Personal information protection

28 Nov 2019 09:30h - 10:30h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

The Open Forum on Personal Information Protection aimed to exchange international experiences and ways of safeguarding users’ right to privacy, and how to strengthen international co-operation. The discussion zoomed in on China’s legislative framework, and on other measures undertaken in the country to promote user rights.

In China, personal protection provisions can be found in the criminal code (Article 110 Right to Privacy), and in standards such as GB/T35273-2017 (Information Technology – Personal Information Security Specification). As Ms Zhang Jiyu (Executive Director of Law and Technology Institute, Renmin University of China) explained, the draft of the personality rights section of the civil code, submitted for a third reading followed by a public consultation, specifies a number of inherent rights such as the right of life, body, health, reputation, and refers to privacy and personal information in chapter 6.

According to Zhang, the personality rights section of the law is aligned with rapid technological development, in which social economy is being increasingly digitalised, and algorithms help shape technical products. The law provides an important measure to guarantee the dignity of personality and decent life of people in the new era. The law also distinguishes between privacy, that is, the private space, activities, and information which individuals would rather not share with others; and personal information through which individuals can be identified.

The underlying development of privacy norms is an important question, Zhang explained: Is the protection of personal information a means to an end, or an end in itself? Is the aim to prevent a violation of personal privacy and other human rights, or to enhance public trust in digital technologies? And how do we balance these with other values?

Turning to more practical aspects, Zhang explained that the current focus is on developing products with privacy by default settings, and machine learning that trains algorithms across multiple decentralised devices or servers that hold local data samples without exchanging key information. Personal data protection can be further safeguarded through a mix of regulatory models and through co-operation among relevant stakeholders to achieve common interests.

While various definitions of personal data exist across multiple regulations all over the world, China’s legislative framework relies on the general rules of civil law, criminal law, cybersecurity law, and on departmental rules. Mr Gu Haiyan (General Counsel of Legal Department, Sina.com Technology) explained that data protection legislation in China includes data security management measures (a draft law is currently available for comments), misuse of mobile applications which collect and use personal information and user behaviour (a draft is open for comments), and provisions which protect children’s personal information.

There are specific perquisites for the commercial use of data. These include: priorities related to national security, sovereignty, and stability; full respect of the informed consent approach when collecting user information; and the provision of detailed explanations on how and where data would be utilised. Since the use of big data is both a source of revenue, and subject to compliance rules, companies need to keep in mind the four stages of data use: data collection, processing, security assessment, and storage.

One example of a company which places privacy at the core of its business operations is the Meituan Dianping e-commerce platform. Representing the platform, Mr Liu Jian explained that the company ensures that customers are in control of their data at the various levels of its collection and processing.

Two other legal frameworks were highlighted. Referring to privacy protection in Europe, Ms Tanja Boehm (Director of Corporate, External, and Legal Affairs, Microsoft Germany) elaborated on the GDPR’s role in protecting personal data by enhancing privacy rights, increasing duty of protection, and imposing mandatory protection mechanism where there is a breach of personal data.

Microsoft’s privacy principles places users at the heart of its mission, by being transparent and compliant with the implemented legislation. The aim is to allow customers worldwide to be more in control of their data, and to ensure they know what is happening with their data. As a human right and as the foundation for trust in Microsoft’s business operations, there is a major focus on scaling efforts to protect personal information.

By Hanane Boujemi