Chapter 4: Privacy interests – Internet Law in China


Privacy interests


This chapter first introduces the concepts of privacy and the right to privacy, and the development of privacy law. It then examines how traditional invasion of privacy claims have been applied to speech in cyberspace. In the final section, the chapter focuses on several specific issues crucial to the protection of online privacy, including data collection, online profiling, and data protection paradigms.

Key words


privacy law


intrusion on seclusion

disclosure of private facts

data collection

data protection

online profiling

With the rapid development of information technology, human society has entered into an era of unprecedented information explosion. People avail themselves of the Internet to communicate and connect with one another; meanwhile, the collection of personal information has become easier than ever before, due to the abundance of such information in cyberspace. As long as one’s personal information is available on the Internet, it will spread around the world rapidly, and can be downloaded and copied without limit. Therefore, while the Internet provides numerous and substantial benefits to individuals, it also imposes a huge challenge for the protection of their privacy. This chapter begins with a brief introduction to privacy law, including the definition of privacy, the definition of the right to privacy, and the development of privacy law. It then investigates how existing laws on invasion of privacy have been applied to the Internet. Finally, it examines the numerous ways that courts, legislatures, regulators, and businesses have attempted to protect individuals from threats to privacy imposed by online data collection and disclosure.

Introduction to privacy law

Privacy and the right to privacy

Privacy can be defined as personal secrecy unrelated to matters of public interest. It includes the three aspects of private information, private activities, and private space.1 Private information refers to all data and information about a person, such as his name, pictures, domiciles, weight, height, income, life experience, phone numbers, and medical records. Private activities refers to all individual activities that a person is reluctant to publicize, such as his/her daily schedule, social interaction, sexual life with spouse, and extramarital sexual life. Private space refers to the secret space of a person, such as the secret parts of his/her body, his/her habitation, diaries, correspondence, travel luggage, and nowadays virtual space.

The right to privacy refers to the right of a person to keep private his personal information, personal activities, or personal space that is not of legitimate public interest or concern. The purpose of protecting the right to privacy is to ensure that everyone has a right to live in society without being disturbed. The core of the right to privacy arguably lies in a person’s right to determine how to deal with his privacy. Therefore, it is an invasion of privacy to spy on or publicize the personal secrecy of any person, if such an act is against his will.

Generally speaking, the right to privacy includes the following four aspects: (a) the right to live a quiet and peaceful life. Everyone shall have the right to live quietly and peacefully. For instance, his personal life should be free from illegal prying and harassment; and his house should be free from illegal surveillance, monitoring or photographing; (b) the right of control over personal information. Everyone shall have the exclusive right to collect, store, protect, and disseminate his personal information, such as about his health, life experience, religious beliefs, marital status, financial status, and social relations; (c) the right to privacy of communication and correspondence. Everyone shall have the right to privacy of correspondence, telephone communication, mail, e-mail, cable, and other communications; and (d) the right to make use of one’s own privacy. Everyone shall have the right to make use of his privacy for commercial or non-commercial purposes, unless otherwise prohibited by law. For instance, he may use his life experience to create literary works in order to obtain economic benefit. However, the use of his own privacy shall not violate the law or harm the public interest. For example, he is not allowed to make use of his body to produce obscene works for dissemination; such an act will constitute a criminal offense in serious circumstances.

In accordance with Chinese law and social norms, Chinese citizens have at least nine specific rights related to privacy. They include: (a) citizens have the right to keep their names, portraits, addresses, home telephone numbers, and other personal information private. Such information shall not be spied on, publicized, or disseminated without their permission; (b) citizens’ personal activities, especially in their houses, shall not be monitored, spied on, or pried into, except as monitored in accordance with law; (c) citizens’ residences shall not be unlawfully entered, pried into, or harassed; (d) citizens’ sexual lives shall not be intervened into, pried into, investigated, or publicized; (e) citizens’ savings and property conditions shall not be investigated or publicized, except as required by law; (f) citizens’ correspondence, diaries, and other personal documents (including private information stored on computer) shall not be pried into or publicized; citizens’ personal data shall not be unlawfully gathered, transmitted, processed, and utilized; (g) citizens’ social relationships, including friendships and family relationships, shall not be unlawfully investigated or publicized; (h) citizens’ archival materials shall not be unlawfully publicized or made known to people who have no right to know; and (i) citizens’ previous or current personal experience shall not be collected or disclosed, even if it has already been publicized elsewhere.2

Development of privacy law

The concept of privacy was first put forward in 1890 by two American scholars, Samuel D. Warren and Louis D. Brandeis, in their article “The Right to Privacy,” which was published in the Harvard Law Review. Mainly concerned with the news media’s invasion into personal privacy, they argue that news reporters sometimes make great efforts to create rumors so as to cater to the poor taste of their readers, and that these rumors often cross the sacred boundary of personal privacy and violate social norms. In their view, everyone has a right to live undisturbed, i.e., “the right to be let alone.” Any infringement on this right shall be considered an invasion of privacy. With the advance of human society, the concept of privacy was gradually expanded to include many other personal aspects such as property, genes, health, and physiological information. But the right to privacy was still considered a defensive and passive right, which was felt only after being violated. In the current information era, personal details are not merely exposed by the news media; they may be also gathered, provided, or publicized by private or public entities. Therefore, legal scholars have proposed an alternative concept of privacy, namely, “the right to control one’s own privacy,” and they argue that individuals should have the right to determine whether and how to publicize and utilize their own private information. From this perspective, the right to privacy can be considered a positive right.3 Over time, it has become much easier for individuals or organizations to obtain access to personal information because of the development of information technology, and the scope of privacy protection is expected to be expanded accordingly.

Although Chinese law has not established privacy as an independent right, many laws suggest the recognition and protection of privacy. Article 38 of the current Constitution stipulates that the personal dignity of citizens is inviolable; Article 39 stipulates that the residences of citizens are inviolable: unlawful searching of, or intrusion into, a citizen’s residence is prohibited; Article 40 provides that the freedom and privacy of citizens’ correspondence are protected by law: no organization or individual may, on any grounds, infringe upon citizens’ freedom and privacy of correspondence, unless otherwise stipulated by law. These constitutional provisions provide the basis for the protection of privacy in other law sectors.

In the field of civil law, the NPC passed the General Principles of the Civil Law in 1986. Since law makers lacked understanding of the concept of privacy at that time, this civil law established only such personal rights as the right of name, portrait, reputation, honor, and life and health, and left out the right of privacy. This defect in the legislation was corrected to a certain degree in two subsequent judicial interpretations. In 1988, the Supreme Court issued the Opinions on Several Issues Concerning the Implementation of the General Principles of the Civil Law (for Trial Implementation). This judicial interpretation stipulated two types of privacy-related tort, i.e., infringement of a citizen’s right of portrait, and the act of unlawfully disclosing a citizen’s private facts in oral, written, or other forms. In 1993, the Supreme Court promulgated the Interpretation on Several Issues about the Trial of Cases Concerning the Right of Reputation, of which Article 7 provides that acts of disclosing or disseminating a person’s private materials without his consent shall be handled as an infringement of the right of reputation. This provision clearly includes the disclosure of private facts as an infringement of privacy. In 2009, the NPC Standing Committee passed the Tort Liability Law, of which Article 2 explicitly stipulates that privacy is a civil right and the invasion of one’s privacy shall bear tort liability. This means that privacy as a fundamental human right has been officially written into Chinese law.

In accordance with Chinese criminal law, anyone who intentionally violates others’ right to privacy and thereby causes serious consequences shall be criminally punished. Specifically, Article 245 of the Criminal Law states that “a person who unlawfully subjects another person to a bodily search or a search of his residence or unlawfully intrudes into another person’s residence shall be sentenced to a fixed term of imprisonment of not more than three years or criminal detention”; Article 252 provides that “a person who conceals, destroys or unlawfully opens another person’s letters, thus infringing upon the citizen’s right to freedom of correspondence, shall be sentenced to a fixed term of imprisonment of not more than one year or criminal detention if the circumstance is serious”; and Article 253 stipulates that “a postal worker who opens, conceals or destroys mail or telegrams without authorization shall be sentenced to a fixed term of imprisonment of not more than two years or criminal detention.” This shows that China’s criminal law mainly focuses on preventing a citizen’s residence and correspondence from being trespassed on or intruded into, while many other serious invasions of privacy have not yet been criminalized.

Chinese procedure law also provides protection for citizens’ right to privacy. Article 152 of the Criminal Procedure Law clearly stipulates that cases of first instance in a court shall be heard in public, but cases involving citizens’ private affairs shall not be heard in public. In a similar vein, Article 120 of the Civil Procedure Law provides that civil cases in a court shall be heard in public but civil cases involving citizens’ private affairs shall not be heard in public; Article 66 provides that evidence shall be presented in the court and cross-examined by the parties but evidence that involves citizens’ private affairs shall not be presented in an open court session. As far as the Administrative Procedure Law is concerned, Article 45 states that administrative cases in a court shall be tried in public, but those that involve the private affairs of individuals shall be an exception. Article 30 proposes that a lawyer who serves as an agent may consult materials pertaining to the case, and may also investigate among, and collect evidence from, relevant individuals and organizations; if the information involves individuals’ private affairs, he shall keep it confidential; and the involved parties may consult the materials relating to the court proceedings of the case, but shall not consult the involved individuals’ private affairs.

Other Chinese laws, such as the Administrative Reconsideration Law, the Administrative Punishment Law, the Law on the Protection of Minors, the Law on the Protection of Women’s Rights and Interests, the Law on the Protection of Disabled Persons, the Law on the Protection of Rights and Interests of the Aged, and the Law on the Protection of Consumers’ Rights and Interests have also provided protection for privacy. All of the above-mentioned laws provide a framework for us to understand China’s protection of privacy in cyberspace. The next section will explore how these laws are used to deal with the issue of Internet privacy.

Invasion of privacy claims

American legal scholar William L. Prosser divided all cases concerning invasion of privacy into four categories: (1) “appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness”; (2) “intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs”; (3) “public disclosure of embarrassing private facts about the plaintiff”; and (4) “publicity which places the plaintiff in a false light in the public eye.”4 The four categories of invasion of privacy have been adopted by U.S. tort law, and by most U.S. state laws. In China, the first category involves the issue of infringing on one’s rights to name and portrait, which have been individually protected by law. In fact, the right to personal name and portrait is closely related to the right to privacy, so that the former is discussed as an integral part of the latter in this chapter. The second and third categories are widely recognized as invasion of privacy by Chinese law, and so both of them are examined in detail in this chapter. The last category is often treated as an infringement of reputation, which has already been covered in Chapter 3.


Appropriation of name or portrait occurs when a person uses the name or portrait of another person without permission and for personal gain or commercial purposes. In China, Article 99 of the General Principles of the Civil Law provides that citizens shall have the right of personal name and shall be entitled to determine, use, or change their personal names in accordance with relevant provisions. Article 100 provides that citizens shall have the right of portrait, and the use of a citizen’s portrait for profit without his consent shall be prohibited. These articles arguably recognize appropriation of name or portrait as a form of invasion of privacy.

Appropriation of name

A name is a word or a symbol by which a person is commonly and distinctively known. The right of name refers to a citizen’s right to choose, use, and change his name. The General Principles of the Civil Law prohibits interference with, usurpation of, and false representation of personal names, which can be viewed as three forms of appropriation of names. Interference herein refers to the act of interfering with another person’s choosing and use of his names, which can be real name, pseudonyms, and stage names. Usurpation of personal names refers to the act of using another person’s name without his consent. False representation refers to the act of engaging in economic and civil activities in the name of others. All these acts are conducted without the consent of the name holder, and probably for commercial benefit.

Case 4.1   The Luo Caixia case: appropriation of personal name5

An influential case involving appropriation of personal name is the Luo Caixia case. In 2004, Luo Caixia of Shaodong County, Hunan Province failed to enter college after the college entrance examination, but her classmate Wang Jiajun was admitted to Guizhou Normal University under her name. Luo studied for another year and then enrolled in Tianjin Normal University. She was supposed to graduate in 2009. Since her name had been appropriated, however, she encountered a series of problems with graduation, and her certificate of qualification as a teacher was also cancelled. The court found that Wang’s father was a senior official at the Police Department of Shaodong County and he had unlawfully managed to get his daughter into college under Luo’s name. The case was eventually mediated. Both Wang and her father were required to bear tort liability. Luo also graduated successfully with her teaching certificate.

5. The case information was obtained from the website

In addition, Chinese civil law provides protection for enterprise names equal to that provided for personal names. Like individuals, enterprises are also entitled to choose, use, and change their names. However, commentators point out that the protection of personal names should be treated differently from the protection of enterprise names. The purpose of protecting personal names is to ensure that a citizen’s personal rights cannot be infringed, while the purpose of protecting enterprise names is to preserve an enterprise’s economic interests and also to maintain fair competition. The right of personal name essentially concerns the protection of citizens’ privacy, and the right of enterprise name is mainly to do with the protection of intellectual property rights, which will be covered in detail in Chapter 5.

Appropriation of portrait

Portrait refers to a likeness of a person that is created by a photographer, painter, or sculptor and fixed on certain materials such as photographic paper, paper, wood, stone, mud, and electronic media. One important feature of a portrait is its distinctiveness. A person is often distinctively recognized according to his portrait, especially his facial image. Thus, as long as an image or picture can help to distinguish one person’s appearance from another person’s, it should be considered a portrait.6 Another feature of portrait is its exclusivity. A portrait directly originates from a particular person. No matter where he is, whether he is still alive, or whether he has assigned his portrait to another person for ownership purposes, he is always the subject of his portrait. Nobody can transform the subject of his portrait into that of another person.7 The third feature of portrait is its property value. A portrait can be produced, used, sold, or transferred for economic profit. This is particularly evident for the portraits of celebrities, which often have a high market value.

The right of portrait mainly refers to the right of a citizen to produce and use his portrait. The right to produce means that a citizen has the right to produce his portrait according to his will, including the right to determine whether and how to produce his portrait, and who can produce his portrait and who cannot. Similarly, the right to use means that a citizen has the right to use his portrait according to his will, including the right to determine whether and how to use his portrait, and who can use his portrait and who cannot. It should be noted that currently only the right to use a portrait is protected by Chinese civil law.

Article 100 of the General Principles of the Civil Law clearly stipulates that the use of a citizen’s portrait for profit without his consent shall be prohibited. In other words, an invasion of a citizen’s right of portrait consists of two elements: one is to use his portrait without permission, and the other is to use his portrait for profit. While it is easy to determine the first element, it is relatively hard to identify the second. In judicial practice, whether the defendant intends to pursue economic profit by appropriation of the plaintiff’s portrait is often a key factor in determining whether or not the defendant’s act constitutes a tort. The most commonplace appropriation of portrait occurs in marketing activities. Focusing on this problem, Article 130 of the Opinions of the Supreme People’s Court on Several Issues Concerning the Implementation of the General Principles of the Civil Law (for Trial Implementation) mandates that using one’s portrait to produce advertisements, trademarks, window dressing, etc. for profit without his consent shall be considered an infringement of his right of portrait (Case 4.2).

Case 4.2   Zhuo Xiaohong v. Sun Dexi and Chongqing Dairy Product Company: infringement of right of portrait8

A representative case in this regard is Zhuo Xiaohong v. Sun Dexi and Chongqing Dairy Product Company. Defendant Sun was a photographer working for a photography company. In April 1983, he took a photo of the plaintiff, based on their agreement that the photo would be used only as a sample inside the sales counter. Without the plaintiff’s permission, however, Sun and Chongqing Dairy Product Company later edited the picture and used it as a trademark for the company’s bottled products. The plaintiff therefore filed a lawsuit for portrait infringement. The court ruled that the two defendants had used the plaintiff’s portrait for commercial purposes without the plaintiff’s permission, thus infringing on the plaintiff’s right of portrait. The court determined that defendant Chongqing Dairy Product Company should immediately stop using the trademark and pay the plaintiff compensation of 300 yuan for economic loss; and defendant Sun compensated the plaintiff 150 yuan for economic loss.

8. See the case of Zhuo Xiaohong vs. Sun Dexi and Chongqing Dairy Co., published in the first issue of the Gazette of the Supreme People’s Court in 1987.

It should be pointed out that using a citizen’s portrait for matters of public interest is not regarded as an infringement in China. This includes at least the following situations: (1) using a citizen’s portrait for protecting his own interest. For example, public security organs publicizing and disseminating the portrait of a lost child; (2) using a citizen’s portrait for protecting public interests. For example, public security organs using the portrait of a criminal in a “wanted” poster, judicial organs taking pictures of criminal suspects for the compilation of relevant evidence, and university professors using the portraits of other people in their research and teaching activities; and (3) using a citizen’s portrait in news coverage. In many cases, news articles inevitably involve the use of others’ portraits. As long as such use is related to the content of news and is beneficial to society, it does not constitute any tort. Some kinds of news report do not concern public welfare but can attract public attention, such as reports about entertainment and sports celebrities. Due to the ambiguity of the concept of public interest, these kinds of report can easily spark off controversy and lead to lawsuits.9

Appropriation in cyberspace

The rapid development of the Internet and related information technology has imposed new challenges on the protection of citizens’ rights of portrait and name. For instance, many Internet users post pictures of their friends or favorite public figures on their own home pages or blogs without permission. Does this infringe upon the portrait right of those people? As discussed above, an infringement of the right of portrait must meet both of the following two conditions: one is “without consent”; the other is “for commercial use.” As long as one of the conditions is not met, it does not constitute infringement. This leads to the conclusion that if Internet users do not use others’ images for commercial purposes, they shall not be subject to an infringement charge. The question is how to define the commercial use of Internet activities. For example, posting film stars’ portraits on personal online space may not generate direct income, but it may help to increase the popularity of the space among Internet users, which can eventually lead to social or economic gain. In this situation, portraits are used indirectly for commercial purposes, and they are often uploaded without permission. If this kind of action is considered as an infringement, the circulation of public figures’ images in cyberspace will be significantly limited, and the advantage of openness inherent to the Internet will not be fully realized. One possible solution is to provide a strict definition of the scope of “commercial use.” It has been proposed that a portrait can be considered for “commercial use” only when it is used directly for commercial purposes. In cyberspace, many people in fact post others’ portraits for non-commercial purposes, but they may still risk infringing on others’ rights. This may occur when the owner of the portrait asks the poster to delete the picture for reasons of privacy, but the poster refuses to do so.

Under Article 36 of the Tort Liability Law, Internet users or Internet service providers (ISPs) should bear tortious liability in the event that they infringe upon the civil rights or interests of an individual through the Internet. This provision confirms that Internet users or Internet service providers should not post others’ portraits online for commercial profit without their consent; otherwise they will be subject to an infringement charge. Article 36 states that where an Internet user engages in tortious conduct through the Internet, the injured party shall have the right to notify the ISP and request that it take necessary measures. Where an ISP fails to promptly take necessary measures after being notified, it shall be jointly and severally liable with the Internet user for additional damage. Therefore, if a citizen asks an ISP to delete his picture which has been posted on the ISP’s website by others, the ISP should act upon the request, no matter whether or not the posting is for commercial use; otherwise the ISP will be subject to tort liability. In addition, these two provisions of the Tort Liability Law basically apply to the protection of the right of name. No one is allowed to infringe on the right of a citizen’s name; and ISPs must take effective measures in a timely manner when they are informed of infringing activities on their websites.

Case 4.3   Zhao Benshan v. Hainan Tianya Company and Google China Company: infringement of right of portrait10

In May 2009, Hainan Tianya Company and Google China Company released a flash ad on the website Tianya Community to promote their joint web-based product Tianyan Q&A. This ad used a cartoon portrait of Chinese comedy star Zhao Benshan without Zhao’s consent. Zhao sued both companies for infringing on his right of portrait. The court found that, without Zhao’s consent, Hainan Tianya and Google China had publicized a cartoon image that was highly similar to Zhao’s portrait, as well as a complementary narrative from No Lack of Money, which came directly from Zhao’s performance work. The court held that as long as a cartoon portrait can distinguish a person’s appearance from that of others, it should enjoy equal protection to that enjoyed by a portrait. In this case, Hainan Tianya had used Zhao’s cartoon image for commercial purposes without his permission, thus infringing upon Zhao’s right of portrait; Google China was mainly engaged in technical support for the website involved. It was not at fault, so it did not assume tort liability. The court determined that defendant Hainan Tianya should cease its infringing activities and publish a statement of apology in “Tianya Community,” and pay plaintiff Zhao compensation of 120,000 yuan for economic loss.

10. See “Zhao Benshan Compensated 120,000 yuan for Picture Infringement, and the Disgruntled Website Appealed to a Higher Court,” Legal Evening News, March 3, 2011.

Intrusion on seclusion

Intrusion on seclusion refers to the intentional interference with a person’s solitude or private concerns in a manner that would be highly offensive to a reasonable person. The intrusion may be physical, such as entering unlawfully into someone’s property, or technological, such as using a miniature camera. Intrusion is arguably an information gathering tort; legal wrong occurs at the time of intrusion; no publication is required.11 The purpose of the intrusion tort is “to preserve individuals’ dignity by preventing unwanted encroachment into their physical space and private affairs.”12

A typical intrusion is to trespass, steal, or intrude by electronic means into the precincts of another’s home. Chinese criminal law stipulates that anyone who unlawfully intrudes into another’s home may commit a crime. Chinese administrative law provides that intrusions which are insufficient to constitute a crime may be subject to administrative penalty. According to early Chinese civil law, the home is a type of property, and the freedom of the home should be protected by property law. Under modern civil law, however, the home is considered a private living space, and so it should be protected by privacy law. In terms of property law, intruding into another’s home usually causes little actual damage to property, and so the legal remedies awarded to the victim could be negligible. Under privacy law, the victim could claim mental anguish compensation, thus obtaining much more and better remedies. Commentators thus argue that the change to privacy law protection against intrusion into one’s home signifies the increasing respect of Chinese law for personal dignity; it also reflects the development of Chinese legal culture.13

With the progress of human society, the protection of privacy has expanded from the home to public space. Commentators point out that when a person appears in public he is assumed to give up some of his privacy. Thus, taking a picture of a person in a public meeting cannot be considered an invasion of his privacy. Even in public space, however, a person has not completely abandoned his privacy, such as his bodily secrecy and private activities in public places.14 For instance, it is not permitted to put a camera in public toilets or in the fitting rooms of clothing stores. It is thus argued that citizens can have claims to privacy even in public space, as long as such expectation of privacy is reasonable.

The emergence of the Internet has given rise to the concept of private cyberspace, which refers to the private space that is built on computers or cell phones, has functionality for information storage and exchange, and remains subject to human control.15 This so-called private cyberspace includes but is not limited to the computer memory of end users and the server space of ISPs that are used or occupied by Internet users, such as personal websites, home pages, blogs, and online accounts.16 From 2006 to 2007, China witnessed a nationwide prevalence of two computer viruses, Worm Nimaya and Grey Dove, which unlawfully intruded into the virtual space of millions of Internet users. The chief reason for the frequency of illegal invasion of private cyberspace arguably is that China has not yet established an effective legal system to curb it. Commentators have proposed that China should acknowledge the legal existence of private cyberspace so that the privacy law on traditional “physical space” can be expanded to people’s activities in cyberspace. In other words, both kinds of space, physical and virtual, if private by nature, should enjoy the equal protection of privacy law.17 The intentional intrusion into an Internet user’s cyberspace without authorization should constitute infringement of his right of privacy.

Another important intrusion on seclusion is to infringe upon a citizen’s freedom and privacy of correspondence. Freedom of correspondence refers to the right of a citizen to correspond with others through all kinds of communication tools. Any organization or individual should not interfere with the exercise of this right, unless the interference is in accordance with the law. Interference herein includes such acts as seizing, concealing, or destroying others’ letters; or interfering with the use of communication tools by others. Privacy of communication means that the content of a citizen’s correspondence by letter, telephone, telegram, teletypewriter exchange, e-mail, or other tools should be private. Any organization or individual should neither unlawfully open others’ letters, telegrams or teletypewriter exchanges, nor eavesdrop on or record others’ phone conversations, unless this is performed in accordance with the law. An offender who infringes on others’ freedom and privacy of correspondence shall bear tort liability; if the circumstance is serious, he may be subject to criminal liability.

In cyberspace, the matter of infringement upon citizens’ freedom and privacy of correspondence is becoming increasingly complicated. For instance, a hacker may use various technological means to steal, change, or destroy the personal information of Internet users, while the injured party can almost never discover the identity of the hacker. An ISP may transfer or close its customers’ e-mail accounts, thus causing the loss of customers’ e-mails and the disclosure of personal privacy or commercial secrets. What is more, some network owners or administrators may intentionally monitor the computers and e-mail systems operating in local area networks through network centers.18 All these actions constitute serious infringement of the privacy of Internet users. China has therefore extended the traditional protection for personal correspondence to people’s online communication. The Administrative Measures for Safeguarding the Safety of International Connecting of Computer Information Networks, enacted in 1997, stipulates that no organization or individual may use the Internet to violate a citizen’s freedom and privacy of correspondence. The Telecommunication Regulations of the PRC, enacted in 2000, reaffirms protection for the freedom and privacy of telecommunications users, which includes Internet users. Under this law, such acts as deliberately prying into others’ correspondence, intruding into others’ personal files, or changing/destroying others’ data all constitute invasion of privacy. The infringing parties may be Internet users (Case 4.4); they may also be ISPs.

Case 4.4   Xue Yange v. Zhang Nan: freedom and privacy of e-mail correspondence19

China saw its first case of infringement of the freedom and privacy of correspondence via e-mail in 1996. Both plaintiff Xue Yange and defendant Zhang Nan were graduate students in the psychology department of Beijing University. In April 1996, Xue received an e-mail from the University of Michigan informing her that she was being offered a full scholarship to study at its school of education. Upon learning this, defendant Zhang sent a reply to the sender in the name of Xue without her knowledge, stating that plaintiff Xue had decided to turn down the scholarship. Xue thus lost a precious opportunity to further her studies in the United States. In June 1996, Xue filed a lawsuit against Zhang for infringing on her right of name. After mediation, the plaintiff was awarded a certain amount of economic compensation. Although this case was filed for the violation of a citizen’s right of name, the infringed object was in fact a citizen’s freedom and privacy of correspondence.

19. The case is adapted from Xiuping Li (1997) “China’s First Electronic Mail Case,” Law and Life, 9.

In almost all cases, permission is the only defense for intrusion lawsuits. Newsworthiness is not a defense because publishing is not an element of the tort. If the victim permits the offender to collect and disseminate his personal information online, then the offender will not bear any civil liability. The permission should reflect the victim’s will, rather than being obtained by force or deception. In addition, permission can be implied. So if a reporter enters a private property and the property owner responds to the reporter’s questions, this implies that the interview can proceed.20


The development of the Internet brings a unique, destructive, and recurring means of intrusion into others’ privacy, namely, e-mail spam. According to a survey by the Internet Society of China, from August 2004 to April 2005, Chinese netizens received an average of 16.8 unsolicited e-mails per week; spam e-mails constituted 60.87% of the total number of e-mails they received. China is one of the countries that are most affected by junk e-mail. Responding to this problem, the MIIT promulgated the Administrative Measures for Electronic Mail Services (hereinafter referred to as the Measure) in 2006. This is an administrative regulation but has arguably paved the way for the future enactment of an anti-spam law by the NPC.

The targets of the Measure mainly include senders of e-mail, e-mail service providers, and Internet access providers. This is partially identified in Article 2: the Measure shall apply to the provision of Internet e-mail services as well as the provision of access services to Internet e-mail services and the transmission of Internet e-mails within the territory of mainland China. The term “Internet e-mail services” herein refers to the activities of establishing Internet e-mail servers to provide tools for Internet users to send and receive Internet e-mails. One major goal of the Measure is to enhance the protection of citizens’ privacy of communication. As Article 3 provides, citizens’ privacy of correspondence in using e-mail services shall be protected by law. Unless a procuratorial organ or a public security organ is making a legal inspection of the content of correspondence for the purposes of national security or crime investigation, no organization or individual shall infringe upon any citizen’s privacy of correspondence on any pretext.

In the view of Chinese law makers, strengthening the administration of e-mail services can be the first step in fighting spam on the Internet. The Measure includes: (a) establishment of a permit system for e-mail services. Article 4 of the Measure stipulates that whoever intends to provide e-mail services shall obtain a permit for operating value-added telecommunication businesses or go through the record-filing procedure for operating non-commercial Internet services in advance. Without such a permit or record-filing, no organizations or individuals shall provide Internet e-mail services; (b) establishing an IP registration system for e-mail services. Article 6 states that the government is taking the registration-based measure of administering the IP address of ISPs’ e-mail servers, asking ISPs to register the IP addresses of their e-mail servers with the MIIT or its local subordinates in advance; (c) strengthening the security settings for e-mail services. Article 7 provides that Internet e-mail service providers shall build up an Internet e-mail service system according to the technical standards of the MIIT, cancel the anonymous forwarding functionality of the e-mail server, and strengthen the safety administration of the e-mail service system; and (d) specifying the obligations of e-mail service providers to their users. Article 8 prescribes that e-mail service providers shall clearly inform users of the contents of the services and rules for use. Furthermore, Article 9 stipulates that e-mail service providers have the obligation to keep confidential users’ personal registered information and Internet e-mail addresses; no e-mail service provider or any of its employees is allowed to use or publicize any user’s personal information without the consent of the user, unless otherwise prescribed by any law or administrative regulation.

There is no disagreement that spam should be prohibited, but the issue of how to define spam remains controversial. The Measure does not offer a definition of spam, but it suggests a list of actions that may be considered to be spamming. These include: sending to a recipient an e-mail containing commercial advertising content without the recipient’s clear consent; not marking “advertisement” or “AD” in the title of an e-mail that contains commercial advertising content; and continuing to send e-mails containing commercial advertising content to a recipient who initially consents to receive such e-mails but later declines to continue receiving them. In addition to unsolicited e-mails with commercial advertising content, the Measure also prescribes the following actions as spamming: intentionally concealing or forging such important sender information as the sender’s e-mail address; using another person’s computer system to send e-mails without his authorization; selling, using, sharing, or disseminating another person’s e-mail address that has been obtained by automatic online collection, arbitrary alphabetical/digital combination, or other means; creating, reproducing, publishing, or disseminating e-mails that contain unlawful or harmful content as stipulated by relevant laws; and using e-mails to engage in activities endangering network safety or information safety and prohibited by relevant laws.

Commentators argue that while the Measure provides a set of operational standards for identifying and fighting spam, it confuses e-mails that contain unlawful content with e-mails that contain commercial advertising content. The former are directly prohibited by law, while the latter may sometimes be welcomed by consumers. According to the Measure, all commercial e-mails sent to a recipient without his consent will be considered spam. The problem is that some commercial e-mails may be exactly what a recipient wants to see and receive. Therefore, it is argued that whether or not an e-mail is spam should be determined by the recipient, i.e., only e-mails sent to a recipient against his wishes can be considered spam.21 This does not mean that the recipient can freely accuse the sender of sending spam. The recipient must provide proof that the sender deliberately sent the commercial e-mail against the recipient’s wishes. Under the Measure, any organization or individual who sends spam will be subject to administrative or criminal punishment (Case 4.5).

Case 4.5   Administrative punishment for sending spam e-mail22

In August 2006, the Guangdong Communication Administration found that a company was sending bulk e-mails that contained commercial advertising content to a considerable number of Internet users. This regulatory agency therefore implemented administrative punishment pursuant to the Administrative Measures for Internet Email Services, ordering the company to immediately stop sending spam and also to pay a fine of 5,000 yuan.

22. The case is adapted from: Wu Wei and Liu Quan (2006) “Guangdong Publicly Punished Spam Senders,” Nanfang Daily, August 15, retrieved December 8, 2010 from

However, spam is increasingly being regarded as a tort, particularly as an infringement of others’ privacy. As discussed above, the real problem with spam is that the offender sends messages to the recipient’s private cyberspace (i.e. e-mail box) against his wishes. Subjectively, the offender forces the recipient to read the e-mails, so he is infringing on the recipient’s right of correspondence; objectively, the unsolicited e-mails occupy the space of the recipient’s e-mail box, and the recipient has to spend time deleting those e-mails, thus leading to loss of time and money.23 Due to these factors, in China a person who sends spam is now more likely to bear tort liability.

Disclosure of private facts

Disclosure of private facts arises where one person publicizes truthful private information that is not of legitimate public concern, and the release of which would be highly offensive to a reasonable person.24 The tort of private facts aims at protecting a citizen’s dignity and peace of mind by discouraging the publication of intimate facts.25 Unlike defamation, truth is not a defense for invasion of privacy. If private facts are publicized, the victim may receive monetary compensation for the resulting emotional injury.

Private facts

The key consideration in a disclosure of private facts lawsuit is whether the matter being publicized is public or private. If the matter is one of public concern, there is no invasion of privacy. However, if the matter is not one of public concern, and it is one that people would find offensive, there is an invasion of privacy. In reality, “there are many facts a person wants to keep private simply because they are not for public knowledge.”26 Private facts suits can relate to a person’s sexual information, domestic difficulties, medical information, financial condition, and similar facts.

“Sex” is private by nature. Publicizing a person’s sexual activities, sexual organs, sexual features, sexual psychology, sexual habits, and sexual defects through text or image often constitutes an invasion of privacy. In addition, when reporting sex crimes or sexual harassment, the reporter usually should not disclose the victim’s name, identity, address, and other identifying information; otherwise, he may invade the victim’s privacy. Unethical practice in one’s sexual life, such as adultery and extra-marital sex, should also be regarded as private, as long as such behavior does not cause harm to the public.27

Love, marriage, and family situations also fall within the scope of privacy and are legally prohibited from being disclosed (Case 4.6).

Case 4.6   Violation of right to privacy: the case of Mrs. Shi Liling28

An influential case in this regard involved Mrs. Shi Liling, who fell in love with Chiang Wei-kuo and had a son with him in 1937.29 Later, Chiang went to Taiwan, while Shi stayed in mainland China and married another man. Her son with Chiang grew up and also worked in mainland China. In 1995, a book titled The Secret History of the Chiang Family published the romance between Shi and Chiang. This caused Mrs. Shi to file a lawsuit. She claimed that the book had disclosed her romance with Chiang without her consent, thus violating her privacy; in addition, the book’s statement that she had died in the 1940s was seriously false and damaged her reputation. Her claim was supported by the court.

28. See Xuelu Ren (1998) “A Dispute Caused by ‘The Secret History of the Chiang Family,’” Law and Life, 2.

29. Chiang Wei-kuo is an adopted son of Chiang Kai-shek, who was a political and military leader of 20th-century China. He is known as Jiang Jieshi in Mandarin.

There are many other types of personal information viewed as private, such as an individual’s name, photos, phone numbers, home address, savings and property status, health status, social relations, diaries, and other private information or files that the individual is unwilling to expose to the public. Such personal information has been protected by various laws. For instance, the Statistics Law stipulates that survey data concerning any private individual or his/her family should not be divulged. The Commercial Banking Law provides that commercial banks should adhere to the principles of voluntary deposit and confidentiality for their depositors. The Lawyer Law requires that a lawyer should not divulge the private affairs of the parties concerned in a case. The Law on Medical Practitioners requires that patients’ private information shall not be divulged. In addition, the Regulation on the Prevention and Treatment of HIV/AIDS prescribes that no person or organization shall disclose the personal information of patients or their families; such information includes the name, address, employment, photograph, medical history, and any information that may identify the person concerned.

In addition, crimes or other misconduct by a minor should also be treated as private facts. Under the Minors Protection Law and the Criminal Procedure Law, crimes committed by a minor shall not be tried publicly. Furthermore, the Minors Protection Law specifies that, with regard to cases involving a minor’s crime, the name, home address, photos, and other identifying information of the minor may not be disclosed in news reports, films, TV programs, and in any other publicly circulated documents prior to the judgment. The Prevention of Juvenile Delinquency Law goes further and deletes the restrictive term “prior to the judgment,” requiring that news reports, television programs, and other publications should not disclose the minor’s name, address, photograph or any other information that can be used to discover the minor’s identity. This shows that China’s judicial protection for the privacy of minors is very strict, mainly in order to create a favorable environment for minors to grow up in.


In Chinese judicial practice, most infringement of privacy cases concern the news media. As for defenses in such cases, China has formed the following mechanisms.


If a person has given his consent to the publication of the information concerned, this consent can be a defense for the media, even if the person later claims that his right to privacy was infringed. In other words, once the person has provided the information, or permitted its publication, the media shall bear no liability for invasion of privacy. However, the following three points should be considered: (a) the subject of the information should give explicit consent for the publication of his private information by news media. Disclosure to journalists, particularly in a private interview, does not equal permission for publication; (b) the person should voluntarily disclose the private information; disclosure under coercion or violence cannot serve as a valid defense; (c) a person only has the right to disclose his or her own private information. News reporting involving a third person’s privacy must have the third person’s consent; otherwise, it will constitute an invasion of the third person’s privacy.30

Public records

If the information is obtained from public records, the publication of such information does not constitute an act of infringement. Public records refers to information already available to the public in the form of official documents, notifications, judgments, notices, etc. that are approved for publicity and reference by the Party and state organs. In such cases, the information has been so widely published as to destroy its confidentiality; the citation of such information will not constitute a breach of confidence. However, in closed-door hearings, even if there is a reference to relevant private information in the judgment, the right to privacy shall still be protected.31

Public places

Reporting on people in public places shall not be an act of infringement, for there is no expectation of privacy in such places. Once a person appears in a public place, he agrees, by default, to give up some rights to privacy; he shall therefore allow others to observe his demeanor, even to make audio and video recordings. Journalists are free to report on and take photos of traffic accidents, crimes, or even a public kiss. However, it should be noted that a person’s rights to privacy are not completely denied in public spaces. Privacy should still be considered in terms of private space in public places, such as toilets in public places. Thus, public places as a defense bear restrictions; they are subject to being weighed by the judge on a case-by-case basis.32

Public interest

If personal information is somehow related to the public interest, it is no longer a private matter in a general sense, and thus is not subject to privacy protection. News coverage in such cases is, therefore, not an intrusion of privacy. For example, Chinese law generally does not protect private information concerning a crime. A criminal thus cannot claim for invasion of privacy by the media in matters of criminal fact. What is more, for people who have been implicated in a crime, such as the victim of the crime or the family of the criminal, their rights to privacy may also be partially restricted, due to the public interest aspect of the case.33

Public figures

Public figures refers to those people “who have assumed special prominence in the resolution of public issues or the character of public events.”34 Public figures can be government officials, writers, artists, film stars, sports stars, scientists, entrepreneurs, social activists, even criminals, defendants, or criminal suspects, and others who have entered the public spotlight. These people often become the focus of public attention and news coverage, and their privacy is much more limited than that of the average person. Therefore, news reports of their personal information do not constitute an invasion of privacy. However, this does not mean that public figures do not have any right to privacy. It is widely accepted that unlawful intrusion into their residences should be prohibited; surveillance or monitoring of their private and family lives should be prohibited; their marriage affairs should not be interfered in; their freedom of communication should not be restricted; and their activities and matters unrelated to the public interest should not be intervened in.

Online dissemination of private facts

Disseminating another person’s private facts online without authorization is also considered an infringement of privacy. However, infringement of privacy in cyberspace seems to be more complicated than in the context of traditional media. The infringer in the traditional media environment often has certain social relations with the infringed person, and is thus easily identified. In cyberspace, anyone can be the sender of information, but he can also be the receiver of information; anyone can be the victim, but he can also be the perpetrator; moreover, there may be no real social relations between the perpetrator and the victim.35 The infringing parties include not only Internet users but also Internet service providers, and the courts often find it difficult to identify infringers. In addition, web-based communication is particularly rapid and open. This means that the consequences of invasion of privacy in cyberspace can be significant. If an infringement in cyberspace cannot be stopped in a timely manner, it may cause huge damage to the victim.

Based on the Tort Liability Law and relevant laws and regulations, where the victim finds that his personal privacy has been violated on the Internet, he has the right to request the related ISP to remove, block, or disconnect the links to the infringing information. If the ISP fails to take such necessary measures in a timely manner after being notified of the infringement, it should bear collateral responsibility for additional damage. A major consideration herein is that if an ISP is required to bear more responsibility, the development of the Internet industry and thus the dissemination of information may be hindered. The Tort Liability Law thus adopts the internationally prevailing “notice-delete” mode to protect people’s privacy in cyberspace, while reducing the burden on service providers. However, the Law also stipulates that if an ISP knows that an infringement on privacy is occurring but fails to take necessary measures, it should still bear tort liability for additional damage. The remaining issue is that there should be a well-established standard for the definition of privacy, and that the standard can be understood and implemented by an ISP.

Case 4.7   Infringement of privacy in cyberspace: the case of “maritime woman”36

An influential case of privacy infringement in cyberspace concerns the nude pictures of a “maritime woman.” Plaintiff Ms. Yin was a student of Shanghai Maritime University. She broke up with her boyfriend Mr. Zhu, who then uploaded a great deal of private (and even nude) pictures of the plaintiff to the Internet for purposes of revenge. The pictures were then accessible and searchable on, China’s largest search engine. The plaintiff claimed that by June 2, 2009, the search engine had not taken any measures to deal with her private pictures; furthermore, its encyclopedia section dedicated a specific entry to her private information under the title of “maritime woman.” The plaintiff thus sued for infringement of privacy. The defendant argued that it was functioning only as an index of information; it had not published or disseminated any of the plaintiff’s information by itself; and moreover, it had disconnected the links to such information after receiving the plaintiff’s complaint. The court determined that the defendant had dedicated an encyclopedia entry to the plaintiff’s private information and also kept the infringing information, and so it should be liable for infringement of privacy.

36. The case is adapted from Li Hongguang and Zhou Kai (2010) “‘Maritime Woman’ Won the Lawsuit against Baidu,” China Youth Daily, retrieved January 12, 2011 from

Case 4.8   Infringement of privacy in cyberspace: the Edison Chen photo scandal37

Another case involves the scandal of Hong Kong actor Edison Chen’s photo. In early 2008, a man named “Kira” distributed over the Internet hundreds of intimate and private photographs of Chen with various women, including actresses Gillian Chung, Bobo Chan, Rachel Ngan, and Cecilia Cheung. According to the investigation, the pictures were originally stored on Chen’s laptop; when Chen took his laptop to be repaired, the pictures were illegally copied and then uploaded to the Internet. The scandal shook the Hong Kong entertainment industry and received high-profile media attention both locally and around the world. Following the scandal, the police arrested an IT professional who they suspected might have initially released Chen’s sex pictures on the Internet. Later, Chen admitted publicly that the pictures disseminated on the Internet were his, and apologized to all the actresses involved and to the public.

In terms of privacy protection in cyberspace, the Chen photo scandal raised the following critical issues: whether Chen had infringed on the privacy of the actresses when he took pictures of them; whether the computer repairmen had infringed on Chen’s privacy; and whether the public who helped to spread Chen’s sex pictures had infringed on the privacy between Chen and the actresses. It is argued that the first question mainly concerns whether the actresses agreed to be photographed or voluntarily assumed any possible risk. If they agreed or voluntarily assumed risk, Chen would not bear any infringement liability. The second question essentially involves the invasion of privacy in cyberspace. Chen had privacy rights over the pictures saved on his laptop, and he did not want the pictures to be viewed or copied by others. Therefore, commentators argue that the computer repairmen should be considered as having violated Chen’s privacy. As for the third question, commentators hold that even if the victims in this case were public figures, such sex pictures had no public value, and so they should not be disclosed to the public. The key to determining whether the public had infringed the privacy of Chen and of the actresses was the scope of the dissemination of information. If a person had sent the pictures only to another person via e-mail, he would not be viewed as committing an infringement. If he had uploaded the pictures to a website or sent them to others via bulk e-mail, however, his acts would constitute infringement.

37. Kai Wang (2008) “On the Protection of Privacy Rights and the State Regulation of Indecent Speeches: The Case of the Edison Chen Photo Scandal,” Today’s Media, 5.

Specific online privacy issues

The rapid development of the Internet in China has generated a variety of privacy violation cases, and the corresponding establishment of related regulatory mechanisms. This section focuses on three specific online privacy issues: data collection, human-flesh searching, and data protection models.

Data collection

As society enters the information age, personal information is becoming increasingly valuable. It can bring the users of such information not only tangible economic benefits but also intangible social capital. Meanwhile, the development of the Internet makes it much easier for people to collect and use data. As long as the data are uploaded to the Internet they can, theoretically, be shared by all users of the resource. Indeed, online data collection has become a focus of public concern. Various business organizations, government agencies, and even individuals are trying to collect, process, and manage online data for commercial or other purposes. In practice, the most common ways to collect personal data via the Internet include the following.

The first way is to obtain personal data through user registration. When Internet users apply for online accounts, personal home pages, free e-mail, and other services, Internet service providers often require them to provide personal information, such as home address, e-mail address, age, phone numbers, credit card numbers, and work unit. While service providers can legally collect such information, they should be obliged to keep the information confidential. In late 2005, a website named UCLOO was publicly selling the personal information of 90 million people. This immediately became the focus of attention and criticism nationwide. China’s media later disclosed that the personal information came from China’s largest student portal site,, which requires its registered users to provide the said information. After the incident, claimed that it had not intentionally sold such information to UCLOO; instead, it was the vulnerability of the data management that had caused the disclosure of user information.38

The second way is to obtain users’ personal data through cookies. This refers to a technology that allows the web server to store small amounts of data on a client’s computer hard drive or memory, or to read data from a client’s hard disks. It means that when a user visits a website, the web server may place a small text file on the user’s hard disk; the text file is often used to record the user’s ID, password, viewed pages, downloaded information, and other information related to the user’s online activities. The web server can then use the information collected through cookies to build a large database. When the user again visits the site, the site will read the cookies, retrieve the user’s previous information, and then make corresponding responses, such as allowing the user to log in without providing his ID and password. It is acknowledged that cookies may facilitate people’s online activities. The problem is that cookies involve a great deal of personal information; once such information is stolen by or transferred to another person, it may constitute a violation of users’ privacy. Therefore, some countries, such as Sweden, have legislation on cookies, requiring web servers to state the properties of cookies used and also to provide instructions on how to disable cookies.

The third way is to use search engines to collect information. A search engine is a website that specializes in providing searching services; it automatically searches for and processes information available on the Internet. The results are presented in the form of an information database and an index database. With these databases, the search engine then responds to different requests and provides the needed information. The searching methods include full-text search, keyword search, and classification search. Among these, the most popular and effective method is keyword-based retrieval. Users type in keywords and then give a search command; the engine will find all information containing the keywords in its database and display a list of hyperlinks for the search results. According to a report released by the China Internet Network and Information Center (CNNIC) in 2006, over 30% of cyber-users surveyed used search engines to search for their own names. Among these users, nearly 30% succeeded in finding their personal information, which could be phone number, address, e-mail address, and other private information. Such information was often stored in and retrieved from personal blogs, podcasts, alumni databases, online forums, and other sources.

Finally, personal data can be obtained via information collecting devices installed in computer software or placed in hardware. For instance, Intel has included the processor serial number (PSN) in its new processors. A PSN is a serial number that is used to identify the user of the computer concerned; indeed, it is often used to monitor the information received or sent by the user. Intel claimed that this effort was to enhance e-commerce security. But critics pointed out that, due to the uniqueness of a PSN, a person who is using a processor with a PSN installed is in fact inviting Intel to track and monitor all of his online activities. A similar problem has also occurred with Qihoo 360, a leading Internet security software company in China. Many users accused this company of using its software to collect clients’ private information without authorization. According to a media report, for example, a user was recorded 268 times in 23 of the company’s logs from December 8 to 26, 2010. All the activities of this user, such as visiting QQ space, downloading software, and watching online movies, had been recorded in great detail; moreover, all online buyers’ names, mail boxes, phone numbers, delivery destinations, delivery fees, order quantities, order times, and so on had all been recorded with great precision.39

From the perspective of privacy protection, the concerned person has the right to control his private information. This means that he can choose whether and how to use or process his private information. Without legal authorization, no individual, business organization, or government agency has the right to collect, process, and administer others’ personal information. With the popularization of computers and the development of Internet technology, however, the gathering of private information is becoming easier than ever before. In particular, Internet service providers are able to access a huge amount of personal data about their users. Indeed, all the online activities of an Internet user may be subject to direct or indirect monitoring by his service providers without his knowledge. Furthermore, the collected data may be used for commercial purposes or against the interests of the information owner. According to Chinese law, any person or party who breaches others’ right to privacy should bear the relevant civil and even criminal liability.

Case 4.9   Protection of online privacy: the Qihoo 360 and Tencent QQ dispute40

The dispute between Qihoo 360 and Tencent QQ occurred in 2010. In essence, the dispute was about identifying, collecting, and protecting private information through software. In February 1999, Tencent, one of the largest Internet companies in China, introduced Tencent QQ, which has become the most popular instant messaging tool in China. As of July 11, 2011, active user accounts for QQ instant messaging totaled 812.3 million.41 However, many users accused Tencent of privacy infringement for scanning personal data stored on their hard drives on a large scale. Users also raised doubts about QQ’s recording and monitoring of their chat and other online activities, and its right to ban their online accounts. Qihoo is the largest security software company in China. In July 2006, the company released the anti-virus software 360 Safeguard. About one year later, 200 million people were using this software.42

In September 2010, Qihoo released Qihoo 360 Privacy Protector and Qihoo Koukou Guard, claiming that these new products could be used to protect the privacy of QQ users. Qihoo declared on its official website that Qihoo 360 Privacy Protector can expose any spyware installed on users’ computers. As for Qihoo Koukou Guard, it could provide comprehensive protection for QQ users, including preventing QQ from scanning users’ hard drives, preventing QQ accounts from being hacked, disabling unnecessary plug-ins, closing QQ ads, deleting temporary files, deleting QQ-related products such as QQ Media, and so on. It also promised that Koukou Guard would not modify any default QQ settings, so that users would be able to determine the settings for all functions. A few days later, Tencent responded with the rebuttal that QQ did not breach users’ privacy, and alleged that Qihoo was defaming QQ by engaging in unfair competition.

A core issue of the dispute was how to define online privacy. To sign up for a QQ account, users are required to agree to such terms as the following: “We will ask you to provide your identifying information or allow us to contact you … personal information collected by Tencent is usually limited to your name, gender, age, birthday, ID number, address, educational level, employer, occupation, hobbies and so on.” According to these terms, the information related to users’ online activities will not be considered private, and can be collected, processed, and used by the website without users’ consent. This is what caused the dispute in which Qihoo 360 charged QQ with privacy infringement but QQ denied any such charge.

As the situation was getting worse, Tencent issued a letter to QQ users, stating that it would stop providing services to those users who were using any of Qihoo 360’s software. In other words, users had to choose between Qihoo 360 and QQ. In response, on the next day Qihoo released an open letter announcing the withdrawal of 360 Koukou Guard.

The battle between the two companies continued for several weeks. In the end, the Chinese government stepped into the dispute. It ordered Tencent to stop asking users to make a choice between QQ and Qihoo 360, while requiring Qihoo to withdraw its 360 Koukou Guard. Commentators argue that this dispute revealed the fragility of the current laws for protection of people’s online privacy and their right to choose services, thus calling for an intensification of efforts to protect the rights of Internet users.

40.The case information is adapted from (2010) “The Qihoo 360 and Tencent dispute,” retrieved March 1, 2011 from (2010) “About Tencent,” retrieved August 20, 2010 from

42.360 Safeguard (2011) “The Major Events of 360,” retrieved September 11, 2011 from

Human-flesh searching

In recent years, Chinese Internet users have created the so-called human-flesh search engine. The searching method is so called because it makes use of human power to filter information that is available online. This is fundamentally different from traditional machine-driven engines such as Google and Baidu. Human-flesh searching first appeared on, a social networking site. On this site, a user can pose questions and reward the answers with mp—a virtual currency of the site. When another user sees the post, he may actively look for clues. If he succeeds, he will post his findings and claim a reward. This process is called human-flesh searching. When hundreds and even thousands of Internet users work together to collect information about a specific person, using various methods, almost everything about that person may soon be revealed.43

Since its inception, human-flesh searching has become a highly controversial issue. Opponents believe that such searching disrespects the privacy of the people concerned and is an abuse of freedom of speech. Moreover, the participants in the searching process may become Internet mobs who may violate state laws and rob the searched-for person of his dignity. Many Chinese are therefore opposed to human-flesh search engines. According to a survey by China Youth Daily, nearly two-thirds (64.6%) of the interviewees agreed that human-flesh searching may infringe on people’s right to privacy and deprive people of their sense of safety. This has been confirmed by many real cases (Cases 4.10 and 4.11).

Cases 4.10 and 4.11   Two instances of abuse of human-flesh searching

In June 2010, Ping Qijun, deputy director of Jiangxi Flood Control and Drought Relief Office, failed to give a direct answer to questions about “the safety of the people living in the down-stream” in a CCTV interview; he instead repeated “the important instructions” of officials at higher levels. Ping was criticized on the Internet for speaking in a bureaucratic tone, and a human-flesh search campaign was then launched against him. Soon, personal information concerning Ping’s family, spouse, and son was made public. His family information was dug up to such an extent that his son dared not go to school.44

A similar case happened on December 27, 2007, when CCTV broadcast a news item about curbing violence and pornography in cyberspace.45 In the news item, a Beijing student named Zhang Shufan spoke to the reporter, and stated: “Last time when I was surfing the Internet, a window popped out all of a sudden, and it was very pornographic and very violent. I closed the window immediately.” After the news was broadcast, many posts appeared on the Internet, attacking Zhang’s comment “very pornographic and very violent.” Some posts even used pornographic cartoon figures to make insinuations against Zhang. These two cases show that although the human-flesh search engine can be a useful tool for aggregating information, it can also be abused, and escalate into Internet violence.

44.The case information is adapted from (2010) “A Jiangxi Official Was Human-Flesh Searched for His Speech on CCTV,” retrieved May 15, 2011 from

45.The case information is adapted from (2007) “Zhang Shufan,” retrieved July 18, 2010 from

Advocates of human-flesh searching argue that it is an effective tool for people to exercise freedom of speech and supervision of public opinion. The subjects of human-flesh searching are often wrongdoers, or events against social norms or state laws. To some extent, it provides a platform for people to freely express their opinions and vent their anger. Commentators thus argue that human-flesh searching, when properly used, can promote social progress and protect the public interest (Case 4.12).

Case 4.12   The case of Zhou Jiugeng: a typical human-flesh searching case46

A typical case concerns Zhou Jiugeng, director of Real Estate Administrative Bureau of Jiangning District in Nanjing. On December 10, 2010, Zhou appeared on TV, saying that real estate developers were selling houses below cost, and so they would soon be investigated. Zhou’s claim deeply enraged those citizens who were plagued by soaring house prices. A human-flesh search campaign was then launched against Zhou and received an immediate response. One post revealed that the cigarette Zhou was seen smoking at a public meeting was worth 1,500 yuan, which was equal to three months’ allowances for a laid-off worker. Another post said that the watch Zhou wore was a Vacheron Constantin that cost 100,000 yuan. Some even disclosed that Zhou’s younger brother was a real estate developer and Zhou’s son was a vendor of building materials. All of this personal information was exposed to the public and later proved to be true. Within one month, Zhou was removed from office and subjected to a judicial investigation. On October 10, 2010, the court decided that Zhou was guilty of accepting bribes, sentenced him to 11 years in prison, and confiscated his illegal property of 1.2 million yuan.

46.The case information is adapted from (2008) “Zhou Jiugeng, Director of Nanjing Jiangning Housing Administration, Dismissed,” retrieved December 12, 2010 from; and (2009) “Zhou Jiugeng, Director of Nanjing Jiangning Housing Administration, Sentenced to 11 Years in Jail,” retrieved December 12, 2010 from

Whether human-flesh searching should be legally allowed is a rather complex issue. Commentators argue that an important factor in determining the legitimacy of human-flesh searching is whether or not it involves the public interest. They hold that where the person or event being searched relates to the public interest, human-flesh searching should be allowed; otherwise, it should not be allowed. According to this principle, an action of maliciously launching human-flesh searching on the basis of purely private issues constitutes a breach of privacy, and the victims have the right to request the offender to assume legal liability. In addition, commentators point out that human-flesh searching often involves multiple parties, including the search initiators, the information providers, the participants in the discussion, and the Internet service providers; and different parties should bear different liability. This has been shown in the case of Wang Fei v. Zhang Yile,, and (Case 4.13).

Case 4.13   Wang Fei v. Zhang Yile,, and China’s first human-flesh searching case47

On December 29, 2007, Jiang Yan, 31, killed herself by jumping from the 24th floor of an apartment building. Her suicide was arguably caused by the infidelity of her husband. Later, Jiang’s college classmate Zhang Yile opened a website called Migratory Bird Flying Northward (, claiming it to be a place to pay tribute to and seek justice for Jiang. Jiang’s relatives and friends and numerous netizens began publishing articles about the event on Zhang’s website. These articles were then republished by two mainstream websites, and Tianya.com. In these articles, Jiang’s husband, Wang Fei, became the focus of public criticism and even the subject of a hate campaign. Exhausted by this harassment, Wang sued Zhang,, and at a local court. It was the first case in China related to human-flesh searching.

The court held that, under Chinese marriage law, a husband and a wife should be faithful to each other. Plaintiff Wang’s confession in the court and the consensus between Wang and Jiang’s parents proved Wang’s infidelity. Also, Jiang’s diary proved that she had suffered a tremendous trauma in consequence of the infidelity. The plaintiff’s infidelity did not violate state law, but it was against social norms. The court thus condemned Wang for his infidelity.

The court also held that defendant Zhang had intentionally disclosed the plaintiff’s affair, name, employer, and other personal information on the Internet. The disclosure had led to large-scale human-flesh searching for the plaintiff’s identity; and the search had eventually escalated into an intensive, long-lasting personal attack against the plaintiff and his family. The court found that the influence of the disclosure had gone beyond virtual space, as the plaintiff and his parents had been personally harassed and defamed in real life. The court concluded that, by intentionally disclosing the plaintiff’s private facts, Zhang had infringed on his right of privacy. The court adjudicated that Zhang should stop the infringement and delete three infringing articles (“Totally Disheartened”, “Quietly”, and “In the Heart of the Moon”) and one photo of Wang and his alleged lover, Dong, from the website; Zhang should also apologize to the plaintiff in an open letter on the website and compensate the plaintiff with 5,000 yuan for mental damages.

The court found that when it covered this event, defendant Daqi.com did not delete the plaintiff’s personal information such as his name and photographs, and thus risked the plaintiff’s privacy and reputation. The court determined that should stop violating Wang’s privacy, delete the column concerning Jiang’s suicide from its website, make an open apology to the plaintiff, and compensate the plaintiff with 3,000 yuan for mental damages. In addition, the court found that had deleted posts relating to Jiang’s suicide before the plaintiff filed the lawsuit; it had fulfilled its legal obligations, and thus was not subject to any legal liability.

47.The case information is mainly adapted from Yan Shi (2008) “The First Case of Internet Violence: Plaintiff Wang Fei Compensated 8,000 yuan for Mental Damage,” retrieved May 1, 2010 from

Data protection models

While online privacy is becoming the focus of public discussion, the Chinese government and relevant industries have taken certain measures to strengthen the protection of Internet privacy. These measures can be divided into three categories: legal regulation, industry self-regulation, and technical protection. Among the three categories, legal regulation has become the major type, while industry self-regulation and technical protection have played an ancillary role.

Legal regulation

China has established a series of laws and regulations to protect personal data that is available online. The Decision of the NPC Standing Committee on Safeguarding Internet Security enacted in 2000 provides that anyone who intercepts, tampers with, or deletes another person’s e-mails or other data will be investigated for criminal responsibility if his act constitutes a crime. Also, the Criminal Law revised in 2009 stipulates that the actions of selling or illegally providing others’ personal information and illegally obtaining others’ personal information constitute a crime, and the offender will be subject to criminal investigation. In addition, the Tort Liability Law enacted in 2009 explicitly includes the right to privacy as one of the civil rights, and clearly defines the liability of Internet users and Internet service providers. To sum up, these laws provide a legal basis for protecting people’s privacy in cyberspace.

In January 2011, the MIIT promulgated the Interim Measures for Supervision and Management of Internet Information Service Market (Draft Memoranda for Comment), which clearly defines ISPs’ responsibility for the protection of online privacy. First of all, the Draft stipulates how ISPs should collect and process users’ data. Article 12 states that ISPs should respect the privacy of their users, assure the security of users’ data, and standardize the procedures for processing users’ data. Without legal authorization, ISPs shall not collect and process the personal information of their users. In cases of necessity, the personal data collected should be directly associated with the services provided, and users should be clearly informed about the data collection behavior and purposes of data collection. Moreover, Article 14 provides that ISPs should assure the security of users’ data and preserve users’ right to modify and delete their own data. Unless otherwise specified by laws and regulations, ISPs are not allowed to modify or delete users’ data, or to provide users’ data to a third party.

The Draft also stresses that ISPs have the obligation to keep users’ data confidential. Article 13 states that ISPs should keep users’ information confidential; unless otherwise specified in laws, no individuals or organizations may review users’ information for any reasons. Article 12 states that in the case of disclosure of personal information, the ISP concerned should immediately inform the relevant regulatory agencies; meanwhile, it should not publicize any unconfirmed information.

In addition, the Draft provides specific regulations on the operation of end-user software by network service providers. Article 9 stipulates that where ISPs need to install, run, upgrade, or uninstall software on subscribers’ computers, they should provide clear and unambiguous reminders to subscribers and also obtain the consent of subscribers. Article 10 prescribes that where ISPs bundle end-user software with other software, they should explicitly inform subscribers of such bundling and allow subscribers to decide whether to install it or use other such software.

In April 2009, the MIIT also promulgated the Mechanism for Monitoring and Handling Trojans and Botnets to respond to the security risks caused by Trojans and botnets. A Trojan is a remotely controlled program installed on the victim’s computer by a hacker in order to steal the victim’s information. A botnet is a collection of compromised computers connected to the Internet, controlled via standards-based network protocols such as IRC and HTTP. Both Trojans and botnets constitute substantial threats to network information security, and they are the major causes of the disclosure of private information, the wide spread of spam messages, and the massive dysfunction of Internet services.

According to the Mechanism, CNCERT is responsible for monitoring the activities of any malicious software within China.48 Specifically, it collects, verifies, analyzes, and publishes Trojan- and botnet-related information, such as the scale, type, and consequences of the infection. It also provides Internet security service and technology support for handling the problems caused by Trojans and botnets, such as malicious IP addresses and domain names. The Mechanism also stipulates that telecommunications service providers are responsible for monitoring the activities of Trojans and botnets within their network systems and also for handling all Trojan and botnet issues reported by CNCERT. The administrative organizations for Internet domain names are responsible for handling the malicious domain names reported by CNCERT. In addition, all organizations related to Internet services should inform users of the responsibility for Internet security on the users’ side and also include this information in their contracts with users. Through the above-mentioned measures, the MIIT hopes to establish a comprehensive system for effectively handling Trojan and botnet problems.

It should be added that there are several other laws and regulations that also provide direct or indirect protection for people’s privacy in cyberspace. These mainly include the Telecommunications Regulations, the Administrative Measures for Internet Information Services, the Administrative Measures for the Security of International Connecting of Computer Information Network, and the Implementation Measures for the Reporting of Internet Security Information.

Industry self-regulation

While enhancing legal regulation, China also advocates the strengthening of industry self-regulation for the protection of online privacy. First of all, industry self-regulation is demonstrated by the privacy policy statement published by network service providers. Many websites set up a link to their privacy policy statement on the home page. The statement usually includes the following: the definition of personal information; the basic principles for collecting and processing personal information; the obligation to inform users before the website gathers, discloses, and transfers users’ information; the use of cookies; how to adjust the privacy settings and update personal information; the contact information of the network operator, and so on.

For example, the privacy statement of Baidu states: “In the following circumstances, Baidu will disclose your personal information according to your wishes or in accordance with the law, and any possible liability should be borne by you, with your authorization in advance; the requested products and services can only be received with disclosure of your personal information; the disclosure is required by the law and regulations; the disclosure is requested by the relevant government authorities; the disclosure is to safeguard Baidu’s legitimate interests; you consent to sharing the information with third parties; any breach of our service terms on your side; and we need to provide information to companies that provide our products or services.”49

In addition, the privacy policy of Tencent states: “Tencent will not disclose users’ private information to any third parties other than its cooperators, except with users’ consent or as required by the law. However, when a user registers for an account, if he consents to disclose his private information, or agrees to the disclosure of users’ private information in the contract between users and Tencent or Tencent’s collaborating parties, the user should assume any risks that may arise. Meanwhile, in order to improve its service, Tencent will collect users’ non-personal information for its own use and may also provide such information to a third party.”

The problem is that there are too many ambiguities and loopholes in these privacy statements, and such problems are very disadvantageous to the protection of user privacy. For example, the privacy statements often contain the following two mandatory elements: first, no matter whether the user consents or not, the ISP can provide the user’s personal information to any of its collaborating parties; second, as long as the user agrees to the privacy policy when registering for an account, his personal information can be disclosed to any third party. These mandatory terms do not appear only in Baidu’s and Tencent’s privacy statements; they occur in the privacy statements of most other Internet companies that require users to register for services. When users register for an account, they tend to ignore such privacy terms, allowing the ISP to infringe on their privacy without bearing any liability.

China’s Internet companies have also followed practice in Western countries50 and established the Internet privacy certification program. In March 2009, six of China’s largest Internet companies (Baidu, Tencent, Sina, Sohu, Netease, and Phoenix) and the Internet Society of China jointly established the ITRUST, an organization that is devoted to promoting the credibility of Internet companies in China. The ITRUST will review and verify the chief information about a website, such as its authenticity and legitimacy, the phone number for customer service, and assess user privacy protection and the level of user satisfaction. After this review and verification, the website can obtain an electronic Web Trust Certificate issued by the ITRUST. The website can then post the certificate on its home page so that users can identify it as a trusted site. So far, nearly 200 Internet companies have obtained this certificate, which arguably helps to strengthen users’ confidence in the privacy protection provided by the website.

In addition to the privacy certification system, China is also trying to establish industry guidance to improve the protection of online privacy. In 1998, more than 80 global companies and associations jointly founded the Online Privacy Alliance with the aim of fostering the protection of individuals’ privacy online and in electronic commerce. The Online Privacy Alliance issued an industry guideline which stated that: “upon joining the Alliance, each member organization agrees that its policies for protecting individually identifiable information in cyberspace will address at least the following elements … adoption and implementation of a privacy policy … notice and disclosure … choice/consent … data security … data quality and access.”51

China has a similar industry association, i.e., the Internet Society of China. In June 2004, this society issued the Public Pledge of Self-Regulation and Professional Ethics for China Internet Industry, which states: “we pledge to respect the lawful rights and interests of consumers and we shall protect the confidentiality of their information. We pledge not to use the information provided by users for any activity other than those as promised to users, and no technology or any other advantage may be used to infringe upon the lawful rights and interests of the consumers or users.” However, commentators argue that this guideline may be too general to guide the privacy protection practice of China’s websites.

Technical protection

Technical solutions have also been used to enhance users’ control over their private information. One of the most common technical measures is encryption, which refers to the conversion of data into a form that cannot be easily understood by unauthorized persons. Encryption consists of two elements: algorithm and key. An algorithm is the process of combining general information with a string of numbers (the key) to produce a cipher text that cannot be understood. A key is the string of numbers that the algorithm uses for data encoding and decryption. In many cases, encryption can be an effective tool for protecting individuals’ privacy online. However, hackers have improved their skills, and nowadays they can easily decode and steal data by invading other computer systems and obtaining relevant transaction information. Many users have thus adopted firewalls to reduce the possibility of being hacked. Firewalls are the most important security technology developed in recent years; their main function is to check information coming from the Internet and then to block it or allow it to pass through to the computer concerned.

Also, more and more users are adopting software with privacy preferences to enhance the protection of their private information. With this type of software, users can identify websites that meet the online privacy protection requirements and then decide whether to visit them or not; users can also browse a website anonymously so as to avoid the possible leakage of personal information during the browsing process; in addition, users can learn what information they have to provide when conducting transactions online and ensure that the provision of such information will not lead to the infringement on their privacy by others. Currently, the major software in this regard is the Platform for Privacy Preferences Project, or P3P. It was a protocol developed by the World Wide Web Consortium (W3C), designed to provide privacy protection for Internet users. The problem is that some application software may be able to bypass the P3P platform when collecting and processing users’ personal information.
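The preference check described in this paragraph, as an added example (not code from the chapter or from the W3C): it parses the compact policy that a site sends in its `P3P` HTTP response header and accepts or rejects it against a user's preferences, failing closed on any token outside the P3P 1.0 vocabulary. The `PREFS` rules and the sample header values are assumptions constructed for illustration.

```python
"""Evaluate a P3P compact policy against a user's privacy preferences."""
import re

# Compact-policy tokens defined by the W3C P3P 1.0 specification.
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON",   # access
         "DSP", "COR", "MON", "LAW", "NID", "TST"}   # disputes, remedies, etc.
VOCAB = PURPOSE | RECIPIENT | RETENTION | CATEGORY | OTHER

# Hypothetical user preferences (an assumption of this example).
PREFS = {
    "blocked_categories": {"HEA", "FIN", "GOV"},  # health, financial, gov. ID
    "blocked_recipients": {"UNR", "PUB"},         # allowed only with opt-in
    "blocked_retention": {"IND"},                 # indefinite retention
}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')
# Three upper-case letters plus an optional consent suffix:
# a = always (the default), i = opt-in, o = opt-out.
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")


def parse_compact_policy(header_value):
    """Return (tokens, unknown); tokens maps token -> consent flag.

    tokens is None when the header carries no CP="..." element.
    """
    match = CP_RE.search(header_value or "")
    if not match:
        return None, []
    tokens, unknown = {}, []
    for raw in match.group(1).split():
        tm = TOKEN_RE.match(raw)
        if not tm or tm.group(1) not in VOCAB:
            unknown.append(raw)
            continue
        base, flag = tm.groups()
        # Only purpose and recipient tokens may carry a consent suffix.
        if flag and base not in PURPOSE | RECIPIENT:
            unknown.append(raw)
            continue
        tokens[base] = flag or "a"
    return tokens, unknown


def evaluate(header_value, prefs=PREFS):
    """Return {'decision': 'accept'|'reject', 'reasons': [...]}."""
    tokens, unknown = parse_compact_policy(header_value)
    if tokens is None:
        return {"decision": "reject", "reasons": ["no compact policy sent"]}
    reasons = []
    declared = set(tokens)
    if unknown:
        # Fail closed: a policy that cannot be understood is not acceptable.
        reasons.append("unrecognised tokens: " + " ".join(unknown))
    if not declared:
        reasons.append("policy declares nothing")
    for cat in sorted(prefs["blocked_categories"] & declared):
        reasons.append(f"collects blocked data category {cat}")
    for rec in sorted(prefs["blocked_recipients"] & declared):
        if tokens[rec] != "i":
            reasons.append(f"shares data with {rec} without opt-in")
    for ret in sorted(prefs["blocked_retention"] & declared):
        reasons.append(f"retention {ret} is not acceptable")
    return {"decision": "reject" if reasons else "accept", "reasons": reasons}


# Constructed sample values of the P3P response header.
SAMPLES = {
    "minimal": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADMi OUR STP NAV COM"',
    "sharing": 'CP="NOI CUR OUR UNR IND HEA"',
    "opt_in": 'CP="NOI CUR OUR UNRi STP NAV"',
    "malformed": 'CP="This is not a P3P policy"',
    "missing": 'policyref="/w3c/p3p.xml"',
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        result = evaluate(header)
        print(f"{name:10} {result['decision']:7} {'; '.join(result['reasons'])}")
```

A compact policy is only the site's own declaration, so an accepted policy shows what the site claims about its data handling, not what its software actually does.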

In addition, such technologies as access control, information flow control, software protection, virus detection and removal, content classification and filtering, and system security monitoring can also help to enhance the protection of individuals’ personal information in cyberspace. But no technology is perfect. Technical solutions to the problem of privacy infringement are, essentially, supplementary means, and cannot replace the leading role of legal regulation. Also, many commentators argue that if users can raise their awareness about self-protection, the possibility of privacy violation will be much reduced.

1.Xupei Sun (2008) The Study on the Law of Journalism and Communication, Shanghai, China: Fudan University Press.

2.Xingwu Feng, Dengqiao Liu, and Jing Zhang (2011) “The Legal Analysis of China’s Privacy Rights,” retrieved March 15, 2011 from

3.Xupei Sun (2008) The Study on the Law of Journalism and Communication, Shanghai, China: Fudan University Press.

4.William L. Prosser (1960) “Privacy,” California Law Review 48(3), 383–423, p. 389.

6.See Yongzheng Wei (2006) Lectures on Journalism and Communication Law, 2nd edition, Beijing, China: Renmin University of China Press.

7.See Yongzheng Wei (2006) Lectures on Journalism and Communication Law, 2nd edition, Beijing, China: Renmin University of China Press.

9.See Yongzheng Wei (2006) Lectures on Journalism and Communication Law, 2nd edition, Beijing, China: Renmin University of China Press.

11.See Paul Siegel (2008) Communication Law in America, 2nd edition, Lanham, MD: Rowman & Littlefield Publishers.

12.Robert Trager, Joseph Russomanno, and Susan D. Ross (2010) The Law of Journalism and Mass Communication, Washington, DC: CQ Press, p. 241.

13.See Liming Wang (2009) “The New Development of Privacy Rights,” The Law Review of Renmin University, 1.

14.See Liming Wang (2009) “The New Development of Privacy Rights,” The Law Review of Renmin University, 1.

15.See Deliang Liu (2009) “The Infringement in Cyberspace and the Responses of the Civil Law System,” retrieved January 10, 2011 from

16.See Deliang Liu (2009) The Infringement in Cyberspace and the Responses of the Civil Law System, retrieved January 10, 2011 from

17.See Liming Wang (2009) “The New Development of Privacy Rights,” The Law Review of Renmin University, 1.

18.For example, some Chinese institutions recently introduced a so-called Network Access Authentication Management System, which could be used to strengthen the monitoring of Internet activities in network terminals, including controllable ones (e.g., desktops, laptops, network servers) and non-controllable ones (e.g., external visitors, the networks of partners and customers). This system has been heavily criticized for intruding into Internet users’ privacy.

20.Robert Trager, Joseph Russomanno, and Susan D. Ross (2010) The Law of Journalism and Mass Communication, Washington, DC: CQ Press.

21.See Deliang Liu (2008) New Perspectives on Civil and Commercial Law in the Internet Era, Beijing, China: The Court Press.

23.See Deliang Liu (2009) “The Infringement in Cyberspace and the Responses of the Civil Law System,” retrieved January 10, 2011 from

24.Restatement (Second) of Tort § 652D (1977), The American Law Institute.

25.Robert Trager, Joseph Russomanno, and Susan D. Ross (2010) The Law of Journalism and Mass Communication, Washington, DC: CQ Press.

26.Robert Trager, Joseph Russomanno, and Susan D. Ross (2010) The Law of Journalism and Mass Communication, Washington, DC: CQ Press, p. 248.

27.See Yongzheng Wei (2006) Lectures on Journalism and Communication Law, 2nd edition, Beijing, China: Renmin University of China Press.

30.Fei Wu (2004) “The Cause of Lawsuits for Media Invasion of Privacy,” Journalistic Practice, 11.

31.See the article “A Discussion on the Breach of Privacy by News Media,” which can be retrieved from

32.See the article “A Discussion on the Breach of Privacy by News Media,” which can be retrieved from

33.See Yongzheng Wei (2006) Lectures on Journalism and Communication Law, 2nd edition, Beijing, China: Renmin University of China Press.

34.John D. Zelezny (2011) Communications Law: Liberties, Restraints, and the Modern Media, Wadsworth: Cengage Learning, p. 149.

35.See Liming Wang (2009) “The New Development of Privacy Rights,” The Law Review of Renmin University, 1.

38.Li Meng (2006) “From ‘Rob Privacy’ to See the Lack of the Protection for Personal Data Online,” China Economic Weekly, January 19.

39.Xiaoping Xie (2011) “Qihoo v. Jinshan: Revealing the Underlying Rules Governing the Internet Industry,” National Business Daily, January 15.

43.Human-flesh searching is basically similar to the term “online profiling” used by the international community. The startling phrase was coined by Chinese users.

48.Founded in 1999, CNCERT is a national-level organization mainly responsible for the coordination of activities among all computer emergency response teams within China relating to incidents on national public networks. It provides Internet security services and technology support in the handling of security incidents for national public networks and major national Internet application systems.

49.Baidu, Inc. (2011) “Baidu Privacy Protection Statement,” retrieved September 27, 2011 from

50.For example, the United States has long ago established the online privacy certification program. The most influential organizations granting certificates include TRUSTe and BBBonline.

51.Online Privacy Alliance, “Guidelines for Online Privacy Policies,” retrieved December 7, 2011 from