Improve the protection of personal information and promote the establishment of the rule of law on the Internet

Author: Beiqing Net

Original title: Improve the protection of personal information and promote the construction of the rule of law on the Internet

Recently, the 6th "Internet Rule of Law Thirty Forum", sponsored by the Network and Information Law Research Association of the China Law Society and undertaken by the Internet Law Research Center of the China Academy of Information and Communications Technology, was held in Beijing. Nearly 40 representatives and senior experts and scholars from the Policy and Regulation Bureau of the Central Cyberspace Administration, the Network and Information Law Research Society of the China Law Society, the Institute of Policy and Economics of the China Academy of Information and Communications Technology, the Research Department of the China Law Society, and a number of universities and enterprise think tanks attended the meeting. With the theme of "Governing Cyberspace According to Law", the meeting discussed the protection of personal information, the governance of cyberspace, and the rules of international governance.

Professor Zhang Xinbao, Law School of Renmin University of China:

The special obligation of the "gatekeeper" needs to be further refined

The formulation of the Personal Information Protection Law has caught up with the new stage of the development of the Internet and the Internet economy, ending the stage of barbaric growth and entering a new period of development. Strengthening the governance of large online enterprises such as online platforms, and allocating special obligations for personal information protection that are commensurate with their control and influence, is becoming a global consensus. China has now formulated the "Personal Information Protection Law", and it is timely to adapt to this trend and make special provisions on the personal information protection obligations of these enterprises.

Adding a special "gatekeeper" obligation to the Personal Information Protection Law has legislative experience that can be used as a reference, and has technical feasibility and economic rationality. The establishment of platform rules cannot be fully covered by the E-commerce Law and the Anti-Unfair Competition Law. Further clarification is needed on how the legality of specific conduct is assessed, including how to determine an actor's violations of laws and regulations during an investigation, and the writing guidelines and institutional arrangements for the social responsibility report.

Professor Wang Xixin of Peking University Law School:

The right to process personal information is essentially a public law right

The core of the Personal Information Protection Law is to prevent and control risks in the large-scale and continuous processing of personal information. The rights of individuals in the handling of personal information stipulated in Chapter IV, together with the processing rules and cross-border provision rules provided for in Chapters II and III, constitute a set of regulatory rules. The object of control of an individual's rights in personal information processing activities is not personal information, but an information processing integration tool for controlling a strong party in a strong asymmetric power structure, and the rights of individuals in the processing of personal information are essentially a right under public law.

Functionally, the rights of individuals in the processing of personal information are instrumental rights that can be understood from the perspective of procedural justice and distributive justice. In terms of procedural justice, they are mainly manifested as defensive rights in rights litigation against strong personal information processors; in terms of distributive justice, competitive rights such as the right to portability and the right to erasure put forward new requirements for the allocation of resources. The requirement that data be highly structured can incur exorbitant costs for small businesses and be counterproductive.

In terms of remedies, the Personal Information Protection Law adds that "where a personal information processor refuses an individual's request to exercise his or her rights, the individual may file a lawsuit with the people's court in accordance with law." This raises a new question about the remedy channels available when the rights and interests of personal information are infringed: do administrative remedies need to be exhausted before a civil lawsuit is filed? The nature of the right and the means of remedy matched to it should be followed.

Professor Zhou Xuefeng, School of Law, Beihang University:

The obligations of personal data processors need to be refined

The rights of the personal data subject depend on the fulfillment of the obligations of the personal information processor. In regulating the obligation to handle personal information, on the one hand, for small personal information processors, the state internet information department is authorized to formulate special personal information protection rules and standards for small personal information processors; on the other hand, for general personal information processors, that is, to meet the quantitative standards stipulated by the internet information department, it is required to designate the person responsible for personal information protection to achieve a differentiated design.

There may also be some questions in the future application of the law, for example, how to understand "important Internet platform services" and what types are included? How are fair and impartial standards judged? How to remedy misjudgments in the process of platform management? When the platform fails to fulfill such public law obligations, does the individual have a civil claim? While exerting responsibility on the platform, it has also made a mandate to manage the users of the platform, and it is not enough to rely solely on judicial means for relief, and special rules need to be formulated.

Zhi Zhenfeng, a researcher at the Institute of Law of the Chinese Academy of Social Sciences:

How to regulate the one-way manipulation of individuals by the platform

In the process of social science innovation, a large amount of knowledge fails. Modern jurisprudence or knowledge, born in the Industrial Age of the West, is increasingly inadequate to explain the new type of society and more difficult to solve China's problems, and the rethinking of the times and the world has not been simultaneously enhanced. In the context of the times, the law should be viewed in the sense of function, and the rule of law should be understood in the sense of dynamic evolution and scenarioization. The information age places new demands on rule of law mechanisms, such as national security. The great changes in mankind are embodied in the creation of new space, that is, the theme of this forum: cyberspace.

The most fundamental change brought about by the information age to human society is manipulation, that is, the one-way transparent manipulation relationship between the platform and the individual. Therefore, it is necessary to rethink the relationship between people and how to use the rule of law as the last refuge of human dignity and freedom to get "people" back.

Professor Zhang Gong of the Law School of Renmin University of China:

The Personal Information Protection Law and the Civil Code should be applied in parallel

The relationship between the Personal Information Protection Law and the Civil Code is neither that of a superior law and an inferior law, nor that of a general law and a special law.

Cyberspace is not a simple virtual space, but a combination of virtual space and physical space. The Civil Code is the law of physical space, in which the state is the unit of basic order. In the era of physical space, the boundaries between public and private law are clear, while the status of the state in cyberspace is not clear, and the boundaries between public and private are not clearly demarcated. Therefore, the nature of the Personal Information Protection Law is more complex: it is neither public nor private law, but a transitional law, because cyberspace is still in the process of formation.

As the saying goes, "Once a law is enacted, it becomes obsolete." The Civil Code is the product of legislation in the era of physical space and belongs to the more typical private law. The Personal Information Protection Law is a product of legislation in the cyberspace era, and the basic principle is that the purpose is necessary, that is, to take into account the protection of personal information and the development of the Internet. At present, the Personal Information Protection Law should be applied in parallel with the Civil Code, and the two will be integrated in the future.

Liu Jinrui, researcher at the Rule of Law Research Institute of the China Law Society:

Include the collection of personal information that affects national security into important data

The era of data economy has brought new challenges, and the paradigm of data security has changed from the previous three natures of data to data utilization security, that is, the requirements of controllability and legitimacy have been increased, and risk management and control have been centered on it.

Personal information not only involves personal interests, but may also affect national security and may be used in ways that threaten national security. In this regard, the European Union imposes restrictions in the name of "protection of rights", while the United States includes sensitive personal data in foreign security reviews. China's Personal Information Protection Law and Data Security Law put forward rules for the cross-border provision of personal information, and there is room for further tightening. It is recommended that the collection of personal information that affects national security be included in important data; pay attention to the division of labor in the Personal Information Protection Law and the Data Security Law; establish a highly transparent data security assessment and review system; and establish an important data export control system instead of data export control.

Zhang Linghan, Associate Professor, School of Grammar and Law, University of Science and Technology Beijing:

"Penetrating Regulation" of Platform Algorithms

After the 2008 financial crisis, the IMF proposed that "good regulation" should be intrusive, comprehensive, adaptable, questionable, proactive, and decisive. The U.S. Investment Company Act proposes a "see-through rule." In this context, "penetrating supervision" was first formally proposed as a policy concept in the 2016 Implementation Plan for the Special Rectification of Internet Financial Risks by the General Office of the State Council, requiring regulators to identify the nature of business in accordance with the principle of "substance over form".

How to do the "penetrating supervision" of platform algorithms? First, it penetrates the technical veil of "only providing network connectivity", involving user behavior and safe haven rules; second, it penetrates the veil of "Internet innovation business model", involving control, platform employment, and recommended content; third, it penetrates the veil of "legal person enterprises", only pursues the results, and involves algorithm design and operation behavior.

Xu Ke, Associate Professor, Faculty of Law, University of International Business and Economics:

Relationship between the Personal Information Protection Law and relevant laws

Relationship between the Personal Information Protection Law and other laws: its relationship with the Constitution is that of sub-law and parent law; in its relationship with the Civil Code, where the provisions concern equal subjects, it is a special law derived from Chapter VI of Title IV of the Civil Code, "Protection of Personal Information"; in its relationship with the Cybersecurity Law, it is a new law that replaces the provisions of Chapter IV, "Personal Information Security"; in its relationship with the Data Security Law, it is a supplementary law for data processing activities involving personal information; and its relationship with specialized laws such as the Consumer Rights and Interests Protection Law and the Commercial Banking Law is that of special laws and general laws in the field of personal information.

The relationship between the Personal Information Protection Law and international laws includes: the handling of personal information of natural persons in China outside China (Article 3, Paragraph 2); the provision of personal information by information processors abroad (Articles 38, 39, 40 and 42); the export of personal information due to judicial or administrative law enforcement assistance (Article 41); trade reciprocal measures against foreign countries or regions (Article 43); and exceptions to international treaties and agreements (Article 41, Paragraph 2).

Dr. Liu Shuangyang, School of Law, Southeast University:

The protection of disclosed personal information by criminal law shall be examined as reasonable

Proceeding from the position of actively preventing the risk of misuse of personal information, the judicial interpretation identifies informed consent as the key criterion for judging whether it constitutes the crime of infringing on citizens' personal information, resulting in China's judicial practice tending to criminalize the sale or provision of disclosed personal information to others without authorization on the grounds that the "secondary authorization" consent of the information subject has not been obtained. At present, the preceding law has made major adjustments to the rules for the handling of personal information that have been disclosed, aiming to avoid excessive regulation of personal information handling behavior and promote the rational use of personal information, so criminal law needs to timely explain and respond to changes in the rules for the handling of personal information that have been disclosed.

The information subject has a limited right to self-determination of information, and the information processor has the right to data property. From the perspective of balance of interests, examining the judicial boundaries of the crime of infringing on citizens' personal information shall be reasonably handled based on the principle of proportionality. During the validity review stage, it is judged whether it is consistent with the purpose of personal information disclosure; the appropriateness and necessity review stage is used to determine whether the use of personal information is changed when it is disclosed; and the balance review stage is used to determine whether the major interests of the information subject are infringed.

Ding Daoqin, Director of the Legal Research Center of Beijing ByteDance:

Timely think about personal disclosure information protection rules

There are more and more litigation-related cases involving the use of personal disclosure information, such as whether reprinting judgments disclosed on the judgment documents network infringes on privacy rights and personal information interests, whether it is possible to collect and handle personal information disclosed in accordance with law such as open government information, whether it can collect and handle personal information disclosed by individuals themselves, and whether it can collect and handle personal information disclosed by enterprises.

Attitudes towards individual disclosure of information vary from country to country. The United States and California directly exclude public information from the definition of personal information; the European Union, Singapore, etc. use "publicly available" as a defense against certain types of illegal data processing; and Japan, Canada and other countries directly use public information as an exception that does not require the consent of the subject. China's Cybersecurity Law and Criminal Law also stipulate some public law rules for the protection of personal disclosure information, the Civil Code stipulates the "reasonable use" of personal disclosure information, and Articles 13 and 27 of the Personal Information Protection Law clearly stipulate that the handling, within a reasonable range, of personal information disclosed by individuals themselves or that has been legally disclosed is a basis for legality. (Jincan)

Source: Economic Reference Newspaper