DCC
Data Compliance China
Search · ⌘K
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · CIVIL CODE (PI CHAPTER)

Civil Code — Personality Rights Book, Chapter on Privacy and Protection of Personal Information.

中华人民共和国民法典 · 人格权编 · 隐私权和个人信息保护章

FILED UNDER · Personal Information

Adopted at the 3rd Session of the 13th National People’s Congress on May 28, 2020. Effective January 1, 2021.

The Civil Code is China’s first codified civil law. Articles 1032 through 1039 appear in Book IV (Personality Rights), Chapter VI (Right to Privacy and Protection of Personal Information). These eight articles provide the civil-law underpinning for personal-information protection in China — they sit alongside PIPL rather than being superseded by it.

Chapter 6 Right to Privacy and Protection of Personal Information

Article 1032. A natural person shall enjoy the right of privacy. No organization or individual may infringe upon the privacy of any other person by spying, invading and harassing, disclosing or disclosing the relevant information or by any other means. Privacy is a natural person’s private life peace and do not want to know for others private space, private activities, private information.

Article 1033. Unless otherwise prescribed by the law or specifically agreed by the rights holders, no organization or individual may carry out any of the following acts: 1. disturbing the private peace of others by means of telephone, text message, instant messaging tools, e-mails, leaflets, etc.;

(II) Entering, shooting or peeping into the private spaces of others’ houses or hotel rooms;

(III) Photographing, peeping, eavesdropping, or making public the private activities of others;

(IV) taking photos of or peeping at private parts of others’ bodies;

(V) Dealing with the confidential information of others;

(VI) infringing upon the privacy of others by other means.

Article 1034. The personal information of a natural person shall be protected by the law. Personal information refers to all kinds of information recorded by electronic or otherwise that can be used to independently identify or be combined with other information to identify specific natural persons, including the natural persons’ names, dates of birth, ID numbers, biometric information, addresses, telephone numbers, e-mail addresses, health information, whereabouts, etc. For the confidential information included in personal information, the provisions on privacy rights shall apply; if no provisions are available, the provisions on personal information protection shall apply.

Article 1035. The handling of personal information shall be subject to the principle of legitimacy, rightfulness and necessity, shall not involve excessive handling and shall meet the following conditions: 1. unless otherwise provided by laws or administrative regulations, with the consent of the natural person or the guardian thereof; and

(II) rules on disclosure of processing information;

(III) to expressly state the purpose, method and scope of information treatment;

(IV) The provision of the laws and administrative regulations and the agreement of both parties shall not be violated. Personal information processing includes the collection, storage, use, processing, transmission, provision and disclosure of Personal information, etc.

Article 1036. Where the handling of personal information falls under any of the following circumstances, the actor concerned shall not bear civil liability: 1. Acts performed reasonably within the scope agreed by the natural person or his or her guardian;

(II) Deal reasonably with the information made public by the natural person himself or herself or other information that has been legally made public, unless the natural person explicitly refuses to do so or deals with the circumstance where such information infringes upon his or her major interests; and

(III) Other reasonable acts performed to protect the public interests or the legitimate rights and interests of the natural persons.

Article 1037. A natural person may consult or copy his/her personal information with any information processor in accordance with the law; if any error is found in the information, the natural person has the right to raise an objection and request the information processor to take necessary measures such as corrections in a timely manner. Where a natural person discovers that an information processor has processed his/her personal information in violation of the provisions of laws and administrative regulations or the agreement between both parties, he/she shall have the right to request that the information processor promptly delete the information.

Article 1038. Information processors shall not divulge or tamper with personal information collected or stored by them; without the consent of a natural person, information processors shall not illegally provide personal information of such person to others, except for information that has been processed and cannot be identified with specific persons and cannot be restored. An information processor shall take technical measures and other necessary measures to ensure the security of the personal information it collects and stores and to prevent the information from being divulged, tampered with or lost; where personal information has been or may be divulged, tampered with or lost, it shall take remedial measures in a timely manner, inform the natural person concerned in accordance with the provisions and report the case to the relevant competent department.

Article 1039. State organs, statutory agencies with administrative functions and their staff shall keep confidential the privacy and personal information of natural persons that come into their knowledge during the performance of duties, and shall not divulge the same or illegally provide the same to others.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

7 briefs reference this law.

  • § 01 · AI-GOVERNANCE

    Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy

    Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.

    ai-governance · genai · personal-information
  • § 02 · PERSONAL-INFORMATION

    Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It

    Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces.

    personal-information · platform-economy · gig-economy
  • § 03 · DATA-PROPERTY-RIGHTS

    Wang Nian — Data Source's Rights as a 'Fair Use' Right Alongside the Three Rights

    Wang Nian (Tsinghua Law) takes on the unresolved fourth-right question in the Data 20 Articles framework: what is the data source's right (数据来源者权), and how does it relate to the three rights (hold/use/operate)? Drawing on the 'data symbiosis' (数据共生) framework from the ALI-ELI Data Economy Principles and the EU Data Act, Wang argues that pre-existing legal entitlements — privacy, PI rights, IP, trade secrets — cover only part of the source's interest, leaving a residual that needs an independent legal protection. He frames the data-source right as a 'fair use right' (公平使用权): a contractual-relationship right against the specific data processor, distinct from the property-style three rights, that captures the value contribution of the source's participation in data co-creation. The corporate-data-portability analog DCC flagged in our NDA brief gets its doctrinal foundation here.

    data-property-rights · data-twenty · data-source-rights
  • § 04 · DATA-PROPERTY-RIGHTS

    Who Is the 'Data Processor' Under the Three-Rights Framework — NDA's Farm-Equipment Hypothetical

    NDA's official 政策解读 on the threshold question that every three-rights allocation depends on: who is the 'data processor' and who is the 'information subject'? NDA uses a farm-equipment hypothetical — a farm rents tractor, irrigation, and fertilizer equipment from three different vendors; cultivation data is captured in the process — to work through who collects, who decides processing purposes, and how the property-rights regime balances the data-processor's commercial interest against the information-subject's rights to access copies of relevant data. The piece sketches the basic information-subject vs. data-processor dichotomy that anchors the entire downstream data-element regime, and surfaces the access-to-data right (data portability for commercial entities) that overseas counsel often miss.

    data-property-rights · data-twenty · data-processor
  • § 05 · DATA-PROPERTY-RIGHTS

    Cloud, BPO, and Other Entrusted-Processing Arrangements: Why the Processor Doesn't Get the Rights

    NDA's official 政策解读 on a tactically critical sub-question of the three-rights framework: when a data processor outsources storage, processing, or analysis to a third-party service provider — typical cloud, BPO, or e-government-system arrangements — does the entrusted party acquire any of the three property rights? NDA's clear answer: no. The entrusted processor (受托人) is not a 'data processor' in the property-rights sense — it merely executes instructions on behalf of the data processor (the principal). It cannot use the data outside the entrusted scope, cannot transfer the data into market circulation, and cannot apply the data to its own debt repayment or bankruptcy distribution. The line is anchored to the Civil Code's contract-of-mandate rules — a long-standing piece of Chinese commercial law extended cleanly into the data-element regime.

    data-property-rights · data-twenty · entrusted-processing
  • § 06 · CRIMINAL-LIABILITY

    When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold

    Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.

    criminal-liability · pipl · judicial-interpretation
  • § 07 · CSL

    China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed

    On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.

    csl · csl-2025-amendment · ai-governance
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.