Data Security Management Measures (Draft) released to add locks to personal data security

An ID number is required to register for any application, the advertisements pushed to you seem to "read your mind", big-data "killing the familiar" cannot be guarded against, and canceling an account is "harder than climbing to the sky".

The National Internet Information Office recently released the "Data Security Management Measures (Draft)" (hereinafter referred to as the "Measures"), which sets requirements for network operators on data collection, processing and use, and on security supervision and management, adding a lock to personal data security.

Why were the Measures introduced? This is obviously closely related to the increasingly serious abuse and leakage of personal information. According to official statistics on 100 commonly used mobile apps, a significant portion of them force users to grant permissions beyond the necessary scope: each app requests an average of 10 permissions related to collecting personal information, while the permissions without which the app cannot be installed or run if the user refuses them average only three.

Big data from the e-commerce consumer dispute mediation platform also shows that in recent years e-commerce platforms such as Tmall, Taobao, Jingdong, Suning.com and Vipshop, as well as lifestyle service platforms such as Dazhong Dianping, Baidu Nuomi and Ctrip, have all experienced incidents of user information leakage. In 2018 alone there were many such incidents, including more than a billion personal records of Yuantong and Shunfeng being sold on the dark web, and the information of millions of 12306 travelers being sold online.

Data protection "has rules to follow"

In the Measures, data activities are defined as "the use of the network to carry out data collection, storage, transmission, processing, use and other activities." "Compared with the already released 'Information Security Technology Personal Information Security Specification' and 'Internet Personal Information Security Protection Guidelines', the Measures, which are likely to be released as departmental regulations in the future, have a higher level of effectiveness, which is both a reflection of the immediate need for data security in the era of big data and is also paving the way for domestic data processing compliance in the 5G market," said Li Min, senior partner of Shanghai Hanson Law Firm.

Wang Yuwei, a partner at Beijing Guantao Zhongmao (Shanghai) Law Firm, also believes that compared with the Cybersecurity Law, this consultation draft is more detailed, and is also expected to provide a reference for future laws on personal information protection.

The "highlights" of the Measures also provide a framework for the protection of personal data. On the one hand, the Measures emphasize the user's right to choose. They explicitly require operators to "develop and make public the rules for the collection and use of personal information", and emphasize that "if the rules for the collection and use of information are included in the privacy policy, they should be relatively concentrated and clearly indicated to facilitate reading". This highlights the importance of the rules for the use of information, so that the personal information subject can exercise the right to choose. In addition, it is specifically stipulated that network operators shall not refuse to provide services for the core business functions of network products on the grounds that the personal information subject has not consented to the collection of information other than "personal information for the operation of core business functions of network products". In other words, when requesting data the network operator cannot go "asking for money".

"This is actually to prevent network service providers from adopting coercive or misleading behavior in order to collect data," said Jiang Qiping, secretary-general of the Informatization Research Center of the Chinese Academy of Social Sciences. He said that the dominant right to collect information and the right to choose must be given to consumers, which is a matter of principle for information services.

On the other hand, the Measures further emphasize the protection of user privacy. They require that "network operators that collect important data or personal sensitive information for business purposes should file with the local cyberspace administration department." According to the "Information Security Technology Personal Information Security Specification", identity card information, telephone numbers, e-mail addresses, browsing records, location information and even personal fingerprints and voiceprints are all personal sensitive information. "By restricting the collection and use of private information through the coercive force of the state, there will also be traces to follow when private information is leaked, so as to achieve data security for personal private information," Li Min said.

Zuo Xiaodong, vice president of the China Institute for Information Security Research, said that only by being able to trace the collector of private information back to its roots can personal data security be protected from the source.

Solutions to address the "pain points"

"The Measures refine the response to the endless network data security problems of recent years; the new data security management provisions can promptly fill the legal loopholes arising from social development, and are forward-looking," Li Min said.

Judging from the specific provisions of the Measures, many of the "pain points" that have been plaguing users are explicitly named. For example, a user has just booked a ticket, and immediately every application starts recommending destination-related information. This kind of "precise advertising" uses the user's browsing history to earn advertising revenue through targeted pushing, which makes many users feel that they have no privacy at all. In this regard, the Measures clearly stipulate that news, information and commercial advertisements pushed using user data and algorithms must be conspicuously marked with the words "targeted push", and that users must be given the option to refuse targeted push information:

"When users choose to stop receiving targeted pushes, they should stop the push and delete the user data and personal information that has been collected, such as device identifiers".

"It will be more difficult for advertisers to collect information about users, but this is also a global trend, and the relevant regulations in each major country are emphasizing the protection of consumers' personal data privacy," said Feng Qi, founder of online advertising platform Marteker.

Another example is the difficulty of canceling accounts and of erasing personal information after an account is canceled. Here the Measures specifically propose to protect the user's "right to be forgotten". The Measures emphasize that "the rules for collection and use should highlight the ways and methods for the personal information subject to withdraw consent and to query, correct and delete personal information." "When network operators receive requests to query, correct or delete personal information, or to cancel a user account, they should query, correct, delete or cancel within a reasonable time and at a reasonable cost."

"Highlighting the protection of the 'right to be forgotten' is also a highlight of the Measures. Being 'forgotten' is a reasonable demand of consumers," Zuo Xiaodong said.

In the view of Dong Yi Zhi, a lawyer at Beijing Yida (Shanghai) Law Firm, the "right to be forgotten" still needs to be further refined: "For example, after the user logs out of the account, how does the network operator deal with the information that has been distributed? Does the user have the right to ask the network operator to delete, or be responsible for, the information that has been distributed?"

In addition, the Measures stipulate that traffic from "web crawler" visits and collection shall not exceed one-third of a website's average daily traffic, restrict discriminatory push behavior such as big-data "killing the familiar", clarify the requirements for the post of the person responsible for data security, and require that the name and contact information of that person be provided. These provisions of the Measures offer solutions to a series of hot issues in personal data protection.

"The natural dominance of the head enterprises in the Internet industry has led to a lack of competition within the industry, and the stickiness established based on users' trust in the platform's services cannot be the backbone for certain platforms to implement differential pricing and repeated trading of data. From this point of view, the Measures put forward new requirements for the compliance of enterprises joining hands to utilize user information within the same industry and across industries," Dong Yi Zhi said.