26 November 2021
1. Introduction
In the era of the digital economy, obtaining user information via applications, utilizing big data to save operating costs, analyzing users’ history, and watching for market dynamics have clearly become the main development strategy of most retailers today. However, while many applications provide users with convenience, they’ve also become a source of harmful behavior. For example, issues arise when applications engage in big data enabled price discrimination, extreme targeted marketing, excessive collection of personal information, and compulsive and excessive requests to access personal information of data subjects and infringe individual privacy rights.[2]
2. The Personal Information Protection Law (“PIPL”) that went into effect on November 1, 2021, clarifies the large Internet operators’ obligation to protect personal information, restricts the excessive collection of personal information, and prohibits big data enabled price discrimination.
Before the PIPL became effective on November 1, 2021, businesses using applications to gather users’ personal information illicitly were mainly governed by the “Civil Code” and “The People’s Republic of China’s Cybersecurity Law.”[3] The PIPL clarifies the rights of Internet platform users and strengthens the obligations of large internet operators to protect personal information. For example, it requires Internet platform service providers to inform and obtain the separate consent of the data subjects when processing sensitive personal information or transferring personal information in general. Moreover, it prohibits excessive collection of personal information, unreasonable discrimination through automated decision-making, including using big data to engage in price discrimination. The following will explain the details of the aforementioned regulations under the PIPL, and the other laws and regulations that applications and internet operators should pay special attention to under the PIPL.
3. The PIPL heightens large Internet operator’s obligations to protect personal information
Considering the Internet platform’s transnational nature in collecting personal information and its broad user reach, Article 58 of the PIPL requires personal information processors that provide critical internet platform services, have a large number of users, and have complex business models to: (1) establish an independent body that mainly consists of outside members to supervise personal information protection in accordance with the laws; (2) formulate platform rules that clarify the personal information processing standards and the obligation of the platform’s goods or service providers to protect personal information; (3) cease service provision for those in severe violation of laws or regulations; and (4) regularly issue personal information protection social responsibility report. Although currently the definitions for “critical internet platform services,” “very large number of users,” and “complex business structures” requires further clarification by the central authority, it can be inferred from its legislative purpose that this provision is targeting large businesses of substantial scale, especially industry giants. Moreover, scholars have pointed out that, considering the internet and information data industry’s booming trend, even an operator having a little numbers of users may be regarded as “very large” in a relatively small market.[4]
4. The PIPL’s regulations on automated decision-making and prohibitions on “Big Data to Kill Familiar”
Article 73 of the PIPL defines automated decision-making as “the act of decision making through computer programs’ automatic analysis to assess individual behaviors, interests, financial status, health status, or credit situation.” As such, almost every information delivery and marketing service involving automated algorithmic technology could constitute forms of automated decision-making under the PIPL.
Relevant regulations on personal information processors using automated decision-making under the PIPL include:
(1) Automated decision-making using personal information shall be transparent in its policy and produce fair and just results. Personal information processors shall not unreasonably discriminate in its pricing or other transactional conditions.
(2) Information delivery and marketing practices involving automated decision-making shall simultaneously provide the option not targeting an individual’s characteristics, or provide the individual with a convenient method to reject the information.
(3) In cases where decisions made through automated decision-making have a great impact on a data subject’s rights and interests, he/she has the right to request explanations from the personal information processor and reject the personal information processor making the decision by using the automated decision-making only.
According to the above rules, applications and internet operators are prohibited from using big data in an abusive manner and engaging in the behavior of “Big data to kill familiar”[5] between new and old users for an identical product. Moreover, when an application or internet operator delivers product recommendation by using data analysis based on users’ browsing and purchase history, they shall also provide other option not to target an individual’s characteristics, or provide the individual with a convenient method to decline the recommendation (e.g., provide a “close” button to remove the recommendation) in accordance with the PIPL, otherwise the application or internet operator may be subject to violation liability under the PIPL.
5. Other noteworthy legal compliance issues under the PIPL
(1) The PIPL prohibits excessive collection of personal information:As for the issue of excessive personal information gathering, Articles 5 and 6 of the PIPL expressly stipulates that personal information shall be processed as per the principles of legality, propriety, necessity and good faith with a clear and reasonable purpose, and the information processing shall be directly relevant to the processing purpose while minimizing as much as possible the scope of the information collected to achieve the processing purpose without excessively collecting personal information. Accordingly, applications and internet operators should adjust its scope, consider whether the content collected is relevant to its purpose when collecting user’s information, and follow the “minimum and necessary” principle. For example, businesses whose applications require users to provide personal information and join membership before taking the order may constitute excessive personal information collection.
(2) The PIPL expressly stipulates that applications and internet operators shall not decline the provision of goods or services for the sole reason of users refusing to accept their terms or privacy policy: According to Article 16 of the PIPL, personal information processors shall not decline their provision of goods and services based on an individual’s refusal of, or withdrawn of his/her consent on, the processing of his/her information, unless such process is necessary for the provision of goods or services. This concept was also previously stated in “Regulations on the scope of necessary personal information for common mobile applications” that “applications operators cannot decline users of their basic services for refusing to provide unnecessary personal information.” Accordingly, the previously common practice where applications and internet operators would require users to accept the company’s “privacy agreement” and all sorts of licensing terms before using the application or platform, and the only option is to “decline and quit” the application or platform where the user declines are in violation of the aforementioned regulations under the PIPL.
(3) The PIPL expressly states that applications and internet platform operators shall set up convenient ways for users to decline or withdraw authorizations, such as a “one-click withdrawal” option:According to Article 15 of the PIPL, individuals who had accepted the processing of their information have the right to withdraw their consent, and the personal information processor shall provide a convenient way to do so. The withdrawal of consent does not cause impact on the previous personal information processing based on the individual’s consent obtained prior to the withdraw. As such, applications and internet platform operators shall provide users with an obvious, convenient, and user-friendly way to withdraw their consent. However, please note that “one-click withdrawal” does not mean account cancelation or cease using the service. If applications or internet platforms require the user to cancel their account to withdraw personal information authorization, it may still violate Article 15 of the PIPL. Moreover, if the authorization to be withdrawn isn’t necessary for the provision of goods or services, the application or internet platform operators shall approve the withdrawal and continue to provide services to the user.
6. Suggestion for applications and internet platform operators
After the PIPL goes into effect, previous common practices adopted by applications and internet operators — including the use of automated decision-making for information delivery, marketing, or price discrimination against different users; forcing users to authorize personal information; or using account cancelation as a prerequisite for authorization withdrawal — may require rectification as the applications and internet operators may be at the risk of violating the PIPL. Therefore, businesses should assess their internal personal information protection system and amend it appropriately per the PIPL to establish a more comprehensive managing system and strengthen employees’ education and training on personal information protection.
For further information, please contact:
Elva Chuang, Lee Tsai & Partners
lawtec@leetsai.com
[1] The authors are intern lawyer and of-counsel at Shanghai Lee, Tsai & Partners. However, the contents of this article merely reflect personal opinions and do not represent the position of this law firm.
[2] The three parties jointly and heavily released the “second quarter Safety Research Report of national mobile app” _ (chuanganwang.cn),website: http://www.chuanganwang.cn/shj/2021/0723/072021_80147.html, (last visited date: November 21, 2021)
[3] On July 4, 2021, the National Internet Information Office has notified the app store to remove the app “Di-Di travel” , because “Di Di travel ” has illegally collected and used personal information according to the relevant provisions of the People’s Republic of China’s Cybersecurity Law.
[4] Deep analysis and comparative interpretation of major industrial impact clauses under the PIPL, website: https://www.163.com/dy/article/GI48JFRG0512D80K.html, (last visited date: November 21, 2021)
[5]The so-called big data to kill familiar is defined as the price discrimination of Internet manufacturers against old users, that is, for the same commodity or service, the price displayed by Internet manufacturers to old users is higher than that of new users, so as to maximize their profits.