The privacy rights supported and protected by the Cybersecurity Law
As the enforcement date of the Cybersecurity Law (CSL), 1 June 2017, draws closer, we continue our analysis to support companies in understanding and complying with the law. In our previous article we covered the issue of Shadow IT with regard to the CSL, in particular the importance for network operators of thwarting the development of parallel networks and of offering employees solutions that are both efficient and privacy-conscious. In this article we further discuss the concept of privacy rights present in the CSL. To this end we cover three main privacy rights provided by the CSL: the right to confidentiality, the right to correction and the right to erasure.
1. The right to confidentiality and its boundaries
As a core component of privacy and data protection, the obligation of confidentiality set by Article 40 of the CSL is also to be understood as a right for data subjects to see their privacy preserved and their information kept confidential. By requiring “Network operators to strictly keep confidential users’ personal information they have collected, while establishing and improving personal information protection system”, the law intends both that network operators take significant measures to preserve the confidentiality of the personal information they collect and use, and that data subjects understand that relevant measures will be taken to prevent their personal information from spreading across the web through a lack of confidentiality and without their consent.
However, this right is bound by certain limits, as the obligation of confidentiality must be tempered by the obligation of network operators to assist relevant governmental authorities in their investigations, or by the consent of the data subject to further share or sell the collected personal information. Should the personal information be required by relevant authorities, the network operator should, by virtue of Article 28, provide its “assistance to public security organs and state security organs in safeguarding national security and investigating crimes”, which could take the form of disclosing collected and used personal information or, to some extent, providing decryption of personal information as technical assistance to the authorities.
2. The right to correction over modification
The right to correction as per Article 43 of the CSL should not be understood as a wildcard right allowing data subjects to make any modification to their personal information. The article states that “Network operators at the request of the data subject where they find that their personal information gathered or stored by network operators is subject to any mistake, they have the right to request the network operators to make corrections”, clearly providing a right subject to specific cumulative conditions, which are as follows:
1. The personal information gathered or stored should be subject to a mistake
2. The personal information should have been gathered or stored by the network operator
3. The data subject should actively request the modification of the personal information
As such, this right must be understood as a recourse granted to the data subject to correct any discovered mistake among gathered and used personal information. For example, a man named “Jön” could request correction of his name should it be processed as “Jon” due to a charset compatibility issue. However, should the same man request that his name in the system be modified from “Jön” to “John”, such a demand could be refused, as it would not constitute a request to correct a mistake, but a request to modify correct information into false or incorrect information. In fine, the right to correction set by the CSL is not a right to modify, but a right to correct existing personal information that is incorrect.
3. The right to erasure and not to be forgotten
The right to erasure as stated in Article 43 of the CSL is an active right given to data subjects, allowing them to request that network operators gathering or using their personal information in violation of the law delete such personal information. In this respect it differs greatly from the right to be forgotten, which is a privacy right allowing data subjects to request that relevant search engines delete entries related to them when such entries are not deemed to be relevant or infringe on their privacy. In this regard, the Chinese right to erasure has a wider range of network operators required to comply, but a smaller scope in terms of the personal information that the data subject can request to be deleted.
Similar to the right to correction, the right to erasure is subject to several cumulative conditions following the wording of Article 43, which are as follows:
1. The individual should discover collection or use of personal information in violation of the law, administrative regulations or the agreements between them and the network operator
2. That personal information should be their own personal information and not a third party's personal information
3. The individual should actively request that the network operator delete their personal information
One of the flagrant characteristics of this right is that it is a deeply individual right that cannot be used by a third party on behalf of the original data subject. Should a friend of a data subject, or a non-governmental organization, discover that the data subject's personal information is collected and used in violation of the laws or relevant agreements, they cannot directly request the erasure of such personal information. They should first inform the data subject, who will then have to personally make the request to the network operator.
Therefore, we can conclude that privacy rights are components of the CSL under the data protection umbrella, despite the name of the law. It is to be noted that those rights are also supported by a range of sanctions set by Article 64 of the CSL, which include warnings, requests for rectification, financial sanctions and, for the most serious circumstances, suspension of the relevant business or ultimately revocation of relevant business permits or licenses.