Zheng Haoran | Research on the boundaries between enterprise data rights and user privacy

Zheng Haoran

Graduate student in litigation law of Liaoning Normal University

Contents

1. The need to distinguish between privacy and data

2. Personal privacy in the data age

3. The right to enterprise data in the data age

4. The boundaries between enterprise data rights and user privacy

Conclusion

Big data technology spans several layers: data collection and preprocessing, data storage and management, data processing and analysis, and data security and privacy protection. Each layer depends on user data, but at present enterprises collect information excessively or store it improperly, causing trouble in users' lives. This article analyzes the boundaries of privacy through the theory of the right to be alone and argues that, under the "Fair Information Practice Principles", the boundary between enterprise data rights and user privacy should be dynamic, defined by not disturbing the user's peaceful life, providing users with non-discriminatory service, and ensuring the security of user data.

Internet technology has reached households everywhere, and people continue to enjoy the benefits of its development. Internet companies deliver precisely targeted services by collecting many kinds of user information covering all aspects of life. Enterprises of every kind recognize how important user data is to their operations and try to collect ever more comprehensive and detailed personal information. Individual users, too, experience the benefits of targeted services after providing personal information to enterprises. But once enterprises hold that information, it also brings problems into personal lives, such as information leakage, excessive collection of information and discriminatory services.

Since the advent of the big data era, the technologies for collecting and using big data have not been regulated and have been called into question in practice, which has gradually drawn attention to this field. In its short commentary on the "first face recognition case in China" in 2019, the People's Court Daily wrote that "biological information such as faces is unique and unchangeable, and once leaked, it is in an irreversible state. While face recognition is convenient for enterprise management, it may infringe on personal rights and interests; face recognition cannot come at the expense of security, and at the very least users should be given the right to know and to choose." It is not only externally visible information that is easily abused by enterprises: more and more applications collect usage data in order to push content of interest to users, which has prompted reflection on the collection of user data itself. What data is collected? Where is the threshold between collecting data and users' privacy? Issues related to data, personal information and privacy are beginning to be noticed by scholars in cutting-edge fields. Once emerging rights appear, not only does their specific meaning need to be defined, but the distinctions between similar concepts also deserve attention. In the data age, enterprises need to collect user data, and a line must be drawn between what is personal privacy and what is enterprise data, yet the specific boundary is rarely discussed. This article combines the definition of privacy, the characteristics of data and the Fair Information Practice Principles to delimit the boundary between data and users' personal information.

App notices are unclear

App service providers should give notice through the "License Service Agreement" or "Privacy Policy" shown on the login, registration and usage pages. The problem is that some applications do not explain what information they collect, so users submit data without knowing it and are denied both the right to know whether information is being collected and the right to choose whether it may be collected. Even if insufficient notice of that kind is a thing of the past, enterprises now pack so much content into these service agreements that people have no inclination to read each clause carefully, or the important information is drowned in a mass of useless text, which is another form of insufficient notice.

To understand how applications on the market collect information, we selected one application of each type and analyzed its electronic agreements, such as the User Agreement or the Privacy Policy. The sample covers social, payment, shopping, short video, reading and image beautification applications, and the agreements were compared by word count, main content, the user information collected, how information is protected, and how key content is brought to the user's attention. What many apps have in common is that the User Agreement and Privacy Policy sit at the bottom of the login page, in blue text that marks them as clickable links. For some applications, whether the User Agreement and Privacy Policy are visible after download depends on the user's device. On the iOS client, the user sees them only by tapping the personal center in the lower right corner to reach the login page, where a line of small print under the login options reads "Registration or use means that you agree to our terms of use and privacy policy". The Terms of Use and Privacy Policy there are not marked as links with a different color; they appear in the same color, without obvious bolding, and the user discovers that they lead to the corresponding pages only after a tentative tap. On the Android client, the app displays a pop-up notice, and a user who continues to use the app is deemed to have accepted the User Agreement and Privacy Policy.

For many applications, the word count of these two documents is 7,000 to 13,000 words. The User Agreement and Privacy Policy may also link to two or three further documents covering the protection of minors, device lists, SDKs and other information. Where keywords need lengthy explanation, some applications turn the keyword into a hyperlink that a user with doubts can open, which saves space while still serving an explanatory function. The content of these electronic agreements mainly comprises rules of use, the collection, use, storage and sharing of user information, and disclaimers. Although the applications operate in different fields, all of them collect usage information during use, including approximate location information and service logs, in order to provide precise personalized services. These are the features the electronic agreements have in common; the collection, use and protection of other user information vary from enterprise to enterprise.

On March 22, 2021, the State Administration for Market Supervision, the Ministry of Public Security, the Ministry of Industry and Information Technology, and the Cyberspace Administration of China jointly issued the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications. Article 3 stipulates that "the necessary personal information referred to in these Provisions refers to the personal information necessary to ensure the normal operation of the basic functional services of the APP, without which the APP cannot realize its basic functional services." Specifically, it refers to the personal information of users on the consumer side, excluding the personal information of users on the service supply side. In other words, the regulations jointly issued by the four departments set out in detail what information is necessary to run each type of application. Enterprises may not collect user information beyond the prescribed scope, which also prevents applications from over-collecting user information and then trading it for resources or even profiting from it to the detriment of users. The Provisions cover the consumer-side user information that enterprises collect, but do not mention how to handle the data users generate while using an application. The electronic agreements of the applications above do mention the browsing information and usage data generated by users, but the service provider merely notifies the user in the agreement that it will collect service logs during use and analyze them to deliver precise services. Some will even anonymize such service logs and share them with other service providers for targeted advertising.

Some of these applications never ask whether the user agrees to the User Agreement or Privacy Policy. Others ask through a pop-up window, but if the user declines, the application exits automatically and cannot be used. In short, service providers treat use of the application as default consent to uploading service logs for business operations and advertising. Whether the data generated by a user's use of an application may be taken by the service provider should depend on the user's knowledge and consent. A person's usage record best reflects their truest inner thoughts and is an extremely private record; whether a service provider's collection of such information is an exercise of enterprise data rights or an intrusion on user privacy deserves further analysis.

Users' awareness of privacy protection is weak

Personal information has long been bought and sold between companies, and it is not uncommon for people to disclose information themselves. Many applications attach detailed location tags to posted content; once these are mined by someone with ill intent, a person's residence is exposed, and the regional advertising pushes that follow are also dangerous. Bogus quizzes are also forwarded in the circle of friends, where clicking the link requires filling in a name, telephone number, date of birth, city and so on to get the result. These phenomena reflect citizens' weak awareness of privacy protection, and publicity, education and the formulation of laws and regulations are urgently needed.

In civil law there has been much discussion of how to define privacy and how to determine that privacy has been infringed. Professor Edward J. Bloustein of New York University, in "The Right to Privacy as a Manifestation of Human Dignity: A Response to Professor Prosser's Article On The Right to Privacy," argues in detail that the right to privacy is justified by human dignity. He also challenges Prosser's view that there is no single tort of invasion of privacy, that the interests protected by the different torts are not one and the same, and that none of these interests can be fully captured under the name of privacy. After refuting Professor Prosser's views one by one, Professor Bloustein made it clear that "privacy infringement is a type of infringement that infringes on the same kind of interests, that is, human dignity and personality." Scholar Lauren Henry Scholz, in the article "Privacy as a Quasi-Property Right", argues that in the information age privacy should be regarded as a quasi-property right, and proposes relationship, context and nature as the criteria for judging whether a quasi-property-based right to exclude exists. In the data age, under the quasi-property approach to the right to privacy, whether an actor has an obligation not to obtain or use another person's data depends on the relationship between the parties, the context of the conduct, and whether the parties committed any illegal act in the circumstances. The author believes that the right to privacy represents the dignity of the human person and also exists in the form of a property right.

In the pre-information age, people communicated face to face and invasions of privacy were likewise physical, as in the four privacy torts proposed by Professor Prosser: first, intruding on the tranquility and quiet of the plaintiff's residence or on the plaintiff's private affairs; second, publicly disclosing embarrassing private facts about the plaintiff; third, using the plaintiff's name or portrait without authorization for the defendant's benefit; and fourth, defaming the plaintiff in public. These can be summed up as ensuring that others can live in peace without being disturbed. Personal data, by contrast, is replicable and easily disseminated: with a computer, hundreds of pieces of information can be copied and sent to someone's mailbox in seconds. Ordinary goods lose value the more they circulate, and the product itself wears out. Information and data, the products of the new era, are different: they are transmitted over the network without loss, and some basic information even gains value after being processed by several service providers. Because of these special attributes, companies that hold data are very willing to exchange it and even to buy and sell user data. The speed and reach of network dissemination are far beyond the beacon fires and carrier-pigeon letters of the past. By the time users realize that their private information has leaked and is causing them trouble, it is usually difficult to take remedial measures, and recovering the losses is very costly.

Making clear that privacy represents the user's personal dignity while also having certain quasi-property attributes allows comprehensive protection: of the user's personal dignity in the true sense, and, through the quasi-property form, against the harm done when an enterprise takes the user's data to make a profit.

How privacy should be divided is also a matter of opinion. Besides Professor Prosser's fourfold division there is the privacy trichotomy proposed by Gary L. Bostwick, which divides privacy into the right to tranquility, the right to live alone, and the right to decide private matters. But I argue that overly granular divisions make the already ill-defined right to privacy more obscure, and these scholars base their divisions on the amendments to the U.S. Federal Constitution, which directly or indirectly protect citizens' privacy rights. The mainland has no provisions on privacy in its Constitution. The newly promulgated Civil Code places privacy rights in the personality rights section, and its provisions on privacy are brief: "Privacy is the peace of a natural person's private life and the private spaces, private activities, and private information that the person is unwilling to have known to others." Given the current state of mainland legislation, it is more appropriate to define the scope of privacy by the doctrine of the right to be alone. The first to propose the theory of the right to be alone was Judge Cooley: "The right to be alone is the right to be alone without outside interference." The pursuit of privacy is not unique to human behavior; many kinds of animals also want to mark off their own lives from the outside world, and all have a basic need to keep others out of their personal sphere.

When people ask to be left alone, therefore, they are asking for freedom to be alone in both body and mind. Physical solitude means not being disturbed by others in the physical sense: one's personal life is not intruded upon, the mailbox is not filled with spam, and the mobile phone does not receive a constant stream of sales calls and text messages. Mental solitude means that the individual can be mentally relaxed at any time, rather than being unable to relax and permanently tense for fear of having no freedom to be alone. For example, individuals can browse the web at will without worrying that their browsing records will be seen by others and lead to positive or negative judgments about them, and without worrying that data they submit will be maliciously used by people with ulterior motives. As noted above, the applications' electronic agreements give users no choice about the collection of service logs. In the civil sphere both parties to a market transaction are on an equal footing, yet users remain at a disadvantage when facing service providers such as applications. A user who wants to use the application must accept this unequal treaty, and while using it will remain aware that their usage records are being packaged and uploaded. They also filled in identifying information such as a mobile phone number and name at registration; if this became known to others, especially acquaintances, it would lead to all kinds of judgments about them and corresponding troubles. The user thus carries a psychological burden while using the application and does not reach a state of mental solitude.

Only when an individual has both physical and mental solitude can they be said to have real privacy. When collecting and using user information, enterprises should therefore take care not to disturb the tranquility of the user's life and not to collect usage information excessively; preserving the user's space for solitude is a major principle that enterprises must observe in their operations.

The term "big data" gradually entered daily life after 2010, and big data is now present in all walks of life, including manufacturing, finance, the Internet and the automotive industry. Decision-making is data-driven, and the intelligence of information systems has been greatly enhanced. All kinds of applications now analyze a user's usage data and then recommend other content the user may like; in the field of big data this is known as a recommendation algorithm. Recommendation algorithms fall into five categories: (1) expert recommendation, the traditional method, in which content is essentially filtered and recommended by senior professionals; (2) statistics-based recommendation, such as recommending popular items, which is intuitive and easy to implement but weak at capturing a user's individual preferences; (3) content-based recommendation, a continuation and development of information filtering technology, which mostly uses machine learning methods to describe content features and finds similar content based on those features; (4) collaborative filtering, one of the earliest and most successful techniques in recommendation systems, which generally uses nearest-neighbor techniques: it uses users' historical information to calculate the distance between users, then uses the evaluations of a product by the target user's nearest neighbors to predict the target user's preference for that product, and finally makes recommendations to the target user according to that degree of preference; (5) hybrid recommendation: in practice a single recommendation algorithm often cannot achieve good results, so most recommendation systems combine several algorithms, for example by layering content-based recommendation on top of collaborative filtering.

As these methods show, every one of the algorithms has to be based on users' usage information, so usage information and service information are necessary to the enterprise. Completely prohibiting enterprises from collecting usage data is unrealistic and would not be conducive to the healthy and orderly development of the market. In his book The Age of Big Data: The Great Change in Life, Work and Thinking, Viktor Mayer-Schönberger clearly points out that the biggest change in the era of big data is three shifts in mindset: the whole rather than samples, efficiency rather than precision, and correlation rather than causation. Big data brings great operational convenience and has transformed the way people live, work and think; big data and its related technologies should be regulated within a reasonable range, with the aim of a win-win between enterprise operations and user privacy protection.

The preceding sections defined privacy and its scope and established that user privacy means a peaceful life free from disturbance, so an enterprise exercising its data rights should ensure that the user's peaceful life is not disturbed. They then analyzed how big data operates and established that data is necessary to the operation of enterprises, so enterprise data collection cannot be completely prohibited. For enterprises to use data in ways that better promote scientific and technological progress, they should comply with certain restrictive principles on collecting and using data.

In handling user data, the relevant U.S. agencies follow the "Fair Information Practice Principles", which were set out in 1973 by the Advisory Committee on Automated Personal Data Systems, a body established by the U.S. Department of Health, Education and Welfare to study the handling of personal information. The Principles had five articles when they were promulgated in 1973 and were extended to eight by the Privacy Protection Study Commission in 1977:

(1) The principle of openness: keeping confidential personal data files in the system is prohibited, and the institution shall formulate policies on the preservation, practice and disclosure of personal data files.

(2) The principle of personal access: where a record-keeping institution stores information about an individual in personally identifiable form, the individual must be guaranteed the right to view and copy it.

(3) The principle of individual participation: the individual must be guaranteed the right to correct or modify the substantive information that the record-keeping institution holds.

(4) The principle of collection restriction: there should be limits on the types of personal information an institution may collect and on the methods of collection.

(5) The principle of restriction of use: the record-keeping institution's use of personal information shall be restricted.

(6) The principle of disclosure restriction: the record-keeping institution's possible disclosure of personal information shall be restricted.

(7) The principle of information management: the record-keeping institution shall formulate reasonable and appropriate information management policies and practices to ensure that the collection, maintenance, use and dissemination of information about individuals is necessary and legal, and that the information itself is up to date and accurate.

(8) The principle of accountability: the record-keeping institution shall be responsible for its policies, practices and systems for keeping personal data records.

The "Fair Information Practice Principles" cover essentially every aspect of data handling, and enterprises should strictly abide by them in their operations to create a good market environment. First, under the principle of openness, enterprises may not keep secret information and must have policies governing collection, use and disclosure. Such policies should be drawn up under the lead of governments or industry associations, which makes them more binding. While complying with the principle of openness, enterprises may not keep secret user information or use user data for profit, but they can set up databases. Data collected by an enterprise is placed in the database, and other enterprises can obtain the relevant data when they need it; those that do not comply with the established collection and use policies or that violate the principle of openness cannot obtain the data. Disclosure of some information between enterprises is conducive to healthy business cooperation, and the smooth flow of information can provide users with better services and benefits the development of the mainland market economy. Adhering to the principle of disclosure restriction prevents merged information from forming a "personal portrait" of the user, and so keeps service providers from offering different or even discriminatory services based on what they learn from such "user portraits". Obtaining more data is within an enterprise's data rights, but merging data should also comply with the corresponding restrictions: once an unreasonable data merger affects users, especially through discriminatory services, the merger is no longer an exercise of the enterprise's data rights but an invasion of users' private information.

Second, under the principles of personal access and individual participation, users can consult, copy and modify their own information. The relationship resembles that between a photographer and the person photographed: the copyright in the photograph belongs to the photographer, while the person photographed has the right to demand that their portrait not be vilified or disclosed. After an enterprise collects a user's information, the user has the right to consult, copy and modify it. "Information that is not in the public domain has the right of access, rectification and deletion, while the right of access, rectification and deletion of information entering the public domain and personal information of public interest will be subject to relevant restrictions." Third, information collection shall comply with the principle of collection restriction and be reasonable in both collection and use. Under the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications jointly issued by the four departments on March 22, each type of application may collect only the necessary information within its own business scope and may not collect user information beyond the scope of its business activities. Obtaining information from one another lets enterprises gather more information and provide more precise services, but the consolidation of information by some enterprises also needs to be limited: only information from related fields may be merged, and it may not be merged across fields without restriction. Supervision of all kinds of applications should be strengthened to prevent harm to users arising from different systems, different degrees of user stickiness, and unreasonable merging of information.

Fourth, enterprises' use of information should also be restricted: when using information, an enterprise should ensure that the user's peaceful life, which includes both physical peace and mental relaxation, is not disturbed. Enterprises have the right to collect and use user information, but they must also respect users' privacy. Fifth, strengthening the principle of accountability is the most effective way to ensure that enterprise data rights are not violated while user privacy is protected. Once the property rights in enterprise data are settled, it is easier to assign responsibility when problems arise with the data, and enterprises are prompted to put more comprehensive security measures in place to protect it. Data breaches involve not only the use of trojans to sell user data, but also the use of Trojan viruses by third parties to steal user data. In a risk society, users who hand their information to service providers act in accordance with the principle of tolerance; service providers must not betray this trust and must bear the responsibility of protecting data security.

Collecting and using user data is an exercise of the enterprise's data rights, and the corresponding obligation is to protect the security of users' data. An enterprise may not disturb the tranquility of the user's life in the course of its operations, where tranquility includes both physical tranquility and a state of mental relaxation; if an enterprise's use of user data causes the user trouble so that the user's peaceful life is no longer peaceful, that is an invasion of the user's privacy. A positive attitude should be taken toward enterprises' consolidation of information: enterprises should be encouraged to merge as much information as possible for the purpose of technological innovation, while unreasonable mergers are limited so that users are not troubled by the use of their information or discriminated against by enterprises. Whether an enterprise violates the user's privacy when exercising its data rights therefore depends on whether it disturbs the user's tranquility, and providing discriminatory service to users is likewise an infringement of their privacy. When a user submits personal data out of trust in the enterprise's data processing, the enterprise should do its part to maintain the security of that data.

By analyzing the criteria for judging invasions of privacy, the need to restrict the merging of enterprise data, and the need to protect user data, this article concludes that the boundary between enterprise data rights and user privacy is dynamic. Provided that an enterprise does not infringe on the user's peaceful life and that its data mergers do not lead to users receiving discriminatory service, the enterprise's data rights include collecting and using user data, and the enterprise has the obligation to protect the security of that data.