights, information processors’ obligations and legal responsibilities, as well as establishing a relatively strict global legislative framework.
At this point, China’s personal information protection legal system, which is composed of the Criminal Law, the Civil Code, the Cybersecurity Law, the PIPL and other legal norms, has been completed.
On this basis, infringing personal information will be subject to criminal or administrative penalties depending on the type of behaviour and the severity of the case. Procuratorial authorities and consumer organisations can file civil public interest litigation against the acts that infringe the rights and interests of many individuals. Individuals can also file civil litigation on personal information protection.
China’s digital economy has developed at an unprecedented speed and scale. Benefiting from the country’s huge population base and large-scale market, new industries, new businesses and new models based on big data are continually emerging, bringing a multitude of platforms dealing with large amounts of personal information.
Some of these platform enterprises form trading advantages through “data + algorithm + platform rules”, which damage the rights and interests of consumers and hinder fair competition.
After the implementation of the PIPL, personal information processors, especially platform enterprises, face not only correction and standardisation from regulatory agencies, but also the challenge of civil litigation on personal information protection.
Although civil disputes over personal information protection have occurred from time to time, for a long time before the promulgation of the Civil Code disputes were mostly tried based on reputation and privacy rights. However, just before the promulgation of the Civil Code, the courts started to treat personal information differently from privacy rights, and protected personal information as an independent legal interest in trials.
Now, many personal information protection disputes appear with the following characteristics.
Diversification of the parties concerned and litigation purposes. Some plaintiffs are lawyers, law students and other legal professionals. They make infringement allegations against the personal information processing behaviour of some Internet service platforms, such as the cases of personal information protection brought against WeRead of Tencent and Tik Tok. Some plaintiffs have filed lawsuits against telecom companies, airlines and financial institutions because their personal information is improperly collected, illegally disclosed or wrongly processed. Among them, litigation cases involving the credit records of financial institutions account for a relatively large proportion. It is worth noting that this year, there have been claims made by professional claimants.
The balance between personal and public interests in the determination of infringement. Based on past cases, courts not only consider personal authorisation and the principles of “legality, legitimacy and necessity”, but also public interests such as “social and economic development” and “free flow of information” when determining the legality of personal information processing, especially when identifying new business models involving big data. The PIPL restricts the processing of personal information based on public interest. It is foreseeable that in future litigation on personal information protection, the courts will adopt stricter standards to examine the legality of the commercial use of personal information.
Remedies applying protection of personality rights. Personal information falls under personality rights and interests. Therefore, infringement of personal information shall bear the civil liability of personality rights infringement, namely, stopping infringement, compensating for losses, apologising, eliminating influence, restoring reputation and so on.
The damage consequence is also a factor in determining the methods and amount of compensation for civil liability. At present, the courts generally do not support high monetary compensation, but generally support stopping infringement, apologising and paying reasonable expenses for rights protection. Although infringement is identified in some cases, the plaintiff’s claim is rejected as the damage consequence does not reach a certain degree.
Although the compensation amount of personal information protection cases is not high, it may have a significant impact on the original information processing rules and even the business model of the platform. Some cases have caused widespread concern in the society, and the judgment of the court not only forces the relevant platforms to improve relevant rules or practices, but also promotes the improvement of the subsequent supporting norms for personal information protection.
The principle of presumption of fault applies. Before the promulgation of the PIPL, the court determined in some cases, based on the ability and possibility of collecting evidence, that the information processing party should produce evidence for not having revealed personal information. Otherwise, it should bear tort liability. The PIPL formally establishes the principle of presumption of fault for infringement of personal information, That is, if the personal information processing infringes on the rights and interests of personal information and causes damage, and the personal information processing party cannot prove that it is not at fault, it shall bear tort liability such as damage compensation.
With the completion of the legal system for personal information protection in China, there has been a proliferation in the number and variety of lawsuits. More stringent and comprehensive legal norms have given greater protection to personal information, and at the same time compliance requirements have been raised for internet platforms, telecom enterprises, financial institutions and other entities that handle a large amount of personal information.