Following the implementation of the Personal Information Protection Law, the Ministry of Industry and Information Technology requires the establishment of a list of personal information shared with third parties

The era of barbaric gold-digging for personal information is over

  You browse home-purchase information on your mobile phone, then turn around and receive a sales call for renovation services; you mention a product in a chat, then open a shopping app and see advertisements for similar products... For many people, "app-monitored" scenarios like these are not unfamiliar.

  On November 8, the Ministry of Industry and Information Technology interpreted the "Notice on Carrying out Information and Communication Service Perception Improvement Actions" and pointed out that a list of personal information shared with third parties should be established to let users know what information the company has collected and where the information will be shared.

  In the era of the Internet and big data, personal information is a precious digital asset, and protecting the rights and interests of personal information is one of the most direct and practical interests of the people.

In the face of excessive collection, illegal acquisition, illegal transactions, leakage, abuse and other disorder, how can a "golden bell" be built for personal information security?

What changes will the "Personal Information Protection Law" bring about after its implementation?

How to balance the relationship between the innovation and development of the digital economy and the protection of personal information?

This reporter interviewed relevant experts.

Personal information security issues have been repeatedly exposed, and there are hidden dangers online and offline

  QQ Music collects personal information beyond the scope, and Atour uses personal information in violation of regulations... On November 3, the Ministry of Industry and Information Technology notified 38 apps of problems including out-of-scope and excessive collection of users' personal information, and required that rectification be completed before November 9.

Out-of-scope and frequent permission requests by apps, and the collection of users' personal information in non-service scenarios, are the prominent hidden dangers for online personal information protection.

  The reporter opened the relevant policy statement of a music application. In the chapter "How to collect and use personal information", in addition to purposes such as completing registration and login and performing identity authentication, the policy also covers commercial use of some of the collected personal information, for example extracting browsing and search preferences and location information to push personalized advertisements. This is also the potential commercial value of personal information in the digital economy era.

  Using personal information to build accurate user profiles helps improve the user experience and plays an active role in the development of the digital economy, but it also gives rise to infringements of consumer rights such as big data "killing familiarity".

According to a special survey conducted by the Beijing Consumers Association, 88.32% of the respondents believe that the phenomenon of "killing familiarity" with big data is common or common.

  "Everyone has a more obvious feeling about the problem of big data 'killing familiarity'," Huang Daoli, director and researcher of the Cyber Security Law Research Center of the Third Research Institute of the Ministry of Public Security, said. Symmetrical, price discrimination is imposed on users.

It is mainly caused by algorithmic pricing, and it typically shows up as new and old users being treated differently on price.

  In addition to improper collection and utilization, some companies or individuals also put personal information on the trading table and sell it at marked prices. This breeds various illegal and criminal activities such as network fraud and telecommunication fraud, forming a black industrial chain of personal information leakage, trading, and fraud.

  For example, in a case of infringement of citizens' personal information uncovered by the police in Huai'an, Jiangsu, a bank employee sold the identity information, phone numbers, balances and even transaction records of bank card users at a price of 80 to 100 yuan each for profit. More than 50,000 pieces of personal information were involved. Internal employees of a courier company colluded with outside criminals and leaked 400,000 pieces of user personal information, of which approximately 45,000 pieces of effective information were packaged and sold to areas with a high incidence of telecommunications fraud at a price of 1 yuan each.

  The infringement of personal information is not limited to online; there are also hidden dangers offline, especially in the collection and utilization of biometric data such as faces, fingerprints, and irises.

In addition to actively "scanning one's face" for convenience in scenarios such as station ticket checking and mobile payment, there is also the risk of having one's face passively scanned without knowing it.

  Some stores use "non-inductive" facial recognition technology to collect consumer facial information without consent.

On October 29, the People's Court of Shangcheng District, Hangzhou City, Zhejiang Province accepted a case involving a consumer suing a shopping mall for facial capture.

When a college student was shopping in a mall in Hangzhou, he found that a face recognition camera was installed outside a store.

As long as consumers arrive at the store, they will be automatically captured and registered as members, and businesses will conduct precision marketing by combining facial information with consumer behavior analysis.

  There are also sellers who publicly sell facial recognition videos and buy and sell facial information on social platforms. Problems such as "loaning" and infringement of privacy and reputation due to the leakage of facial information and other identity information often occur.

According to the "Face Recognition Application Public Survey Report (2020)" issued by the APP Special Governance Working Group established by the National Information Security Standardization Technical Committee and other organizations, among more than 20,000 interviewees, 30% indicated that they had suffered loss of privacy or property due to the leakage or misuse of facial recognition information.

"Inform-Consent" is the core rule of the "Personal Information Protection Law", and the collection of personal information should be limited to the minimum scope for the purpose of processing

  On November 1, China's first dedicated personal information protection law, the "Personal Information Protection Law", was formally implemented.

  "This is an indispensable basic legislation for my country in the digital age, and it meets the legislative needs of the most direct and practical interests of everyone." Long Weiqiu, dean of the Beijing University of Aeronautics and Astronautics Law School, told reporters that personal information is a new and fundamentally important personal interest that has begun to emerge in the Internet information age, and that its value is revealed through data mining and commercial applications.

The relationship between the protection of personal information and the development of digitalization is becoming more and more complex. In particular, unauthorized personal information processing and increasing abuse have become pain points that need to be resolved urgently.

  "Inform-Consent" is the core rule of personal information protection established by the "Personal Information Protection Law".

"The 'Personal Information Protection Law' clarifies that the processing of personal information should have a clear and reasonable purpose, and should be directly related to the purpose of processing, and adopt a method that has the least impact on personal rights and interests. The collection of personal information should be limited to the smallest scope for achieving the purpose of processing." Yang Heqing, deputy director of the Economic Law Office of the Legal Work Committee of the Standing Committee of the National People's Congress, said that personal information processors can process personal information with personal consent. If important matters of personal information processing change, they should re-inform the individual and obtain consent.

  In the full text of the Personal Information Protection Law, the word "inform" appears 16 times and the word "consent" appears 27 times.

"The 'inform-consent' rule is an inevitable requirement for individuals to have the right to know and make decisions about the processing of personal information. To ensure that individuals are 'fully informed' of the processing of information, individuals should be informed in a conspicuous manner and in clear and understandable language. In processing his information, how the information is processed, what kind of impact it may have on him, and how to request corrections, inquiries, and deletion of personal information, etc." said Liu Rui, a professor at the Political and Law Department of the Central Party School (National School of Administration).

  "Consent" is not a single, one-size-fits-all notion.

The "Personal Information Protection Law" clearly stipulates two consent mechanisms, one is broad consent, and the other is individual consent.

For example, the law stipulates that personal information processors must obtain individual consent for processing sensitive personal information, providing or disclosing personal information to others, and transferring personal information across borders.

  "Personal information is of different importance to subjects. Some are sensitive information, some are private information, and some are general information. Therefore, the intensity of notification, the method of consent, and the degree of clarity are also different." Professor of Renmin University of China Law School, Chinese Law Zhang Xinbao, vice president of the Institute of Network Information Law, said that the "Personal Information Protection Law" made a detailed distinction.

  The "Personal Information Protection Law" has also made a clear response to issues on which the public has voiced strong complaints, such as asserting their rights, being unable to use an app without giving consent, excessive collection of user information, and big data "killing familiarity".

For example, Article 24 of the law directly addresses big data "killing familiarity", which is conducive to regulating the application of artificial intelligence and other emerging information technologies in the field of personal information processing: personal information processors who use personal information to make automated decisions should ensure the transparency of decision-making and the fairness and justice of the results, and no unreasonable differential treatment shall be imposed on individuals in terms of transaction prices and other transaction conditions.

  "Personal information protection issues are often wrapped in technology-neutral coats, and even black-boxed by operating systems such as algorithms." Long Weiqiu said that personal information processing activities are essentially scientific and technological application activities, which are different from general behavioral governance. Governance.

The "Personal Information Protection Law" establishes a strong regulatory system and goes deep into the level of technical governance. The ultimate goal is to allow technology to develop for the better.

Misuse of users’ personal information stems from excessive collection of personal information, and “gatekeeper” regulations are forcing Internet companies to standardize their behavior.

  "We have added a personal information browsing and export mechanism for you, set up system permissions and application authorization management portals, and added a personalized recommendation management channel to disclose in more detail how WeChat handles your personal information." Recently, WeChat and many other apps have sent similar notifications to users.

  "Apple has prepared for the 'Personal Information Protection Act'." Apple also promised in the email sent to users "to ensure that users can understand, obtain, and correct their personal data, can restrict the use of personal data, and can delete this data."

  A legal affairs staff member at an Internet company said, "In order to comply with the 'Personal Information Protection Law', the legal affairs of various Internet companies are working overtime. In the face of detailed regulations, there are too many places to be changed."

  The misuse of users' personal information actually starts with the excessive collection of personal information.

Liu Dian, an associate researcher at the China Research Institute of Fudan University, told reporters, “For platform companies, user information data is an important asset with commercial value. effect."

  Taking Alibaba as an example, users' consumption records on Taobao are analyzed through algorithms to form personal credit approval, which in turn gave birth to financial products such as Huabei.

  "From information collection, processing to value conversion, it is a complete data value chain. Based on this business logic, many Internet companies tend to collect more personal information and form data as much as possible and with wide coverage. This is the reason for excessive collection," Liu Dian said.

  In contrast, the business models of the consumer Internet industry are almost all based on consumer data based on personal information, and profit from advertising is also the basis for many apps to be free.

When information is collected to build "portraits" of users, the core data is often closely tied to the privacy of personal information.

Risks follow; after all, once data is collected, its specific application scenarios are difficult to predict.

  When the people call, the law responds.

Article 58 of the "Personal Information Protection Law" further improved the "Gatekeeper Clause": first, "providing basic Internet platform services" was changed to "providing important Internet platform services"; second, the obligation to improve the personal information protection compliance system; third, a separate gatekeeper obligation has been added, that is, to follow the principles of openness, fairness, and justice, formulate platform rules, and clarify the standards for handling personal information by product or service providers on the platform and their obligations to protect personal information.

  In order to enhance users' perception of personal information protection, on November 1, the Ministry of Industry and Information Technology issued a notice requiring companies to establish a "dual list" of personal information protection (i.e., a list of collected personal information and a list of personal information shared with third parties), and to display the lists in the app's secondary menu so that users can easily look them up.

At the same time, it is required to improve the personal information protection capabilities of APP's key responsibility chains, encourage app stores to provide testing services for apps on this platform, promptly report relevant issues to app developers and urge corrections to prevent illegal apps from being put on the shelves.

Overall consideration of efficiency and fairness, vitality and order, development and safety requires a balance in practice to escort the sustainable and healthy development of the digital economy

  In the past ten years, China's digital economy has developed rapidly. According to the China Academy of Information and Communications Technology, the added value of the digital economy has increased from 9.5 trillion yuan in 2011 to 35.8 trillion yuan in 2019, and its share of GDP has increased by more than 15%.

In 2020, when the COVID-19 epidemic hit, the contactless economy of online office work, video conferencing, and online teaching boomed, effectively hedging economic downturn risks and accelerating companies' digital strategic planning.

A survey of more than 2,000 companies around the world found that the epidemic has advanced the global digitalization process by at least 5 to 7 years.

  Around the digital economy, many new business formats are still in the development stage.

Their development is premised on the high mobility and sharing of information and data.

Most users, on the one hand, hate the risks of information sharing and data leakage, and on the other hand, do not reject certain conveniences in life that are based on information sharing.

Such "privacy paradoxes" are not uncommon.

  Liu Dian believes that with regard to the protection of personal information rights, the core issue is that the information in the user's personal space is taken out and put into the public and commercial areas for circulation. In this process, individuals should receive reasonable compensation for the transfer of this part of the right.

In addition, there should be a good remedy for the potential impact on other rights of users.

  In Liu Dian's view, the "Personal Information Protection Law" has responded positively to this: first, it clarifies the specific content of the protection of personal information rights and interests; second, it clarifies what remedies are available after personal information rights are damaged; third, it establishes the responsibility of platforms and builds the entire regulatory framework.

In the future, how to coordinate the three relations of efficiency and fairness, vitality and order, and development and security will still need to find a balance in specific judicial and commercial practices.

  In the past, domestic penalties for collecting personal information in violation of laws and regulations were limited, relying mainly on corporate self-discipline or on regulatory authorities using measures such as rectification within a time limit, interviews, and delisting. The supporting laws were still incomplete.

  The entry into force of the "Personal Information Protection Law" this time has made the abuse of personal information a "sticky drink".

The "Personal Information Protection Law" clarifies that for general illegal acts, the supervisory authority can order corrections, give warnings, confiscate illegal gains, and order the related applications to suspend or terminate the provision of services; if they refuse to make corrections, a fine of less than 1 million yuan will be imposed; the directly responsible person in charge and other directly responsible persons shall be fined 10,000 yuan up to 100,000 yuan.

For serious illegal acts, the supervisory department at or above the provincial level shall order corrections, confiscate the illegal income, and impose a fine of less than 50 million yuan or less than 5% of the previous year's turnover, and may order the suspension of related businesses or suspension of business for rectification, and notify the relevant competent authorities to revoke relevant business permits or business licenses.

  From strengthening anti-monopoly to preventing the disorderly expansion of capital, to strengthening the protection of personal information, the era of barbaric growth of Internet companies has passed, and sustained and healthy development has become the theme of the digital economy.

  Our reporters Guan Xiaopu and Chai Yaxin