The “Personal Information Protection Law” is implemented today. What should operators and consumers pay attention to?

Personal information refers to all kinds of information related to identified or identifiable natural persons, recorded electronically or by other means, excluding anonymized information. Personal information generally includes name, date of birth, ID number, biometric information, address, phone number, email address, health information, whereabouts information, etc. At present, in daily consumption and other social activities, people inevitably leave personal information with various operators and organizations. Because of weak awareness of the responsibility to protect personal information, insufficient protection measures, and some operators being driven by profit, personal information has been illegally collected and leaked, and the situation is shocking.

In recent years, the China Consumers Association has found in its consumer rights protection work that the most prominent personal information problems reported by consumers are concentrated on excessive permission requests by mobile apps, leaks of consumers’ personal information, illegal pushing of commercial information, “big data killing” and illegal processing of sensitive personal information. For example, in February 2019, a facial recognition company suffered a large-scale data breach, and 6.8 million pieces of personal information including names, ID numbers, gender, home addresses, and photos were leaked; in May 2020, the Huaian police in Jiangsu uncovered a case of infringement of citizens’ personal information in which a bank employee sold the identity information, phone numbers, balances and even transaction records of bank card users for profit at a price of 80-100 yuan each, involving more than 50,000 pieces of personal information; and in 2021, the CCTV “3.15” gala revealed that many well-known stores had installed face recognition cameras and collected a large amount of face information, but no business had clearly informed consumers, let alone obtained their consent.

On November 1, 2021, the “Personal Information Protection Law” was officially implemented. It is a special law to protect citizens’ personal information. Together with the Law on the Protection of Consumer Rights and Interests and other laws, it weaves a “protection net” for consumers’ personal information.

The China Consumers Association urges operators to effectively implement the relevant provisions of the “Personal Information Protection Law”, study the law in depth, respect and abide by the law, improve their rules for processing personal information in accordance with the law, perform the obligation of publicity and notification, standardize their personal information processing procedures, and take the necessary measures to protect the security of consumers’ personal information.

(1) It is necessary to effectively implement the “notification-consent” rule, and expressly state the purpose, method and scope of processing personal information. Operators should formulate rules for handling consumers’ personal information, follow the principles of openness and transparency, disclose their personal information processing rules, expressly state the purpose, method and scope of processing, and provide a convenient way to withdraw consent. No organization or individual may illegally collect, use, process, or transmit consumers’ personal information, nor may they illegally buy, sell, provide or disclose consumers’ personal information. When collecting consumers’ personal information, operators should inform consumers and obtain their consent on the premise of full notice in advance. Operators shall not use blanket authorization, compulsory consent, etc. to process consumers’ personal information; without consumers’ consent, operators shall not push commercial information to consumers.

(2) Personal information processing must meet the two “minimums” and one “shortest”, and consumers’ personal information must not be collected excessively. Operators should have clear and reasonable purposes for collecting and using personal information, limit processing to the method that has the least impact on personal rights and to the smallest scope needed to achieve the purpose of processing, and should not excessively collect consumers’ personal information. Unless otherwise stipulated by laws and administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the purpose of processing. Except for the personal information necessary to provide products or services, operators shall not refuse to provide products or services on the grounds that consumers do not agree to the processing of their personal information or withdraw their consent. Mobile apps and other services shall not deny users the use of their basic functions because users do not agree to provide non-essential personal information.

(3) The handling of sensitive personal information shall be strictly restricted, and communities and business premises cannot force owners or consumers to undergo facial recognition. Sensitive personal information is personal information that, once leaked or used illegally, may easily lead to violation of the personal dignity of a natural person or endanger personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and other information, as well as the personal information of minors under the age of fourteen. The law sets special processing rules for it: the second paragraph of Article 28 stipulates that “personal information processors can only process sensitive personal information if they have a specific purpose and sufficient necessity and take strict protective measures.” Face recognition information is a kind of sensitive personal information; once it is leaked, it can easily cause great harm to the personal and property safety of individuals, and may even threaten public safety. It is not necessary for community properties and business sites to use face recognition as the only verification method for entry and exit, and it is difficult for them to take strict protective measures. Other alternative verification methods should be provided for owners or consumers to choose independently. Operators are also not allowed to illegally collect consumers’ face recognition information for commercial purposes.

(4) The use of personal information for automated decision-making must be legal, and behaviors such as “big data killing” are prohibited. The “Personal Information Protection Law” stipulates that personal information processors who use personal information for automated decision-making shall ensure the transparency of decision-making and the fairness and impartiality of the results, and shall not impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction conditions. Those who push information and commercial marketing to individuals through automated decision-making should also provide options that are not tailored to personal characteristics, or provide individuals with a convenient way to refuse. Therefore, operators cannot use information they hold, such as consumers’ economic status, consumption habits, and price sensitivity, to discriminate against consumers in terms of transaction prices, etc. Carry out precision marketing through user portraits.

(5) Large-scale Internet platforms should also pay attention to fulfilling special obligations, and need to be good “gatekeepers” for personal information protection. Personal information processors that provide important Internet platform services, have a large number of users, and have complex business types should also establish and improve a personal information protection compliance system in accordance with national regulations, and establish an independent organization mainly composed of external members to supervise the protection of personal information. They should follow the principles of openness, fairness and impartiality, formulate platform rules, and clarify the norms that product or service providers on the platform must follow in handling personal information and their obligations to protect it. They should stop providing services to product or service providers on the platform that handle personal information in serious violation of laws and administrative regulations. They should regularly release personal information protection social responsibility reports and accept social supervision.

The China Consumers Association also reminds consumers that in order to make the “Personal Information Protection Law” more effective, they must study the law seriously and take the initiative to use it:

(1) Actively study the “Personal Information Protection Law” and other legal provisions. By studying personal information protection laws such as the “Personal Information Protection Law”, you can understand the processing rules for personal information and sensitive personal information, your own rights in personal information processing activities, the obligations that personal information processors should undertake, and the remedies available when personal information rights are violated, and so further enhance your awareness of and ability in personal information protection, and use legal weapons to guide consumption practices.

(2) It is necessary to develop the good habit of “not providing if it is not necessary”. When consumers receive services, they should carefully read the privacy agreement and other terms involving personal information, clarify the method, scope, purpose and basis of the operator’s processing of personal information, and consider the adequacy of the operator’s reason for processing personal information and the necessity of the personal information that consumers are asked to provide. It is recommended to provide personal information or grant authorization to operators only when it is really necessary.

(3) Keep track of the personal information you have authorized or provided. After consumers accept the terms on personal information or provide personal information to operators, they should also pay attention to whether the operators’ personal information terms are revised, whether the operators have the ability to protect the security of personal information, and whether the operators have illegally processed personal information, etc. When consumers do not agree to operators continuing to process their personal information, they should actively exercise the right to “withdraw consent” and require operators to stop processing or delete their personal information in a timely manner.

(4) Pay attention to the destruction of documents and materials with personal information. Consumers should protect documents and materials with personal information to prevent personal information from being leaked due to random discarding or improper use. Documents and materials with personal information, such as non-desensitized express delivery documents, should be handled properly: they should be destroyed in time after use, or the key information should be smeared out before they are discarded. When providing copies of important documents such as ID cards to others, it is best to clearly mark the purpose of the copy. Electronic data with sensitive personal information, such as ID photos, is best deleted or stored in encrypted form.

(5) Take the initiative to take up legal weapons to safeguard legitimate rights and interests. Consumers should actively exercise the right to supervise operators’ personal information processing activities. When their own personal information rights and interests are infringed, or when they find that consumers’ personal information has been handled illegally, they should take the initiative to file complaints and reports with the personal information protection management department or the consumer association, provide case clues and relevant evidence, and protect the legitimate rights and interests of themselves and other consumers.
