Strengthen the personal information security defense line of minors
Experts believe that the Personal Information Protection Law should give special protection to minors’ information
□ Our reporter Zhao Chenxi
Whether to allow authorization to open the album, whether to authorize to open the address book, whether to authorize to open the location... Nowadays, if you want to use an app normally, people must first enter into a "deal" with the platform. Most people seem to be used to the default platform. After all, if you click Close or Reject, you may not be able to use the service normally, or even the App may crash directly.
Now, there are local legislations that "take action" on this type of behavior.
On June 29, the "Shenzhen Special Economic Zone Data Regulations" (hereinafter referred to as the "Regulations") was voted through at the second meeting of the Standing Committee of the Seventh People's Congress of Shenzhen, Guangdong Province, and will come into force on January 1, 2022.
The "Regulations" say "no" to acts such as collecting personal information arbitrarily and compulsory personalized recommendation, and impose heavy penalties.
Zhang Tao, director of the China Society for Market Regulation, said in a recent interview with a reporter from the Rule of Law Daily that the Regulations, as the first basic and comprehensive legislation in the domestic data field, focus on the protection of personal information, especially strengthening the protection of personal information of minors. Some of these provisions can provide reference for the draft personal information protection law under consideration.
"Inform-agree" rule to curb mandatory app bundling
The issue of App authorization permissions is actually a common topic.
The "Interim Provisions on the Management of Personal Information Protection and Management of Mobile Internet Applications (Draft for Comment)" that were publicly solicited in April this year clarified that the two important principles of "informed consent" and "minimum necessary" should be followed when engaging in personal information processing activities in apps. , And also specifically pointed out that a non-default check method should be adopted to obtain user consent.
The "Regulations" clarified the five basic principles for handling personal data, namely, legality and fairness, minimum necessity, informed consent, accuracy and integrity, and the principles of ensuring safety.
In this regard, Lin Zhengmao, deputy director of the Legal Work Committee of the Standing Committee of the Shenzhen Municipal People's Congress, said that in terms of personal data protection, the provisions of the "Regulations" and the second-review draft of the Personal Information Protection Law have maintained convergence.
In response to the various chaos in the process of personal information collection and use, the second review of the personal information protection law establishes the principles to be followed in the processing of personal information, emphasizing that the processing of personal information should be handled in a legal and proper way, with a clear and reasonable purpose, Restricted to the minimum scope for realizing the processing purpose, the disclosure of processing rules, and the adoption of necessary security measures, etc., these principles should run through the entire process of personal information processing activities.
Regarding the specific connotation of the "least necessary" principle that major App platforms are more concerned about, the second-review draft of the Personal Information Protection Law stipulates that the processing of personal information should be limited to the minimum scope necessary to achieve the processing purpose, and the method that has the least impact on personal rights and interests should be adopted. No personal information processing that has nothing to do with the purpose of processing is prohibited.
Zhang Tao noted that Article 11 of the "Regulations" enumerates the principle of "least necessary", for example, including the establishment of a minimum authorized access control strategy, so that personnel authorized to access personal data can only access the minimum required to complete their duties. Personal data, and only have the minimum data processing authority required to complete the duties.
At the same time, the expression "including but not limited to" was used to leave room for future improvement.
"This is a very good legislative innovation, and it should also be used for reference in the formulation of the Personal Information Protection Law." Zhang Tao pointed out that the second-review draft of the Personal Information Protection Law did not set specific requirements for the minimum necessary principle. Suggestions can be further improved. Refined, and put forward more specific criteria for determining how to judge violations of the principle of minimum necessity, which is more helpful to the implementation of the principle of minimum necessity, and provides better behavioral guidelines for data processors, data providers, law enforcement and supervision departments, etc.
Currently, apps often bundle the collection of personal data with their functions or services through a "package agreement", which makes many users "dare to speak up". With the promulgation of the Personal Information Protection Law, this behavior will be regulated.
The second review of the Personal Information Protection Law establishes personal information processing rules with "information-consent" as the core, and requires that personal information should be processed with full notification in advance to obtain personal consent, and not to refuse to provide products on the grounds of personal disagreement Or service.
The Regulations are also based on this rule that the processing of personal information should obtain personal consent under the premise of full notification in advance, and data processors should provide ways to withdraw consent, and must not impose unreasonable restrictions or impose unreasonable conditions on the withdrawal of consent.
"The notification in the'inform-consent' rule is to fully protect the individual subject's right to know, and consent is to protect the individual's right to make independent decisions about information. Only by protecting these two rights can the security of personal information be fundamentally guaranteed." Zhao Zhanzhu, a special researcher of the E-commerce Research Center, said.
Treat minors' information as sensitive personal information
According to the latest "Statistical Report on Internet Development in China", as of December 2020, the proportion of netizens in my country’s primary school and below has increased from 17.2% in March 2020 to 19.3%. Minors are already the majority of Chinese netizens. An important part of.
As the "age to touch the Internet" continues to decrease, how to protect the personal information security of minors has always been a concern.
Zhao Zhanzhu noted that there are many provisions in the "Regulations" that specifically target the data protection of minors.
The most noteworthy thing is that the "Regulations" treat the personal data of minors under the age of 14 as sensitive personal data, and apply relevant regulations on handling sensitive personal data. This is the first time in domestic legislation.
In Zhao Zhanzhu’s view, the regulations on sensitive personal data have borrowed from the regulations on “Personal Information of Children under the Age of Fourteen are Sensitive Personal Information” in the “Information Security Technology Personal Information Security Regulations” that came into effect on October 1, 2020.
In the second review draft of the Personal Information Protection Law, “sensitive personal information” is also stipulated, which refers to personal information that, once leaked or illegally used, may lead to personal discrimination or serious harm to personal and property safety, including race, Ethnicity, religious beliefs, personal biological characteristics, medical health, financial accounts, personal whereabouts and other information.
For personal information processors handling the personal information of minors under the age of 14, the second review of the draft requires the consent of the minor’s parents or other guardians.
However, the personal information of minors is not protected as personal sensitive information.
"Minors are the future and hope of the country’s development. Their cognitive, discrimination and self-protection abilities are relatively weak. With the emergence of illegal collection and use of personal information, it is even more necessary to strengthen the protection of minors’ personal information. In order to effectively protect the interests of minors.” Zhang Tao believes that it is necessary to learn from the “Regulations” and treat the personal information of minors under the age of 14 as sensitive personal information in the Personal Information Protection Law.
Strengthen the protection of minors' personal information at multiple levels
According to Zang Tiewei, spokesperson for the Legislative Affairs Committee of the Standing Committee of the National People's Congress, after the China National People's Congress website publicly solicited public opinions on the second draft of the Personal Information Protection Law, a considerable number of people suggested further strengthening the protection of minors' personal information.
Zhang Tao also suggested strengthening the protection of minors' personal information.
He said that the current second-review draft of the Personal Information Protection Law only stipulates that the processing of minors’ personal information should obtain the consent of the minor’s parents or other guardians before processing, but it does not clarify the specific method of consent, nor does it stipulate other issues. Ways to protect the personal information of minors.
Liu Deliang, director of the Asia-Pacific Cyber Law Research Center, agrees with this. He believes that personal information has more and more commercial value in the Internet age, which is the main reason for the increasing proliferation of illegal collection, trading, and abuse.
The commercial value behind the personal information of minors is huge, but their ability to distinguish themselves is weak. It should be specially protected by the law. It is necessary to strengthen the regulations on the collection and use of personal information of minors by information processors, and increase the protection against infringements on minors. Strengthen the protection of minors’ personal information at multiple levels, including the crackdown on illegal acts of personal information.
Just search for a certain product or open a certain news, the platform will push similar products or information... While user portraits and personalized recommendations provide accurate services, they also make people feel that privacy is being "watched", especially for lack of For minors with basic cognitive abilities, it is even more difficult to discern whether such recommendations are in their own interests.
For this reason, the "Regulations" make it clear that, except for the purpose of safeguarding the legitimate rights and interests of minors under the age of fourteen and obtaining the express consent of their guardians, no personalized recommendation shall be made to them.
Zhang Tao pointed out that Article 25 of the second review draft of the Personal Information Protection Law regulates the use of personal information for automated decision-making, but this provision is universal and does not follow the special circumstances of the protection of minors’ personal information. Make targeted provisions.
In principle, the "Regulations" prohibit personalized recommendations to minors, and only allow them under exceptional circumstances, reflecting the preferential protection of minors’ personal information.
It is recommended that corresponding regulations be added in the process of formulating the personal information protection law to provide preferential protection.
Liu Deliang also said that personal information protection legislation should pay attention to the direction, not blindly to keep the information secret, and more importantly, how to prevent misuse, especially for the information of minors, which is more important.