Research on the Draft of China

Shou Bu Dang Yujie

Abstract： In China's Personal Information Protection Law （Draft）， the definition of personal information needs to be revised， and it should be stipulated as "personal information is any kind of information that can identify a living natural person alone or combined with other information， excluding which has been processed via the anonymization". Furthermore， a new clause as a supplement should be added in order to reflect the legislative idea of "identification" + "relevance". The listed operation items of personal information processing should be modified from seven items to eleven items， then that will be： collection， storage， processing， using， transaction， providing， disclosure， consultation， copy， correction and erasure. There is a contradiction between Article 69 and the Clause 2 of Article 24， detailed as： the terms "impossible to identify" and "unable to be recovered" which is mentioned in the definition of anonymization in Article 69， contradicts with the term "re-identify" referred in the Clause 2 of Article 24， and this contradiction should be resolved.

Key words： personal information protection; personal information; personal information processing; anonymization

CLC： D 912 DC： A Article ID： 2096-9783（2021）03-0111-08

China's Personal Information Protection Law （Draft） （hereinafter referred to as the Draft） was published for comments sought on Oct 21， 2020. Now several issues in the Draft will be discussed.

1 Issues about the Definition of Personal Information

1.1 Issues

First， Article 4 Clause 1 of the Draft defines： "personal information refers to any kind of information related to identified or identifiable natural persons recorded by electronic or by other means， excluding which has been processed via the anonymization."

Article 76 of the Cybersecurity Law of the People's Republic of China （hereinafter referred to as the Cyber Security Law） states： "personal information refers to any kind of information that can identify the personal identity of a natural person alone or combined with other information recorded by electronically or by other means， including but not limited to the name， date of birth， identification number， personal biometric information， address， telephone number， etc."

The second paragraph of Article 1034 in the Civil Code of the People's Republic of China （hereinafter referred to as the Civil Code） states： "personal information is any kind of information that can identify a specific natural person alone or combined with other information recorded by electronically or by other means， including the name， date of birth， identification number， biometric information， address， phone number， email address， health information， whereabouts information， etc."

Second， the definition of personal information in the Draft is different from both that in the Cyber Security Law and in the Civil Code. The definition of personal information in the Cyber Security Law is similar to that in the Civil Code. Comparing with the Cyber Security Law， in the personal information definition of the Civil Code， the statements "the personal identity of a natural person" is replaced with "a specific natural person" which has the same meaning. In addition， one kind of personal information which is listed in the definition of personal information in the Cyber Security Law has been replaced by another statement in the Civil Code （details as： "personal biometric information" is replaced by "biometric information"）， and some listed information is supplemented in the Civil Code （details as： "email address， health information， whereabouts information" has been added）. However， the key text in the definition of personal information in the Cyber Security Law "can be identified alone or in combination with other information..." has been adopt by the Civil Code with nothing to change.

Third， the Cyber Security Law has come into force on Jun 1， 2017. The Civil Code was voted and passed in the National People's Congress of the People's Republic of China on May 28， 2020 and has come into force on Jan 1， 2021. The Draft was submitted to the Standing Committee of the National People's Congress for deliberation in mid-October， 2020 and then announced to the public and comments sought.

Compared to the Draft， the Civil Code is the basic law and the upper-level legislation. As the Civil Code has been officially passed and published， one asks why the draft， the lower-level legislation， does not adopt the definite definition in the Civil Code which is the upper-level legislation.

Then we focus on comparing the definition of personal information in the Civil Code with that of the Draft.

1.2 Analysis

First， if we temporarily ignore the following details both in the personal information definition in the Draft and that in the Civil Code， which are： （1） the second statement of the personal information definition in the Draft， seen as "exclusions items"， is referred to "excluding which has been processed via the anonymization"; （2） the types of personal information， which is listed in the second statement of the personal information definition in the Civil Code， details as： a natural person's personal information， "including the name， date of birth， identification number， biometric information， address， telephone number， e-mail address， health information， whereabouts information， etc."; （3） the same adherent adjunct， "recorded electronically or by other means"， both in the first statement of personal information definition in the Draft and the Civil Code. Then， let's see the core of personal information definition， and we will find that the core expressions of the definition in two laws are respectively as following—

（Definition of personal information in the Draft） Personal information is "any kind of information related to a natural person which is identified or identifiable";

（Definition of personal information in the Civil Code） Personal information is "any kinds of information that can identify a specific natural person alone or combined with other information".

In the personal information definition of the Civil Code， a dichotomy is used to divide the information into two kinds. Then， one kind of information "can identify a specific natural person alone" and the other one "can identify a specific natural person combined with other information"; while in the Draft， dichotomy is used to divide the information into two kinds， which are "dentified" nature person and "identifiable" nature person.

Second， in Article 4 of the EU's General Data Protection Regulation （GDPR）， the definition of personal data， which is similar to but not exactly the same as the concept of "personal information"， is described as： "personal data means any information relating to an identified or identifiable natural person （'data subject'）; an identifiable natural person is one who can be identified， directly or indirectly， in particular by reference to an identifier such as a name， an identification number， location data， an online identifier or to one or more factors specific to the physical， physiological， genetic， mental， economic， cultural or social identity of that natural person". It seems that the definition of personal information in the Draft uses the same classification in GDPR for reference.

The problem is that in China there are lots of relevant laws， regulations， judicial interpretations， departmental rules and other normative documents in the aspect of personal information protection， and most of them adopt definitions that are similar to the definition of personal information in the Civil Code， and furthermore the Civil Code as the basic law and the upper-level legislative has already defined personal information.

Therefore， defining personal information of the Personal Information Protection Law， it is advisable to maintain the definition's continuity， stability， consistency and seriousness as we have been doing over these years in China. Under this premise， appropriate legislative techniques could be adopted to achieve the goal of taking into account both China's existing legislative models and GDPR legislative ideas.

Third， the attributive adjunct of "any kind of information" in the definition of personal information in the Draft include the statements "recorded electronically or by other means" in addition to the statements of "related to identified or identifiable natural persons". By using dichotomy to separate "the electronically method" and "the other means"， the terms "recorded electronically or by other means" means that all possible "recording" method have been exhausted. In other words， it has nothing to do with the "recording method" whether "information" is included into the "personal information". Therefore， the attributive adjunct related to the "recording method" of personal information is completely redundant and could be deleted. The definition of personal information in the Draft can be simplified as： "personal information is any kind information related to identified or identifiable natural persons， excluding which has been processed via the anonymization."

Forth， the related legislation of Japan， Act on the Protection of Personal Information （APPI）， which is updated and has been implemented on May 30， 2017， stipulates a clear distinction between the terms of "personal information" and "personal data"， which is different conceptually， furthermore， "personal information database" as a concept is introduced in APPI.

In Article 2 Clause 1 of APPI， it is stipulated that： "personal information in this Act means that information relating to a living individual which falls under any of each following item：…" and the Clause 4 stipulates： "a 'personal information database etc.' in this Act means those set forth in the following which are a collective body of information comprising personal information （excluding those prescribed by cabinet order as having little possibility of harming an individual's rights and interests considering their utilization method）...， and Clause 6 stipulates： "personal data in this Act means personal information constituting a personal information database etc." If the above three clauses are combined and considered comprehensively， it maybe concluded that personal data refers to the information which is related to a living individual and constitutes a set containing personal information.

It is reasonable and desirable for Japanese legislators to distinguish the terms "personal information" and "personal data". However， in China， all the existing normative documents such as laws， regulations， judicial interpretations and departmental rules， even including the Civil Code， use the term "personal information" without using the term "personal data". Under this circumstance， if the concept of "personal data" is introduced， a series of follow-up and complicated operations are required in order to accomplish the whole "retrofit" of the entire legal system of personal information protection.

Fifth， in South Korea's lately revised legislation of Personal Information Protection Act （PIPA）， which has come into enforce on 5 Aug 2020， Article 2 states： "the term 'personal information' means any of the following information relating to a living individual：

（a） Information that identifies a particular individual by his or her full name， resident registration number， image， etc. ;

（b） Information which， even if it by itself does not identify a particular individual， may be easily combined with other information to identify a particular individual. In such cases， whether or not there is ease of combination shall be determined by reasonably considering the time， cost， technology， etc. used to identify the individual such as likelihood that the other information can be procured;

（c） Information under items （a） or （b） above that is pseudonymized in accordance with subparagraph 1-2 below and thereby becomes incapable of identifying a particular individual without the use or combination of information for restoration to the original state （hereinafter referred to as 'pseudonymized information'）;

The term 'pseudonymization' means a procedure to process personal information so that the information cannot identify a particular individual without additional information， by deleting in part， or replacing in whole or in part， such information."

After comparing the personal information definitions of APPI and that of PIPA， it can be concluded that terms "personal information" in the two different Acts both refer to the same meaning that personal information as relating to a living individual that means person alive. These are essentially the same in Chinese and unified in English. In other words， unborn fetuses and people who have died have nothing to do with the term "personal information" in the context of personal information protection.

Sixth， thailand's Personal Data Protection Act （PDPA） was published in 2019. Section 6 of PDPA stipulates： "personal data means any information relating to a person， which enables the identification of such person， whether directly or indirectly， but not including the information of the deceased persons in particular; …" In the definition of personal data， the information of deceased person is not included， which is consistent with the above-mentioned relevant regulations in Japan and South Korea.

Therefore， in China's Personal Information Protection Law， the adjective "living" or similar words should be added into the definition of "personal information" as the attributive of the term "natural persons".

1.3 Suggestions

It is suggested to use the introduction of Appendix A of Examples of Personal Sensitive Information which is the materials annex attached to Information Security Technology—Personal Information Security Specifications （GB/T 35273-2020） （hereinafter referred to as Appendix A） for a reference. The introduction is as follows：

"Personal information refers to information， recorded electronically or by other means， that can， independently or in conjunction with other information， identify the identity of a particular natural person or reflect the activities of a particular natural person， such as their name， date of birth， ID number， personal biometric identification information， address， communications contact method， communication records and content， account passwords， property information， credit investigation information， location tracking， accommodation information， health and physiological information， transaction information， and so forth.

The following two paths should be considered in determining whether a piece of information is personal information： First is identification， from information to individuals， the special nature of the information itself identifies a particular natural person， personal information is that which is helpful to identifying a particular person. Second is relevance， from individuals to information， if the particular natural person is already known， then the information produced by the particular natural person in their activities （such as personal positioning information， personal telephone records， personal browsing records， and so forth） is personal information. Information that meets either of the two situations described above is to be considered personal information."

The specific modification proposal is：

（1） On the basis of the definition of personal information in the Civil Code， delete the attributive statements "recorded electronically or by other means" in the first sentence; delete the second sentence "including the name， date of birth， identification number， biometric information， address， phone number， email address， health information， whereabouts information， etc."; keep the phrase "personal information is any information that can identify the personal identity of a specific natural person alone or combined with other information"; add the expression in the personal information definition of the Draft， which is "excluding which has been processed via the anonymization". The above contents as the first clause of the definition of personal information in the Personal Information Protection Law to reflect the existing legislative model of China. Meanwhile， change the term from "a specific natural person" to "a living natural person". Eventually， the text of the first paragraph is：

"Personal information is any kind of information that can identify a living natural person alone or combined with other information， excluding which has been processed via the anonymization."

（2） Adopt the expression in the second paragraph of the introduction in Appendix A as the second paragraph of the personal information definition of the Personal Information Protection Law， reflecting the GDPR's legislative idea of "identification" + "relevance"

2 Issues about the Listed Operation Items of Personal Information Processing

2.1 Issues

In the Draft， Article 4 Clause 2 provides the definition： "the processing of personal information includes activities such as the collection， storage， use， processing， transmission， provision， and disclosure of personal information." There are seven types of operations listed for personal information processing in the Draft.

In Article 3 Clause 2 of the Data Security Law of the People's Republic of China （Draft） （hereinafter referred to as the Data Security Law Draft）， the definition of data activity referred as data processing is defined as "data activities refers to activities such as the collection， storage， processing， use， provision， transaction， and disclosure of data." There are also seven types of operations listed for data processing.

Personal information， also known as personal data， is one type of data. Therefore， the listed operations of personal information processing should be consistent with that of data processing. But， unfortunately， the names of the seven listed operations in the two drafts of Personal Information Protection Law and Data Security Law are different.

2.2 Comparing the Seven Listed Operations of Personal Information Processing and That of Data Processing

First of all， the first four listed operations respectively in personal information processing and data processing are using the same name but have a little difference in order. In view of the actual sequence of data processing in operation， after the data is "collected" and "stored"， it should be "processed" before it can be "used". Therefore， the sequence of the first four listed operations for personal information processing should be modified to "collection， storage， processing， use..." which will be consistent with the data processing.

Secondly， the last three listed operations respectively in personal information processing and data processing are using different names and in different orders. The last three listed operations of data processing are provision， transaction， and disclosure， but that of personal information processing are transmission， provision， and disclosure.

（1） "Transaction" shall refer to the act of intercommunicating and exchanging the data between the "data processor" and other entities by using currency as the intermediary.

（2） Both "provision" and "disclosure" mean to let others know the relevant data. The target of "provision" is a specific third party; the target of "disclosure" is an unspecified third party. Those comments above for comparing "provision" and "disclosure" can be verified by the following texts stipulated in Article 54 of the Draft： "（3） Entrust processing personal information， provide personal information to a third party， disclose personal information; （4） Provide personal information abroad."

（3） Data "transmission" exists in the whole process of data circulation. In the definition of data processing declared by the Data Security Law Draft， "transmission" is not separately listed as an operation. By regulating the seven listed operations "collection， storage， processing， use， provision， transaction and disclosure"， the regulation of the whole process of data circulation can be realized. It seems that there is no necessity to separately list "transmission" separately. Regarding the legal issues involved in "cross-border data transmission"， they are still related to the same seven types of listed operations of "collection， storage， processing， use， provision， transaction and disclosure" occurring under the circumstances of "cross-border"， rather than new legal issue arise in "transmission" itself.

Therefore， the "transmission" in the last three listed operations "transmission， provision， disclosure" described in the definition of personal information processing can be replaced by the term "transaction" listed in the definition of data processing.

At the last， regarding the logical sequence of the last three operations. Due to that "provision" or "disclosure" only appears after "transaction"， so "transaction" should be in front of "provision" and "disclosure"; the order of "provision" and "disclosure" can be arbitrary. In other words， the logical sequence of the last three operations should be "transaction， provision， disclosure" or "transaction， disclosure， provision".

In summary， the seven listed operations of personal information processing in the Draft should be modified as collection， storage， processing， use， transaction， provision， and disclosure. In other words， firstly， the term "use， processing" should be modified to "processing， use"; secondly， the operation of "transmission" should be replace by "transaction".

2.3 Comparing the Rights of Personal Information Subjects to the Corresponding Listed Operations of Personal Information Processing Respectively

（1） The Relevant Regulations in Chinese and Foreign Legal Documents

About the rights of personal information subjects， Article 1037 in the Civil Code stipulates：

"Natural persons may consult or copy their personal information from any information processor in the light of this law; if any error is found in the information， the natural person is entitled the right to raise an objection and request the information processor to take necessary measures such as corrections in a timely manner.

Where a natural person discovers that an information processor has processed his or her personal information with a violation of laws， administrative regulations， or the agreement between both parties to process his or her personal information， he or she should have the right to request the information processor to erase the information promptly."

——Article 1037 of the Civil Code stipulates the rights of subjects， which are the right to consultation， the right to copy， the right to correction， and the right to erasure.

Article 43 of the Cyber Security Law stipulates： "where an individual discovers network operators have violated the laws， administrative regulations or the agreements between both parties in collecting or using their personal information， he or she has the right to request the network operators to erase his or her personal information; where discovering that there are errors in such personal information collected or stored by network operators， he or she has the right to request the network operators to make corrections， and such network operators shall adopt measures to erase the information or correct the errors.

——Article 43 of the Cyber Security Law stipulates that personal information subjects have the right to correction and the right to erasure.

In GDPR， Article 15 stipulates that the data subject has the right to access personal data including consultation and copy which is referred to the right of access by the data subject; Article 16 stipulates that the data subject has the right to rectify the inaccurate personal data concerning him or her which is referred as right to correction; Article 17 stipulates that the data subject has the right to erasure the personal data concerning him or her which is referred as right to erasure or right to be forgotten.

（2） The Relevant Provisions of the Draft

In Chapter 4 "Rights of Individuals in Personal Information Processing Activities" of the Draft， there are three "operations" related to personal information processing：

Article 45 stipulates the right to consultation and the right to copy：

"An individual is entitled to consult or copy his or her personal information from a personal information processor， except for the circumstances as prescribed in Paragraph 1 of Article 19 herein.

Where an individual requests to consult or copy his or her personal information， the personal information processor shall provide such information in a timely manner."

Article 46 stipulates the individual's right to correction：

"Where an individual finds that his or her personal information is inaccurate or incomplete， he or she is entitled to request the personal information processor to make corrections or supplements.

Where an individual requests for corrections or supplements to his or her personal information， the personal information processor shall make verification and make corrections or supplements to such information in a timely manner."

Article 47 stipulates the right to erasure of individuals：

"Under any of the following circumstances， a personal information processor shall delete personal information on its own initiative or at the request of the individual concerned：

i， where the agreed storage period has expired or the purpose of processing the personal information has been achieved;

ii， where the personal information processor stops providing products or services;

iii， where the individual withdraws his or her consent;

iv， where the personal information processor processes personal information in violation of laws， administrative regulations or the agreement; or

v， any other circumstance as prescribed by laws and administrative regulations.

Where the storage period as prescribed by laws and administrative regulations does not expire， or the deletion of personal information is difficult to be realized technically， the personal information processor shall stop processing personal information."

By the way， there are some argumentations about the stipulation in Article 46. The terms "inaccurate" and "incomplete" is redundant， because the meaning of "inaccurate" includes "incomplete"， and "incomplete" is one of the situation of "inaccurate"; meanwhile， the implication of "correct" includes "supplement"， and "supplement" is one of the operations of "correct".

（3） Reasons for Adding Four Types of Operations in the Listed Operations of Personal Information Processing

Firstly， in the definition of data processing， there are only seven operations listed in the Data Security Law Draft including collection， storage， processing， use， transaction， provision and disclosure， which can be understood easily that the Data Security Law Draft only needs to stipulate the operations applicable to all data， and does not need to specifically stipulate the operations to the processing of personal information.

In addition， Article 49 of the Data Security Law Draft stipulates： "the carrying out of data activities involving personal information shall comply with relevant laws and administrative regulations." In other words， the Data Security Law Draft does not specifically regulate the provisions referred to personal information; personal information protection issues should be regulated by the Personal Information Protection Law and other related laws and regulations.

Secondly， personal information is a special type of data， involving the rights of the subject of personal information. In the processing of personal information， in addition to the seven listed operations regarding general data processing， some unique operations of personal information processing such as consultation， copy， correction and erasure also should be listed. This reflects the relationship of "special and general" between personal information processing and general data processing. Adding these four operations of "consultation， copy， correction and erasure" to personal information processing， is very helpful to achieve the integrity of the internal logic of the personal information protection law.

Thirdly， if consultation， copy， correction and erasure are specified in the operations of personal information processing， it will benefit to deal with the disputes involving these related four rights of consultation， copy， correction and erasure in judicial practice. In fact， litigation concerning the right to erasure （right to be forgotten） has appeared in judicial practice. In the new version of the Regulations on Causes of Action for Civil Cases which came into effect on January 1， 2021， the related causes of action including four-levels， they are： disputes over general personality rights （the first-level cause of action） → disputes over general personality rights （the second-level cause of action） → disputes over right of privacy and protection of personal information （the third-level cause of action） → disputes over protection of personal information （the fourth-level cause of action）， respectively. In the future， with the accumulation of judicial practice， the causes of the disputes over protection of personal information may be further subdivided， and at least there will be eleven kinds of sub-level cause of actions corresponding to the eleven listed operations in personal information processing， which are disputes over personal information collection， disputes over personal information storage， disputes over personal information processing， disputes over personal information use， disputes over personal information transaction， disputes over personal information provision， disputes over personal information disclosure， disputes over personal information consultation， disputes over personal information copy， disputes over personal information correction and disputes over personal information erasure. And then， the forward-looking property of legislation and the leading and guiding effects of Regulations on Causes of Action for Civil Cases in judicial practice will be reflected very well.

2.4 Suggestions

（1） The Article 4 Clause 2 in the Draft should be amended as： "the processing of personal information includes activities such as the collection， storage， processing， use， transaction， provision， disclosure， consultation， copy， correction and erasure of personal information."

（2） Article 46 of the Draft should be revised as：

"Where an individual finds that his or her personal information is inaccurate， he or she is entitled to request the personal information processor to make corrections.

Where an individual requests for corrections to his or her personal information， the personal information processor shall make verification and corrections to such information in a timely manner."

3 Issues about the Definition of Anonymization and the Related Regulations

3.1? Issues

Phrases related to "anonymization" appear three times in the Draft. In addition to the definition in Article 69， it occurs in two other places Articles 4 and Articles 24， details as follows：

First， Article 69 defines： "Anonymization refers to the process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be recovered."

Second， Article 4 Clause 1 stipulates： "Personal information refers to any kind of information related to identified or identifiable natural persons recorded by electronic or by other means， excluding which has been processed via the anonymization."

Third， Article 24 Clause 2 stipulates： "Where a personal information processor provides anonymous information to a third party， the third party shall not re-identify the individual by such means as technology."

In view of meanings， there are some conflicts between the terms "impossible to identify" and "unable to be recovered" above-mentioned in Article 69 and the term "re-identify" stipulated in Paragraph 2 of Article 24.

3.2 Analysis

The 2017 and 2020 edition of The Information Security Technology—Personal Information Security Specification （GB/T 35273） both have the definition of "anonymization"： "Through the technical processing of personal information， the subject of personal information cannot be identified or associated and the processed subsequent information is unable to be recovered." Referencing with this definition will help us to understand the anonymization definition in the Draft more clearly.

In the Clause 2 of Article 24， since the personal information processor provides anonymous information to a third party， and according to the definition of anonymization in Article 69， it means that the anonymous information refers to the personal information which is processed by using techniques to realize that it is impossible to identify a certain natural person and unable to be recovered. Then， how can a third party "re-identify an individual by using such means as technology"？ In other words， if a third party can really "re-identify an individual by using such means as technology" then what the personal information processor provides to the third party is not truly "anonymous information". The stipulation of Article 24 Clause 2 in the Draft is "the third party shall not re-identify the individual by such means as technology"， and that is to say that there must be some technical possibilities to re-identify the individual as the premise. Scilicet， owing to the technical possibility， it needs to be prohibited by law.

Therefore， in the Draft， the definition of anonymization in Article 69 contradicts the Clause 2 of Article 24.

3.3 Suggestions

There are three amendments proposal： the first one is to modify the expression in Article 24 Clause 2， so that it does not conflict with the definition of anonymization in Article 69; the second one is to modify the definition of anonymization in Article 69 in order to make sure that Article 69 does not contradict Article 24 Clause 2; the third one is to simultaneously modify the definition of anonymization in Article 69 and the expression in Article 24 Clause 2.

4 Conclusion

The Draft provides a basic text for the systematic and standardized construction of China's personal information protection system. However， there are still a series of system design issues that deserve further discussion.

中國(guó)個(gè)人信息保護(hù)法草案若干問(wèn)題

壽? ?步，黨玉潔

（上海交通大學(xué) 法學(xué)院，上海 200240）

摘? ? 要：在個(gè)人信息保護(hù)法草案中，個(gè)人信息的定義應(yīng)修改為“個(gè)人信息是能夠單獨(dú)或者與其他信息結(jié)合識(shí)別有生命的自然人的各種信息，不包括匿名化處理后的信息?！辈⒓右豢铙w現(xiàn)“識(shí)別”+“關(guān)聯(lián)”的立法思路的文字。個(gè)人信息處理的列名操作應(yīng)該由七個(gè)變更為十一個(gè)，即收集、存儲(chǔ)、加工、使用、交易、提供、公開(kāi)、查閱、復(fù)制、更正、刪除等。第六十九條匿名化定義的“無(wú)法識(shí)別”且“不能復(fù)原”與第二十四條第二款規(guī)定的“重新識(shí)別”之間存在矛盾，需要修改。

關(guān)鍵詞：個(gè)人信息保護(hù);個(gè)人信息;個(gè)人信息處理;匿名化