22/12/2023 Articles

Dilemma and Breakthrough: Personal Information Protection Models and Righting in China

by Zhengxi Zhu

 

Abstract

China has implemented a comprehensive legal framework to safeguard personal information. However, there still needs to be more clarity regarding the status and characteristics of personal information within private law. This lack of clarity in the regulatory provisions of the Civil Code and the Personal Information Protection Law has resulted in this predicament. Scholars have thoroughly debated classifying personal information as belonging to public authority or private ownership, civil interest, or civil right. They have subsequently formulated China's framework for protecting personal information rights, drawing on the principles of information self-determination and specific scenarios. This framework establishes the right to personal information as an "independent personality right." From an international standpoint, developed countries are increasingly adopting a rights-based approach to regulating personal information. China is expected to follow this trend. Furthermore, China acknowledges that in the era of big data, personal information includes individual and public aspects, necessitating its analysis and comprehension in a scenario-based approach. Simultaneously, legislation and regulation should be based on the inherent value contained within personal information, with a focus on protecting both the individual's unique qualities and the practical utility of such information. It is necessary to specify the characteristics and worth of information in various formats and to categorize and enhance a more stringent and precise framework for safeguarding information by employing a model of coordinated protection under both private and public law.

1. Status of Personal Information Protection in China

The beginnings of "personal information protection" in Chinese regulation can be traced back to the Internet Electronic Announcement Service Management Regulations, issued by the Ministry of Information Industry (now the Ministry of Industry and Information Technology) in 2000. According to Article 12, providers of electronic bulletin services are required to keep the personal information of Internet users confidential and cannot share it with others without the users' consent unless permitted by law. Article 19 states that if an electronic bulletin service provider unlawfully discloses users' personal information without their consent, the telecommunication administration agency of the relevant region will order them to correct the situation. If this disclosure causes harm or loss to the users, the provider will be held legally responsible. Nevertheless, this section lacks a specific or explicit definition of "personal information" and only briefly mentions it. Since then, several rules and regulations have been enacted pertaining to the safeguarding of "personal information"; however, none of them provide a clear explanation or definition of the idea.[1] In 2012, China implemented a personal information protection policy that prioritizes individual control. In that same year, the Standing Committee of the National People's Congress (NPC) issued the Decision on Enhancing the Safeguarding of Network Information, which established an initial interpretation of personal information and introduced the notion of "Personal Identifying Information (PII)," referring to information that can identify the personal identity of individuals and pertains to their privacy. In 2013, the Ministry of Industry and Information Technology officially released the Provisions on the Protection of Personal Information of Telecommunications and Internet Users. This document introduced a comprehensive definition of personal information and its categorization.
It stated that personal information is "data that can identify the user, either on its own or when combined with other information." The document also included examples to illustrate this definition. Since then, this legislative model, known as concept and enumeration, has been widely adopted in Chinese laws and regulations to define personal information. This model offers an abstract definition of the concept and enhances its practicality by providing specific and tangible examples. In 2017, China's Cybersecurity Law officially acknowledged and confirmed the fundamental definition of PII as personal information. It explicitly states that personal information can be identified on its own or in combination with other information. This marked the official recognition of the definition of personal information at the Law level. In 2020, China implemented its first Civil Code, which incorporates the concept of "personal information" within Chapter 6, titled "Privacy and Personal Information Protection". Article 1034 of the Code provides a definition for personal information, which includes the criteria of being individually identifiable and identifiable when combined with other information:

 

Article 1034 The personal information of natural persons is protected by law.

Personal information is various information recorded electronically or in other forms that can identify a specific natural person separately or in combination with other information, including a natural person's name, date of birth, identity card number, biological recognition information, address, telephone number, e-mail address, health information, and whereabouts information, among others.

……

 

In 2021, China implemented its first legislation specifically aimed at safeguarding personal data, the Personal Information Protection Law. This law maintains the use of "identifiability" as a standard for determining personal information. However, to avoid oversights and accommodate societal advancements, the law also includes a broader provision encompassing "various types of information pertaining to individuals." Additionally, for the first time, the law stipulates that personal information "excludes data that has undergone anonymization":

 

Article 4 “Personal information” means all kinds of information related to identified or identifiable natural persons that are electronically or otherwise recorded, excluding information that has been anonymized.

……

 

Nevertheless, both Article 1034 of the Civil Code and Article 4 of the Personal Information Protection Law, along with several other laws, fail to provide a detailed explanation of the concept of "identifiability" and do not address the critical factors associated with it. While the degree of identification is broadly described and generalized, it is essential to note that the degree and probability of identification fluctuate greatly depending on the circumstances. Additionally, the criterion of identifiability is vast, which results in a need for more clarity regarding its meaning. Chinese academics generally agree that personal information can be categorized into two dimensions: static identification and dynamic identification.

 

The Chinese legislation aims to define personal information by adopting a static identification viewpoint, wherein legislators seek to limit the extent of personal information by listing specific categories. For example, Article 2 of the Notice on Punishing Criminal Activities Infringing on Citizens' Personal Information in accordance with law promulgated by the Supreme People's Court, the Supreme People's Procuratorate, and the Ministry of Public Security in 2013 stipulates that: "Citizens' personal information includes citizens' names, ages, valid identification numbers, marital statuses, workplaces, academic qualifications, curriculum vitae, home addresses, telephone numbers, and other information and data information capable of identifying citizens' identities or relating to their privacy." Article 4 of the Provisions on the Protection of Personal Information of Telecommunications and Internet Users, article 12 of the Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law to the Trial of Cases of Civil Disputes Over the Use of Information Networks to Infringe on the Rights and Interests of Persons, and article 104 of the Civil Code all attempt to enumerate personal information in terms of static identification.

 

In our modern society, characterized by advanced technology and extensive data collection, each individual possesses a vast amount of personal information. This personal information lacks clear boundaries and can be considered to exist in an open space. Moreover, such information can have different levels of value in different contexts and situations. Consequently, certain academics have suggested an approach to regulation that is rooted in behaviorism and is based on scenarios, taking into account the fluid and ever-changing nature of personal information. As the utilization of information technology advances, an increasing amount of information is being revealed and made accessible through public channels. Consequently, what was formerly considered non-personal information may now be classified as personal information. Simultaneously, government authorities and prominent Internet corporations are more inclined to recognize information compared to the general public, owing to their proficient capacity to gather information. This characteristic enhances the complexity of identifying personal information, as it necessitates evaluating the probability of the information being identified, considering multiple aspects, rather than simply categorizing it as a "yes or no" determination. Determining personal information relies on various factors, such as the information processor's capacity to gather and utilize the data, the court's assessment of the information's sensitivity, and the potential repercussions of disclosing the information. These specific scenarios are taken into account to ascertain whether a piece of information qualifies as personal information. The uncertainty of personal information arises from converting personal information to non-personal information, the fluctuating nature of "identifiability," and the dynamic process of determining the "identifiability" of personal information in various situations.[2]

 

2. Challenges and Legal Predicaments in Safeguarding Personal Information in China's Private Law System

2.1 Ambiguity of the legal attributes of personal information protection

The legislature has acknowledged the importance of safeguarding and overseeing personal information. However, before delving into strategies for enhancing the protection of personal information, it is imperative to establish a clear understanding of its legal status. Nevertheless, there are still numerous debates surrounding the legal position of personal information. According to normative jurisprudence, personal information has not been explicitly designated as a legal right in any legislation and regulations enacted in China since 2012. Instead, these provisions employ the terminology "protection of personal information" or "protection of personal information interests" to refer to the safeguarding of personal information. The Personal Information Protection Law (Draft) in China initially included a dedicated chapter on the "right to personal information." However, this chapter was later removed from the officially enacted Personal Information Protection Law. Instead, the term "personal information interest" is used throughout the law, indicating that there is still ambiguity regarding the legal classification of "personal information" within civil law.[3] China's laws and regulations do not explicitly include the "right to personal information." However, the expression "right to personal information" is directly used in the judicial interpretations of the Supreme People's Court and the Supreme People's Procuratorate, which are considered legal sources in China.[4] In concrete judicial practice, the protection of personal information is typically achieved by the judge’s decision. This is done by considering the specific background and scenario of the case and by invoking the rules that safeguard privacy interests or by determining tort liability. Within the framework of China's statutory law, the courts must adhere strictly to the provisions of laws and regulations when making judgments in cases. 
Consequently, a conflict arises between the current provisions, which do not recognize personal information protection as a legal right, and the usage of the term "personal information rights" in judicial interpretations and adjudicative documents. This also exemplifies the ambiguity and contradiction present in China's current legal framework and implementation regarding the safeguarding of personal information. Furthermore, given that private law predominates in China regarding the protection of personal information, it is imperative that the law clarifies the characteristics of the rights of data owners. The entitlement to personal information possesses the qualities of a natural absolute right, distinguished by its preeminence and exclusivity, concerning the regulatory framework safeguarding such information. With regard to the right to redress, the current protection of personal information primarily necessitates the aggrieved party to initiate legal proceedings in a court of law, where private law serves as the foundational mechanism and public law functions as a complementary component. As an illustration, the Cybersecurity Law clearly stated that obtaining the "consent of the person being collected" is a crucial requirement for gathering and handling personal information. This requirement serves as the foundation for legality and has the distinct characteristic of empowering individuals against the illegitimate gathering of personal data.

 

2.2 Dilemma of the traditional protection model of personal information and privacy rights

The issue of privacy violation has posed challenges for traditional tort law in the context of today's contemporary information society. In conventional privacy violations, the infringing party often consists of an individual or a distinct entity. The act of infringement is readily identifiable, and the proof of infringement is very straightforward to gather. However, in contemporary privacy violations, the target of infringement often involves multiple or unspecified entities. The online realm further complicates the detection of such infringements, particularly when it comes to information packaged for resale. It becomes challenging to identify the specific entity responsible for the infringement, as well as the exact process involved. Consequently, current acts of infringement exhibit a greater level of secrecy and complexity. Furthermore, the traditional notion of privacy violation requires the presence of harm or loss as a prerequisite. In contrast, in the context of the contemporary information society, privacy infringement may not directly impact the individual, but rather manifest as an indirect or potential violation. Currently, it is widespread for certain entities to gather, bundle and sell personal data to third parties. This practise primarily involves the collection and packaging of information through specific procedures. Although this behaviour does not directly and significantly harm individuals, it becomes problematic when the third parties misuse the personal data for harassment or malicious manipulation, which become evident only after the infringement has occurred.
Furthermore, some academics have proposed that the absolute rights of personal information be used to actively oppose the right to self-determination or the property rights of unidentified third parties over their personal information; however, this strategy may run into issues concerning overprotection of privacy interests.[5] If the narrow concept of "information self-determination" were applied to real society, then any subject who was willing to obtain personal information of an individual would need to obtain the consent and authorization of the person concerned, while any other situation would consist in illegal or unlawful collection of personal information. In this case, group communication in society would be impossible, because normal social interactions will inevitably involve and refer to other people's personal information. If laws and regulations regulate social life in accordance with the principle of "information self-determination" in the strict sense of the term, that would lead to the normalization of the phenomenon of personal information infringement and its inevitability. In a sense, the narrow meaning of "information self-determination" does not have the conditions and foundation to be established in real life.[6] However, suppose that the United States' free market system is implemented in China to safeguard personal information by treating it as property and imposing an "inform-and-choose" approach on corporations. This framework will likely not provide adequate protection for personal information.[7] This flows from the general lack of public awareness regarding the importance of safeguarding personal information and privacy. Based on a survey conducted on Chinese Internet short video users (excluding Hong Kong, Macao, and Taiwan), it was found that 50.4% of users consider privacy agreements to be inconsequential and have no interest in them.[8]
Additionally, 55.6% of users do not attach much importance to these agreements due to their limited understanding of privacy. Currently, users have a limited understanding of the importance of safeguarding their personal information, and the privacy policies of various platforms are highly technical, making it difficult for users to comprehend. For instance, WeChat, a popular social software in China, has a privacy policy of 4,357 words, which requires users to spend at least ten minutes scrolling the terms and conditions. Consequently, many users tend to disregard the privacy agreement. This demonstrates that the majority of privacy agreements and terms and conditions encountered in our daily lives have little effect on increasing users' understanding of safeguarding personal information.[9] Researchers posit that this situation arises from the disparity in people's understanding of various risks. Specifically, the infringement of personal information and privacy is considered a relatively less perilous and detrimental risk in everyday life. Therefore, groups of individuals exhibit a lower level of awareness regarding this particular type of risk.[10] Consequently, users frequently lack the necessary seriousness and thoroughness when reading privacy agreements and terms and conditions, making it challenging to make genuinely rational choices and decisions.

 

3. Jurisprudential Considerations for the Protection of Personal Information

3.1 Underlying Logic of Personal Information Protection - Protection of Personality Values

Winfried Veil, a German scholar, has condensed the legal interests that the law and regulations aim to safeguard regarding personal information. He has done so by examining the data and personal information laws and regulations of the European Union, the OECD, and Germany. These interests include "the right to determine one's information", "the ability to control information", "the basic rights and freedoms of individuals", and "protection of human dignity from data processing".[11] “Information self-determination” refers to the principle that individuals possess the authority to decide whether their personal information should be gathered and, if so, for what specific objective. However, some scholars argue that the right to self-determination does not directly provide the power to decide whether or not to disclose personal information. Instead, it indicates a lack of control rather than a right to exercise authority. Therefore, the underlying significance of “information self-determination” is the interpretation of personal data in relation to individual rights, or more precisely, it is a means of advancing personal independence. The legislation on personal information and privacy not only safeguards an individual's private rights, such as the right to determine how their information is used, but it also protects the rights and interests of individuals who may face risks and harm during the exchange and processing of personal information. These protections primarily include personal autonomy as defined by the Constitution, as well as fundamental rights and interests related to equality and personal security, which are inherent in personal autonomy.[12] This is evident in EU legislation, including the "right to data protection," which consistently highlights the idea that "protection" extends beyond safeguarding personal information from individual control, as it also encompasses the protection of personal information from external threats.
Particularly when the objective risks are greatly disproportionate to the individual's status and size, the protection is specifically designed and safeguarded due to the power imbalance between the subject of the legal assumption and the risk creator. Thus, the focus of the theory of information control is not on individuals' specific private rights to control information, but rather on safeguarding "fundamental rights and interests centered on human dignity and personal freedom" in order to prevent the violation of personal dignity and freedom resulting from the improper use of information. Thus, as previously stated, the fundamental principle of safeguarding personal information is rooted in preserving individual autonomy and integrity. However, such protection is built from a passive standpoint, meaning that the consequences of inadequately protecting personal information are used to determine the value of that information. Indeed, personal information possesses significant worth in promoting human dignity and freedom under favorable circumstances. Erving Goffman, a social psychologist, coined the term "self-expression" to refer to the entirety of an individual's social interactions and interpersonal relationships.[13] Without a doubt, individuals will unavoidably encounter the sharing of personal information when engaging in social interactions. This means that individuals will acquire the information of others or groups they interact with while revealing their information to others. Consequently, the process of self-realization will inevitably involve the utilization of personal information to generate new personal information.[14] The formation and consolidation of an individual's personality is examined and solidified through the process of self-realization, which involves the acquisition, utilization, exchange, and contemplation of personal information.
Hence, safeguarding personal information has become integral to preserving an individual's identity, and ensuring the security of personal information should align with safeguarding one's identity.[15]

 

3.2 External Forms of Personal Information Protection - Protection of Use Value

Personal information is an essential requirement for individuals to engage in social interaction and achieve personal growth. It is also a significant component of one's identity, reflecting their personality's value. From a dynamic standpoint, the utilization and transfer of personal information is an ongoing process. According to the theory of the information life cycle, the flow, analysis, and utilization of information can yield certain advantages for individuals or groups. These benefits are subject to the individual-specific law of value decay, which determines the diminishing value of personal information over time.[16]

 

The utility of personal information lies in its ability to generate various advantages for an individual, such as financial gains and other related benefits. Individuals can utilize personal information on their own or grant permission to others to utilize personal information in order to acquire property benefits. The advancement of information technology has significantly transformed both the utilization and significance of personal information. Within the realm of big data technology, the commercialization of personal information has evolved from individual usage to group usage. Individual personal information is no longer solely utilized, and this shift is most evident in the fact that the use of personal information is now primarily determined by the information collectors in the big data industry.[17] Personal information is monetized by information collectors who utilize information processing technologies to gather and evaluate personal data based on specific objectives for its use. During this process, the personal subjective worth of individuals is disregarded due to the programmatic assumptions of information processing. Information processing, as an algorithm, is primarily concerned with the information and its constituent elements rather than the individual entity itself. However, the value of big data lies in the integration and analysis of data, whereas individual data holds less value than group data. In the era of big data, personal information is characterized by aggregation and decentralization. Protecting this information necessitates the establishment of a protection logic that starts from the individual and extends to the group, from the provider of personal information to the collector, and even to the industry.

 

3.3 Extraterritorial experience in the protection of personal information

Various countries have developed distinct models for safeguarding personal information, which are based on different values and legal policies. The European Union's model focuses on protecting individual rights, while the United States follows a market-oriented approach to protection.

 

In accordance with the principle of personality rights, the European Union (EU) has elevated the safeguarding of personal data to a constitutional level. It recognizes the right to personal information as a fundamental constitutional right, aiming to mitigate the harm caused by unauthorized information processing to individuals. In contrast, the United States prioritizes the independence of the market and views personal information as commodities that can be freely exchanged. This approach disregards essential rights, such as personal dignity, which is a significant characteristic inherent in personal information.[18]

 

Many proponents of personal information protection, particularly those who advocate for personality rights, contend that personal privacy encompasses spiritual aspects such as individual privacy, personal dignity, and self-esteem, which economic or material possessions cannot substitute. Considering personal information as property would result in the objectification of privacy and individual self-worth, consequently undermining the safeguarding of privacy rights and societal values.[19] Furthermore, if personal information is exchanged without restrictions in a market-driven manner, it will result in inadequate safeguards for personal information, ultimately leading to increased violations of personal privacy.[20] Moreover, the disparity in the social and legal standing of individuals and corporations poses challenges for users in safeguarding their personal information through property rights or contracts, as they are compelled to comply with the privacy policies dictated by companies.[21] Advocates of free market protection of personal information argue that the market is the most effective way to regulate information. They believe that establishing personal information as property not only guarantees individuals' control over their information but also promotes the unrestricted exchange of personal information. According to the "Framework of Calabresi and Melamed" theory,[22] certain scholars argue that the property rule safeguards individual autonomy, while the liability rule safeguards the exchange of information. Furthermore, certain academics argue that relying solely on legislation is insufficient to ensure the safeguarding of personal data and propose that implementing a property-based framework can be a potent tool in this regard. 
Lawrence Lessig, a Harvard University scholar, argues that treating personal information as a property right can motivate businesses to prioritize user preferences, invest in privacy protection technology, and empower users to have greater control over their own information.[23]

 

The European model of personality rights protection and the American model of free marketization face numerous theoretical and practical challenges. The complex nature of personal information, which possesses both personal and public attributes, is the primary factor contributing to this dilemma.

 

4. The Path to Rightsizing Personal Information Protection in China

4.1 Discussion of options for rightsizing personal information in China

China has encountered two significant challenges in its endeavor to regulate personal information: firstly, determining whether the ownership of personal information falls under the jurisdiction of public law or private law, and secondly, discerning whether personal information should be classified as an interest or a right within the framework of private law.

 

In 2003, the State Information Office (SIO) appointed Zhou Hanhua, a professor specializing in administrative law at the Institute of Law of the Chinese Academy of Social Sciences, to oversee the creation of the Personal Information Protection Law (Expert Recommendation Draft). In 2006, Zhou Hanhua's research report classified the right to personal information as a "novel form of public law right." Additionally, most of his proposed drafts for expert recommendations are public law provisions that possess attributes of administrative law.[24] However, Chinese academics have not generally accepted this interpretation of the right to personal information as a public law right. They believe it is more effective to safeguard the right to personal information by establishing it as a civil right, specifically a private right, based on the inherent characteristics and qualities of the right. The fundamental principle underlying the right to personal information is the concept of information self-determination. This means that every individual has the authority to determine whether their information should be gathered, stored, and used by others. The unrestricted development of one's personality can only occur if one’s inherently private sphere remains free from any suspicion of intrusion.[25] The principle of information implies the potential for self-management and self-determination. Self-determination represents the manifestation of the principle of autonomy within the civil law framework. Furthermore, safeguarding personal information necessitates striking a balance between safeguarding individual interests and facilitating the reasonable flow of market information. In the era of the Internet and big data, personal information will inevitably be exchanged and circulate in the information market. Therefore, it is crucial to objectively acknowledge the nature of personal information circulation and establish laws and regulations accordingly.
This requires the recognition of the right to personal information as a civil right; only then, transactions involving personal information would be conducted under contract law, the fundamental law of the market economy.[26]

 

Accordingly, scholarly discourse has revolved around the classification of personal information protection as either a right or an interest within the realm of private law. Certain academics hold the view that personal information is a synthesis of personality rights and interests, and as such, it ought to be safeguarded and governed in alignment with the legal structure and principles governing personality rights.[27] Other academics hold the view that personal information constitutes a novel category of civil rights, which ought to be explicitly delineated in legislation as such and subject to regulation and protection.[28] The controversy at hand stems from the two main characteristics of personal information: firstly, it is inextricably linked to an individual's privacy and privacy rights as it pertains to the individual information of a natural person; secondly, it is not an absolute private good due to its public nature. Accordingly, completely restricting the circulation of personal information is neither feasible nor necessary. As a significant participant in social interconnection in the era of big data, the obstruction of the circulation and interaction of personal information will not only hinder the advancement of science and technology but also be detrimental to our society. Consequently, the advancement of contemporary society and the prioritization of safeguarding personal information are driven by the objective of overseeing and regulating the lawful and compliant dissemination of such data in order to mitigate the potential hazards associated with its circulation.

 

Presently, the majority of scholars in China who study the protection of personal information recognize that such information is a form of individual private right and employ private law to safeguard it.[29] Several scholars argue that the ability to identify personal information signifies that it holds substantial "evidence" of personal identity and possesses significant worth in terms of human dignity and individuality. Similar to how civil law safeguards the rights to privacy and a name, the components of personal information within personal data can also be subject to civil rights, specifically the right to personal information.[30] Furthermore, personal information is considered a fundamental right endowed with comprehensive and unambiguous rights. In accordance with legal provisions and established judicial practices, the right to personal information currently comprises the powers to provide informed consent, request access and rectification, object to processing, request deletion, and demand portability. These powers can mirror the characteristics of the right to personal information as an unconditional entitlement, establishing a distinct boundary for actions that are off-limits for a large but unspecified group of individuals.[31] From the standpoint of comparative law and experience outside of national borders, developed countries have been increasingly enacting legislation to safeguard and control personal information in a manner that is based on individual rights. Since the 1960s, the United States has shifted its focus from protecting the general concept of privacy to specifically safeguarding individuals' personal information. The European Union, and specifically Germany, have undergone a comparable transformation. Before the 1970s and 1980s, the legislation in Germany and several European nations safeguarded personal information under personality rights. However, with the rise and widespread acceptance of the notions of personal information and the right to control one's own personal data, personal information has progressively evolved into an independent civil right. During the evolution of European Union and German law, it is evident that safeguarding and controlling personal information has progressed from being a part of the right to privacy to becoming a distinct and fundamental right in itself.[32]

 

4.2 Evidentiary reasoning on civil rights to personal information

The safeguarding of personal information is based on the reverence for individuals' private lives and the principle of autonomy in personal matters. Any unauthorized handling of personal information may encroach upon the human dignity of individuals. Nevertheless, personal information rights and interests are granted a different level of protection compared to personality rights. Infringement upon personal information rights and interests does not necessarily result in moral harm, such as damage to personal dignity, particularly in cases where no significant harm has been inflicted. Thus, within the realm of safeguarding personal information through private law, researchers have examined the methods of protecting personal information. Currently, there are two prevailing viewpoints, namely the monistic and binary models.

The monistic model encompasses the safeguarding of personal information through either the personality right model or the property right model. According to the monistic model, the property right of information is a novel form of property right, distinguished by its value and ability to be exchanged.[33] However, this perspective blatantly disregards the presence of spiritual concerns. In the aforementioned scenario, the spiritual significance of personal information to the involved parties surpasses its material value. Consequently, applying the property rights model in this context lacks persuasiveness. Furthermore, the most crucial point is that, based on the legal development of personal information protection worldwide, personality interests—that is, the recognition and defense of an individual's privacy and human dignity as the fundamental role of the state—must form the basis of any legal framework governing the protection of personal information. The property rights model manifestly contradicts this idea. In addition, the property rights model acknowledges the legal issue of "unequal pricing for identical information about different individuals," which would undermine the principle of equality.[34] These inequalities can result in unequal access to and control over people's personal data, which can breed bias and discrimination in data and ultimately create a digital divide. According to the personality model, certain scholars argue that the right to personal information is a distinct personality right. Consequently, safeguarding the spiritual well-being associated with personal information takes precedence, followed by protecting the secondary interests related to the property it generates.[35] Additionally, some scholars propose alternative concepts, such as "constitutional human rights," "general personality rights," "new types of rights," and "the right to privacy."[36]

 

The binary model posits that personal information possesses the dual attributes of personality and property rights, necessitating separate protection for the personality and property interests associated with personal information. In the binary model, personal information is divided into personality and property interests, which are then protected by personality rights and property rights, respectively. Nevertheless, this model suffers from a notable deficiency: it precludes the simultaneous existence of personality and property interests in the context of personality rights. The value of personal information is derived from the close connection between the information and the individual. Consequently, the property interest associated with personal information is closely tied to the individual as well. Therefore, the property rights associated with personal information are solely determined by individual interests, in contrast to the previous dualistic model, which rejected this connection and was thus theoretically flawed.

 

Currently, the concept of "independent personality rights" is widely acknowledged in Chinese academic circles.[37] According to the theory of "independent personality rights," the right to personal information is a dominant personality right of a natural person to personal information that can exclude others from infringing upon it, and this right is erga omnes.[38] German scholars Larenz and Canaris identify three critical attributes of rights: attributional efficacy (Zuwiesungsgehalt), exclusionary efficacy (Ausschlussfunktion), and socially typical openness.[39] The introduction of China's personal information protection regulations clarifies that China adopts the concept of "identifiability" to define personal information. In this context, identifiability refers to the ability to attribute the personal information to a specific individual. Furthermore, while the public nature of personal information does not confer a robust control over the information itself, certain rights attributed to the right holders—such as the right to access, the right to know, and the right to make decisions—can provide exclusionary efficacy to the right to personal information. In other words, it can fulfil the exclusivity requirement and has the force of exclusion. Ultimately, implementing the "identifying" approach to personal information can establish a distinct boundary for rights. While this boundary may not be entirely definitive, it does not impede the freedom of other individuals. Therefore, the right to personal information also possesses the characteristic of being public in nature within society.[40] It is important to recognize that while personal information is considered a fundamental right in civil law, it does not grant ownership rights. This means that individuals cannot have complete control over their personal information, as such an approach lacks legitimacy and necessity.[41] Some Chinese scholars, with reference to the protection of intellectual property rights, have creatively proposed a "behavioral regulation rights-based" approach to the protection of personal information. The crux of the matter is not in owning or fully controlling the personal information itself but rather in having exclusive authority over the processes of gathering, sharing, storing, and other forms of utilization, with a system of rights centered around these processes.[42] In this mode of protection, the focus is not on the information itself, but on how it is used. This dynamic form of protection prevents the rigid control of personal information from impeding the flow of information in society and enhances the practicality of safeguarding personal information.

 

4.3 Rule of law approach to synergistic protection of personal information under public and private law

As previously mentioned, the advancement of information technology in contemporary society has presented new obstacles in safeguarding personal data. Specifically, the consolidation and dispersal of personal information have rendered the conventional legal framework, centered around civil law, inadequate in effectively preserving personal privacy. The principle of personal autonomy has progressively lost its efficacy in safeguarding personal information,[43] leaving individuals lacking the capacity for rational decision-making and self-governance in the presence of the expansive data industry. Simultaneously, the ambiguous characteristics of personal information rights and interests have also led to conflicts regarding specific rights in practice, resulting in confusion and hindrance to the progress of the information society.[44] Personal information is an integral aspect of an individual's identity, and safeguarding it should be prioritized and enhanced without hesitation, regardless of whether the focus is on proactive or reactive measures. Nevertheless, the complex requirements for safeguarding personal information and privacy make it difficult for individuals to fully comprehend the social and legal risks associated with these issues. Additionally, advancements in big data technology raise the bar for individuals to actively engage in and make decisions regarding managing their personal information. Consequently, this situation partially undermines the rights and interests of individuals in relation to their information. Conversely, the conventional "inform-choose" model poses challenges for individuals. If the informed consent mechanism for personal information data is overly strict, meaning that the use and processing of all personal information necessitates explicit authorization from the individual information holder, it will significantly impede the flow of information data. This will create challenges for information collectors and processors in gathering and processing relevant information, ultimately impacting the overall societal benefit.

 

Given the progressive shift of personal information from individual to group and from single to industry, the integration of private law and public law has been incorporated into the legal framework to safeguard personal information. Public security and social peace are essential public goods that the government and authorities should provide. Similarly, in the information age, ensuring information security and peace should be the responsibility of relevant departments. Therefore, it is reasonable for public law to intervene in the mechanism of personal information protection and share the responsibility of safeguarding personal information with private law.[45] However, in the era of big data, there is a significant disparity in information capacity and influence between those who collect and process information and those who provide it. As a result, the principles of equality and autonomy that are emphasized in traditional private law cannot be applied in this particular context. Thus, it is imperative to incorporate the tenets of public law, such as proactive safeguarding and communal safeguarding, to ensure the protection of individual personal information effectively.[46]

Furthermore, it is imperative to incorporate the notion and mechanism of "scenario-based protection" in safeguarding personal information. This entails granting individuals distinct and specific rights in various scenarios, enabling them to proactively safeguard themselves and counteract potential infringements resulting from the dominant influence of big data. The "scenario-based protection" mechanism relies on the open and dynamic nature of personal information. It suggests a regulatory approach that is behaviorist and scenario-based, resembling the dynamic identification of personal information discussed in this paper.

 

It is evident that the concept of personal information today no longer aligns with the traditional notion of "privacy" or its components. The exchange of information now possesses a bilateral nature, representing various values. Even in identical circumstances involving different subjects, there will inevitably be varying values, rights, and conflicting interests. Therefore, when establishing a new mechanism for safeguarding personal information, it is crucial to consider the bilateral characteristics of information rights and interests. Furthermore, the theory of the information life cycle has elucidated the dynamic structure and characteristics of information in circulation. Therefore, it is necessary to clarify the attributes and values of information in various forms and categories and refine the structure for information protection in a more rigorous and precise manner.



[1] Gaodeng Xuexiao Jisuanji Wangluo Dianzi Gonggao Fuwu Guanli Guiding (高等学校计算机网络电子公告服务管理规定) [Regulations on the Administration of Electronic Bulletin Service for Computer Networks in Colleges and Universities] (promulgated by the Ministry of Education, Nov. 21, 2001, effective Nov. 21, 2001), CLI.4.68490(CN) (Lawinfochina); Zhonghua Renmin Gongheguo Jumin Shenfenzheng Fa(中华人民共和国居民身份证法) [Law of the People's Republic of China on the Identity Card of Residents] (promulgated by the Standing Committee of the National People's Congress, Jun. 28, 2003, effective Jan. 01, 2004), CLI.1.47120(EN) (Lawinfochina); Weishengbu Guanyu Guifan Chengxiang Jumin Jiankang Dangan Guanli De Zhidao Yijian (卫生部关于规范城乡居民健康档案管理的指导意见) [Guidelines of the Ministry of Health on Standardizing the Management of Health Records of Urban and Rural Residents] (promulgated by the Ministry of Health, Dec. 01, 2009, effective Dec. 01, 2009), CLI.4.124318(CN) (Lawinfochina).

[2] S. Wei (石巍), W. Xue (王雪), Geren Xinxi Xinxing Baohu Kuangjia Zhi Goujian: Lujing Jiexian Yu Niming Falv Biaozhun (个人信息新型保护框架之构建:路径、界限与匿名法律标准) [Construction of a New Protection Framework for Personal Information: Path, Boundary and Anonymity Legal Standard], Xueshu Jiaoliu (学术交流) [Academic Exchange] (2021).

[3] Wen Shiyang (温世扬), Minfadian Rengequan Caoan Pingyi (民法典人格权编草案评议) [Comment on the Section of the Personality Right of the Civil Code(Draft)], Zhengzhi Yu Falv (政治与法律) [Political Science and Law] (2019).

[4] Zuigao Renmin Fayuan Fabu Liuqi Chengzhi Dianxin Zhapian Fanzui Dianxing Anli (最高人民法院发布六起惩治电信诈骗犯罪典型案例) [Six Model Cases on Punishing Telecommunication Frauds Issued by the Supreme People's Court] (promulgated by the Judicial Comm. Sup. People’s Ct., Sep. 30, 2016, effective Sep. 30, 2016), CLI.3.281442(EN) (Lawinfochina); Zuigao Renmin Fayuan Guanyu Fabu di 35 Pi Zhidaoxing Anli De Tongzhi (最高人民法院关于发布第35批指导性案例的通知) [Notice by the Supreme People's Court of Issuing the Thirty-Fifth Group of Guiding Cases] (promulgated by the Judicial Comm. Sup. People’s Ct., Dec. 26, 2022, effective Dec. 26, 2022), CLI.3.5146622(EN) (Lawinfochina); Zuigao Renmin Jianchayuan Fabu 8 Jian Geren Xinxi Baohu Jiancha Gongyi Susong Dianxing Anli (最高人民检察院发布8件个人信息保护检察公益诉讼典型案例) [Eight Model Cases of Procuratorial Public Interest Litigation for Personal Information Protection Published by the Supreme People's Procuratorate] (promulgated by the Sup. People’s Proc., Mar. 30, 2023, effective Mar. 30, 2023), CLI.3.5161315(EN) (Lawinfochina)

[5] Ding Xiaodong (丁晓东), Geren Xinxi Sifa Baohu De Kunjing Yu Chulu (个人信息私法保护的困境与出路) [Predicament of Civil Law Protection of Personal Information and Its Solution], 40 Faxue Yanjiu (法学研究) [Chinese Journal of Law] (2018).

[6] D. J Solove, The future of reputation: Gossip, rumor, and privacy on the Internet (Yale University Press. 2007).

[7] L. Lessig, Privacy as property, 69 Social Research: An International Quarterly (2002).

[8] Wang Dan (王丹), Duanshipin Yonghu De Yinsi Renzhi Yu Baohu Yishi Yanjiu (短视频用户的隐私认知与保护意识研究) [Research on Privacy Cognition and Protection Awareness of Short Video Users] (2020)  Shuoshi Dalian Ligong Daxue (硕士, 大连理工大学) [Master Degree of Dalian University of Technology].

[9] O. Ben-Shahar & C. E Schneider, The failure of mandated disclosure, Russian Journal of Economics and Law (2017).

[10] R. H Thaler & C. R Sunstein, Nudge: improving decisions about health, wealth, and happiness. 2008, Newhaven: Yale (2009).

[11] W. Veil, The GDPR: The Emperor’s New Clothes-On the Structural Shortcomings of Both the Old and the New Data Protection Law, 10 Neue Zeitschrift für Verwaltungsrecht (2018).

[12] W. Xixin (王锡锌), Geren Xinxi Guojia Baohu Yiwu Ji Zhankai (个人信息国家保护义务及展开) [State’s Obligation of Personal Information Protection], Zhongguo Faxue (中国法学) [China Legal Science] (2021).

[13] E. Goffman & P. Weber-Schäfer, Wir alle spielen Theater: die Selbstdarstellung im Alltag (Piper. 2004).

[14] Xiang Jinqiao (项金桥), Geren Xinxi Sifa Baohu (个人信息私法保护) [Protection of Personal Information in Law] (2020) Boshi, Wuhan Daxue (博士, 武汉大学) [Doctor Degree, Wuhan University].

[15] Wang Liming (王利明), Lun < Geren Xinxi Baohufa> Yu <Minfadian> De Shiyong Guanxi (论《个人信息保护法》与《民法典》的适用关系) [Application Relationship between “Personal Information Protection Law” and “Civil Code”], 1 Huxiang Faxue Pinglun (湖湘法学评论) [Huxiang Law Review] (2021).

[16] Zhang Chunying (张春颖), Xinxi Shengming Zhouqi Guanli Yanjiu Shuping (信息生命周期管理研究述评) [Review of Information Lifecycle Management Research], 30 Qingbao Kexue (情报科学) [Information Science] (2012).

[17] Xiang Jinqiao (项金桥), Geren Xinxi Sifa Baohu (个人信息私法保护) [Protection of Personal Information in Law] (2020) Boshi, Wuhan Daxue (博士, 武汉大学) [Doctor Degree, Wuhan University].

[18] Yuan Quan (袁泉), Lun Geren Xinxi De Sifa Dingwei Yu Baohu (论个人信息的私法定位与保护) [The Private Law Positioning and Protection of Personal Information], 2 Dalian Ligong Daxue Xuebao Shehui Kexue Ban (大连理工大学学报社会科学版) [Journal of Dalian University of Technology(Social Sciences)] (2020).

[19] A. L Allen, Privacy-as-data control: Conceptual, practical, and moral limits of the paradigm, 32 Conn. L. Rev. (1999).

[20] P. M Schwartz, Internet privacy and the state, 32 Conn. L. Rev. (1999).

[21] Os. H Gandy, The panoptic sort: A political economy of personal information (Oxford University Press. 2021).

[22] G. Calabresi & A Douglas Melamed, Property rules, liability rules, and inalienability: one view of the cathedral, in Modern Understandings of Liberty and Property (2013).

[23] L. Lessig, Code: And other laws of cyberspace (ReadHowYouWant. com. 2009).

[24] Zhou Hanhua (周汉华), Zhonghua Renmin Gongheguo Geren Xinxi Baohufa Zhuanjia Yijiangao Ji Lifa Yanjiu Baogao (中华人民共和国个人信息保护法 (专家建议稿) 及立法研究报告) [Law of the People's Republic of China on the Protection of Personal Information (Expert Recommendation Draft) and Legislative Research Report] (法律出版社. 2006).

[25] Chen Qixing (陈起行), Zixun Yinsiquan Fali Tantao Yi Meiguo Fa Wei Zhongxin (资讯隐私权法理探讨——以美国法为中心) [Exploring the Jurisprudence of Information Privacy--Centered on U.S. Law], 64 Zhengfa Faxue Pinglun (政大法学评论) [Chengchi Law Review] (2000).

[26] Yan Hongyan (严鸿雁), Lun Geren Xinxi Quanyi De Minshi Quanli Xingzhi Yu Lifa Lujing Jianping Geren Xinxi Baohufa Zhuanjia Yijiangao De Buzu (论个人信息权益的民事权利性质与立法路径——兼评《个人信息保护法》(专家建议稿)的不足) [On the Nature and Legislation Path of Civil Rights of Personal Information Rights and Interests], 36 Qingbao Lilun Yu Shijian (情报理论与实践) [Information Studies:Theory & Application] (2013).

[27] Luo Kun (罗昆), Geren Xinxiquan De Sifa Shuxing Yu Minfa Baohu Moshi (个人信息权的私权属性与民法保护模式) [The Private Attributes of the Right to Personal Information and the Civil Law Protection Model], 37 Guangxi Daxue Xuebao Zhexue Shehui Kexueban (广西大学学报哲学社会科学版) [Journal of Guangxi University(Philosophy and Social Science)] (2015).

[28] Wang Liming (王利明), Lun Geren Xinxiquan De Falv Baohu Yi Geren Xinxiquan Yu Yinsiquan De Jiefen Wei Zhongxin (论个人信息权的法律保护——以个人信息权与隐私权的界分为中心) [Legal Protection of Personal Information: Centered on the Line between Personal Information and Privacy], 35 Xiandai Faxue (现代法学) [Modern Law Science] (2013).

[29] Zhang Lian (张里安) & Han Xuzhi (韩旭至), Dashuju Shidai Xia Geren Xinxiquan De Sifa Shuxing (大数据时代下个人信息权的私法属性) [The Private Law Nature of Personal Information Right in the Big Data Era], 31 Faxue Luntan (法学论坛) [Legal Forum] (2016).

[30] Ye Mingyi (叶名怡), Geren Xinxi De Qinquanfa Baohu (个人信息的侵权法保护) [Protection of Personal Information by Tort Law], 40 Faxue Yanjiu (法学研究) [Chinese Journal of Law] (2018).

[31] Jin Zhen (金真), Sifa Shiyu Xia Geren Xinxiquan De Shuxing Bianxi (私法视域下个人信息权的属性辨析) [Analysis of the attributes of the right to personal information in the context of private law] (2020) Shuoshi Nanjing Daxue (硕士, 南京大学) [Master Degree Nanjing University].

[32] P. Litang (彭礼堂) & R. Chuanping (饶传平), Wangluo Yinsiquan De Shuxing Cong Chuantong Rengequan Dao Zixun Zijuequan (网络隐私权的属性: 从传统人格权到资讯自决权) [Attributes of Internet Privacy: From Traditional Personality Rights to Information Self-Determination], 24 Faxue Pinglun (法学评论) [Law Review] (2006); Qi Aimin (齐爱民), Zhengjiu Xinxi Shehui Zhong De Renge Geren Xinxi Baohufa Zonglun (拯救信息社会中的人格:个人信息保护法总论) [Saving Personality in the Information Society: A General Introduction to the Law on the Protection of Personal Information] (北京:北京千赢千赢社. 2009).

[33] L. Xiaohua (陆小华), Xinxi caichan quan Minfa Shijiao Zhong De Xin Caifu Baohu Moshi (信息财产权: 民法视角中的新财富保护模式) [Information Property Rights: A New Wealth Protection Model from a Civil Law Perspective] (法律出版社. 2009).

[34] L. Kun (罗昆), Geren Xinxiquan De Sifa Shuxing Yu Minfa Baohu Moshi (个人信息权的私权属性与民法保护模式) [The Private Attributes of the Right to Personal Information and the Civil Law Protection Model], 37 Guangxi Daxue Xuebao Zhexue Shehui Kexueban (广西大学学报哲学社会科学版) [Journal of Guangxi University(Philosophy and Social Science)] (2015).

[35] D. Shengxian (刁胜先), Lun Geren Xinxi De Minfa Baohu Jichu Jianlun Geren Xinxi Minfa Baohu De Jingshen Liyi Yu Wuzhi Liyi (论个人信息的民法保护基础——兼论个人信息、民法保护的精神利益与物质利益) [On the Basis of Civil Law Protection of Personal Information--An Introduction to Personal Information, Moral and Material Interests of Civil Law Protection], 32 Neimenggu Shehui Kexue Hanwenban (内蒙古社会科学汉文版) [Inner Mongolia Social Sciences] (2011).

[36] Z. Lian (张里安) & Han Xuzhi (韩旭至), Dashuju Shidai Xia Geren Xinxiquan De Sifa Shuxing (大数据时代下个人信息权的私法属性) [The Private Law Nature of Personal Information Right in the Big Data Era], 31 Faxue Luntan (法学论坛) [Legal Forum] (2016).

[37] W. Liming (王利明), Lun Geren Xinxiquan Zai Rengequan Fa Zhong De Diwei (论个人信息权在人格权法中的地位) [The Status of Individual Information Right in Person Right Law], 33 Suzhou Daxue Xuebao Zhexue Shehui Kexue Ban (苏州大学学报: 哲学社会科学版) [Journal of Soochow University(Philosophy & Social Science Edition)] (2012).

[38] Y. Lixin (杨立新), Geren Xinxi Fayi Yihuo Minshi Quanli Dui Minfa Zongze Di 111 Tiao Guiding De Geren Xinxi Zhi Jiedu (个人信息: 法益抑或民事权利——对《民法总则》 第 111 条规定的 “个人信息” 之解读) [Personal Information: Legal Interest or Civil Rights——An Interpretation of "Personal Information" in Article 111 of the General Provisions of Civil Law], 33 Faxue Luntan (法学论坛) [Legal Forum] (2018).

[39] Y. Fei (于飞), Qinquanfa Zhong Quanli Yu Fayi De Qufen Fangfa (侵权法中权利与利益的区分方法) [Method to Distinguish between Right and Interest in Tort Law], 4 Faxue Yanjiu (法学研究) [Chinese Journal of Law] (2011).

[40] L. Bingbin (吕炳斌), Geren Xinxiquan Zuowei Minshi Quanli Zhi Zhengcheng Yi Zhishi Chanquan Wei Canzhao (个人信息权作为民事权利之证成: 以知识产权为参照) [Justifying the Right to Personal Information as a Civil Right: Taking Intellectual Property as the Reference], 4 Zhongguo Faxue (中国法学) [China Legal Science] (2019).

[41] V. Janeček, Ownership of personal data in the Internet of Things, 34 Computer law & security review (2018).

[42] L. Bingbin (吕炳斌), Geren Xinxiquan Zuowei Minshi Quanli Zhi Zhengcheng Yi Zhishi Chanquan Wei Canzhao (个人信息权作为民事权利之证成: 以知识产权为参照) [Justifying the Right to Personal Information as a Civil Right: Taking Intellectual Property as the Reference], 4 Zhongguo Faxue (中国法学) [China Legal Science] (2019).

[43] D. Xiaodong (丁晓东), Geren Xinxi Sifa Baohu De Kunjing Yu Chulu (个人信息私法保护的困境与出路) [Predicament of Civil Law Protection of Personal Information and Its Solution], 40 Faxue Yanjiu (法学研究) [Chinese Journal of Law] (2018).

[44] Y. Quan (袁泉), Lun Geren Xinxi De Sifa Dingwei Yu Baohu (论个人信息的私法定位与保护) [The Private Law Positioning and Protection of Personal Information], 2 Dalian Ligong Daxue Xuebao Shehui Kexue Ban (大连理工大学学报社会科学版) [Journal of Dalian University of Technology(Social Sciences)] (2020).

[45] Z. Xiang (张翔), Geren Xinxiquan De Xianfaxue Zhengcheng Jiyu Dui Qufen Baohulun He Zhipeiquan Lun De Fansi (个人信息权的宪法 (学) 证成——基于对区分保护论和支配权论的反思) [Constitutional Justification of the Right to Personal Information——Based on the Reflections on the Differential Protection Theory and the Dominance Theory], 44 Huanqiu Falv Pinglun (环球法律评论) [Global Law Review] (2022).

[46] Y. Quan (袁泉), Lun Geren Xinxi De Sifa Dingwei Yu Baohu (论个人信息的私法定位与保护) [The Private Law Positioning and Protection of Personal Information], 2 Dalian Ligong Daxue Xuebao Shehui Kexue Ban (大连理工大学学报社会科学版) [Journal of Dalian University of Technology(Social Sciences)] (2020).
