The definition of personal information in our laws is scattered in different laws, rules and regulations and judicial interpretations, and has not yet formed a unified legal definition.
Personal information means information that can be recorded electronically or otherwise to identify a natural person individually or in combination with other information, including but not limited to the natural person’s name, date of birth, identity document number, personal biometric information, address, telephone number, etc.
Evaluation: Personal information is defined in an enumerated manner as information that personally identifies a natural person, but the extent of the extension is not clear.
2. Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Certain Issues of the Applicable Laws in Handling Criminal Cases of Violation of Citizens’ Personal Information (effective June 1, 2017) – Judicial Interpretation
Article 253, paragraph 1, of the Criminal Code provides that “personal information of citizens” refers to information that can be recorded electronically or otherwise to identify a particular natural person or to reflect the activities of a particular natural person, either alone or in combination with other information, including name, identity document number, means of communication, address, account password, property status, trajectory, etc.
Evaluation: By defining personal information in an enumerated manner as information that identifies a specific natural person + information that reflects the activities of a specific natural person, the definition of personal information in this judicial interpretation is more complete than the cybersecurity law, and is also more consistent with the path of traces of personal information in the era of big data.
3. Information Security Technology: Personal Information Security Code (implemented on 1 May 2018) – Departmental Regulations
Personal information means information recorded electronically or otherwise that identifies a particular natural person or reflects the activities of a particular natural person, either alone or in combination with other information. Such as name, date of birth, identity card number, personal biometric information, address, correspondence contact, communication records and content, account password, property information, credit information, trajectory, accommodation information, health physiological information, transaction information, etc.
Evaluation: This definition follows the definition of personal information in the judicial interpretation of the two High Courts, and the scope and types of personal information are listed in Appendix A, which includes personal Internet records (including web browsing records, software usage records, and notes), information on personal commonly used devices (including hardware serial number, device MAC address, software list, unique device identification number, and other information describing the basic conditions of personal commonly used devices), and personal location information (including track, accurate location information, accommodation information, latitude and longitude, etc.). However, it should be noted that Appendix A of the Code of Information Security Technology for Personal Information Security (hereinafter referred to as “the Code”) is an “informational appendix”, not a “normative appendix”, and its effect is not equivalent to the body of the standard, but a reference standard, and it is not recommended to directly invoke this appendix in practice.
In summary, although the Cybersecurity Law has a higher legal rank, the Code is only a recommended national standard, does not have coercive force and law and evil forces, but in judicial practice, the Code has guidance significance that cannot be ignored. Therefore, the legal definition of personal information should refer to the definition of the Code, which is also relatively more comprehensive and complete and more conducive to the protection of civil rights.