Network Information Office: Apps must appoint a "data security responsible person"


At 0:00 on May 28, the State Internet Information Office issued a notice seeking public comment on the "Data Security Management Approach (Draft)". A Beijing News reporter who reviewed the draft found that it is divided into chapters on general provisions, data collection, data processing and use, data security supervision and management, and supplementary provisions, and contains forty provisions in total. The draft sets out clear rules on issues that often involve privacy, including the collection of personal information, web crawling, targeted advertising push, excessive permission requests by apps, and difficulty cancelling accounts.

Apps may not collect personal information through default authorization

A Beijing News reporter noted that in the draft's data collection chapter, the Network Information Office first emphasizes that an app must state clear rules for how the product collects and uses information. An app must not, on grounds such as improving service quality, improving user experience, targeted information push, or developing new products, use default authorization, feature bundling or other forms to coerce or mislead personal information subjects into consenting to the collection of their personal information.

In this regard, Jiang Qiping, Secretary-General of the ××× Information Research Center, believes that giving consumers the initiative and the choice in information collection is a matter of principle for information services. Coercive or misleading conduct for the purpose of collecting information is definitely not allowed.

It is noteworthy that, to make the responsibility of apps clear, the draft's second chapter specifically requires that the rules of use contain "the name and contact information of the person responsible for data security." Under Article 17 of the draft, network operators that collect important data or sensitive personal information for business purposes should designate a person responsible for data security. It also provides that "the person responsible for data security shall be a person with relevant management experience and data security expertise, shall take part in important decisions relating to data activities, and shall report directly to the main person in charge of the network operator."

It is understood that many large companies already have a similar role. For example, 360 has set up a chief privacy officer, and Tencent has set up a dedicated data privacy department. The draft's provisions mean that the post of "data security responsible person" will be extended to every business or app that collects important data or sensitive personal information for business purposes, and that the responsible person's name and contact details must be made public.

In addition, Article XVI of the draft provides that network operators that use automated means to access a site and collect data shall not impede the normal operation of the site. Where such behavior seriously affects the operation of the site, for example when automated access and collection traffic exceeds one-third of the site's daily traffic, and the site asks for the automated access and collection to stop, it should be stopped.

The provision is directed at the popular "web crawler" technology. A Beijing News reporter learned that many websites have already taken limiting measures to cope with web crawlers, but limits on "web crawler" technology at the regulatory level are the first of their kind.

A Beijing News reporter found that the draft also makes provisions on collecting information from minors, such as Article XII: "to collect the personal information of minors under the age of 14, parental consent should be sought."

Information should be deleted promptly after a user cancels their account

Currently, apps have a problem of "difficult account cancellation". In June 2018, a Beijing News reporter examined 35 popular apps and found that 21 had no cancellation option, and that those that could be cancelled imposed harsh conditions; for example, cancelling a micro-blog account requires meeting seven conditions.

For this "difficult cancellation" situation, the draft makes special provisions in Article XX and the article that follows it. Network operators shall not retain personal information beyond the retention period stated in their collection and use rules, and shall promptly delete a user's personal information after the user cancels the account. When network operators receive requests to query, correct or delete personal information or to cancel an account, they should query, correct, delete or cancel the account within a reasonable time and at a reasonable cost.

In addition, Article 31 stipulates how data is to be handled when the party behind an app goes bankrupt: "Where a network operator undergoes merger, reorganization or bankruptcy, the party that takes over the data shall assume the data security responsibilities and obligations. Where no party takes over the data, the data shall be deleted. Where laws and administrative regulations provide otherwise, those provisions shall prevail."

"Highlighting protection of the 'right to be forgotten' is a bright spot of the draft," said Zuo Xiaodong of the China Information Security Research Institute. Taking online shopping as an example, he said that when a consumer asks a shopping site to delete the relevant information after a transaction is completed, such a reasonable demand should be met.

In addition, the draft for the first time proposes regulatory requirements for the use of intelligent algorithms in targeted push technology and for aggregation driven by artificial intelligence technology.

Article 23 of the draft provides that network operators that use user data and algorithms to push news, commercial advertisements and the like should clearly mark them with the words "targeted push" and provide users with a function to stop receiving targeted push information. When a user chooses to stop receiving targeted push information, the operator should stop pushing and delete the device identification codes and other user data and personal information already collected.

Article 24 states that network operators that use big data and artificial intelligence technology to automatically synthesize news, blogs, posts, comments and other information should clearly mark it with the word "synthetic", and shall not automatically synthesize information for the purpose of seeking benefits or harming the interests of others.

Insiders told a Beijing News reporter that if this provision is finalized and implemented, it may affect a number of apps whose primary mechanism is algorithmic recommendation.

WeChat may bear responsibility when an applet leaks data

In addition, the draft also sets rules on data accountability for platforms and for the third-party applications that access them.

Currently, the most widely used form of third-party platform access is undoubtedly the WeChat "applet". A Beijing News reporter found that, compared with the current provisions on app privacy agreements, applets are "subordinate" to the WeChat platform, so the requirements and rules for their privacy protection are vaguer.

On 3 January 2019, the Tencent team told a Beijing News reporter that the service data an applet entity obtains through user authorization is stored on the entity's own servers, and that WeChat already requires developers, through the relevant service agreements and platform rules, to protect user privacy. "For example, for privacy data that a service scenario requires users to authorize, we ask developers to prompt the user with 'authorize the use of information' in the applet's front-end interface, and users can revoke the relevant authorization themselves under 'Settings' on the applet's home page."

Article 30 of the draft states that network operators should make data security requirements and responsibilities clear to third-party applications that access their platforms, and should urge and supervise the operators of those third-party applications to strengthen data security management. Where a data security incident in a third-party application causes damage to users, the network operator should bear part or all of the responsibility, unless the network operator can prove that it was not at fault.

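This means that when a third-party application in a WeChat applet suffers an information leak, WeChat may also have to bear some responsibility. In this regard, Zuo Xiaodong said that the platform and the third-party application need to bear the relevant responsibility jointly, which can push network operators to strengthen the protection of users' personal information security.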


Origin blog.51cto.com/14306961/2403641