This article is written by Sudisha Mukherji, pursuing Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. The article has been edited by Zigishu Singh (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).
Identity theft is the unlawful acquisition of the personal information that defines a person’s identity, for economic gain or to commit further offences such as fraud or theft. It can occur on or off cyberspace. With the rapid growth and evolution of technology, identity theft in cyberspace, for instance creating a fake social media account or e-mail id in someone else’s name, has become one of the most common cybercrimes around the world. Hacking, phishing and e-mail/SMS spoofing are common techniques by which a cybercriminal obtains a victim’s personal information; once obtained, that information can be used to impersonate the victim, steal money or gain other illegal benefits, as in tax-related identity theft, medical identity theft, identity cloning for concealment and online purchase scams.
China has long grappled with identity theft and the theft of personal information. In June 2020, Chinese media revealed that several universities had discovered that graduates admitted between 1999 and 2006 had used another person’s identity and examination score to gain admission. Foreigners and citizens alike have also had their identity and credit card information stolen. Against this background, 2020 was an active year for developments in China’s cybersecurity and data protection regimes.
History of Chinese data protection law
China did not have a single comprehensive data protection law until 2017. Before the People’s Republic of China Cybersecurity Law took effect (the “Cybersecurity Law 2017”), the protection of personal information and data security was spread across a complex framework of separate laws and rules.
Under the Criminal Law of the PRC, cybercrimes fall mainly under the chapter on crimes disturbing public order. Articles 285, 286 and 287 of the Criminal Law are the main provisions. Articles 285 and 286 target new crimes against computers and networks, such as illegal access to and damage of computer information systems, while Article 287 covers traditional crimes committed by means of a computer or the internet.
These Articles, however, proved inadequate as technology and crime evolved. Amendment IX to the Criminal Law (2015) expanded and strengthened them and extended the scope of criminal liability to address emerging issues, in particular bribery and data privacy. On data privacy, the Amendment broadened the existing offence of illegally selling or providing citizens’ personal information and prescribed harsher punishments for it.
The Cybersecurity Law 2017 was the first Chinese law to address cybersecurity and data protection directly. It has since been supplemented by national standards and guidelines such as the Information Security Technology – Personal Information Security Specification (the “PIS Specification”, 2020 edition); the Guidelines on Internet Personal Information Security Protection (2019); and the Information Security Technology – Guidelines on Personal Information Security Impact Assessment (in force since 2021).
A draft Personal Information Protection Law (“PIPL”) was published for public consultation in October 2020. The PIPL was adopted by the Standing Committee of the National People’s Congress on 20 August 2021 and took effect on 1 November 2021. It is China’s first comprehensive law to define personal information and regulate its processing.
PRC Personal Information Protection Law, 2021
The PRC Personal Information Protection Law (PIPL), offers a detailed definition of the term “Personal Information” and further clarifies the concept of “sensitive” personal information. It further sharpens the focus on the transfer of such personal information/ sensitive personal information. Article 1 of the PIPL reads “This Law is enacted in accordance with the Constitution to protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information”.
Scope of application of the PIPL
Article 3 provides that the PIPL applies to the processing of personal information of natural persons within the territory of the People’s Republic of China. It also applies to processing carried out outside the PRC of personal information of natural persons within the PRC where (i) the purpose is to provide products or services to those persons; (ii) the purpose is to analyse or evaluate their activities; or (iii) other circumstances provided by laws and administrative regulations apply.
Definition of ‘Personal Information’ and ‘Sensitive Personal Information’
Article 4 of the PIPL defines “personal information” and “processing of personal information”. Personal information is “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information that has been anonymised.” Processing of personal information includes the collection, storage, use, transmission, provision, publication and erasure of personal information. Article 28 of the PIPL defines “sensitive personal information” as “personal information that, if leaked or used illegally, may easily cause harm to the dignity of natural persons, or serious damage to the safety of individuals and properties, including information relating to biometric identification, religious beliefs, specific identities, healthcare, financial account, individual location tracking, etc., as well as personal information of minors under the age of 14”.
Lawful bases and disclosures by processors
The PIPL requires a specific lawful basis for the collection and processing of personal information. Article 13 provides that a processor may process personal information only in the following circumstances:
(i) the individual’s consent has been obtained;
(ii) the processing is necessary to conclude or perform a contract to which the individual is a party, or for human resources management under lawfully adopted labour rules and collective contracts;
(iii) the processing is necessary to perform statutory duties or obligations;
(iv) the processing is necessary to respond to a public health emergency or to protect the life, health or property of natural persons in an emergency;
(v) the processing is for news reporting or public opinion supervision in the public interest, within a reasonable scope;
(vi) the personal information has been disclosed by the individual themselves or has otherwise been lawfully disclosed, and is processed within a reasonable scope; or
(vii) other circumstances provided by laws and administrative regulations apply.
Under Article 31, a processor handling the personal information of a minor under the age of 14 must obtain the consent of the minor’s parent or other guardian, and must formulate special rules for processing such information.
Article 17 requires that, before processing, individuals be informed truthfully, accurately and completely, in clear and easily understood language, of: (i) the name and contact information of the processor; (ii) the purpose and method of processing, the categories of personal information processed and the retention period; (iii) the method and procedure by which the individual may exercise their rights under the PIPL; and (iv) any other matters required by laws and administrative regulations.
Consent for collection of ‘Personal Information’ and ‘Sensitive Personal Information’
Article 14 provides that where processing is based on consent, the consent must be given voluntarily and explicitly by the individual with full knowledge of the facts. Where other provisions of the PIPL require separate or written consent, those requirements must also be met. If the purpose or method of processing, or the categories of personal information processed, change, fresh consent must be obtained from the individual.
Under Article 27, a processor may, within a reasonable scope, process personal information that the individual has disclosed themselves or that has otherwise been lawfully disclosed, unless the individual explicitly refuses. Where such processing has a major impact on the individual’s rights and interests, the processor must obtain the individual’s consent.
Articles 29 and 30 provide that a processor handling sensitive personal information must obtain the individual’s separate consent (and written consent where other laws or administrative regulations require it), and must inform the individual, in addition to the matters listed in paragraph one of Article 17, of the necessity of the processing and its impact on the individual’s rights and interests, except where the PIPL provides that notice may be dispensed with.
Articles 23, 25, 26 and 39 require the processor to obtain separate consent for: providing personal information to another processor; publicising personal information; using personal images and identification information collected in public venues for purposes other than public security; and transferring personal information outside the PRC.
Retention of information
Article 19 provides that, unless a retention period is otherwise provided by laws or administrative regulations, personal information must be retained for the shortest period necessary to achieve the purpose of processing. Article 47 requires the processor to erase personal information on its own initiative, or at the individual’s request, where: (i) the purpose of processing has been achieved, cannot be achieved, or the information is no longer necessary for it; (ii) the processor stops providing the product or service, or the retention period has expired; (iii) the individual withdraws consent; (iv) the processor has processed the information in violation of laws, administrative regulations or the agreement with the individual; or (v) other circumstances provided by laws and administrative regulations apply.
Processors and internet platforms
The PIPL places its obligations mainly on personal information processors. Article 51 requires processors to adopt the measures necessary to keep personal information secure and to prevent leaks, tampering and loss, such as internal management systems, classified management of data, encryption and de-identification, access controls and regular staff training; under Article 59, a party entrusted by a processor to handle personal information must take the same measures and assist the processor in meeting its obligations. Article 58 imposes additional obligations on processors that provide important internet platform services, have a very large number of users and operate complex business models: they must establish a personal information protection compliance system, establish an independent body composed mainly of external members to supervise their processing of personal information, formulate platform rules specifying the personal information protection obligations of the product and service providers on the platform, stop providing services to providers that seriously violate the law, and regularly publish social responsibility reports on personal information protection.
Article 57 provides that where personal information is or may be leaked, tampered with or lost, the processor must immediately take remedial measures and notify the competent protection authorities and the affected individuals. The notification must state the categories of personal information involved, the causes of the incident and the harm it may cause; the remedial measures the processor has taken and the measures individuals can take to mitigate the harm; and the processor’s contact details. Where the processor’s measures effectively avoid harm from the incident, it may dispense with notifying the individuals, unless the authorities require it to do so.
Under Article 66, in the event of a violation of the PIPL, the authorities may order rectification, issue a warning, confiscate any unlawful gains and order the suspension of the offending application or service. If the processor refuses to rectify, it may be fined up to RMB 1,000,000, and the persons directly in charge or otherwise directly responsible may each be fined between RMB 10,000 and RMB 100,000.
For grave violations, the provincial-level or higher authorities may, in addition, impose a fine of up to RMB 50,000,000 or 5% of the processor’s turnover for the previous year, order the suspension of the relevant business or of all operations pending rectification, and notify the competent authority to revoke the relevant business permit or licence. The persons directly responsible may be fined between RMB 100,000 and RMB 1,000,000 and barred for a period from serving as directors, supervisors, senior managers or personal information protection officers. Where a violation constitutes a public security offence or a crime, the processor is further liable under public security administration law or the Criminal Law. Individuals are also entitled to claim damages and other civil remedies.
The PIPL gives individuals substantial protection against crimes such as identity theft. It ensures that individuals know who is collecting their information, why it is being collected and what rights they have, and it mandates consent before collection. It also gives heightened protection to the very categories of data on which identity thieves rely: biometrics, specific identities, health information, financial accounts and whereabouts. It should be noted that the PIPL regulates processors rather than the thief: a person who steals or sells personal information is prosecuted under the Criminal Law provisions discussed above, while the PIPL reduces the chance of such data leaking in the first place and gives victims a civil remedy against a negligent processor. Together with the scale of its penalties, this makes the PIPL one of the strictest personal data protection laws enacted to date.