In the big data era, online platforms process a large amount of personal information. After the promulgation of the Personal Information Protection Law (PIPL), new types of disputes are set to emerge between online platforms and their users. This article focuses on online platforms’ obligations to protect personal information, in order to reduce the occurrence of these disputes.
PIPL SCOPE OF PROTECTION
Aiming to protect the personal information interests of citizens at the institutional level, the PIPL sets out relevant provisions to regulate personnel in charge of processing personal information. According to article 4 of the PIPL: “Personal information refers to various information related to identified or identifiable natural persons recorded electronically or by other means, and does not include anonymised information.”
In terms of the type of technical processing, information, if “anonymised”, cannot be used to identify specific natural persons, nor can it be recovered; but “de-identified” information refers to information that can be used to identify or associate with the information subject with the help of additional information. Anonymised information is not personal information, but de-identified information is. Personal information discussed in this article refers to non-anonymised information. If online platforms have used anonymised information, it does not fall under the jurisdiction of the PIPL.
WHERE ONLINE PLATFORMS STAND
According to the PIPL, online platforms are personal information processors and therefore shall be responsible for the processing of personal information, and ensure their security. Online platforms are service providers serving users within the context of the internet environment and using internet information technology. Users interact or transact by relying on the convenience provided by the online platforms, but they do not substantively become involved in the activities.
As online platforms process a significant amount of personal information during the provision of services, they should:
- Establish internal management rules to regulate staff procedures in handling user information, as well as their access to such information;
- Adopt security measures, such as encryption and de-identification, for the classification and management of users’ personal information;
- Regularly conduct compliance reviews, risk control assessments and other works of internal control; and
- Take immediate remedial measures against any potential or existing leakage, tampering or loss of users’ personal information, and mitigate any potential damage to users to the greatest extent.
REGULATING ONLINE PLATFORMS
According to the PIPL, online platforms are mainly supervised by the public and the national cyberspace administrative authorities. Article 58 of the PIPL provides that: “Personal information handlers providing important internet platform services, that have a large number of users, and whose business models are complex shall fulfil the following obligations: … (4) Regularly release personal information protection social responsibility reports, and accept society’s supervision.”
Accordingly, online platforms should regularly publish reports accessible to the public regarding the above-mentioned obligations and be subject to public supervision. The national cyberspace administrative authorities are responsible for co-ordinating the supervision and management of personal information protection, which manifests as:
- Investigating and handling incidents of leakage of user information;
- Regularly organising external evaluation and investigation for online platforms;
- Formulating specific rules and standards for personal information protection; and
- Supporting research on developing, promoting and applying secure and easy-to-use technologies for the management of electronic personal information.
The PIPL makes reference to a person in charge of personal information protection, who is mainly responsible for supervising the processing of personal information and the measures taken to protect personal information. The EU’s General Data Protection Regulation (GDPR) features a similar role called the “data protection officer”, but it differs from the person in charge in key areas. The officer’s main responsibility is to report the compliance issues of, and potential risks to, the protection of personal information to corporate management. The person in charge is mainly responsible for supervising the personal information processing methods and protection measures adopted by the online platforms. The officer, however, is more inclined to provide the management team with guiding opinions on the personal information protection work of the online platforms. The appointment of the officer will help online platforms establish a sound personal information protection mechanism, as its duties will complement those of the person in charge and also comply with the obligations of online platforms.
The PIPL has been promulgated at a time when information is increasingly becoming a core resource in national and individual competition, and with the development of the internet economy, the protection of user personal information by online platforms has become a heated topic.
As direct processors of users’ personal information, online platforms should begin improving their internal user information management systems, set up a regular internal review mechanism for risk control, and abide by supervision from society and competent government authorities.
In addition, they may create a role similar to the data protection officer under the GDPR, one that timely reports to management on potential risks arising from the processing of users’ personal information, so as to prevent any damage to the information. As the supervisory authority of personal information protection, the Cyberspace Administration of China is expected to formulate specific rules and standards for personal information protection in accordance with the PIPL.
Wang Xiaoxin is a senior counsel at the BAC/BIAC. Yao Qingyuan also contributed to the article