Case Description

After the outbreak of the epidemic in 2020, Ms. Yuan worried about a run on medical resources and purchased an oxygen generator herself. In August 2022, the oxygen generator malfunctioned, and Ms. Yuan went to the merchant for treatment. The merchant stated that it was necessary to send it to a professional medical device maintenance unit for repair. Ms. Yuan requested that businesses not provide their personal identification information to maintenance units, and encrypt the serial number of their oxygen generators before providing them to maintenance units for maintenance. The merchant agreed not to provide Ms. Yuan's personal identity information to the maintenance unit, but considered that the oxygen generator serial number was not "personal information" protected by law and did not require encryption, and rejected the request for encryption of the oxygen generator serial number.

Lawyer Analysis

Article 1034 (2) of the Civil Code stipulates that "Personal information is various information recorded electronically or in other ways that can identify a specific natural person individually or in combination with other information, including the name, date of birth, ID number, biometric identification information, address, phone number, email, health information, whereabouts information, etc." The core feature of personal information is "identifiability.", Including both the identification of individual identity and the identification of individual characteristics; The identification of individual identity determines the "who" of the information subject, and the identification of individual characteristics determines the "what kind of person" of the information subject, that is, the information can display individual natural or social traces, outlining the personal personality image.

"Information Security Technology - Personal Information Security Specification" (GB/T 35273-2020) specifies in Appendix A that determining whether a certain item of information belongs to personal information should consider the following two paths: first, identification, that is, from information to individuals, identifying specific natural persons based on the specificity of the information itself, and personal information should help identify specific individuals. The information used to identify individuals can be either individual information or a combination of information. Identifiability needs to be judged from the perspective of information characteristics and information processors in combination with specific scenarios. The second is association, that is, from individuals to information. If a specific natural person is known, the information generated by that specific natural person in their activities (such as personal location information, personal call records, personal browsing records, etc.) is personal information. Information that meets one of the above two conditions should be determined as personal information.

At the same time, Table A.1 in Appendix A of the "Information Security Technology Personal Information Security Specification" (GB/T 35273-2020) provides examples of personal information. The description of the "personal commonly used device information" in the eleventh line is as follows: "It refers to information describing the basic situation of personal commonly used devices, including hardware serial number, device MAC address, software list, unique device identification code (such as IMEI/Android ID/IDFA/OpenUDID/GUID/SIM card IMSI information, etc.).".

The serial number of the oxygen generator is the equipment identification code of the oxygen generator. If the serial number forms a one-to-one correspondence with a specific individual, it conforms to the description of "personal commonly used equipment information" mentioned above. Therefore, the serial number of the oxygen generator sold to a specific individual belongs to personal information protected by Chinese laws and regulations. In the aforementioned case, Ms. Yuan has the right to request the merchant to encrypt the serial number of her oxygen generator before providing it to the maintenance unit for maintenance.