[Privacy Compliance] Legality and necessity of personal information collection, consent of the data subject, exceptions to consent, privacy policy optimization, and requirements for indirect acquisition of personal information

Foreword

Data protection should follow the "four full coverages" requirement: cover the entire data life cycle; cover all data in business operations, risk management and internal control processes; cover internal and external data; and cover all branches and affiliates.

Specifically, to ensure that data operations are legal and compliant, an enterprise should implement its data protection system across the whole data life cycle, establish the various systems required by network security laws and regulations, and comply with the requirements of personal information protection laws and regulations, making compliance arrangements for the entire life cycle of personal information with reference to the detailed requirements of the relevant national standards.

Back to the topic of this article: what is personal information collection?

Article 3.5 of the "Personal Information Security Specification", Article 5.1 of the "Guidelines for Personal Information Notice and Consent", and Article 41 of the "Cybersecurity Law" all address the collection of personal information. Here we look only at Article 3.5 of the Personal Information Security Specification; readers can consult the other provisions themselves.

Article 3.5 of the "Personal Information Security Specification" defines personal information collection as the act of obtaining control over personal information, including direct collection and indirect collection. Direct collection covers information the personal information subject actively provides, information generated while interacting with the subject, and records of the subject's behavior; indirect collection covers obtaining personal information indirectly through sharing, transfer, or the collection of public information.

Below, I discuss the legality of personal information collection from six aspects: legality, necessity, consent of the data subject, exceptions to consent, privacy policy optimization, and requirements for indirect acquisition of personal information.

1. Legality

Article 5.1 of the "Personal Information Security Specification" sets out the legality requirements for collecting personal information; in practice they can be used as a checklist:

1. Personal information must not be collected through fraud, deception, or misleading means

Users must not be misled into agreeing to the collection of personal information, or into granting collection permissions, through fraud, deception or other improper means, such as deliberately misrepresenting or concealing the real purpose of the collection.

In actual implementation, technical testing can determine whether misleading behavior exists. For the case where an app claims to collect information only for function A but actually uses it for function B, packet-capture testing can be supplemented by interviewing the developers: if function B clearly needs personal information to work, yet no collection for it is declared, where does that personal information come from?

2. The function of collecting personal information in products or services should not be concealed

First, the words "etc." and "such as" are not permitted in the privacy policy; this is a regulatory requirement. In other words, business functions must be comprehensively sorted out rather than papered over with "etc." and "such as" out of laziness, so as to avoid claiming that information is collected only for function A while actually using it for function B.

In actual supervision, packet-capture tests reveal all the clues. Regulators test the same way and then publicly report non-compliant apps and require rectification. Besides regulators, customers with stricter compliance requirements will also conduct due-diligence audits.

3. Personal information should not be obtained from illegal channels

This refers to obtaining personal information of unknown provenance through illegal channels such as the black market. Legitimate companies generally do not do this.

Note that, beyond not obtaining personal information from illegal channels such as the black market, you should also carry out the necessary due diligence on partners who share or license personal information to you: where their data comes from, whether users have authorized it, and the scope of that authorization, so as to avoid joint and several legal liability.

2. Necessity

According to Article 4 of the "Methods for Determination of App Violations of Laws and Regulations" and Evaluation Item 7 of the "App Self-Assessment Guidelines", the necessity requirements for personal information collection that must be met in practice include:

1. The type of personal information collected or the permission to collect personal information opened should be necessary for existing business functions or have reasonable application scenarios

The types of personal information collected, and the collection permissions that may be requested, must not be unrelated to the application scenarios of existing business functions; excessive collection and excessive permission requests are not allowed.

Typical problems in practice generally include:

1) Excessive collection of the user's address book, text messages, call records, etc., or requiring ID numbers, faces, fingerprints, etc. as a precondition for opening and using the app.
2) Inducing users with points, rewards, etc. to hand over ID numbers, faces, fingerprints and similar information.
3) Requesting address book, location, SMS, camera and similar permissions in advance, before the user uses the related function or service.

Note that "existing business functions" means the functions currently offered, not new functions that are under development or planned.

2. Do not refuse to provide business functions because users do not agree to collect non-essential personal information or open non-essential permissions

In practice, many apps force users to agree to unnecessary collection or to grant unnecessary permissions by refusing, in disguised form, to provide business functions. The most typical case is an app that, while running, requests permissions unrelated to the current service scenario and, when the user refuses, simply exits or closes.

This usually happens because developers take a one-size-fits-all shortcut to compliance requirements out of laziness. The remedy is to explain the compliance requirements to the product and development teams so that the product moves toward compliance.

3. When a new business function requests personal information beyond the scope of the user's original consent and the user declines, the original business function must not be refused, unless the new function replaces the original one

In practice it is very common for an app update to add new functions. Avoid applying the same one-size-fits-all model to the new functions' requests, where declining them makes the whole app unusable. The solution is the same as above: explain the compliance requirements to the product and development teams so that the product becomes compliant.

4. The frequency of collecting personal information shall not exceed the actual needs of business functions

A typical problem is collecting location information or the IMEI, or reading contacts, text messages, pictures, etc., on a fixed schedule. Under normal circumstances, if the company has a business need for this, there is no major problem, because there is no standard for what counts as frequent. What we need to focus on is the case where business functions do not need these data at all, yet they are collected frequently.

5. Do not force users to agree to collect personal information just for the sake of improving service quality, enhancing user experience, pushing information in a targeted manner, developing new products, etc.

As noted earlier, personal information collected must correspond to a business function. In practice an app can therefore tie the purposes of improving service quality, enhancing user experience, targeted push and new product development to other business functions, so that each type of personal information used corresponds to a specific business function.

6. Do not require the user to agree at one time to enabling multiple permissions that collect personal information, refusing use if the user declines

There is a special case for bundled permission requests. Before Android 6.0, an app declared all its permissions up front and could only be installed once the user accepted them at install time. From Android 6.0 onward, Google introduced runtime permissions: the app requests a permission at the moment the corresponding function is used, rather than obtaining the whole bundle before installation. Most apps on the market still support versions before Android 6.0, where this is a force majeure factor.

For Android 6.0 and later, however, bundled requests are our own responsibility. In practice, compliance can be judged with a simple test. During that test, also check that a user's refusal only affects the business functions related to the personal information refused, that it does not affect the normal use of other business functions, and that no individual service is refused on the grounds that the user declined a bundled authorization.

7. Do not continue to frequently ask for permissions or disturb users after the user explicitly refuses

In practice, after a user has explicitly rejected a permission request, many apps still pop up repeatedly to request address book, location, SMS, camera and similar permissions unrelated to the current service scenario, seriously affecting the user experience. The Ministry of Industry and Information Technology and provincial regulators have repeatedly reported apps with this problem.

This kind of problem can be found with a simple test, so a compliance test should be done before the app goes live.

3. Consent of the data subject

Regarding the consent of the data subject, an analysis of Article 41 of the "Cybersecurity Law" yields the following specific requirements:

1. Do not start collecting personal information or open the permission to collect personal information before obtaining the user's consent

Common problems in practice: while running, the app has no step that explicitly informs the user and asks for consent, yet collects personal information such as the IMEI, device MAC address and address book; or there is such a step, but collection of personal information begins before the user consents.

In actual supervision, packet-capture tests can detect whether personal information is sent to the server before user consent is obtained. Developers can then be required to fix the non-compliant points.

2. After the user expressly expresses their disapproval, they shall not collect personal information or open the permission to collect personal information

In practice there are many cases where an app still collects personal information, or enables collection permissions, after the user has expressed disapproval. Network operators should respect the user's wishes and, after disapproval, neither collect personal information nor turn on permissions that can collect it.

In addition, after the user explicitly refuses a request to collect personal information or to enable a collection permission, the refusal should only affect the business functions related to that personal information or permission, and must not affect the user's normal use of other business functions.

3. The actual collected personal information or the opened permission to collect personal information should be consistent with the collection rules declared and agreed by the user

The role of the privacy policy is not only to inform users and obtain their consent, but also to restrict the collection of personal information by network operators themselves. After users know and agree to the privacy policy, they will form reasonable expectations for network operators in collecting and processing personal information.

In practice, first understand the actual business and optimize the privacy policy until it is compliant, then judge whether the app matches it through technical testing. For behavior that does not conform to the privacy policy, work with product, development and other staff on compliance improvements.
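As an added example that is not part of the original article, the Python script below shows the packet-capture check described in this section and in section 3.1 in a form that runs offline: it scans a proxy export for device identifiers and address-book uploads, then compares each hit against the moment the user tapped "Agree" and against the types the privacy policy declares. The capture records, the consent timestamp, the declared types and every identifier value are constructed for illustration (the IMEI is the well-known documentation example and the MAC is a locally administered address); in a real test the records come from a proxy such as mitmproxy and the consent time from the tester's log.

```python
import re

# Constructed sample: a proxy export reduced to (seconds since test start, URL, body).
# Values are made up for illustration; they are not real device identifiers.
CONSENT_AT = 100.0  # when the tester tapped "Agree" on the privacy policy dialog

CAPTURE = [
    {"t": 95.2, "url": "https://api.example-app.test/init?imei=490154203237518&os=android",
     "body": ""},
    {"t": 96.0, "url": "https://stats.example-app.test/report",
     "body": '{"mac":"02:00:00:a1:b2:c3","android_id":"9774d56d682e549c"}'},
    {"t": 101.5, "url": "https://api.example-app.test/login",
     "body": '{"phone":"13812345678","pwd":"***"}'},
    {"t": 120.0, "url": "https://api.example-app.test/contacts/upload",
     "body": '{"contacts":[{"name":"A","phone":"13987654321"}]}'},
]

# Personal-information types the (constructed) privacy policy declares. Here the
# login function declares only the phone number.
DECLARED = {"phone"}

# Detectors for identifiers commonly seen in app traffic. Patterns with a group
# report the group; the others report the whole match.
PATTERNS = {
    "imei": re.compile(r"(?<!\d)\d{15}(?!\d)"),
    "mac": re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I),
    "android_id": re.compile(r'"android_id"\s*:\s*"([0-9a-f]{16})"', re.I),
    "phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),  # mainland China mobile number
    "contact_list": re.compile(r'"contacts"\s*:\s*\['),  # an address-book upload
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; an IMEI carries a Luhn check digit, which weeds out random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Map identifier type -> set of values found in the text."""
    found = {}
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "imei" and not luhn_ok(value):
                continue
            found.setdefault(kind, set()).add(value)
    return found


def audit(capture, consent_at, declared):
    """Return (issue, identifier_type, url) for every request that sends personal
    information before consent, or sends a type the privacy policy never declared."""
    findings = []
    for req in capture:
        for kind in find_identifiers(req["url"] + "\n" + req["body"]):
            if req["t"] < consent_at:
                findings.append(("BEFORE_CONSENT", kind, req["url"]))
            elif kind not in declared:
                findings.append(("UNDECLARED", kind, req["url"]))
    return findings


if __name__ == "__main__":
    for issue, kind, url in audit(CAPTURE, CONSENT_AT, DECLARED):
        print(f"{issue:15} {kind:13} {url}")
```

A request that legitimately carries a declared type after consent (the login request above) produces no finding. The Luhn filter on IMEIs and the lookarounds on the phone pattern keep timestamps and other digit runs from being reported. An identifier the script does not know about is invisible to it, so add detectors for whatever the app under test actually transmits (OAID, serial number, and so on), and decode or decrypt encoded bodies before scanning.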

4. It is not allowed to solicit user consent in non-express ways such as choosing to agree to the personal information protection policy by default

Common non-compliant patterns on the market include consent checked by default and "registration means consent". Most apps reported by regulators fall into this category.

The compliant approach is for the user to take an affirmative action on their own initiative: actively ticking a box, actively clicking, actively filling in or entering information, actively enabling a switch, actively signing, and so on. Compliance can be established with a simple test.

5. Do not change the status of permissions that can collect personal information without the user's consent, for example by automatically resetting user-configured permissions to the default state when the app is updated

When an app uses an update or similar means to quietly change the user's permission settings without consent, the change is hard to notice unless the permission status is checked deliberately. In actual testing, verify manually whether any permissions have changed after updating the app.

An app must obtain the user's consent before invoking a permission that collects personal information. It must not change the user's permission settings without consent, and must not use a system update to change the original system permission settings.
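The update check above can be automated rather than eyeballed in Settings. As an added example that is not part of the original article, the Python script below parses the `runtime permissions:` section of `adb shell dumpsys package <package>` output snapshotted before and after an update and reports every permission whose granted state changed, in particular any that became granted without a user action. The two dump excerpts are constructed for illustration in the line shape dumpsys prints (`name: granted=true|false, flags=[...]`, an assumption about the format for the Android versions being tested); on a real device redirect the command's output to files before and after `adb install -r` and feed those in.

```python
import re

# Constructed excerpts in the shape of `adb shell dumpsys package <pkg>` output,
# snapshotted before and after installing the app update. Not real device output.
BEFORE = """\
  Package [com.example.app] (1a2b3c):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_DENIED]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
    User 0: installed=true hidden=false
"""

AFTER = """\
  Package [com.example.app] (4d5e6f):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ ]
    User 0: installed=true hidden=false
"""

PERM_LINE = re.compile(r"^(\S+):\s+granted=(true|false)")


def runtime_permissions(dump: str) -> dict:
    """Return {permission: granted} for the 'runtime permissions:' block only,
    ignoring install-time (normal) permissions, which need no user consent."""
    perms, section_indent = {}, None
    for line in dump.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "runtime permissions:":
            section_indent = indent
            continue
        if section_indent is None:
            continue
        if indent <= section_indent:  # back at the enclosing level: block is over
            section_indent = None
            continue
        m = PERM_LINE.match(stripped)
        if m:
            perms[m.group(1)] = m.group(2) == "true"
    return perms


def permission_changes(before: str, after: str) -> list:
    """List (permission, granted_before, granted_after) for every difference;
    granted_before is None for permissions that did not exist before the update."""
    old, new = runtime_permissions(before), runtime_permissions(after)
    changes = []
    for perm in sorted(set(old) | set(new)):
        if old.get(perm) != new.get(perm):
            changes.append((perm, old.get(perm), new.get(perm)))
    return changes


def silently_granted(before: str, after: str) -> list:
    """Permissions granted after the update that were denied or absent before it.
    Each one must be matched to a user action in the test log, or it is a finding."""
    return [p for p, was, now in permission_changes(before, after) if now and not was]


if __name__ == "__main__":
    for perm, was, now in permission_changes(BEFORE, AFTER):
        print(f"{perm}: {was} -> {now}")
    print("needs explanation:", silently_granted(BEFORE, AFTER))
```

A permission that the update newly requests should appear as `granted=false` until the user acts on a runtime dialog, so a new entry that is already granted, or a previously denied one that flipped to granted, is exactly the behavior this section prohibits. Grants the tester made deliberately during the session will also show up; keep a log of those so the diff can be reconciled against real user actions.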

6. Special requirements for collecting personal biometric information

Article 5.4 of the "Personal Information Security Specification" stipulates that before collecting personal biometric information, the personal information subject must be informed separately of the purpose, method and scope of collection and use of the biometric information, as well as storage practices and other rules, and the subject's express consent must be obtained.

In practice, three main points should be focused on:

1) Notification method: separate notification;
2) Notification content: the purpose, method and scope of collection and use of personal biometric information, as well as storage practices and other rules;
3) Consent method: express consent.

4. Exceptions to Obtaining the Consent of the Collected Person

Regarding the exceptions to obtaining the subject's consent, let's look at what Article 5.6 of the Personal Information Security Specification stipulates:

a) Related to the personal information controller's fulfillment of obligations stipulated by laws and regulations;

Example: the state requires taxes to be paid, and collecting personal information for tax payment does not require your consent.

b) Directly related to national security and national defense security;

Example: none; this is beyond my experience.

c) Directly related to public security, public health, or major public interests;

Example: during the COVID-19 period, collecting personal information to trace the movement of people did not require your consent.

d) Directly related to criminal investigation, prosecution, trial, or execution of judgments;

Example: when you break the law and the public security organ collects personal information while investigating you, your consent is not required.

e) Necessary to safeguard the life, property or other major legitimate rights and interests of the personal information subject or other individuals, where obtaining the person's authorization and consent is difficult;

Example: a doctor treating you while you are in a coma needs to collect your biometric personal information without your consent.

f) The personal information involved has been disclosed to the public by the personal information subject;

Example: personal information you posted yourself.

g) Necessary for signing and performing a contract at the request of the personal information subject;

Example: collecting the personal information required to perform the obligations of a contract you entered into does not require your consent.

h) The personal information is collected from legally disclosed information;

Example: collecting personal information from lawful news reports, government disclosures and similar channels.

i) Necessary to maintain the safe and stable operation of the products or services provided;

Example: discovering and handling product or service failures.

j) The personal information controller is a news unit and the processing is necessary for lawful news reporting;

Example: none for news units.

k) The personal information controller is an academic research institution, the processing is necessary for statistical or academic research in the public interest, and personal information contained in any results or descriptions provided externally is de-identified.

Example: none for research institutes.

5. Privacy policy optimization

Some background first. The privacy policy as we know it was popularized mainly by the EU's GDPR. At the time China had no corresponding law, so to keep business compliance uniform most multinational companies used privacy policies in their Chinese business as well. The "Personal Information Security Specification" now calls this document a personal information protection policy, but because the name "privacy policy" has been used for so long, we still refer to it as the privacy policy today.

Enterprises should design privacy policies in line with their own basic conditions and the characteristics of the industry they operate in, and cannot apply them mechanically.

First, users must be clearly told how the company collects, uses and protects personal information; second, users must be clearly told, in easy-to-understand terms, the types of data collected and the purposes of use, and their explicit consent must be obtained before the related data operations; third, channels must be provided for users to delete data and cancel accounts, the sharing and publication of user data must be spelled out, and personal privacy must be protected; finally, users must be clearly told the channels for inquiries and complaints in case of disputes, and the dispute resolution mechanism.

In addition, enterprises should also actively explore innovative ways of displaying privacy clauses, for example, using pop-up notifications for privacy clauses, instant reminders for sensitive information collection, etc.

The role of the privacy policy is twofold:

1) Explain to the subject of personal information the relevant rules for the collection and processing of personal information by network operators, ensure the effective realization of the right to know personal information, and at the same time constrain the behavior of network operators themselves;

2) An important basis for the network operator to obtain the personal information subject's authorization. Once the subject has consented, it serves as an important mechanism for cooperating with supervision and management, and as important evidence of authorization that can reduce or exempt liability.

According to domestic laws and regulations, the specific requirements of the privacy policy are as follows:

1. The privacy policy should meet the requirements of independence and legibility

In practice, the privacy policy should be published in a separate written form, rather than existing as part of user agreements, user instructions, and other documents.

At the same time, the privacy policy should be easy to access: after entering the app's main interface, the user should reach it within 4 clicks, and the link should be prominent and unobstructed. There must be no invalid privacy policy link and no text that fails to display.

In addition, the privacy policy should be easy to read, not one uniform, undifferentiated block of text. Text that is too small or dense, too light in color, blurred, or lengthy and cumbersome makes it hard to read and should be avoided.

2. The privacy policy should clearly explain the various business functions and the types of personal information collected

1) Expressly indicate the business functions that collect personal information and the types of personal information collected by each business function

In the privacy policy, the business functions that collect personal information, and the types of personal information each collects, should be listed one by one. The words "etc." and "such as" should not be used, whether out of laziness in sorting things out or to leave room for additional collection. I will not say more about this.

2) Significantly identify the type of personal sensitive information

In the privacy policy, the types of personal sensitive information should be additionally marked (for example in bold, underlined, or in color). Note that marking all collected personal information indiscriminately is not acceptable, and neither is leaving the collected personal sensitive information unmarked.

3. The privacy policy should clearly state the personal information processing rules and the protection of user rights and interests

1) The basic situation of the company's operating entity should be explained

The basic information of the operating entity should at least include its identity and contact details. The contact details can be a dedicated email address, a customer service phone number, etc.

2) The method of personal information storage and overdue processing shall be explained

The following information about personal information should be stated in the privacy policy: 1) storage location, if it is outside the country, which country or region outside the country should be stated; 2) storage period, a clear storage period should be stated, or the shortest period within the scope of the law; 3) Overdue processing methods, such as deletion or anonymization.

3) The rules for the use of personal information should be explained

The privacy policy should clearly state the purpose, method, scope, etc. of collecting and using personal information. If personal information is used for user portraits, personalized display, etc., it should explain its application scenarios and possible impact on users.

4) The export of personal information should be explained

If personal information is exported abroad, the types of personal information to be exported should be listed item by item and prominently marked, such as bold font, underline, color, etc.

5) Personal information security protection measures and capabilities should be explained

The privacy policy should explain the measures and capabilities of network operators in terms of personal information protection, such as identity authentication, data encryption, access control, security auditing, etc.

6) The rules for external sharing, transfer, and public disclosure of personal information should be explained

If personal information is shared externally, transferred, or publicly disclosed, the privacy policy should state: 1) the purpose of the sharing, transfer, or public disclosure; 2) the types of personal information involved; 4) the respective security and legal responsibilities.

Note that when describing third parties, overly broad expressions such as "provided to a third party" should be avoided.

7) The user rights protection mechanism should be explained

The following user operation methods should be clearly explained in the privacy policy: 1) Personal information query; 2) Personal information correction; 3) Personal information deletion; 4) User account cancellation; 5) Withdrawal of the consented authorization.

It should be noted that these methods should be convenient for users to operate and can effectively guarantee the effective realization of users' rights, so as to avoid the situation of a dead letter.

8) The user complaint channel and feedback mechanism should be explained

The privacy policy should provide at least one of the following complaint channels: 1) email; 2) telephone; 3) fax; 4) online customer service; 5) online form. In practice, fax and online forms are rarely used.

9) It should be time-sensitive

The date of publication, effective date or update date of the privacy policy should be clearly marked. By general practice, this date appears at the beginning or end of the privacy policy.

10) Privacy Policy Update

Generally, when there are changes in business functions, changes in the export of personal information, changes in the purpose of use, changes in contact information, etc., the privacy policy must be updated. After the privacy policy is updated, the user can be reminded to read it again through a pop-up window, and the user's re-authorization can be obtained through the user's manual click to confirm, manual check, etc.

4. Unreasonable clauses such as exemption from liability should not be set in the privacy policy

The privacy policy must not contain clauses that exempt the operator from liability, aggravate the user's responsibilities, or exclude the user's main rights, for example a clause under which the user must "take full responsibility".

Exemption from liability here means the operator exempts itself from mandatory legal obligations it should bear under the law; aggravating the user's responsibilities means the operator requires the user to bear responsibility or losses beyond the obligations stipulated by law; excluding the user's main rights means removing the main rights the user should enjoy under the law or by the nature of the contract.

6. Requirements for indirect acquisition of personal information

When obtaining personal information indirectly, carry out limited due diligence, because you do not know where the data your partner shares or licenses to you came from.

In practice, limited due diligence includes:

1) Require the personal information provider to explain in writing the source of the personal information and the scope of the authorization and consent obtained for its processing, and to provide the authorization text, such as its privacy policy;

2) Require the provider to sign a letter of commitment, or include special clauses in the cooperation agreement, committing that it complies with laws and regulations, has obtained user consent for the acquisition, and has the right to provide the personal information;

3) Conduct the necessary online searches on the provider, covering lawsuits, administrative penalties, regulatory notices, news reports, user complaints and the like relating to personal information;

4) Keep monitoring the provider's data compliance, for example by regularly checking its personal information authorization text and other user authorizations.

If the provider is found to be non-compliant, it should be required to correct the problem within a time limit or, depending on the severity of the violation, the cooperation should be terminated.

Origin blog.csdn.net/u010671061/article/details/132268911