Under China’s new data regulatory framework, how should companies use publicly available personal information in a compliant manner? Douyin Group’s data and privacy protection experts, deputy legal director Li Raojuan and senior legal manager Jiao Yating, shed some light

Item (6) of article 13 of the Personal Information Protection Law (PIPL) includes “personal information disclosed by the individual himself or herself or otherwise lawfully disclosed that is processed within reasonable limits” among the lawful bases for processing personal information. That is to say, if a personal information processing activity satisfies this requirement, there is no need to secure the consent of the user.

Li Raojuan, Douyin Group

It is of utmost importance to understand clearly the circumstances under which “processing publicly available personal information within reasonable limits” applies, to ensure that the processing of such information satisfies the principles and requirements of the PIPL, to fully protect the rights and interests of data subjects, and to realise the use of item (6) of article 13.

This article focuses on two steps for analysing the application of the above-mentioned lawful basis, with a view to assisting companies in their day-to-day compliance work.

Step 1: Determine whether a piece of personal information falls within the scope of publicly available personal information; and

Step 2: Determine whether the processing of such personal information falls within “reasonable limits”.

The definition

Pursuant to the PIPL, publicly available personal information is personal information that has been disclosed by the individual himself or herself, or personal information that has otherwise been lawfully disclosed. With respect to disclosure, there are two scenarios: disclosure by the individual himself or herself; and disclosure by other lawful means, both of which emphasise the lawfulness of the disclosure.

| Category | Type | Example |
| --- | --- | --- |
| By method of disclosure | Proactive/voluntary disclosure | Articles, photos and videos that an individual publishes of his or her own accord on an online platform |
| | Passive/mandatory disclosure | (1) Court documents and lists of delinquent judgment debtors published on wenshu.court.gov.cn; and (2) Personal information of legal representatives, directors, supervisors, senior executives, etc., of companies included in companies’ registration information recorded in the National Enterprise Credit Information Publicity System |
| By information type | Personal information | (1) Personal name, contact information, educational and work history voluntarily disclosed by individuals on recruitment websites; and (2) Names and photos of individuals published for the purpose of finding people |
| | User-generated information | Videos, photos, articles, personal publicly streamed content and interactive information during live streaming published by individuals on online platforms |
| By separability | Separable | Articles and comments published by an individual on an online platform that can be separated from personal identifying information such as name, facial portrait, etc., while only retaining the articles and comments |
| | Non-separable | (1) Identifying information of the individual in videos, photos, etc., published on an online platform that cannot be separated from it (e.g., separation cannot be carried out on a head portrait); and (2) If a video or photo published online by an individual is forwarded to another platform by a third party with the name and figurehead watermark removed, and without attribution to the individual in question, this can harm the individual’s right of attribution |

What constitutes publicly available personal information? In this regard, a comprehensive determination is needed by looking at three aspects: the intended target of the published information; the manner in which the information is published; and the manner in which the information is obtained.

(1) Intended target of the published information.
Publicly available personal information is in the public domain, and can be accessed by any third party. Article 3.11 of the Personal Information Security Specification specifies that “public disclosure” means “the act of releasing information to the public or an unspecified group of people”. The primary prerequisite for publicly available personal information is its public nature, meaning it is released to the public or to an unspecified group of people. Such access or availability is not considered to be based on a specific relationship or status.

(2) Manner in which the information is published.

(i) Proactive/voluntary disclosure. In many circumstances it is difficult to directly discern whether an individual disclosed information proactively/voluntarily. However, professor Cheng Xiao, who helped draft the PIPL, argues that if a natural person data subject is fully cognisant that he or she is performing an act of disclosing personal information, and of the consequences of this act, then it can be deemed that such disclosure was carried out based on the individual’s own initiative, or free will.

Furthermore, determining whether a disclosure was made proactively/voluntarily additionally requires taking into consideration the functional nature of the information publication platform or channel, the operating mechanism (directed or undirected transmission) etc., to comprehensively discern the individual’s volition and the consequences of the publication of the information.

Where the functional nature of a platform is that of information sharing, neither the direction of transmission nor the scope of restrictions is set, and the function settings include forwarding links to promote the rapid flow of information, the user should be fully aware that the platform is of a public nature and of the potential consequences of publishing the relevant information.

For example, platforms such as WeChat official accounts and Weibo, which have information sharing as their major product function, provide convenient operational channels to accelerate the spread of information, and such channels are clearly designed to spread information in a non-directed and open manner.

However, if the functional nature of a platform is limited solely to a work setting or home setting and transmission blocking measures are put in place, then if the information posted by the user in such a setting is made available to all comers, that would be a deviation from the user’s understanding of the disclosure of such information, making it difficult to arrive at a finding that this is a proactive/voluntary disclosure.

In practice, the courts will determine the nature of a publication of information in light of the general understanding and life experience of users. With respect to certain platforms or information, it is necessary to consider comprehensively the information content, processing scenario and processing method, as different user groups have different methods of use, preferences and expectations.

For example, in Sun Changbao v Beijing Sohu Internet Information Service et al, a personality right dispute case, the court, in respect of the demand by the plaintiff, Sun Changbao, that the search engine delete his ID photo and name that he had formerly published on the ChinaRen alumni record, held that the alumni website “had as its main function social interaction among the on-campus community, and users in general uploaded their head portraits to this website in search of classmates, close friends, etc., and engaged in social interaction with a cohort of people with whom they were well acquainted, not making friends with strangers or making public information available network-wide for the purpose of speech dissemination, publicity, promotion, etc.”. Accordingly, it found that the facts asserted by the plaintiff were reasonable.

(ii) Passive/mandatory disclosure. This type of disclosure includes government information disclosure, lawful news reports, etc. For example, the Regulations on the Disclosure of Government Information provide that where personal privacy is involved, if an administrative authority deems that failure to disclose the same would have a material impact on society, it will disclose the same.

The Several Regulations of the Supreme People’s Court on the Publication of Lists of Delinquent Judgment Debtors provide for the publication of the name, sex, age, ID card number, etc., of delinquent judgment debtors that are natural persons. The Regulations for the Publication of Court Documents on the Internet by People’s Courts provide that when a People’s Court publishes a court document, it may retain names, dates of birth, sex, county/district where residence is located, etc.

The Regulations for the Procedure for Handling Criminal Cases by Public Security Authorities provide that such information as the name, aliases, former names, nicknames, sex, age, ethnicity, place of origin, place of birth, etc., of wanted persons should be provided to the extent possible on the arrest warrant. The authors argue that this method of disclosure is more of an attempt to find a balance between the public interest and the individual’s interests.

(3) Manner in which the information is obtained.

Jiao Yating, Douyin Group

Specifically, this means that the information is obtained by way of a public channel. It should be noted, in particular, that if information obtained by way of a certain public channel is processed and organised by a third party, such as to give rise to a new information combination that gives it new meaning and value, such information combination does not necessarily constitute publicly available information.

For example, in Shanghai Qiangrenlu Information Service v Shanghai Chenyou Technology Development et al, a trade secret infringement dispute case, the defendant argued that the information in question was public information, whereas the court held that the plaintiff “after recombining a certain quantity of data from its database by way of a specific classification method such as to give rise to a new assemblage, the database presented features unique to the plaintiff and the general public could not easily obtain the above-mentioned information combination through public channels”. In other words, it ceased to constitute publicly available information.

In short, if a piece of information satisfies the following three conditions, it falls within the scope of publicly available personal information: (1) it can be accessed/obtained by an unspecified number of people; (2) the method of publication is based on proactivity/free will or other lawful means such as government information disclosure/lawful news reports, etc.; and (3) it is obtained by way of a public channel.

Does processing of the data fall within reasonable limits?

(1) Balance between “individual rights and interests” and the “public interest”.
In Liang Yabing v Beijing Huifa Zhengxin Technology, an online tort liability dispute, and Suzhou Berta Data Technology v Irike Siqing, a general personality right dispute, the courts, in respect of the further use of published court documents, conducted discussions on the balancing of rights and interests, but ultimately rendered opposite judgments.

In the Liang Yabing case, the court held that the act of further use ensured and facilitated the public’s right to know the relevant information, was conducive to development of the social integrity system, did not run counter to the purpose of judicial disclosure, and in this case, in respect of the individual’s rights and interests versus the public interest, it came down on the side of judicial disclosure.

In contrast, in the Irike Siqing case, the court leaned towards the plaintiff bearing an obligation of tolerance towards judicial disclosure before the plaintiff demanded deletion of the documents but, after the plaintiff made its demand for deletion, the balance tilted completely towards protection of the individual’s rights and interests, and the individual’s control over the extent of dissemination of his or her information.

The court additionally held that, “when weighing whether the collection and use by a network operator of personal information that has been lawfully disclosed complies with the principles of lawfulness, legitimacy and necessity, the relationship between the circulation of personal information that has been lawfully disclosed and control of the dissemination of information by the personal information subject needs to be properly balanced, requiring that protection of the rights and interests of natural persons in their personal information be given due weight, while also giving due consideration to the positive effect that the improvement of information technology, innovation in business models and development of the big data industry have on social progress”.
