In the future, if you suddenly don't want to use an app, can you get back your personal information such as your profile from this app? Or if you see another app with similar features, can you directly transfer the personal information of the original app to another app?
The Personal Information Protection Act (hereinafter referred to as the "Individual Protection Act") gives a positive answer. On November 1, 2021, the Individual Protection Law came into effect, clarifying the right of access and reproduction of individuals and the right to data portability – the former is aimed at ensuring the right of individuals to know and decide on the handling of their personal information, and the latter gives individuals the right to transfer personal information, which is considered to help solve problems such as data monopoly.
In China, many companies are moved by the wind, and some apps have updated their privacy policies to adapt to the personal insurance law. However, at present, the regulatory authorities have not yet issued specific rules, and still do not clearly stipulate the form and process in which personal information processors should meet the above rights. We tested 50 popular apps to see if we could get personal information back or transfer it from those apps. The results found that although some apps have already included the above rights in their privacy provisions, the actual implementation still requires time and further discussion.
Of the 50 apps tested, only 11 provided copies of their personal information
"The so-called reproduction is to require the personal information processor to provide the individual with the requested copy of his personal information," Cheng Xiao, a professor at Tsinghua University Law School, and Wang Yuan, an assistant researcher at Tsinghua University Law School, once wrote about the right of access to reproduction, and such copies should be in written form, including paper or electronic media.
Why should users be given the right to access reproduction and the right to data portability? Wang Xinrui, a partner at Shihui Law Firm, said in an interview with The Paper that the right to access and copy is to allow users to realize their right to know, that is, to clarify what personal information the app has acquired; the right to data portability is more to realize the right of individuals to self-determination, and the data flow initiated by users can also promote fair competition between enterprises and solve the data monopoly problem of data platforms.
Among the 50 popular apps evaluated this time, 19 apps have privacy policies that explicitly mention that users can copy personal information, and after the reporter issued an application to copy personal information, only 11 apps provided copies of personal information. During the evaluation process, a number of customer service said that they were not aware of this right, and the 6 apps did not reply within 15 days. In addition, some apps have different interpretations of the concept of "copying", for example, Weibo and JD Finance let users view the personal information of the app interface by themselves, while other apps provide separate files.
How is it reasonable to "copy" personal information? The European Union's General Data Protection Regulation (GDPR) provides a reference that considers copies of personal information to be structured, universally available, machine-readable. Wang Xinrui said that the personal insurance law does not stipulate the format of the copy provided by the app to the user, and the landing of this right will be refined in subsequent supporting rules such as the "Network Data Security Management Regulations". At present, the Regulations on the Administration of Network Data Security are in the stage of soliciting comments.
In terms of personal information transfer requests, there are currently fewer apps that offer this service. Among the 50 apps, only 5 apps have privacy policies that explicitly mention services that provide personal information transfer, for example, Douyin's privacy policy reads, "If you need to transfer the personal information we collect and store, we will provide you with a transfer path in accordance with the requirements of laws and regulations."
In the actual testing process, 3 Apps such as Douyin did not reply within fifteen days, Kuaishou said that users need to transfer their personal information by themselves, and Xiaohongshu said that users need to apply according to the corresponding contact information and meet the conditions stipulated by the Internet information department, Xiaohongshu will provide a way to transfer corresponding personal information. In fact, China has not yet issued regulations on the Internet information department supporting the transfer of personal information, which also means that the "meeting the conditions stipulated by the Internet information department" mentioned in the Little Red Book cannot be discussed for the time being.
It should be pointed out that issues such as the relationship between the right of access and the right of data portability still need to be further explored. Cheng Xiao et al. wrote in the article "On the Right of Access and Reproduction in China's Personal Information Protection Law" that there are obvious differences between the two, involving differences in the purpose of rights and the subject of legal relations. Fang Yu, director of the Internet Law Research Center of the China Academy of Information and Communications Technology, believes that the two should be mutually reinforcing, and that personal information that can be accessed and copied is the only one that can be carried, and vice versa.
Most of the copies of personal information obtained are relatively streamlined
Although some apps provide copies of personal information, the content is relatively simple. The paper combed and found that it basically covers five types of personal information, namely personal data, account information, real-name authentication information, device and App information, and usage information. Most apps provide copies of personal information in the first four types, which are a fraction of the money apps collect compared to the sheer amount of personal information they collect.
Relatively speaking, the copy of personal information provided by Vipshop is relatively rich, in addition to the basic personal information, size, etc., Vipshop will also provide order records, collection records and other usage information. During the evaluation process, JD Financial customer service said that for the safety of users' personal assets and other issues, it will not provide users with white strips, order records and other information for the time being.
"At present, except for some of the head apps, most apps are not ready to provide copies of these personal information to users", Wang Xinrui said, at present, the copy content that the App can provide is mainly the information that users fill in themselves, but the personal information comes more from the active acquisition of the App, such as geographical location, voice, photos, device identifiers, etc.
Fang Yu believes that users can only exercise the right to decide on correcting and deleting personal information if they first know what personal information the app has obtained. This is largely due to the obvious information gap between the personal information processor and the individual, the imbalance in technical capabilities and other aspects leads to the unequal status of the two, the personal information processor is processing personal information on a large scale, organized and structured, and the individual "may forget what personal information to give to an app, which is bound to affect the individual's exercise of other rights."
However, there is still no conclusive jury as to whether the app needs to provide all the personal information it collects, even derivative data such as user portraits. Fang Yu said that this involves the structure of the Internet market, if an app does not have another homogeneous opponent in the market, it will not make much sense to transfer the app's derivative data.
In addition, the evaluation results show that the download methods and identity verification processes of personal information copies of different apps are different. There are 7 apps that offer the option to export copies of personal information directly, while the rest require users to apply by email, phone, online customer service, etc. "There is no way but to respond to user requests by email or customer service," said a head Internet enterprise data compliance employee who did not want to be named in an interview with Caijing E law, saying that few users will apply to copy their personal information at present, and if they want to achieve the option of "users can export themselves", it will increase the cost of enterprises.
Authentication is a crucial part of the process of realizing the right to access reproduction and the right to data portability, involving risks such as information leakage. The GDPR stipulates that controllers should use all reasonable measures to verify the identity of data subjects when they request access to data, in particular by using online services and online identifiers. Controllers should not retain personal data solely in response to requests from potential data subjects.
An industry insider engaged in the data compliance industry told The Paper that it is more difficult to achieve personal information transfer, the data interface, mode and content of each enterprise are different, and the cost of data compliance and the risk of data leakage are quite high.
In this review, Vipshop, WPS Office and Kugou Music have different verification methods. Vipshop requires users to provide screenshots of the Vipshop App's "Personal Center -Settings-Account and Security" interface; WPS Office requires users to take photos of the front and back of their handheld ID cards and send them to the App mailbox; Kugou Music has a special authentication form, users need to fill in basic application information and provide at least one authentication information, such as registration time, registration location, mobile phone number, commonly used device models logged in, and frequent login locations.
Kugou Music User Personal Information Copy Application Form