The four departments review the privacy clauses of various network products and services. (Photo: CFP)
To ensure the effective implementation of the personal information protection requirements in the Cyber Security Law and to raise the level of personal information protection among network operators, the Central Network Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security and the National Standards Committee jointly held the launch meeting of the "Personal Information Protection Promotion Action" and the founding meeting of the expert working group, starting the special work on privacy clauses. The first batch will review the privacy clauses of ten online products and services such as WeChat and Taobao.
The privacy clause is the window through which users learn how a product or service collects and uses personal information, and it is the primary channel through which users exercise the rights of choice and consent given to them by law. Network operators should, in accordance with legal requirements, standardize the content, presentation and placement of privacy clauses, and obtain users' consent through them. At the same time, some people have doubts about the special work on privacy clauses. On the one hand, they think the privacy policy is too long for users to read at all; on the other hand, they argue that the special work targets the collection of personal information, but that in the era of big data and the Internet of Everything it is impossible to control that collection. As the special work on privacy clauses gradually expands, the author believes that reviewing privacy clauses helps to improve the level of personal information protection, and that control over the collection of personal information should not be given up.
The special work on privacy clauses can improve the effect of notification
The most important purpose of a privacy clause is to inform users, and notification is a clear requirement of China's current laws. Whether in the Decision of the National People's Congress Standing Committee (NPCSC) on Strengthening the Protection of Network Information in 2012, the Law on the Protection of Consumers' Rights and Interests in 2013, or the Cyber Security Law implemented in June 2017, individual consent is always regarded as the main legitimate basis for personal information controllers to collect and use personal information. "Agree" must be the expression of the user's true will. To ensure this, notification becomes a very necessary step.
Some scholars have suggested that the problem with the "inform-agree" framework is that the privacy policy is long and obscure, so users who are eager to use the product or service may simply click "agree" or "next". However, since personal information can identify specific individuals and reflect their thoughts, opinions, preferences and actions, individuals do care about how their personal information is collected and used. The reason individuals now appear "indifferent" is therefore that the content of privacy policies is not presented well.
In fact, the special work on privacy clauses has given detailed consideration to how to effectively improve the effect of notification:
The first is the privacy policy, whose function is to describe completely and clearly how product and service providers collect, store, use and provide personal information to outside parties. Although this text is often criticized for its length, the readers of a privacy policy are not only users, but also regulators and consumer protection groups. Generally speaking, the privacy clause is a public statement by network operators about their personal information processing activities, such as collection, storage, use, sharing and transfer. It is not only a legal commitment to users, but also an important basis for law enforcement and social supervision of network operators.
The second is enhanced notification, that is, prompting the user about personal information when they register an account, install a program, or use it for the first time. It is not the text of the privacy policy, but it condenses the core content of the privacy policy, or highlights the information that users are most concerned about, such as what personal information is collected and to whom it will be provided. The enhanced notification often contains a link to the complete privacy policy text. The advantage is that even if users do not read the privacy policy itself, they can learn its key content and the high-risk personal information processing activities through the enhanced notification.
The third is the instant prompt, that is, a prompt about personal information processing that is displayed immediately while the user is using the product. It is often used to inform users about sensitive personal information before a second authorization. Sensitive personal information refers to personal information that, once leaked, illegally provided or abused, may endanger personal and property safety and easily lead to damage to personal reputation or physical and mental health, or to discriminatory treatment. Generally speaking, private personal information counts as sensitive personal information. Before such sensitive personal information is collected, used or provided to others (including sharing, transfer and public disclosure), users need to be reminded again, because this information is of great significance to them. From the user's point of view, the handling of sensitive personal information should not be buried in the text of the privacy policy; it should be highlighted and carried out with the consent of users. This is a good way to practice the concept of "user-centered".
In addition to these three forms, there is the case of platform-based apps. Single-function apps are more common abroad, while platform-based apps, which need to integrate many other functions, are very common in China. These functions may be subject to the same privacy policy, or they may have their own special provisions. Therefore, when users click on these additional functions, the providers of products and services should give a separate, targeted notice telling users how the additional function's handling of personal information differs from the unified privacy policy.
In fact, notification can be achieved not only through long privacy policy texts, but also through a variety of other paths. If enterprises really adhere to the concept of "user-centered", they should be more creative, so that ordinary users can truly feel the sincerity and warmth of their products and services.
We should not give up control of personal information collection
Giving up control of the collection stage in order to follow the trend of the times is a typical embodiment of the supremacy of technical logic and growth. Scholars who hold this view often think that the development of artificial intelligence should be domesticated through the power of ethics and law. In fact, this debate is not unique to today. In 1980, the Organization for Economic Cooperation and Development (OECD) issued its "Privacy Guidelines". After 2000, the OECD hoped to update these guidelines in light of the characteristics of the times and of technological development. Many experts convened by the OECD suggested that the 1980 guidelines had requirements for collection, but that whether these were suitable for future development needed to be re-evaluated. After the debate, the experts reached a consensus that the collection of personal information needs to be controlled. Therefore, in the updated Privacy Guidelines issued in 2013, the "collection restriction principle" was placed at the top of the eight principles of personal information protection.
It is generally believed that the protection of personal information in the United States is relatively loose, so the Internet has developed rapidly there, while the protection of personal information in Europe is too strict, so there are basically no decent Internet companies in Europe. But the reality is far more complex than this simple comparison. Take the "Privacy Protection Rules for Broadband Service Providers" formulated by the Federal Communications Commission (FCC) as an example. This rule establishes a framework: sensitive personal information should follow the opt-in model, and non-sensitive personal information can follow the opt-out model; for both sensitive and non-sensitive personal information, users must be clearly informed and must be given the right to withdraw their consent. It can be seen that the framework formulated by the FCC strengthens control of the collection stage.
However, this rule was overturned by the US Congress not long ago. The important reason is that the FCC's framework for broadband service providers is actually stricter than the FTC's privacy protection framework for non-broadband service providers (such as Google and Facebook), and would therefore discriminate against broadband service providers in competition. However, at least ten states in the United States then tried to pass legislation at the state level to restore the framework established by the FCC.
A few days ago, Nevada also passed legislation formally requiring website operators and network service providers to provide privacy policies on their websites, and setting out specific requirements for the content of those policies. The bill will take effect on October 1, 2017.
To sum up, the biggest market for the idea of "giving up control over the collection of personal information and controlling its use" is in the United States, but simply by tracking news and legislative developments, one can see that even in the United States this view has not been fully accepted by legislators and regulators. (Hong Yanqing: Peking University Internet Development Research Center)