Recently, the “Personal Information Protection Law of the People’s Republic of China” publicity meeting co-hosted by the China Public Relations Association and the China Association of Enterprises with Foreign Investment was held in Beijing.

At the publicity meeting, Hua Qing, director of the Cyber ​​Law Bureau of the National Cyberspace Administration of China, and Yang Heqing, deputy director of the Economic Law Office of the Legal Affairs Commission of the Standing Committee of the National People’s Congress, respectively introduced and interpreted the personal information protection law, and interacted with the company representatives on site. Discuss issues such as the “inform-consent” principle, the use of sensitive personal information, and corporate compliance.

Text / You Yiwei

Recently, the “Personal Information Protection Law of the People’s Republic of China” publicity meeting co-hosted by the China Public Relations Association and the China Association of Enterprises with Foreign Investment was held in Beijing.

At the publicity meeting, Hua Qing, director of the Cyber ​​Law Bureau of the National Cyberspace Administration of China, and Yang Heqing, deputy director of the Economic Law Office of the Legal Affairs Commission of the Standing Committee of the National People’s Congress, respectively introduced and interpreted the personal information protection law, and interacted with the company representatives on site. Discuss issues such as the “inform-consent” principle, the use of sensitive personal information, and corporate compliance.

Companies are advised to conduct a comprehensive assessment of their privacy policies

On August 20, the 30th meeting of the Standing Committee of the 13th National People’s Congress voted to pass the Personal Information Protection Law, which will be implemented on November 1. As my country’s first special legislation on personal information protection, the law is of great significance to further strengthen the supervision and protection of personal information security, and also puts forward more specific requirements for corporate compliance.

In Huaqing’s view, the Personal Information Protection Law pays great attention to balance, not only protecting the rights and interests of personal information, but also promoting the development of the digital economy. “. Regarding corporate compliance, he bluntly stated that the important subjects for fulfilling the personal information protection law are enterprises, platforms and institutions.

As far as big data is concerned, the Personal Information Protection Law stipulates that when personal information processors use personal information to make automated decision-making, they shall ensure the transparency of decision-making and the fairness and impartiality of the results, and shall not impose inequities on individuals in terms of transaction prices and other transaction conditions. Reasonable differential treatment.

“This is not a new provision of the Personal Information Protection Law.” Yang Heqing said that the Consumer Rights Protection Law has clearly stipulated that consumers have the right to fair trade. Whether a company is suspected of implementing unfair trading prices or trading conditions needs to be judged on a case-by-case basis.

Nandu Privacy Guard noticed that Yang Heqing repeatedly emphasized that the Personal Information Protection Law is in line with the relevant provisions of the Cybersecurity Law and the Civil Code, and that the Personal Information Protection Law further systematizes and concretizes the original legal rules. He suggested that companies conduct a comprehensive assessment of their privacy policies, review their management systems, and improve their personal information protection systems.

Enterprises need to implement the “inform-consent” rule in combination with different scenarios

The Personal Information Protection Law establishes the core protection rules of “notify-consent”, which is an important means to protect the right of individuals to know and make decisions about the processing of their personal information.

In addition, for sensitive personal information and some special scenarios, the Personal Information Protection Law also stipulates the protection rules of “single consent”.

Nandu · Privacy Guard noticed that many companies on the scene were very concerned about the above rules, especially the individual consent rules, and asked questions about it.

Yang Heqing said that the consent required by the Personal Information Protection Law must be given by individuals with full knowledge. In practice, companies generally fulfill their obligation of notification through privacy policies, requiring users to click and agree to perform a blanket authorization, which cannot guarantee users’ right to know and decide.

“Considering that handling sensitive personal information, providing information to other processors, and providing personal information across borders has a greater impact on personal information rights and interests, the Personal Information Protection Law requires the individual’s individual consent.” He emphasized.

The Personal Information Protection Law stipulates that personal information processors can process personal information if they meet the conditions necessary to implement human resources management in accordance with legally formulated labor rules and regulations and legally signed collective contracts. In this regard, Yang Heqing said that which situations are necessary for human resource management need to be judged based on specific scenarios, and if sensitive personal information is involved, more caution is required.

“Whether the enterprise is for human resources management or other purposes, it must comply with the principles of legitimacy, rationality, and minimal processing required by the Personal Information Protection Law.” Hua Qing emphasized.

Support relevant institutions to carry out personal information protection assessment and certification work, etc.

As a comprehensive and systematic work, personal information protection requires multiple subjects such as the government, society, enterprises, and citizens to jointly manage, coordinate governance, and have positive interactions.

The Personal Information Protection Law stipulates that the national cybersecurity and informatization department will coordinate and coordinate relevant departments to promote relevant work, including formulating specific rules and standards for personal information protection, targeting small personal information processors, processing sensitive personal information, and new technologies such as face recognition, artificial intelligence, etc. New applications, formulate special personal information protection rules, standards, etc.

At the introduction meeting that day, Huaqing focused on the next work plan.

The first is to actively mobilize forces from all walks of life to effectively promote legal publicity work, coordinate the use of various methods, strengthen the publicity and popularization of legal knowledge related to personal information protection, and create a good social atmosphere for the implementation of the personal information protection law.

The second is to give full play to the responsibility of overall planning and coordination, and constantly improve various supporting regulations. The Cyberspace Administration of China will coordinate and coordinate personal information protection work and related supervision and management work, clarify responsibilities, and build a coordinated and efficient supervision mechanism. For example, promoting personal information protection assessment and certification, promoting the construction of a socialized service system for personal information protection, and supporting relevant institutions to carry out personal information protection assessment and certification work, assessment and certification services, etc.

The third is to effectively implement the supervision and management system and strengthen the punishment of illegal acts. Departments that perform personal information protection duties should insist on giving priority to the protection of personal information rights and interests, properly solve the key and difficult issues of personal information protection that are concerned by the general public and the society, and guide personal information processors to make correct choices when weighing commercial interests and personal rights and interests. At the same time, make good use of the punishment measures, further deepen the crackdown on illegal activities, and seriously deal with illegal enterprises.

The fourth is to comprehensively compact the main responsibilities and promote the stable and long-term development of the industry. As the practitioners and actors of personal information protection, personal information processors must conscientiously implement legal regulations, actively fulfill legal obligations and social responsibilities, and move towards a virtuous circle. Satisfaction the needs of the people.