Feature Article on China’s Personal Information Protection Law (4) – Impact of Personal Information Protection Law on APP and Internet Operators (Mainland China)


1. introduction

In the era of digital economy, obtaining user insights through apps, using big data to reduce operating costs, analyzing user history and monitoring market dynamics have clearly become the main strategy. development of most retailers today. However, although many apps are convenient for users, they have also become a source of harmful behavior. For example, problems arise when apps engage in big data-facilitated price discrimination, highly targeted marketing, excessive collection of personal information, and compulsive and excessive requests for access to personal information from users. data subjects and violate the privacy rights of individuals.[2]

2. The Personal Information Protection Act (“PIPL”) which came into force on November 1, 2021, clarifies the obligation of large Internet operators to protect personal information, limits the excessive collection of personal information and prohibits the price discrimination based on big data.

Prior to the entry into force of the PIPL on November 1, 2021, companies using applications to illicitly collect users’ personal information were mainly governed by the “Civil Code” and the “Cybersecurity Law of the People’s Republic of China”.[3] The PIPL clarifies the rights of users of Internet platforms and reinforces the obligations of large Internet operators with regard to the protection of personal information. For example, it requires internet platform service providers to inform and obtain separate consent from data subjects when processing sensitive personal information or transferring personal information generally. Furthermore, it prohibits the excessive collection of personal information, unreasonable discrimination through automated decision-making, including the use of big data to engage in price discrimination. The following explains the details of the aforementioned regulations under the PIPL, as well as other laws and regulations to which applications and Internet operators must pay particular attention under the PIPL.

3. The PIPL strengthens the obligations of large Internet operators to protect personal information

Given the transnational nature of the Internet platform in collecting personal information and its wide reach of users, Section 58 of the PIPL requires that processors of personal information who provide critical platform services form the Internet, have a large number of users and have complex business models: (1) establish an independent body composed mainly of external members monitor the protection of personal information in accordance with the laws; (2) formulate platform rules that clarify standards for handling personal information and the obligation of providers of goods or services to the platform to protect personal information; (3) cease the provision of services for persons in serious violation of laws or regulations; and (4) regularly publish a social responsibility report on the protection of personal information. Although currently the definitions of “critical Internet platform services”, “very large number of users” and “complex business structures” require further clarification from the central authority, it can be inferred from its legislative purpose that this provision is aimed at large scale enterprises, especially industrial giants. In addition, the researchers pointed out that, considering the flourishing trend of the Internet industry and information data, even an operator with a small number of users can be considered “very large” in a relatively small market.[4]

4. The PIPL Regulations on Automated Decision Making and the Bans on “Big Data to Kill Familiar”

Article 73 of the PIPL defines automated decision-making as “the act of making decisions by the automatic analysis of computer programs to assess individual behaviors, interests, financial situation, state of health or situation credit”. As such, almost any news delivery and marketing service involving automated algorithmic technology could constitute forms of automated decision-making under the PIPL.

Relevant regulations on processors of personal information using automated decision-making under the PIPL include:

(1) Automated decision-making using personal information must be transparent in its policy and produce fair and equitable results. Personal Information Processors must not unreasonably discriminate in their pricing or other transactional terms.

(2) Information dissemination and marketing practices involving automated decision-making must simultaneously provide the ability not to target an individual’s characteristics or provide the individual with a convenient method to reject the information.

(3) In cases where decisions made by means of automated decision-making have a significant impact on the rights and interests of a data subject, the data subject has the right to request explanations from the data controller. personal information and reject the personal information controller making the decision using automated decision making only.

According to the above rules, applications and Internet operators are prohibited from misusing big data and engaging in the behavior of “Big data to kill familiar”[5] between new and old users for an identical product. Additionally, when an Internet application or operator provides a product recommendation using data analysis based on users’ browsing and purchase history, they must also provide another option to not target product features. an individual, or provide the individual with a convenient method to decline the recommendation (for example, providing a “close” button to remove the recommendation) in accordance with the PIPL, otherwise the application or internet operator may be subject to liability for breach under the PIPL.

5. Other remarkable legal compliance PIPL matters

(1) The PIPL prohibits the excessive collection of personal information:With regard to the issue of excessive collection of personal information, Articles 5 and 6 of the PIPL expressly state that personal information must be treated in accordance with the principles of legality, ownership, necessity and good faith with a clear objective. and reasonable, and that the processing of information must be directly related to the purpose of the processing while minimizing the scope of the information collected as much as possible to achieve the purpose of the processing without excessively collecting personal information. Accordingly, applications and Internet operators should adjust its scope, consider whether the collected content is relevant to its purpose when collecting user information, and follow the principle of “minimum and necessary”. For example, companies whose applications require users to provide personal information and become a member before ordering may constitute an excessive collection of personal information.

(2) The PIPL expressly states that applications and Internet operators must not refuse the provision of goods or services on the sole ground that users refuse to accept their terms or privacy policy: In accordance with Article 16 of the PIPL, processors of personal information must not refuse the supply of goods and services on the basis of an individual’s refusal or withdrawal of consent to the processing of their information, unless this process is necessary for the supply of goods or services. This concept was also previously spelled out in the “Regulations on the Scope of Personal Information Necessary for Common Mobile Applications” according to which “application operators cannot deny users of their basic services for refusing to provide information unnecessary personal. As a result, the previously common practice of apps and internet carriers requiring users to agree to the company’s “privacy agreement” and all sorts of license terms before using the app or platform , and the only option was to “decline and quit” the application or platform where the user is refusing are in violation of the aforementioned regulations under the PIPL.

(3) The PIPL specifically states that operators of internet applications and platforms must implement convenient means for users to deny or withdraw permissions, such as a “one-click opt-out” option:According to Section 15 of the PIPL, individuals who have consented to the processing of their information have the right to withdraw their consent, and the controller of the personal information must provide a convenient means to do so. Withdrawal of consent does not impact any prior processing of personal information based on the individual’s consent obtained prior to withdrawal. As such, operators of internet applications and platforms must provide users with an obvious, convenient and user-friendly way to withdraw their consent. However, please note that “one-click withdrawal” does not mean account cancellation or termination of use of the service. If applications or Internet platforms ask the user to cancel their account to withdraw the authorization of personal information, this may still violate Article 15 of the PIPL. In addition, if the withdrawal authorization is not necessary for the provision of goods or services, the operators of the application or the Internet platform must approve the withdrawal and continue to provide services to the user. .

6. Suggestion for Internet Application and Platform Operators

After the PIPL came into force, previous common practices adopted by applications and Internet operators – including the use of automated decision-making for the dissemination of information, marketing or price discrimination at the against different users; require users to authorize personal information; or use account cancellation as a precondition to withdrawing permission – may require rectification as apps and internet operators risk violating the PIPL. Therefore, companies should assess their internal personal information protection system and modify it appropriately in accordance with the PIPL in order to establish a more comprehensive management system and strengthen information protection education and training for employees. personal.


About Author

Comments are closed.