I. Event background
CCTV News reported on July 21, 2020, "It is verified that Didi Global Co., Ltd. has violated the Network Security Law, the Data Security Law and the Personal Information Protection Law. The facts are clear, the evidence is conclusive, the circumstances are serious and the nature is bad", "The State Internet Information Office imposed a fine of 8.026 billion yuan on Didi Global Co., Ltd. and a fine of 1 million yuan on Cheng Wei, chairman and CEO of Didi Global Co., Ltd. and Liu Qing, President of Didi Global Co., Ltd. in accordance with the Network Security Law, Data Security Law, Personal Information Protection Law, Administrative Punishment Law and other laws and regulations."
At the same time, the website lists the illegal behaviors of Didi company, including the following 8 aspects and 16 items:
II. Legal analysis
It can be seen from the foregoing that Didi company has collected a huge amount of user information through its various software. This involves not only personal information collected directly from users, but also extends to information retained on users' mobile phones and to the analysis and inference of users' habits. Where Didi company collects the user's face, phone number, identity, location and other information through in-car monitoring, real-name verification in its software and other means, it may have a legitimate reason and basis. However, analyzing the user's information without clearly informing the user, and even collecting screenshot information, clipboard contents, application lists and other information completely unrelated to the use of its products, is obviously beyond what reasonable use requires, and the means of collecting the information likely do not meet the requirements of the law. The wording used by the regulatory authorities in the punishment is very strict. From the evaluation "serious circumstances, bad nature" it can be seen that Didi company's violations are very serious and cause great social harm that cannot be underestimated.
1. What is personal information
Article 1034 of the Civil Code stipulates: "Personal information is all kinds of information recorded electronically or in other ways that can identify a specific natural person alone or in combination with other information, including the name, date of birth, ID number, biometric information, address, telephone number, e-mail, health information, whereabouts information of a natural person."
Article 4 of the Personal Information Protection Law stipulates: "Personal information is all kinds of information related to identified or identifiable natural persons recorded electronically or in other ways, excluding information after anonymization."
Item (5) of Article 76 of the Network Security Law stipulates: "Personal information refers to all kinds of information recorded electronically or in other ways that can identify the personal identity of a natural person alone or in combination with other information, including but not limited to the name, date of birth, ID number, personal biometric information, address, telephone number, etc. of a natural person."
According to the definitions of "personal information" in these laws, personal information mainly refers to all kinds of information that can identify a specific natural person (ID number, biometric information, name, etc.). That is, personal information is characterized by "identifiability", and it does not include information that can no longer identify a specific natural person after anonymization.
2. Why protect personal information
The situation of personal information protection in China is very serious. The main reasons include: the development of technology makes the dissemination of personal information more convenient and rapid, and makes it difficult to trace the source; enterprises pursue economic interests, excessively collect and process personal information, set standard-form terms, expand the scope of information authorization, and even sell information; people's awareness of personal information protection is weak, for example scanning codes at random and filling in personal information, or throwing away express delivery slips carelessly, which results in information leakage; the ways of collecting information are becoming more and more hidden, for example through smart home devices, and many users are not vigilant; the information collected is becoming more and more sensitive, from ID number, address and mobile phone number to face, relatives and so on; the collected information is difficult to keep safe, and some information collectors neglect to take adequate protective measures, resulting in leakage; and the process of information processing is opaque. In addition, under the influence of COVID-19, all regions have collected personal information more widely for epidemic prevention and control, and have used personal information to control the population. Information protection is becoming more and more important and urgent.
Personal information leakage may lead to serious consequences, such as telecom fraud, malicious marketing, account theft, and even restrictions on personal freedom. The "red code" and "yellow code" events that caused heated discussion some time ago, as well as the earlier incident in which a car brand became a trending search topic for automatically collecting in-car data and uploading it to foreign servers, have led society to watch the topic of personal information protection closely. In addition, the protection of personal information is not only of great significance to individuals, but also has an important impact on national security. For example, the information, habits and conversations of persons with specific identities may involve state secrets and important information, and their disclosure may cause significant adverse effects. Therefore, given that the Civil Code and the Personal Information Protection Law vigorously promote the protection of personal information, it is urgent to take effective measures to strengthen that protection and implement the requirements of the relevant provisions.
3. What is the current situation of personal information protection in China
With the promulgation of a series of relevant regulations such as the Civil Code and the Personal Information Protection Law, China has established and is promoting the construction of a multi-level and diversified personal information protection legal system:
China's normative documents and national standards on personal information protection, from higher-level laws to lower-level rules, have set up a multi-level system of legal norms and arrange the protection of personal information comprehensively, from the macro level to the micro level. Infringement of personal information involves not only civil liability but also administrative liability, and it may constitute a crime and incur criminal liability. It can be seen that China is gradually strengthening the protection of personal information.
Although the state has increased the protection of personal information, is personal information really protected? At present, there is still much room for effort. The case of Didi company is not an isolated one. Many enterprises are doing similar things. Perhaps because the data collected by Didi company is huge and extremely important and sensitive (user information and road data, even involving military secrets), because it went abroad to list (in June 2021, after being interviewed by eight departments for rectification, Didi company still submitted its listing prospectus to the CSRC and completed its listing, and it was rumored that the listing leaked the above-mentioned data), and because there were other situations that might endanger national data security, it became a typical case that had to be handled quickly. Companies other than Didi company also inevitably process personal information in illegal and non-compliant ways. Because access to information is convenient and low in cost, the economic benefits after obtaining it are huge, and information protection measures are imperfect, excessive and illegal collection and disclosure of information are still everywhere. In our daily life we often receive fraud or sales calls from callers who can accurately state our personal information. From this we can see that the road of information protection is not smooth, and there are still many problems and difficulties that need to be solved step by step.
Judging from the punishment of Didi company, the state has made up its mind to vigorously protect network security, data security and personal information security, and to severely punish those who violate laws and regulations. The fine of 8 billion yuan is not a small number, even for a company of Didi's size. Can it sound an alarm to other enterprises with similar behaviors or similar plans? Ignoring national and public interests and blindly pursuing profits will eventually be punished by the law.
From our personal point of view, we should fully recognize the importance of personal information, be more sensitive and vigilant when personal information is collected, pay attention to whether the collection is necessary, reasonable and done with our own consent, and not discard or leave items containing personal information at will. If you find that your personal information has been infringed, you should learn to use legal weapons to protect your rights. When the concept and methods of personal information protection are deeply rooted in people's minds, and when the cost of violating the law is higher than the gain, it is believed that those who illegally collect and process information will inevitably restrain themselves, which will play a good role in personal information protection, network security, data security and even national security.
© Beijing JAVY Law Firm Jing ICP Bei No. 18018264-1