The "Personal Information Protection Law of the People's Republic of China" is released, which provides targeted regulations on issues such as excessive collection of personal information, automated decision-making and differentiated pricing——


  The company's handling of personal information is delineated

  Reading tips

  In the information age, the protection of personal information has become one of the most direct and practical interests of the people.

On August 20, the 30th meeting of the Standing Committee of the 13th National People's Congress passed the Personal Information Protection Law.

The Personal Information Protection Law further refines and perfects the principles and personal information processing rules to be followed in the protection of personal information, clarifies the boundaries of rights and obligations in personal information processing activities, and draws a red line for enterprises to process personal information activities.

  According to statistics, as of the end of last year, my country's Internet users had reached 989 million, and the number of Internet websites and applications exceeded 4.4 million and 3.4 million respectively.

Some enterprises, institutions and even individuals have serious problems such as random collection, illegal acquisition, excessive use, and illegal trading of personal information, and the use of personal information to invade the people’s peace of life and endanger the lives and health of the people and the safety of their property.

  After three deliberations, on August 20, the Thirtieth Session of the Standing Committee of the 13th National People's Congress officially passed the Personal Information Protection Law, which will come into effect on November 1, 2021.

The Personal Information Protection Law further refines and perfects the principles and personal information processing rules to be followed in the protection of personal information, clarifies the boundaries of rights and obligations in personal information processing activities, and draws a red line for enterprises to process personal information activities.

  "Inform-agree" is the core rule

  For a long time, the problem of excessive collection of personal information by applications has been a major focus of social concern.

In practice, the apps launched by Internet companies usually check the "privacy agreement" to obtain the user's package authorization, and users often face the dilemma of "disagreement is unavailable".

  The Personal Information Protection Law establishes the principles to be followed in the processing of personal information, emphasizing that the processing of personal information should follow the principles of lawfulness, fairness, necessity, and integrity, have a clear and reasonable purpose and be directly related to the purpose of processing, and adopt a method that has the least impact on personal rights and interests , Limited to the minimum scope to achieve the processing purpose, disclose the processing rules, ensure the quality of the information, take safety protection measures, etc.

  "These principles should run through the entire process and all links of personal information processing." On August 20, Yang Heqing, deputy director of the Economic Law Office of the Legal Work Committee of the Standing Committee of the National People's Congress, said when he interpreted the Personal Information Protection Law.

  The Personal Information Protection Law focuses on regulating personal information processing activities and protecting the rights and interests of personal information to build a personal information protection legal system.

"'Inform-consent' is the core rule of personal information protection established by the law, and it is an important means to protect the right of individuals to know and make decisions about the processing of their personal information." Yang Heqing said.

  The Personal Information Protection Law requires that the processing of personal information should be fully informed in advance to obtain personal consent. If important matters of personal information processing change, the individual should be notified and consent should be obtained again.

  Xue Jun, a professor at Peking University Law School, said that this kind of consent is a valid consent based on notification, including "individual consent" and "written consent", which can be "withdrawn" after "agreement".

This fully reflects the legislative recognition that personal information is protected by law.

  Emphasizes the prohibition of "big data killing"

  Currently, more and more companies use big data to analyze and evaluate consumers' personal characteristics for commercial marketing.

Some of these companies use information such as consumers’ economic conditions, consumption habits, and price sensitivity to discriminate against consumers in terms of transaction prices, misleading and defrauding consumers. The most typical of these is the society. Reflects the prominent "big data".

  "The act of'big data' is a violation of the principle of good faith and the right of consumers to enjoy fair trading conditions stipulated by the Consumer Rights Protection Law. It should be prohibited by law." Yang Heqing said.

  In this regard, the Personal Information Protection Law clearly stipulates that when personal information processors use personal information to make automated decisions, they shall ensure the transparency of the decisions and the fairness and impartiality of the results, and shall not impose unreasonable differential treatment on individuals in terms of transaction conditions such as transaction prices.

  On the one hand, operators should follow the law and follow the principles of openness, fairness and justice to set up algorithm models and formulate automated decision-making rules, and must not impose discriminatory and unfair treatment on consumers; on the other hand, personal information processing Consumers should protect consumers’ right to know and choose. When pushing information and commercial marketing to individuals, they should also provide options that are not specific to their personal characteristics, or provide individuals with convenient ways to refuse.

  Strictly protect sensitive personal information

  It is worth noting that the Personal Information Protection Law lists biometrics, religious beliefs, specific identities, medical and health, financial accounts, whereabouts and other information, as well as the personal information of minors under the age of 14 as sensitive personal information.

  "This is mainly considering that once such information is leaked or used illegally, it is very easy to cause the personal dignity of natural persons to be infringed or personal and property safety to be endangered, and the activities of processing sensitive personal information should be more strictly restricted." Yang Heqing said.

  In this regard, the Personal Information Protection Law requires that sensitive personal information can only be processed when it has a specific purpose and sufficient necessity and strict protection measures are taken. At the same time, an impact assessment should be carried out in advance and the individual should be informed of the need for processing. Sex and its impact on personal rights.

  Considering that children are not yet mature physically and psychologically, their cognitive abilities and ability to control their own behavior are weak, and they are easily induced by information push and commercial marketing, and lack the need to deal with violations of their legitimate rights and interests. In order to protect the personal information rights and physical and mental health of minors, the Personal Information Protection Law specifically identifies the personal information of minors under the age of 14 as sensitive personal information and strictly protects them.

At the same time, in line with the relevant provisions of the Juvenile Protection Law, the Personal Information Protection Law requires that the processing of the personal information of minors under the age of fourteen should obtain the consent of the minor’s parents or other guardians, and special personal information should be formulated for this. Processing rules.

  Reinforce the obligations of personal information processors

  The personal information processor is the first person responsible for the protection of personal information.

Accordingly, the Personal Information Protection Law emphasizes that personal information processors should be responsible for their personal information processing activities and take necessary measures to ensure the safety of the personal information processed. On this basis, a special chapter has been set up to clarify the personal information processors’ Obligations such as compliance management and protection of personal information security.

  It is worth noting that the Personal Information Protection Law sets special personal information protection obligations on large-scale network platforms.

  "In terms of personal information processing, the Internet platform provides basic technical services and sets basic processing rules for operators on the platform to process personal information. It is a key link in the protection of personal information." Yang Heqing pointed out that the provision of important Internet platform services has a huge number of users. Personal information processors with complex business types have strong control and dominance over transactions and personal information processing activities within the platform, so they should assume more legal obligations in terms of personal information protection.

  The executive director of the Digital Economy and Legal Innovation Research Center of the University of International Business and Economics emphasized that in addition to state agencies, the Internet platform is currently the largest personal information collector and the most important market entity for personal information protection.

Establishing and improving personal information protection regulations through large-scale Internet platforms and restricting platform operators is an important part of improving the personal information protection law in the future.

  "The Personal Information Protection Law uses strict systems, strict standards, and strict responsibilities to establish a system and rules for personal information processing and protection with clear rights and responsibilities, effective protection, and standardized use. All sectors of society should strengthen personal information protection publicity and education to improve Awareness of the rule of law for personal information protection, promote the implementation of the personal information protection law, and help the construction of a network power, a digital China, and a smart society.” Yang Heqing said.

  Reporter: Lu Yue