Chinanews client, Beijing, November 14th (Reporter Wu Tao) Leaks of personal private information on the Internet occur from time to time, and apps often force users to grant authorization, otherwise they cannot be used. In the future, there will be rules for handling such "can't get in" situations.

  On the 14th, the National Cyberspace Administration of China issued a notice on the "Regulations on Cyber Data Security Management (Draft for Comment)" (hereinafter referred to as the "Draft for Comments"), which intends to strengthen the building of data security protection capabilities, ensure the orderly and free flow of data in accordance with the law, and promote the rational and effective use of data in accordance with the law.

How to deal with personal information?

  The "Draft for Comments" pointed out that data processors shall not refuse to provide services to individuals, or interfere with their normal use of services, because those individuals refuse to provide information other than the personal information necessary for the service.

The picture comes from a screenshot of the "Regulations on Network Data Security Management (Draft for Solicitation of Comments)".

  The "Draft for Comments" also pointed out that consent to process personal information is to be requested from individuals according to the type of service, and general terms may not be used to obtain consent; the processing of sensitive personal information such as personal biometrics, religious beliefs, specific identities, medical health, financial accounts, and whereabouts should obtain individual consent.

  "To process the personal information of minors under the age of fourteen, the consent of their guardian shall be obtained; it is not allowed to force individuals to agree to the processing of their personal information on the grounds of improving service quality, enhancing user experience, developing new products, etc., or to obtain individual consent through coercion, etc.; you must not induce or force individuals to consent to bulk personal information by bundling different types of services, batch application for consent, etc.; you must not frequently ask for consent and interfere with the normal use of services after an individual expressly disagrees."

  In addition, when the user proposes to terminate the service or personally cancel the account, the data processor shall delete the personal information or anonymize it within fifteen working days.

  It is worth noting that there have been apps and community properties that forced face recognition on users. The "Draft for Comments" pointed out that if data processors use biometric characteristics for personal identity authentication, they should conduct risk assessments of the necessity and safety, and must not use biometric characteristics such as face, gait, fingerprints, iris, and voiceprints as the only way of personal identity authentication in order to force individuals to agree to the collection of their personal biometric information.

Companies can't do these things

  In addition to the proposed rules for personal information processing, the "Draft for Comments" also sets out various requirements for data processors, stating that any individual or organization carrying out data processing activities shall not illegally sell or illegally provide data to others; shall not steal or otherwise illegally obtain data; and shall not infringe on the reputation, privacy, copyright, and other legal rights of others.

File photo: a user performing face recognition in an app. Photo by Niu Jing of China News Agency

  "Any individual or organization that knows or should know that others are engaged in the activities mentioned in the preceding paragraph shall not provide them with technical support, tools, procedures, advertising promotion, payment and settlement and other services."

  Data processors shall protect data from leakage, theft, tampering, damage, loss, and illegal use, respond to data security incidents, prevent illegal and criminal activities that target and use data, and maintain the integrity, confidentiality, and availability of data.

  "In the event of a data security incident such as the leakage, destruction, or loss of important data or personal information of more than 100,000 people, the data processor shall also report the basic information of the incident to the network information department of the city divided into districts and relevant competent departments within eight hours of the incident, including the amount of data involved, type, possible impact, disposal measures that have been or are planned to be taken, etc.," the "Draft for Comments" pointed out.

  In addition, the "Draft for Solicitation of Comments" regulates some "crawlers" on the Internet: where the use of automated tools to access and collect data violates laws, administrative regulations or industry self-discipline conventions, affects the normal functions of network services, or infringes other people's intellectual property rights and other legitimate rights and interests, the data processor shall stop the access and data collection and take corresponding remedial measures.

(End)