Data Analysis | Fuping Gao: Privacy Protection and Data Security—the Duties and Responsibilities of Leading Enterprises
As Chinese society accelerates the advance of networks, data and intelligence, data has become the driving force behind the economic development in society. The key of the data-driven development is the ability to exploit and utilize the data generated by the ubiquitous networks and smart devices, and apply them to the fields such as technology and innovation, economic transformation, social governance, and risk prevention. Data has the immense social and economic value, and therefore is recognized as the new source of energy following the oil. Because of this, many enterprises attempt to collect as much data as possible, and perform various types of data analysis in order to apply them to the promotion of products or services, risk management, etc.
All data has a source, and any data which originates from or is related to individual persons will involve personal dignity and freedom, and thus is tied with personal privacy protection (or personal data protection). The key to pushing forward economic development through data is knowing how to promote data opening, sharing, flowing and usage while maintaining privacy and data security benefits as a premise. This is also the reason that foreign countries have set about constructing a legal system for personal data protection since the 1970s.
At the time when computers had just entered broad use, foreign countries had begun protecting personal data from the perspective of maintaining personal dignity or freedom, preventing the abuse of electronic personal data which violates citizens’ dignity and freedom. The core of such work is to prevent individuals from being “dealt with” without their knowledge, hence, individuals must know and hold necessary rights to participate and control their data.
Contrastingly, China does not have similar traditions. Instead, after computers, and especially the internet, entered widespread use, internal leakage, illegal theft and trade of citizens’ personal information became a societal menace. Not only does it endanger personal privacy, it also becomes an obstacle to the rightful use of data. As the value of data is gradually unearthed, a gray industrial chain of the illegal collection, processing, trade and utilization of personal data has appeared and is difficult to root out; even listed companies fail to obey the bottom line of illegally trading citizens’ personal data. Therefore, the protection of citizens’ personal data against violation has become a political proposition of China, attracting discussion regarding personal information protection plans from different social sectors including public security, the procuratorate, courts, ministry of justice and academics.
Through the discussion, we found that we are facing a different situation and task compared to that of foreign countries. China’s current problem is the illegal usage of personal data, which endangers citizens’ personal and property safety. On the other hand, foreign laws aim to solve the problem of regulating usage of personal data under the premise that it is for a legal purpose, thus preventing violation of personal dignity, freedom and privacy.
However, based on the current personal data protection regulations, the boundary between legal and illegal use of data is still unclear. Therefore, the crackdown on illegal provision and obtainment of personal data has become a bane to China’s economic development through the drive of data, impeding the rightful reuse of data. Establishing clear rules through legislation will require some time; in order to break out of the dilemma, enterprises, especially large enterprises, must take their duties and responsibilities.
Time will wait for no man; the search for a reasonable regulation system for personal data protection under the conditions of new technology has become the duty and mission of data-driven enterprises.
Since 2012, China has begun to adopt personal data protection rules from foreign countries, the core of which was the rule of informed consent.
Based on China’s current laws, consent must be obtained before personal data can be collected or utilized. Any collection or utilization activity without consent is considered illegal and is subject to administrative penalties or criminal liability. Therefore, the main concern in enterprise data compliance is how to obtain consent.
But at the same time, we have discovered that instead of protecting personal rights, consent tends to become a security blanket for abuse of personal data. This is not only because users typically do not carefully read the related authorization terms, but also because they have no freedom to choose even if they have read the related terms. Under the circumstances of a lack of choice, to consent is to “hand your fate” over to the company.
Simultaneously, we found that under the situation where big data and artificial intelligence are in widespread use, there is no way and no need to obtain consent for a large amount of personal data collection, yet the “danger” that lack of consent is illegal constantly threatens enterprises’ use of data. This means consent has become more and more formalized; requiring consent does not necessarily protect individuals, nor does a lack of consent necessarily mean damage to personal privacy.
Therefore, to be satisfied with formalities, or to grant individuals genuine protection, is not only a legislative choice but also an enterprise choice. A dutiful and responsible enterprise should not be satisfied with legal compliance or regulatory requirements, and should not let personal data protection become a mere formality. Instead, it should place importance on the rights and interests of users and fully implement users privacy protection, making it the company’s conscious convention.
The internet has provided immense convenience to individuals. Our basic necessities and work are all reliant on the internet; we are entering a time of connected and digitized survival. Technologies such as cloud computing, the internet of things, and big data all support our convenient way of life.
The result of all this is that individuals find it harder and harder to hold control over themselves and data. The true controllers and users of data are enterprises and internet operators. Therefore, the type of personal information protection system with personal control as its theoretical basis is increasingly not suited for personal data protection in the internet age. No matter how many rights laws give to individuals, if enterprises that actually control the data do not cooperate, these rights will hardly be enforced. Therefore, personal data protection requires enterprises to consciously and thoroughly implement related laws, and turn laws into the enterprise’s policies and actions. This is the purpose of enterprise self-discipline, which is advocated worldwide.
At the current stage, enterprise self-discipline is especially important in China. Because China lacks a specific law for personal data protection, the current laws do not provide enterprises with sufficient guidance on the rightful and reasonable use of personal data. Therefore, we must investigate how to achieve reasonable use of personal data while protecting personal privacy and rights.
The essence of privacy is respect to individuals. Therefore, protecting personal privacy is in essence cultivating a culture of respect to individuals. Clearly, the creation of a privacy-protecting culture relies on the participation of the entire society. One enterprise paying attention to and exploring privacy protection is merely one enterprise’s duty and effort; if the entire society does not participate, the enterprises cannot create a good ecosystem of privacy protection.
Network, data, and intelligence have become unstoppable trends. Under this background, how can the enterprises bring better service to their users while protecting users’ privacy? This is a challenge facing all the internet industries of the world. Privacy protection is an undertaking with a beginning and no end. The author hopes more enterprises and related organizations can join in and push forward the improvement of privacy protection, advancing the development of China’s digital economy.
(Original text source: cnr.cn, some changes made)
The Watson & Band website is intended for informational purposes only. Nothing in this site is to be construed as creating an attorney-client relationship between the reader and Watson & Band or as offering legal advice on any specific matter. Since we are not providing legal advice through this website, you should not act upon any information that you might receive here without first seeking professional counsel. No client or other reader should act or refrain from acting on the basis of any information contained in the Watson & Band website without seeking appropriate legal or other professional advice based on the particular facts and circumstances at issue.