First legal red line drawn for "crawlers": comments on the draft "Data Security Management Approach"

Economic Observer Online, reporter Ivan Chen. At 0:00 on May 28, the State Internet Information Office issued a draft "Data Security Management Approach" for comment (hereinafter "the draft"). It proposes that the approach apply to the collection, storage, transmission, processing, use and other activities involving data (hereinafter "data activities") carried out using networks within the territory of the People's Republic of China, as well as to data security protection, supervision and management. The draft refines the provisions on personal information protection and, for the first time, gives network behaviours such as "crawlers" a legal definition; it may also become a reference for a future personal information protection law.

Change and Pathfinder

Previously, personal information protection rested mainly on the relevant provisions of the Network Security Law, together with other documents such as the "Information Security Technology: Personal Information Security Norms" and the "Internet Personal Information Security Guide".

In the view of Wang Yu-wei of Beijing Guantao Zhongmao (Shanghai) Law Firm, the draft's provisions on personal information protection are far more detailed than those of the earlier Network Security Law. As a departmental regulation, it will also carry the formal legal effect that the GB personal information security norms lack, and it may become a reference for the future introduction of a personal information protection law.

"This Data Security Management Approach had a very long gestation period; it was not drafted only recently," said Wang Yu-wei. Judging from its content, the original intent of the legislation may be related to earlier incidents abroad such as large-scale data leaks and data abuse.

Before this, although the Network Security Law made corresponding provisions on personal information protection, Deng Xueping, a partner at the Shanghai office of Beijing Heng Law Group, had told Economic Observer Online: "The Network Security Law is still broad-brush, and lacks mechanisms for protecting personal information across the whole process of collection, storage, use and relief."

This "broad-brush" character is not without reason.

Dr. He Yanzhe of the China Electronics Standardization Institute has said that many questions in the field of personal information protection are not yet settled, such as the ownership of personal information and the ways and means of giving consent, and that these are better made clear in a dedicated personal information protection law. At the same time, these very disputes make the legislation itself more difficult.

The draft sets stricter requirements across the whole process of collecting and using personal information than the Network Security Law and the "Information Security Technology: Personal Information Security Norms".

However, Wang Yu-wei feels that although the draft sets strict rules for the collection and use of personal information, the approach is still at the stage of soliciting opinions, so the impact it may ultimately have is hard to assess.

First provisions on crawlers

Notably, Chapter II, Article 16 of the draft provides that network operators who use automated means to access and collect website data must not impede the normal operation of the website. Where such behaviour seriously affects the website's operation, for example where automated access and collection traffic exceeds one third of the website's average daily traffic, the automated collection should stop when the website asks for it to stop.

This is the first provision to address crawlers. But Wang Yu-wei pointed out that the basis on which the "one third of average daily traffic" figure was calculated is debatable.

In Wang Yu-wei's view, the five exceptions on the use of personal information in Chapter III, Article 27 are one of the draft's highlights. Article 27 provides that before providing personal information to others, network operators should assess the security risks this may bring and obtain the consent of the personal information subject.

The following are excepted: (a) the information was collected from legitimate public channels and providing it is not manifestly contrary to the wishes of the personal information subject; (b) the personal information subject disclosed it voluntarily; (c) it has been anonymized; (d) it is necessary for law enforcement agencies to perform their duties according to law; (e) it is necessary for safeguarding national security, the public interest, or the safety of the personal information subject.

But he also pointed out that "for data collection, it should be considered whether some exceptions are needed too." Unfortunately, the approach provides no exceptions for the collection of personal information.

Network operators must provide a clear privacy policy

"We may from time to time share and disclose your personal data and other information to third parties"; "For commercial purposes, we will share, sell or rent your information to others"; "Basically, we are not responsible for anything that may happen." These are privacy policies that the Southern Center for Protection of Personal Information said it had encountered when evaluating 1550 apps.

Some apps state explicitly in their privacy policy: "If you do not agree with the content of this Privacy Policy, the software and services will not run correctly ......"

These issues are explicitly addressed and regulated in the draft.

Chapter II, Article 7 provides that network operators that collect personal information through websites, applications and other products should formulate and publish separate rules for collection and use. Network operators may collect personal information only once the user knows the collection and use rules and has given explicit consent.

Articles 8 and 9 then set out how the collection and use rules are to be written, and state that if the collection and use rules are included in the privacy policy, they should be relatively concentrated and prominently flagged so that they are easy to read. In addition, network operators may collect personal information only once the user knows the collection and use rules and has given explicit consent.

Chapter II, Article 11 provides that network operators may not, on grounds such as improving service quality, improving user experience, targeted pushing of information or developing new products, use default authorization, feature bundling or other forms to coerce or mislead personal information subjects into consenting to the collection of their personal information. Once the personal information subject has consented to the collection of the personal information needed to run the core business functions of a network product, the network operator should provide those core business functions and services to the personal information subject, and may not refuse to provide them because the personal information subject refuses or withdraws consent to the collection of other information.

Statutory persons responsible for data security

In Wang Yu-wei's view, one highlight of the draft is that it clearly defines the scope of the data security responsible person.

Chapter II, Article 8 provides that in the collection and use rules, network operators should give the names and contact information of their principal person in charge and of the data security responsible person.

Chapter II, Articles 17 and 18 state that network operators that collect important data or sensitive personal information for business purposes should clearly designate a data security responsible person.

The data security responsible person is to be someone with relevant management experience and data security expertise, who takes part in important decisions on data activities and reports directly to the network operator's principal person in charge.

Under Article 18, the data security responsible person performs the following duties: (a) organizing the development of a data protection plan and supervising its implementation; (b) organizing data security risk assessments and supervising the rectification of security hazards; (c) reporting data security incidents and their handling to the relevant departments and the network information department as required; (d) receiving and handling customer complaints and reports. Network operators should give the data security responsible person the necessary resources and ensure that they can perform their duties independently.

Balancing artificial intelligence and data protection

Some hold the view that strict data security rules will limit the development of artificial intelligence based on big data.

Take the EU's General Data Protection Regulation (GDPR) as an example. On this view, the GDPR's provisions on "algorithmic fairness" require all companies to explain their automated decision-making algorithms, which means that the deep learning algorithms on which a large number of current AI applications depend no longer comply with the regulation.

How can a balance be found between data protection and the development of artificial intelligence?

"The GDPR protects data privacy very strictly, and big data can no longer be aggregated in the traditional way, which provides an opportunity for upgrading and developing artificial intelligence techniques. Put simply, deep learning used to require aggregating the data in one place; now the data need not leave its local site." On this basis Yang Qiang, an international expert in artificial intelligence, chairman of the International Society for Artificial Intelligence and Chief AI Officer of WeBank, proposed the "federated learning" scheme together with his team.

In short, it is an encrypted, distributed machine learning technique that both protects user privacy and completes model training, thereby widening the range of applications of AI technology. A data partner need not disclose all of its data; it can model jointly with other partners by way of encrypted data and so improve the effect of machine learning.

For example, in healthcare, as smart medicine is promoted, private patient data such as diseases, pathology reports and test results is often scattered across hospitals, clinics and other types of medical institutions in different regions. Federated learning lets institutions collaborate across regions without the data leaving its local site, and a predictive model built through multi-party cooperation can predict cancer, genetic diseases and other difficult diseases more accurately.
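The idea described above, as an added example that is not part of the original article and is not the scheme of Yang Qiang's team: three sites each fit a model on records that never leave them, and send the coordinator only updates hidden by pairwise random masks that cancel in the sum. Pairwise additive masking stands in here for the encrypted exchange the article mentions; the site data, the linear model and all function names are assumptions made for illustration.

```python
import random

M = 2**64      # modulus for masked integer arithmetic
SCALE = 10**6  # fixed-point scale applied to model weights

def local_update(w, data, lr=0.2, epochs=20):
    """Gradient descent on one site's private (x, y) records, model y = w0 + w1*x."""
    w0, w1 = w
    for _ in range(epochs):
        errs = [(w0 + w1 * x - y, x) for x, y in data]
        w0 -= lr * sum(e for e, _ in errs) / len(data)
        w1 -= lr * sum(e * x for e, x in errs) / len(data)
    return [w0, w1]

def encode(v):
    return round(v * SCALE) % M

def decode(n):
    return ((n + M // 2) % M - M // 2) / SCALE  # map back to a signed value

def pairwise_masks(n_sites, dim, rng):
    """Each pair (i, j) shares a random r: i adds it, j subtracts it, so masks sum to 0 mod M."""
    masks = [[0] * dim for _ in range(n_sites)]
    for i in range(n_sites):
        for j in range(i + 1, n_sites):
            for k in range(dim):
                r = rng.randrange(M)
                masks[i][k] = (masks[i][k] + r) % M
                masks[j][k] = (masks[j][k] - r) % M
    return masks

def federated_round(w, sites, rng):
    updates = [local_update(w, d) for d in sites]            # stays on each site
    masks = pairwise_masks(len(sites), len(w), rng)
    masked = [[(encode(u) + m) % M for u, m in zip(up, mk)]  # all that leaves a site
              for up, mk in zip(updates, masks)]
    total = [sum(col) % M for col in zip(*masked)]           # coordinator uses only this sum
    return [decode(t) / len(sites) for t in total], updates, masked

def train(sites, rounds=30, seed=1):
    rng = random.Random(seed)  # seeded for reproducibility; real masks need a CSPRNG
    w = [0.0, 0.0]
    for _ in range(rounds):
        w, updates, masked = federated_round(w, sites, rng)
    return w, updates, masked

# Constructed records for three hypothetical sites, all following y = 1 + 2x
SITES = [[(x, 1 + 2 * x) for x in xs]
         for xs in ([0.0, 0.5, 1.0], [1.5, 2.0], [0.2, 0.8, 1.2, 1.8])]
```

Calling `train(SITES)` returns the jointly trained weights together with the last round's true and masked per-site updates, so the two views can be compared side by side.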

If all medical institutions were to establish a federated learning consortium, human health care might reach a new level.

Reproduced from: https://www.jianshu.com/p/70db430220b7

Origin blog.csdn.net/weixin_34326558/article/details/91269388