On May 25, the work report of the Standing Committee of the National People’s Congress pointed out, in its main work arrangements for the next step, that with a focus on national security and social governance, the Biosecurity Law, the Personal Information Protection Law and the Data Security Law are to be formulated and the Criminal Law Amendment (11) is to be passed; the Administrative Punishment Law, the People’s Armed Police Law, etc. are also listed.
Information collection during the epidemic was not standardized; Hangzhou Wildlife World was sued in “the first case of face recognition”; the Xu Yuyu telecommunications fraud case was included in the top ten criminal cases of the people’s courts in 2017… The frequent occurrence of personal information protection problems has caused the public great insecurity, and some people seem to have become “transparent people”. Related topics have been hot topics during the “two sessions” since 2018.
Which parts of this law are closely related to you and me? How can legislation end the “streaking” of personal information? What specific suggestions do the delegates have?
Case: personal information leaks are frequent; how much responsibility do platforms bear?
During the epidemic prevention and control period, most people left their mobile phone numbers, ID numbers, home addresses, etc. in different places more than once. While complying with the prevention and control regulations, many people worry that the collection of this information is not standardized and that, once leaked, it will be used by criminals.
This concern is not groundless. According to a CCTV report, as many as 160 million pieces of citizens’ personal information were confirmed leaked from 2010 to 2016 by the Beijing District Court alone. The “Investigation Report on Leakage of APP Personal Information” released by the China Consumers Association in September 2018 also shows that 80% of the respondents have had personal information leaked.
Previously, Xu Yuyu fell victim to a telecommunications fraud case because of an information leak.
In August 2016, when Xu Yuyu, a girl from Shandong Province, was about to enter university, she received a fraudulent call and was defrauded of the 9,900 yuan meant to cover the cost of going to college. After learning that she had been deceived, Xu Yuyu felt unwell on the way home because of excessive sadness; rescue efforts failed and she died.
Not only is traditional information such as names, occupations, and communication records being leaked; biometric data such as faces, fingerprints, and voiceprints is also being collected and used, even illegally.
In September 2019, the face-changing social software “ZAO” quickly became a popular application on the Internet. Soon after, the responsible persons of the software’s developer, Beijing Momo Technology Co., Ltd., were interviewed by the Ministry of Industry and Information Technology over the alleged failure to collect and use face information in accordance with laws and regulations and over the risk of data leakage.
Coincidentally, in October 2019, Guo, a doctor of law, found that the annual card he had purchased at Hangzhou Wildlife World had canceled fingerprint recognition and changed to face recognition, and that he could enter the park normally only after registering his face. He believed that face recognition data is sensitive personal information, did not agree to this move, and asked for a refund of the card, but the negotiation failed, so he sued Hangzhou Wildlife World in the People’s Court of Fuyang District, Hangzhou City. Public reports show that the court has officially registered the case; no verdict has yet been seen.
Who is “collecting” our information? Some platforms, such as e-commerce and social software, “cross the border”, collecting consumers’ personal information excessively and even illegally stealing user information.
The investigation report of the China Consumers Association shows that the phenomenon of excessive collection of consumers’ personal information by e-commerce, social software and other platforms has become a new hot spot for complaints. Unauthorized collection of personal information and intentional disclosure of information by operators are the main ways of personal information leakage, accounting for 62.2% and 60.6% of the survey samples, respectively.
In July 2019, The Paper reported that Mr. Wang, a netizen from Harbin, found while using Tencent’s “Weishi” APP that when he logged in with his WeChat account, all his WeChat friends’ information was obtained and videos posted by his WeChat friends were pushed to him. The same thing happened when he logged in with his QQ account. He believed that he had only authorized the login, and that “Weishi” had no right to collect and use his gender, region and friend relationships, so he sued Shenzhen Tencent Computer System Co., Ltd. for violation of privacy. The court ruled that Tencent must immediately stop using Mr. Wang’s WeChat or QQ friends’ information in “Weishi” and stop recommending his related information to other users.
On May 9, 2020, the Consumer Rights Protection Bureau of the China Banking and Insurance Regulatory Commission issued a notice: in March 2020, China CITIC Bank provided third parties with personal bank account transaction details without the authorization of the customer. The China Banking and Insurance Regulatory Commission has initiated investigation procedures against China CITIC Bank. This is not an isolated case. According to information on China Judgment Documents Network, it is not uncommon for bank insiders (“ghosts”) to take part in reselling personal financial information.
Tracing the causes: weak awareness of personal information security protection and unsound laws and regulations
What has the excessive leakage of information led to? During the national “two sessions” in 2018, a number of deputies and committee members said in interviews that it is no exaggeration to say that almost every mobile phone or Internet user has encountered fraudulent messages.
According to the survey results of the China Consumers Association, after consumers’ personal information was leaked, about 86.5% of the respondents had been harassed by sales calls or text messages, about 75.0% of the respondents had received fraudulent calls, and about 63.4% of the respondents had received spam; these ranked as the top three.
Telecommunications fraud cases caused by the leakage of citizens’ personal information take many forms: from lottery wins and rent remittances, to online banking upgrades and postal parcels hiding drugs, to impersonating public officials such as public prosecutors, forging online wanted orders, and receiving grants. According to media analysis, the character of telecommunications fraud has changed from the initial “casting a net” to today’s “precision”.
Why was the information leaked? In public reports, many representatives mentioned similar reasons.
Yang Guiping, deputy to the National People’s Congress and secretary of the Party Group of the Jiangxi Provincial Department of Industry and Information Technology, and Yin Xingshan, member of the National Committee of the Chinese People’s Political Consultative Conference, secretary of the Party Committee and President of the Hangzhou Central Branch of the People’s Bank of China, believe that the lack of awareness of citizens’ personal information security protection is one of the reasons for information leakage.
The lack of awareness includes filling in personal information at will, downloading and installing software at will, connecting to WiFi and scanning QR codes at random, uploading sensitive personal information for convenience, and exposing a large amount of personal information online for showing off.
The common view also includes the lack of norms and constraints for operating entities. Yang Guiping also pointed out that some system designs have potential security risks, which is also a problem.
In addition, both Yang Guiping and Yin Xingshan agree with the view that personal information protection laws and regulations are not sound. At present, there is a lack of a special and authoritative law, which restricts the comprehensive protection of personal information. Yin Xingshan also believes that there is a lack of competent authorities for personal information protection.
In October 2019, the organizing committee members of the CPPCC Proposal Committee went to Hunan and Guizhou for special research. During the investigation, the committee members found that the current judicial assistance mechanism for personal information protection is imperfect, it is difficult to identify the infringer and the responsibility for the infringement, and it is difficult to obtain and present evidence.
For those who have been found to have violated citizens’ personal information, there is also the problem of insufficient punishment. Yang Guiping said that, for example, the relevant regulations issued by the Ministry of Industry and Information Technology set only warnings and fines of less than 30,000 yuan for such illegal acts. “Compared to the huge benefits obtained from selling personal information, the cost of illegality is obviously too low.” This is the predicament of personal information protection.
Beyond this predicament, there are also disputes over the protection of personal information, including whether the protection of personal information affects the development of the data industry, whether the data belongs to the user or the collection platform, etc.
Recommendation: Obligation boundaries for data collection, processing and use need to be clarified
The reporter noticed that in recent years, a number of representatives have suggested speeding up the formulation of the Personal Information Protection Law.
Li Dajin, a member of the National Committee of the Chinese People’s Political Consultative Conference and director of Beijing Tianda Republican Law Firm, said in an interview that China currently has nearly 40 laws, more than 30 regulations and nearly 200 regulations involving personal information protection. However, due to the lack of top-level legislation, the existing provisions are scattered across various laws, making it difficult for them to have a deterrent effect.
“Although our country has promulgated some laws and regulations on the protection of information security, it has not yet issued special legislation for the protection of personal privacy. The punishment for divulging personal privacy is relatively light, resulting in too low illegal costs of violating personal privacy and extremely limited protection of personal privacy,” said Gao Zicheng, deputy to the National People’s Congress and president of the Beijing Lawyers Association.
The need to clarify the obligatory boundaries of data collection, processing, and use is the consensus of the committee members who make recommendations. They argue that there should be clear rules about what personal information can and cannot be collected. For the collection behavior of the operator, Yin Xingshan believes that it must have a clear and legitimate purpose, meet the “minimum and necessary” requirements, and have the express consent of the information subject.
“Personal information should be raised to the basic rights of individuals,” appealed Cui Ronghua, deputy to the National People’s Congress and chairman of Century Ronghua Investment Holding Group Co., Ltd. She also proposed eight principles for personal information protection (informed consent, clear purpose, use restrictions, information quality, security management, prohibition of leakage, retention time limit and free circulation), as well as strict information protection responsibilities for enterprises and institutions and increased penalties.
She believes that legislation should clarify the responsibility for infringement of personal information rights. If personal information is leaked because the information collection subject stored it improperly, the information collection subject shall bear the corresponding responsibility in accordance with the law; if a staff member leaks personal information privately, then in addition to that person’s own responsibility, the information collection subject shall also bear responsibility according to the specific circumstances and in accordance with the law; if the information collection subject does not keep personal information properly and, at the same time, a third party illegally obtains and uses the personal information, the information collection subject and the third party shall be jointly liable for compensation.
Lian Yuming, a member of the National Committee of the Chinese People’s Political Consultative Conference and president of the Beijing International Urban Development Research Institute, who has been paying attention to data security legislation for many years, suggested that the Personal Information Protection Law should fully consider the classification and grading protection of personal information according to application scenarios. Information collection, use and processing by public agencies should also be regulated.
Action: Multiple documents are in place to protect personal information
Although there is no top-level legislation on personal information protection, the relevant departments have always dealt with the violation of users’ personal information with an iron fist and severe blows.
Last year, the Central Cyberspace Administration of China, the Ministry of Industry and Information Technology and other four departments jointly issued an announcement, deciding to organize a nationwide special treatment of illegal collection and use of personal information by apps from January to December 2019. The “Special Governance Report on the Illegal Collection and Use of Personal Information by APPs (2019)” shows that over the past year, the special governance work has achieved remarkable results.
Among them, the Ministry of Industry and Information Technology launched the “Special Rectification Action for APP Infringement on User Rights and Interests” to promote the completion of self-inspection and rectification of a number of APPs, issued rectification notices to 236 APP operators, publicly notified 56 APPs, and removed 3 APPs from the shelves.
The Ministry of Public Security has also cracked down on illegal and criminal acts infringing on citizens’ personal information in accordance with the law in the “Cleaning the Net 2019” special campaign. Some media commented that a distinctive feature of personal information data protection in 2019 was the significant increase in criminal means, and a series of special law enforcement actions put a distinct law enforcement brand on personal information data protection in 2019.
Since 2018, personal information protection has been a hot topic during the “two sessions”. After the national “two sessions” in 2019, “strengthening personal information protection in the era of big data” has become one of the key series of proposals of the National Committee of the Chinese People’s Political Consultative Conference.
The laws and regulations related to personal information protection are gradually being implemented. In recent years, China has accelerated the process of legislation and revision on personal information security protection, and successively issued the “Decision of the Standing Committee of the National People’s Congress on Strengthening the Protection of Network Information”, the “Regulations on the Protection of Personal Information of Telecommunications and Internet Users”, the “Registration of the True Identity Information of Telephone Users” Regulations, etc.
In 2019, the “Regulations on the Protection of Children’s Personal Information Online” and “Personal Information Security Specifications” were released, and the “Measures for Data Security Management (Draft for Comment)” and the “Measures for Security Assessment of Personal Information Exiting the Country (Draft for Comment)” were released to the public for comments.
Now, the “Personal Information Protection Law” will be enacted to end the “streaking” of personal information or it may not be expected.