Build a legal barrier for the protection of personal information

Mondo Technology Updated on 2024-02-01

Globally, using big data to promote economic development, improve social governance, and improve service and regulatory capabilities has become a trend. Data has been rapidly integrated into production, distribution, circulation, consumption, social service management and other links, profoundly changing people's modes of production, lifestyles and social governance, and becoming a basic factor of production and an important lever for driving innovation.

Challenges in the era of big data

As a basic factor of production, data is non-exclusive, and can be used and shared by different subjects. According to Metcalfe's law, the value of a network is proportional to the square of the number of nodes in the network, and the number of nodes in the network grows linearly, while the connections (network value) that result from the increase in nodes increase exponentially. This shows that the more subjects are connected to the network, the more data can be used by more subjects, the greater the network effect of data, and the greater the social value it can create. This is the underlying reason for the rapid development of the digital economy and data-driven innovation in the era of big data.

On the one hand, the emergence of large models represented by ChatGPT has put forward higher requirements for data, algorithms and computing power, and the application of big data has opened up broad prospects for breakthroughs in general artificial intelligence technology. From the perspective of social governance, the effective collection and utilization of data lays a solid foundation for the modernization of the national governance system and governance capacity, and promotes profound changes in the governance system. The "Opinions of the Communist Party of China** on Building a Data Basic System to Better Play the Role of Data Elements" (hereinafter referred to as the "Opinions") clearly states that "the construction of a data infrastructure system is related to the overall situation of national development and security".

On the other hand, big data is a collection of data with large capacity, multiple types, fast access speed, and high application value, among which the most valuable is personal information. Through the collection, storage and correlation analysis of a large number of disparate and diverse data, new knowledge can be discovered, new value can be created, and personalized services can be provided to users. In the era of big data, as the value and role of data become increasingly prominent, personal information is facing more and more challenges in security protection. A large number of cases at home and abroad show that the illegal collection and abuse of personal information is directly related to the reputation of individuals, the peace of life, and even the safety of life and property. The infringement of personal information is usually characterized by a wide range of infringed objects, a long chain of harm, blurred boundaries of illegal acts, and high costs of rights protection and law enforcement, which makes it more difficult to protect personal information. Massive amounts of personal information form the basis of big data. The infringement of personal information not only infringes on the rights and interests of individuals, but also brings various extended and comprehensive challenges to economic security, social and public interests. If personal information is not effectively protected, it will inevitably shake the foundation of big data. However, if the normal flow and utilization of data is hindered in the name of information security and protection, it will inevitably create fragmented "data islands", which is also not conducive to the realization of individual rights and interests and public interests.

Personal information protection in the era of big data is not only related to network and information security, but also directly constrains the effective use and sharing of data. Handled well, it can achieve a win-win situation; handled badly, we may attend to one at the expense of the other, find it difficult to balance security and development, and even fall into a lose-lose situation, with neither security nor development. Personal information protection in the era of big data is a comprehensive and multiple-choice question. Promoting the use and sharing of data on the basis of effective protection of personal information is an inevitable requirement in the era of big data. The "Opinions" clearly put forward that the basic data system is to be built "on the premise of maintaining national data security, protecting personal information and trade secrets, promoting the compliant and efficient circulation and use of data, and empowering the real economy"; this is the basic guiding principle for personal information protection in the era of big data.

Better play the important role of the rule of law in consolidating the foundation, stabilizing expectations, and benefiting the long-term

When the rule of law is prosperous, the country is prosperous, and when the rule of law is strong, the country is strong. In recent years, in order to effectively protect personal information, China's understanding of the regularity of personal information protection has deepened and its system design has become more and more complete. The "Amendment (VII) to the Criminal Law of the People's Republic of China", "Consumer Rights Protection Law of the People's Republic of China", "Cybersecurity Law of the People's Republic of China", "Civil Code of the People's Republic of China", "Data Security Law of the People's Republic of China", "Personal Information Protection Law of the People's Republic of China" (hereinafter referred to as the "Personal Information Protection Law"), "Law of the People's Republic of China on Countering Telecommunications Network Fraud" and other important legislation have established relevant systems for the protection of personal information. For example, in terms of the basic framework, legislative purpose, scope of application, core concepts, basic principles, exception arrangements, legal liabilities, etc., a series of rules for personal information processing with "notification and consent" as the core have been constructed, and a systematic personal information protection legal system has been established for the first time in China. At the same time, the Personal Information Protection Law fully respects the laws of big data, and while systematically strengthening the protection of personal information, it provides legal and compliant channels for the use and sharing of big data through a variety of system designs.
For example, in addition to the individual consent mechanism, it clarifies other lawful bases for the processing of personal information, providing more legal channels for data processing activities; it introduces mechanisms for de-identification and anonymization of personal information, providing legal safeguards for personal information processors to achieve classified and tiered processing of personal information through management or technical means; it clearly requires the authorities to "formulate special personal information protection rules and standards for small personal information processors, processing sensitive personal information, and new technologies and applications such as facial recognition and artificial intelligence", reducing the data processing compliance costs of start-ups and small enterprises; and in the design of the compliance audit and personal information protection impact assessment system, it gives personal information processors more independent decision-making rights, which not only avoids the negative effects that may be brought about by traditional means such as testing and certification, but also realizes an innovation in management methods that focuses on self-discipline and combines self-discipline with external discipline.

The Personal Information Protection Law of the People's Republic of China will come into force on November 1, 2021.

The establishment of China's personal information protection system and normative system is not easy to come by, reflecting the characteristics of the times and reflecting the laws of the times. To promote the protection of personal information in the era of big data, it is necessary to adhere to the basic principle of comprehensively governing the country according to law, and use the rule of law thinking and methods to promote the effective implementation of various provisions of the personal information protection law. First, it is necessary to improve the ability and level of administrative law enforcement, increase the intensity of law enforcement, and establish the authority of the rule of law through the implementation of law. Second, in the work of administrative law enforcement, it is necessary to grasp the basic laws of the era of big data in the fields where there are legal gaps, improve the initiative of law enforcement and justice, avoid legal formalism and mechanical law enforcement, and realize the unity of legal effect and social effect. Third, it is necessary to strengthen the formulation of legal interpretations and implementation rules, fill in the gaps in the law as soon as possible, clarify the norms of law enforcement behavior, standardize the discretion of law enforcement, improve the predictability of law enforcement, and enhance the confidence of market entities. Fourth, for some existing legal provisions that have proved to be unfavorable to promoting the compliant and efficient circulation and use of data, especially those that hinder interoperability, the legal system that is not suitable for digital development should be adjusted in a timely manner and in accordance with the procedures in accordance with the "Overall Layout Plan for the Construction of Digital China". 
Only by stepping up efforts to promote the enactment, reform, repeal and interpretation of relevant laws (including the formulation of regulations on open public data) can we further clarify the boundaries between data development and utilization and personal information protection, lay a legal foundation for the development and utilization of big data, and in turn better promote the implementation of laws related to personal information protection.

Promote personal information processors to actively perform their legal responsibilities

Personal information processors are the first person responsible for the protection of personal information and have the responsibility to fulfill various legal obligations. In the era of big data, because data can bring huge benefits while the compliance cost of personal information protection is borne by information processors, information processors have strong incentives to use data but lack the same degree of incentive to protect it. As the value of data becomes more and more apparent, the incentives for information processors to use data will become more and more intense, the incentive imbalance will become more prominent, and the challenges encountered in the implementation of the law will also become more and more significant. If the intrinsic law-abiding incentives of information processors cannot be mobilized according to the situation, and various prohibitions or mandatory provisions are simply imposed, the effective implementation of the law may be affected by incompatible incentives, and this may also lead to chain problems such as high enforcement costs, conflict between obligated subjects, poor enforcement results, damage to enforcement authority, campaign-style law enforcement, and selective law enforcement. To this end, it is necessary to learn from the experience of the international community in recent years and the beneficial explorations of leading domestic enterprises, with the goal of cultivating the internal governance mechanism of information processors, embedding personal information protection requirements into the overall information security prevention system, and realizing compatibility between the external requirements of legal norms and the internal needs and incentives of information processors, so as to achieve a win-win result of both protecting the security of personal information and strengthening the security and prevention capabilities of information processors.

First of all, it is necessary to move away from the traditional path dependence on purely technical operation security and system security, adapt to the characteristics of the big data era, establish the concept of data security, regard data as the core asset, establish the basic value of the supremacy of users' personal information, cultivate the understanding that protecting personal information means maintaining core competitiveness, and actively assume the responsibility of personal information protection. Second, information processors are encouraged and urged to improve their internal governance structures in accordance with the requirements of personal information protection, including designating a person in charge of personal information protection who is responsible for supervising personal information processing activities and the protective measures taken, conducting compliance audits and personal information protection impact assessments in accordance with law, and, for information processors that meet the "gatekeeper" standard, establishing an independent body composed of external members to supervise their protection of personal information. The person in charge of personal information protection shall perform their duties independently, enjoy job security, and be directly responsible to the top management of their unit, so that the highest decision-making level can directly intervene in personal information protection issues. Only in this way can personal information protection be integrated with information security management, and security management with business development, at the level of the organizational system.
Third, it is necessary to change the traditional practice of separating compliance from business process design and discussing compliance in isolation, and instead embed personal information protection requirements into products and services from the beginning of business process design, reflecting the concept of privacy by design and compliance by development, so that personal information protection covers the whole process and connects the whole business. Finally, information processors are encouraged to actively adopt scientific and technological means to improve the level of network and data security protection, and to explore ways to better protect personal information in the era of big data through privacy-preserving computing technologies such as secure multi-party computation, federated learning, and trusted execution environments, as well as de-identification and anonymization.

Construct a social co-governance pattern for personal information protection

In the era of big data, the protection of personal information must rely on the joint participation of multiple subjects and the use of a variety of different means to promote the formation of a social co-governance pattern. In order to achieve coordinated development between the use of big data and the protection of personal information, it is necessary to fully mobilize the enthusiasm of information subjects and build a multi-dimensional governance structure among individuals, information processors, and law enforcers. Without the participation of information subjects and the support of a complete governance structure, it is difficult to achieve incentive-compatible results, and the development of big data and the protection of personal information cannot achieve a lasting balance. The Personal Information Protection Law comprehensively stipulates the right to know and the right to decide on the processing of personal information, including the right to access, the right to copy, the right to data portability, the right to correct, the right to delete, the right to explain, and the right to claim litigation, providing a variety of means for individuals to protect their personal information rights and interests, so that individuals can truly participate in the protection of personal information. In practice, it is necessary to mobilize the enthusiasm of individuals to participate in the protection of personal information and form an effective governance structure for different rights and scenarios, from easy to difficult.

China's personal information protection has distinctive system design characteristics that combine public law enforcement and private law enforcement, which not only draws on international experience, but also reflects its own characteristics. China's overall system design emphasizes the combination of "prevention" and "punishment", strengthens publicity and education on personal information protection, and promotes the formation of a good environment for enterprises, relevant social organizations, and the public to participate in personal information protection. In practice, it is necessary to explore effective forms for different mechanisms such as industry self-discipline, social supervision, supervision, public interest litigation, and international cooperation, and multi-party participation to form a joint force of social co-governance. Article 70 of the Personal Information Protection Act stipulates that "where personal information processors process personal information in violation of the provisions of this Law and infringe upon the rights and interests of a large number of individuals, the people's procuratorate, consumer organizations prescribed by law, and organizations designated by the state cyberspace administration may file a lawsuit in the people's court in accordance with law", which provides a legal channel for social organizations to play their role. In particular, the people's procuratorate, as the main body of public interest litigation, has the characteristics of authority, professionalism, uniformity, etc., which can not only make up for the lack of scattered departments performing personal information protection duties to a large extent, but also strengthen the public interest litigation mechanism to form an effective social co-governance pattern.
