Under China’s new data regulatory framework, how should companies use publicly available personal information in a compliant manner? Douyin Group’s data and privacy protection experts, deputy legal director Li Raojuan and senior legal manager Jiao Yating, shed some light

Item (6) of article 13 of the Personal Information Protection Law (PIPL) includes “personal information disclosed by the individual himself or herself or otherwise lawfully disclosed that is processed within reasonable limits” among the lawful bases for processing personal information. That is to say, if a personal information processing activity satisfies this requirement, there is no need to secure the consent of the user.

Li Raojuan, Douyin Group
Li Raojuan

Clearly understanding the circumstances under which “processing publicly available personal information within reasonable limits” is applicable, while ensuring that the processing of such information satisfies the principles and requirements of the PIPL, fully protecting the rights and interests of data subjects and realising the use of item (6) of article 13 is of utmost importance.

This article focuses on two steps to assist in analysing the process of applying the above-mentioned lawful basis with a view to assisting companies in their day-to-day compliance work.

Step 1: Determine whether a piece of personal information falls within the scope of publicly available personal information; and

Step 2: Determine whether the processing of such personal information falls within “reasonable limits”.

The definition

Pursuant to the PIPL, publicly available personal information is personal information that has been disclosed by the individual himself or herself, or personal information that has otherwise been lawfully disclosed. With respect to disclosure, there are two scenarios: disclosure by the individual himself or herself; and disclosure by other lawful means, both of which emphasise the lawfulness of the disclosure.

Category

Type

Example

By method of disclosure

Proactive/voluntary disclosure Articles, photos and videos that an individual publishes of his or her accord on an online platform
Passive/mandatory disclosure (1) Court documents and lists of delinquent judgment debtors published on wenshu.court.gov.cn; and
(2) Personal information of legal representatives, directors, supervisors, senior executives, etc., of companies included in companies’ registration information recorded in the National Enterprise Credit Information Publicity System
By information type Personal information (1) Personal name, contact information, educational and work history voluntarily disclosed by individuals on recruitment websites; and
(2) Names and photos of individuals published for the purpose of finding people
User-generated information Videos, photos, articles, personal publicly streamed content and interactive information during live streaming published by individuals on online platforms
By separability Separable Articles and comments published by an individual on an online platform that can be separated from personal identifying information such as name, facial portrait, etc., while only retaining the articles and comments
Non-separable (1) Identifying information of the individual in videos, photos, etc., published on an online platform that cannot be separated from it (e.g., separation cannot be carried out on a head portrait); and
(2) If a video or photo published online by an individual is forwarded to another platform by a third party with the name and figurehead watermark removed, and without attribution to the individual in question, this can harm the individual’s right of attribution

What constitutes publicly available personal information? In this regard, a comprehensive determination is needed by looking at three aspects: the intended target of the published information; the manner in which the information is published; and the manner in which the information is obtained.

(1) Intended target of the published information.
Publicly available personal information is in the public domain, and can be accessed by any third party. Article 3.11 of the Personal Information Security Specification specifies that, “public disclosure” means “the act of releasing information to the public or an unspecified group of people”. The primary prerequisite for publicly available personal information is its public nature, meaning it is released to the public or to an unspecified group of people. Such access or availability is considered not based on a specific relationship or status.

(2) Manner in which the information is published.

(i) Proactive/voluntary disclosure. In many circumstances it is difficult to directly discern whether an individual disclosed information proactively/voluntarily. However, professor Cheng Xiao, who helped draft the PIPL, argues that if a natural person data subject is fully cognisant that he or she is performing an act of disclosing personal information, and of the consequences of this act, then it can be deemed that such disclosure was carried out based on the individual’s own initiative, or free will.

Furthermore, determining whether a disclosure was made proactively/voluntarily additionally requires taking into consideration the functional nature of the information publication platform or channel, the operating mechanism (directed or undirected transmission) etc., to comprehensively discern the individual’s volition and the consequences of the publication of the information.

Where the functional nature of a platform is that of information sharing, neither the direction of transmission nor the scope of restrictions is set, and the function settings include the forwarding links to promote the rapid flow of information, the user should be fully aware that the platform is of a public nature and of the potential consequences of publishing the relevant information.

For example, platforms such as WeChat official accounts and Weibo, which have information sharing as their major product function, provide convenient operational channels to accelerate the information spreading, and such channels clearly are designed to spread information in a non-directed and open manner.

However, if the functional nature of a platform is limited solely to a work setting or home setting and transmission blocking measures are put in place, then if the information posted by the user in such a setting is made available to all comers, that would be a deviation from the user’s understanding of the disclosure of such information, making it difficult to arrive at a finding that this is a proactive/voluntary disclosure.

In practice, the courts will determine the nature of a publication of information in light of the general understanding and life experience of users. With respect to certain platforms or information, it is necessary to think comprehensively due to the information content, processing scenario and processing method, as different user groups have different methods of use, preferences and expectations.

For example, in Sun Changbao v Beijing Sohu Internet Information Service et al, a personality right dispute case, the court, in respect of the plaintiff, Sun Changbao, demanded that the search engine delete his ID photo and name that he had formerly published on the ChinaRen alumni record, and held that the alumni website “had as its main function social interaction among the on-campus community, and users in general uploaded their head portraits to this website in search of classmates, close friends, etc., and engaged in social interaction with a cohort of people with whom they were well acquainted, not making friends with strangers or making public information available network-wide for the purpose of speech dissemination, publicity, promotion, etc.”. Accordingly, it found that the facts asserted by the plaintiff were reasonable.

(ii) Passive/Mandatory disclosure. This type of disclosure includes government information disclosure, lawful news reports, etc. For example, the Regulations on the Disclosure of Government Information provide that where personal privacy is involved, if an administrative authority deems that failure to disclose the same would have a material impact on society, it will disclose the same.

The Several Regulations of the Supreme People’s Court on the Publication of Lists of Delinquent Judgment Debtors provide for the publication of the name, sex, age, ID card number, etc., of delinquent judgment debtors that are natural persons. The Regulations for the Publication of Court Documents on the Internet by People’s Courts provide that when a People’s Court publishes a court document, it may retain names, dates of birth, sex, county/district where residence is located, etc.

The Regulations for the Procedure for Handling Criminal Cases by Public Security Authorities provide that such information as the sex, aliases, former names, nicknames, sex, age, ethnicity, place of origin, place of birth, etc., of wanted persons should be provided to the extent possible on the arrest warrant. The authors argue that this method of disclosure is more of an attempt to find a balance between the public interest and the individual’s interests.

(3) Manner in which the information is obtained.

Jiao Yating, Douyin Group
Jiao Yating

This is specifically manifested in its being obtained by way of a public channel. It should be noted, in particular, that if information obtained by way of a certain public channel is processed and organised by a third party, such as to give rise to a new information combination that gives it new meaning and value, the access to such information combination does not necessarily constitute publicly available information.

For example, in Shanghai Qiangrenlu Information Service v Shanghai Chenyou Technology Development et al, a trade secret infringement dispute case, the defendant argued that the information in question was public information, whereas the court held that the plaintiff “after recombining a certain quantity of data from its database by way of a specific classification method such as to give rise to a new assemblage, the database presented features unique to the plaintiff and the general public could not easily obtain the above-mentioned information combination through public channels”. In other words, it ceased to constitute publicly available information.

In short, if a piece of information satisfies the following three conditions, it falls within the scope of publicly available personal information: (1) it can be accessed/obtained by an unspecified number of people; (2) the method of publication is based on proactivity/free will or other lawful means such as government information disclosure/lawful news reports, etc.; and (3) it is obtained by way of a public channel.

Does processing of the data fall within reasonable limits?

(1) Balance between “individual rights and interests” and the “public interest”.
In Liang Yabing v Beijing Huifa Zhengxin Technology, an online tort liability dispute, and Suzhou Berta Data Technology v Irike Siqing, a general personality right dispute, the courts, in respect of the further use of published court documents, conducted discussions on the balancing of rights and interests, but ultimately rendered opposite judgments.

In the Liang Yabing case, the court held that the act of further use ensured and facilitated the public’s right to know the relevant information, was conducive to development of the social integrity system, did not run counter to the purpose of judicial disclosure, and in this case, in respect of the individual’s rights and interests versus the public interest, it came down on the side of judicial disclosure.

In contrast, in the Irike Siqing case, the court leaned towards the plaintiff bearing an obligation of tolerance towards judicial disclosure before the plaintiff demanded deletion of the documents but, after the plaintiff made its demand for deletion, the balance tilted completely towards protection of the individual’s rights and interests, and the individual’s control over the extent of dissemination of his or her information.

The court additionally held that, “when weighing whether the collection and use by a network operator of personal information that has been lawfully disclosed complies with the principles of lawfulness, legitimacy and necessity, the relationship between the circulation of personal information that has been lawfully disclosed and control of the dissemination of information by the personal information subject needs to be properly balanced, requiring that protection of the rights and interests of natural persons in their personal information be given due weight, while also giving due consideration to the positive effect that the improvement of information technology, innovation in business models and development of the big data industry have on social progress”.

The authors argue that, in its routine compliance work, a company can refer to the balancing test for corporate interests versus the individual’s rights and interests, found in the EU’s Genereal Data Protection Regulation, for determining the legitimate interests of a company, establish internally the relevant tools for the balancing test of the public interest versus the individual’s rights and interests ‒ such as questionnaires and compliance assessment procedures ‒ and conduct balancing tests to encourage reasonable use while fully ensuring individual rights.

By such means, and while protecting personal information, the circulation and application of data are promoted in certain fields in an orderly manner, and a system of controlling the purpose and quantity of data used can be further explored so as to promote technological development.

(2) Objective and consistent purpose that is in keeping with the individual’s reasonable expectation of privacy.
The criterion of an objective and consistent purpose was set out in article 28 of the Personal Information Protection Law (Draft) (Second Review Draft), namely: “The processing of publicly available personal information by a personal information processor shall be consistent with the purpose for which the personal information was disclosed.” But this was removed in the third review draft. In the Liang Yabing case, the court expressly stated that commercial use did not signify that further use constituted an improper act, for example, in the case where a further disclosure of a written judgment would be conducive to the development of the social integrity system and would not run counter to the purpose of judicial disclosure.

With respect to the determination of consistency with the individual’s reasonable expectation of privacy, as acclaimed legal scholar Zhang Xinbao, who also helped draft the PIPL, states in his book titled Explanation of the Personal Information Protection Law of the People’s Republic of China, if further processing by a processor runs counter to the usual understanding of the limit on the use of publicly available personal information by the average rational person, the above-mentioned inference is untenable. When a personal information processor further processes such information, it is required to ensure that its processing act is lawful, fair and transparent, and to consider the individual’s reasonable expectation in respect of the further use of his or her data so as to ensure that the further processing is fair and reasonable.

(3) Should not have a material impact on the individual’s rights and interests.
Article 27 of the PIPL provides that where the processing of publicly available personal information by a personal information processor has a material impact on the individual’s rights and interests, it is required to secure the individual’s consent in accordance with the PIPL. The question then becomes, how is the material impact on the individual’s rights and interests caused by the further processing to be determined and quantified?

Reference can be made to schedule D of the Guidance for Personal Information Security Impact Assessment, a technical national standard jointly issued by the State Administration for Market Regulation and Standardisation Administration of China, to determine the seriousness of the impact on an individual’s rights and interests. A serious impact on an individual’s rights and interests may manifest as the personal information subject suffering a material, lasting and potentially insurmountable impact.

Professor Cheng Xiao, argues in his recent paper that a material impact not only affects the individual’s legal status and economic status, but also includes the impact on his or her social, cultural and political status in terms of job seeking, promotions, study, going abroad, applying for social welfare, etc. This would include losing child welfare or housing benefits, refusal by an insurance company to pay insurance compensation for medical expenses, etc. The authors agree with this position.

In Wang Hong v Beijingwan Owners’ Committee, an online tort liability dispute, the plaintiff argued that the defendant’s act of sending a written judgment containing his personal information to the internet and the community owners’ group resulted in a leak of his personal information, causing him distress and inconvenience. Accordingly, he took the case to court.

In the trial, the court stated that, pursuant to the dynamic system theory provision in article 998 of the Civil Code, it was objectively difficult to find that the act by the defendant infringed the plaintiff’s rights and interests in his personal information, as the plaintiff’s claim lacked a factual and legal basis. Accordingly, while actually determining whether there is a material impact on an individual’s rights and interests, the dynamic system theory can be relied on to determine whether a further disclosure or a relevant processing act infringes the person’s material interests.

Conclusion

“The processing of publicly available personal information within reasonable limits”, as one of the lawful bases expressly stated in article 13 of the PIPL, powerfully promotes the purpose immediately expressed in chapter 1 of the PIPL: “Regulate personal information processing activities and promote the reasonable use of personal information.”

In its day-to-day compliance work, a company needs to fully protect the rights and interests of personal information subjects, satisfy all of the principles and requirements set out in the PIPL and, on this basis, duly handle the balance between the rights and interests of individuals and the public interest arising from the act of further processing information. Only in this way can public trust be built and a multi-win situation for the development of the industry and the public interest can be achieved.