Comparison Between PRC New Civil Code And Indian Personal, Privacy And Cyber Laws

The PRC Civil Code (the Civil Code) was recently passed by China's top legislature, the National People's Congress, and came into effect on January 1, 2021. This is the first time codified legislation has been passed, and it covers a wide range of rights and concerns, including property rights, contracts, marriage and family law, tort responsibility, and personal and personal dignity rights.

The Civil Code has incorporated new laws and terminology on the right to privacy and the protection of personal information, in addition to the methodical codification of elements from current legislation. Apart from the specific data privacy and cyber security provisions set out in existing legislation (e.g., the PRC Cyber Security Law, the PRC Consumer Rights Protection Law, and the Information Security Technology - Personal Information Security Specification, among others), the Civil Code details more broadly applicable provisions and introduces additional personal information protection requirements.

GENERAL PROVISIONS [1]
Article 110: A person's general right to privacy.

A natural person enjoys the right to life, the right to corporeal integrity, the right to health, the right to name, the right to likeness, the right to reputation, the right to honor, the right to privacy, and the right to freedom of marriage. A legal person or an unincorporated organization enjoys the right to entity name, the right to reputation, and the right to honor.

Article 111: A general right to protection of personal information.

A natural person's personal information is protected by law. Any organization or individual that needs to access other's personal information must do so in accordance with law and guarantee the safety of such information, and may not illegally collect, use, process, or transmit other's personal information, or illegally trade, provide, or publicize such information.

Articles 994-1000: Various general rights to seek liability claims against privacy and personal information-related infringement.

Article 994: Where the name, likeness, reputation, honor, privacy, remains, or the like, of the deceased, is harmed, the spouse, children, and parents of the deceased have the right to request the actor to bear civil liability in accordance with the law. Where the deceased has no spouse or children, and the parents of the deceased have already died, other close relatives of the deceased have the right to request the actor to bear civil liability in accordance with the law.

Article 995: A person whose personality rights are infringed upon has the right to request the actor to bear civil liability in accordance with the provisions of this Code and the other laws. Where the said person exercises his right to request the actor to stop the infringement, remove the nuisance, eliminate the danger, eliminate the adverse effects, rehabilitate his reputation, or extend apologies, the provisions on limitation periods shall not apply.

Article 996: Where the personality rights of a party are harmed by the other party's breach of contract and the injured party thus suffers severe emotional distress, if the injured party elects to request the other party to bear liability based on breach of contract, his right to claim for compensation for pains and suffering is not affected.

Article 997: Where a person of the civil law has evidence to prove that an actor is committing or is about to commit an illegal act that infringes upon his personality rights, and that failure to timely stop the act will cause irreparable harm to his lawful rights and interests, the person has the right, in accordance with the law, to request the people's court to order the actor to stop the act.

Article 998: In determining the civil liability an actor is to bear for infringing upon other's personality rights, other than the right to life, the right to corporeal integrity, or the right to health, consideration shall be given to the occupations of the actor and the injured person, the scope of impact of the act, the degree of fault, as well as the factors such as the purposes, methods, and consequences of the act.

Article 999: The name, entity name, likeness, personal information, and the like, of a person of the civil law, may be reasonably used by those engaged in news reporting, supervision of public opinions, or the like, for public interests, except that civil liability shall be borne in accordance with law where the use unreasonably harms the personality rights of the person.

Article 1000: Where an actor shall bear civil liability such as elimination of adverse effects, rehabilitation of reputation, or extension of apologies for infringing upon other's personality rights, the civil liability to be borne shall be commensurate with the specific way the act is done and the scope of its impact. Where an actor refuses to bear civil liability as provided in the preceding paragraph, the people's court may take such measures as making an announcement, publishing the final judgment, or the like, through media, such as newspapers, periodicals, or online websites, and any expenses thus incurred shall be borne by the actor.

SPECIFIC PROVISIONS:
Chapter 6 - Right to privacy and protection of personal information [2]

Article 1032: Definition of privacy rights and privacy.
A natural person enjoys the right to privacy. No organization or individual may infringe upon the other's right to privacy by prying into, intruding upon, disclosing, or publicizing other's private matters. Privacy is the undisturbed private life of a natural person and his private space, private activities, and private information that he does not want to be known to others.

Article 1033: Specific conduct that will constitute an infringement of privacy rights.
Unless otherwise provided by law or expressly consented to by the right holder, no organization or individual shall do the following acts:
  1. Intruding upon another person's private life through making phone calls, sending text messages, using instant messaging tools, sending emails and flyers, and the like means;
  2. entering into, taking photographs of, or peeping into other's private spaces such as the residence or hotel room of another person;
  3. taking photographs of, peeping into, eavesdropping, or disclosing the private activities of another person;
  4. taking photographs of or peeping at the private parts of another person's body;
  5. processing another person's private information; and
  6. infringing upon another person's privacy through other means.

Article 1034: General principle and definition of personal information protection.
A natural person's personal information is protected by law. Personal information is the information recorded electronically or in other ways that can be used, by itself or in combination with other information, to identify a natural person, including the name, date of birth, identification number, biometric information, residential address, telephone number, email address, health information, whereabouts, and the like, of the person. The provisions on the right to privacy, or, in the absence of which, the provisions on the protection of personal information, shall be applied to private personal information.

Article 1035: Conditions under which processing/handling of personal information is permitted.

The processing of personal information shall be in compliance with the principles of lawfulness, justification, and within a necessary limit, and shall not be excessively processed; meanwhile, the following conditions shall be satisfied:
  1. Consent has been obtained from the natural person or his guardian unless otherwise provided by laws or administrative regulations;
  2. The rules for processing information are publicized;
  3. The purpose, method, and scope of the information processing are clearly indicated; and
  4. It is not in violation of laws or administrative regulations or against the agreement of both parties.
The processing of personal information includes the collection, storage, use, refinement, transmission, provision, disclosure, and the like, of personal information.

Article 1036: Grounds for exemption of liability
When processing personal information, an actor shall not bear civil liability in any of the following situations:
  1. The actor reasonably performs the act to the extent that the natural person or his guardian consents to;
  2. The actor reasonably processes the information disclosed by the natural person himself or the other information that has already been legally disclosed, unless the said person explicitly refuses or the processing of the information infringes upon a significant interest of the person; and
  3. The actor reasonably performs the other acts to protect the public interest or the lawful rights and interests of the person.

Article 1037-1039: Rights of data subject and obligations of data processors
1037: A natural person may retrieve or make copies of his personal information from the information processors in accordance with the law. Where the person discovers that the information is incorrect, he has the right to raise an objection and request corrections or other necessary measures to be taken in a timely manner. Where a natural person discovers that an information processor has violated the provisions of laws or administrative regulations, or breached the agreement between both parties while processing his personal information, he has the right to request the information processor to delete it in a timely manner.

1038: An information processor shall not disclose or tamper with the personal information he collects and stores, and shall not illegally provide to others the personal information of a natural person without the latter's consent, unless the information, after being processed, cannot be used to identify any specific individual and cannot be restored to its original status. An information processor shall take technical measures and other necessary measures to ensure the security of the personal information he collects and stores, and prevent the information from being leaked, tampered with, or lost. Where a person's personal information has been or is likely to be leaked, tampered with, or lost, he shall take remedial measures in a timely manner, notify the natural persons concerned in accordance with the regulations, and report to the relevant competent authorities.

1039: State organs and the chartered institutions assuming administrative functions as well as their staff shall keep confidential the privacy and the personal information of natural persons known to them during the performance of their responsibilities, and shall not disclose or illegally provide it to others.

PROVISIONS THAT ARE INDUSTRY SPECIFIC[3]
Article 1030: Handling of information by credit agencies
The provisions of this Book on the protection of personal information and the relevant provisions of other laws and administrative regulations shall be applied to the relationship between persons of the civil law and the credit information processors such as a credit reporting agency.

Article 1226: Provisions governing the protection of patients' privacy rights and personal information by medical institutions and their medical personnel.

Medical institutions and their medical staff shall keep their patient's private information and personal information confidential. Anyone who divulges the private information or personal information of a patient or discloses his medical records without the patient's consent shall bear tort liability.

INDIAN LAWS FOR CYBERSPACE
Information Technology Act, 2000 [4]
The Information Technology Act, which was enacted in 2000, governs Indian cyber legislation. The main goal of this Act is to provide e-commerce with trustworthy legal protection by making it easier to register real-time records with the government. However, as cyber attackers became more cunning, coupled with the human tendency to misuse technology, a number of adjustments were made. The ITA, which was passed by India's Parliament, emphasizes the severe punishments and penalties that protect the e-governance, e-banking, and e-commerce sectors. The scope of ITA has now been expanded to include all of the most recent communication devices.

The IT Act is the principal statute under which cyber crimes are governed in India. Its key sections are:
  • Section 43 - Applicable to people who damage computer systems without permission from the owner. The owner can fully claim compensation for the entire damage in such cases.
  • Section 66 - Applicable in case a person is found to dishonestly or fraudulently commit any act referred to in Section 43. The penalty in such instances can be imprisonment of up to three years or a fine of up to Rs. 5 lakh.
  • Section 66B - Incorporates the punishments for fraudulently receiving stolen communication devices or computers, carrying a possible three years' imprisonment. A fine of Rs. 1 lakh may also be added to this term, depending upon the severity.
  • Section 66C - This section covers identity theft involving imposter digital signatures, hacked passwords, or other distinctive identification features. If the accused is proven guilty, imprisonment of three years might also be accompanied by a fine of Rs. 1 lakh.
  • Section 66D - This section was inserted on-demand, focusing on punishing cheating by impersonation using computer resources.

Indian Penal Code (IPC), 1860 [5]
The Indian Penal Code (IPC), 1860, and the Information Technology Act of 2000 are both used to prosecute identity theft and related cyber offenses.

The primary relevant sections of the IPC covering cyber frauds are:
  • Forgery (Section 464)
  • Forgery pre-planned for cheating (Section 468)
  • False documentation (Section 465)
  • Presenting a forged document as genuine (Section 471)
  • Reputation damage (Section 469)

The Companies Act of 2013 [6]
The Companies Act of 2013 is referred to by corporate stakeholders as the legal requirement for the refinement of daily operations. This Act's directives consolidate all required techno-legal compliances, putting less compliant businesses in a legal bind.

The Companies Act of 2013 gave the SFIO (Serious Frauds Investigation Office) the authority to prosecute Indian corporations and their directors. Also, after the notification of the Companies Inspection, Investment, and Inquiry Rules, 2014, SFIOs have become even more vigilant and stern in this regard.

All regulatory compliances, including cyber forensics, e-discovery, and cyber security diligence, are well-covered by the legislature. The Companies (Management and Administration) Rules, 2014 establishes stringent requirements for corporate directors and leaders in terms of cyber security obligations and responsibilities.

NIST Compliance [7]
The Cyber Security Framework (NCFS), accredited by the National Institute of Standards and Technology (NIST), provides a harmonized approach to cyber security as the most reliable global certifying body. The NIST Cyber Security Framework includes all necessary rules, standards, and best practices for effectively managing cyber-related risks. The flexibility and cost-effectiveness of this system are top priorities. It increases resilience and safety.

Right to Privacy [8]
Article 21 of the Constitution of India states that “No person shall be deprived of his life or personal liberty except according to procedure established by law”. After reviewing Article 21, it can be determined that the term 'life' encompasses all parts of existence that contribute to a man's life being significant, complete, and worthy.

In the Indian Constitution, the right to privacy was not listed as a fundamental right. Then, in the case of Puttaswamy v. Union of India, a nine-judge Supreme Court bench decided that the right to privacy is a fundamental right protected under Part III of the Indian Constitution.

The key points of the judgment are:
  1. Right to Privacy - A Fundamental Right
    The Supreme Court ruled that the right to privacy is a fundamental right that doesn't need to be expressed explicitly and may be drawn from Articles 14, 19, and 21 of the Indian Constitution. It is a natural right that is intertwined with the rights to life and liberty. It is a fundamental and inherent right that belongs to a person and encompasses all information about that person as well as the decisions he or she takes. It shields a person from state surveillance in their homes, over their movements, and over their reproductive decisions, partners, and eating habits, among other things. As a result, any government action that infringes on the right to privacy is subject to judicial review.
     
  2. Not an Absolute Right - Subject to Reasonable Restrictions
    The Supreme Court was careful to point out that the fundamental right to privacy is not absolute, and that it will always be subject to reasonable limitations. It was held that the state can limit the right to privacy to defend legitimate state objectives, but only if it follows the three-pronged test outlined below:
    • Existence of a legal framework that justifies a breach of privacy.
    • A valid state objective or need that assures that the type or content of this law falls within the reasonableness zone and serves to prevent arbitrary government action.
    • The tools used by the government are proportional to the goals and needs that the law is attempting to address.

Personal Data Protection Bill (PDPB) [9]
The proposed Personal Data Protection Bill (PDPB) aims to replace India's present data protection rules in a comprehensive manner. The previous regulating law, the Information Technology Act of 2000 (IT Act), has been unable to cope with the significant improvements in technology. Cybercriminals have been continuously developing new ways to access personal information in India, which has recently seen a tremendous spike in cyber attacks. To make matters worse, the pandemic has accelerated the digital ecosystem by years, and virtual work has widened the attack surface available to hackers.

It would be India's first law completely dedicated to data privacy and security.

It includes the following topics:
  • Notice and prior consent requirements for the use of personal data.
  • Constraints on the types of data that can be collected or processed, as well as requirements to guarantee that just the data needed to provide a service is collected.
  • Requirements for data localization necessitate the hiring of data protection officers within organizations.
  • To secure and govern the use of citizens' personal data, a separate regulator named the Data Protection Authority of India (DPA) is to be established.

The proposal, recommended in 2019, is presently being analyzed by a joint parliamentary committee after several stakeholders, including social media firms, privacy experts, and even ministers, objected to a few of its regulations.

Author's Opinion.
In my opinion, China has come up with more specific legislation for the privacy and protection of personal information of its individuals, regardless of having specific legislation for cyber security, e.g., the PRC Cyber Security Law, the PRC Consumer Rights Protection Law, and the Information Security Technology - Personal Information Security Specification. The PRC Civil Code details more broadly applicable provisions and has also introduced additional personal information protection requirements.

The pandemic has now caused the world to shift from an offline work mode to an online work mode. With the increase in dependence of the world on the virtual world and the personal information of individuals being on every website or social media platform, and also a drastic advance in technology, it feels very necessary to have specific provisions or specific legislation that deals with Privacy and protection of personal information related issues.

On the contrary, India no doubt has laws that deal with cyber protection and security, but these laws and provisions were formulated more than 2 decades ago, when technology wasn't as advanced as it is now. I personally have come across so many cyber frauds and crimes happening all around, not just impersonation or hacking of accounts or computer systems but also breaches of the privacy and personal information of individuals. As of now, India is, firstly, in dire need of new regulations for cyber attacks and crimes.

The Information Technology Act of 2000 has been unable to deal with current improvements in technology, thus seeing advanced cyberattacks that couldn't have been thought of 20 years ago. Newly formulated cyber laws that keep in view the current technological advancements are necessary. Talking about privacy rights, India has only Article 21 of the Indian Constitution, which is the right to life and liberty and which can be interpreted as a privacy right, and that isn't enough. India, as such, doesn't have a particular right to privacy and no provisions for the protection of personal information. There is a dire need for privacy rights and protection of personal information provisions or a different regulation for the same.

The formulation of privacy laws and personal information protection provisions in the PRC's new civil law code is a great piece of work and much required in these digital times.

End-Notes:
  1. National People's Congress, Civil Code of the People's Republic of China (2020) <http://www.npc.gov.cn/englishnpc/c23934/202012/f627aa3a4651475db936899d69419d1e/files/47c16489e186437eab3244495cb47d66.pdf> accessed January 10, 2022.
  2. National People's Congress, Civil Code of the People's Republic of China (2020) <http://www.npc.gov.cn/englishnpc/c23934/202012/f627aa3a4651475db936899d69419d1e/files/47c16489e186437eab3244495cb47d66.pdf> accessed January 10, 2022.
  3. National People's Congress, Civil Code of the People's Republic of China (2020) <http://www.npc.gov.cn/englishnpc/c23934/202012/f627aa3a4651475db936899d69419d1e/files/47c16489e186437eab3244495cb47d66.pdf> accessed January 10, 2022.
  4. Vinit Verma, Importance of Cyber Law in India (legalserviceindia.com) <https://www.legalserviceindia.com/legal/article-1019-importance-of-cyber-law-in-india.html#:~:text=Cyber%20Laws%20In%20India> accessed February 14, 2022.
  5. Harshit Agarwal, Cybersecurity Laws in India (www.appknox.com) <https://www.appknox.com/blog/cybersecurity-laws-in-india>.
  6. Ibid.
  7. Harshit Agarwal, Cybersecurity Laws in India (www.appknox.com) <https://www.appknox.com/blog/cybersecurity-laws-in-india>.
  8. Hina Iliyas, Right to Privacy under Article 21 and the Related Conflicts (www.legalservicesindia.com) <http://www.legalservicesindia.com/article/1630/Right-To-Privacy-Under-Article-21-and-the-Related-Conflicts.html>.
  9. Angelina Talukdar, Key Features of the Personal Data Protection Bill, 2019 - Privacy - India (www.mondaq.com, March 16, 2020) <https://www.mondaq.com/india/data-protection/904330/key-features-of-the-personal-data-protection-bill-2019> accessed February 14, 2022.
