The use and risk management of big data
The application of the internet in various fields has produced a massive amount of data, such as data from online shopping, online ticket booking, various APPs and so on, which is very valuable to many companies. For example, companies can make better business decisions through big data analysis during early product development and user demand surveys; and in the sales process, companies can obtain “user portraits” through big data analysis and use them to set appropriate pricing, make more precise forecasts, design better promotion plans, etc.
However, how to obtain and use big data lawfully is a hurdle that many companies have encountered or will encounter.
Article 127 of the “Civil Code”, newly implemented at the beginning of this year, provides for the first time that data and network virtual property shall be protected. The “Personal Information Protection Law”, which is implemented in November, stipulates many rules on the collection, use and other processing of big data. A significant one is the rule on “Automatic decision-making” (“ADM”) stipulated in Article 24; and Article 73 stipulates that “ADM” refers to the activity of automatically analyzing and evaluating an individual’s behavioral habits, hobbies, or economic, health or credit status through computer programs, and making decisions on that basis.
First, regarding unfair treatment of different users based on big data analysis (for example, a travel APP was sued because the price shown to VIP members was higher than that shown to new users), Article 24, paragraph 1, stipulates that personal information processors shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable discriminatory treatment on individuals in respect of transaction prices and transaction conditions. Therefore, companies in industries such as online food delivery, online shopping, online car-hailing and online travel should check their own implementation of this requirement.
Second, regarding information pushing and commercial marketing to individuals through “ADM”, Article 24, paragraph 2, stipulates that personal information processors shall at the same time provide options that do not target the individual’s personal characteristics, or provide the individual with a convenient method of rejection. For example, when someone has ordered pizza twice via an ordering APP, the APP should not only push information related to pizza but also push information about other options. In addition, the APP should give the individual an option to reject such information, and the rejection method should be convenient, with clear guidance and simple steps.
Third, regarding decisions made through “ADM” that have a significant impact on an individual’s rights and interests, Article 24, paragraph 3, stipulates that the individual shall have the right to require the personal information processor to give an explanation, and to reject decisions made by the personal information processor solely through “ADM”. However, the criteria for determining what constitutes a significant impact have yet to be clarified. At present, the examples given in the “Information Security Technology—Personal Information Security Specification” (GB/T 35273—2020) can be taken for reference; they include applying “ADM” to personal credit and loan limits, or to the selection of interviewees.
It should be noted that, according to Article 55 of the “Personal Information Protection Law”, a personal information processor shall conduct a personal information protection impact assessment beforehand and keep a record of the processing when personal information is used for “ADM”. In addition, according to GB/T 35273-2020, where a decision made through “ADM” has a significant impact on an individual’s rights and interests, then in addition to the impact assessment the personal information processor shall provide an objection channel for personal information subjects who object to the results of “ADM”, and shall establish a manual review of such objections. Companies are advised to pay attention to these detailed rules when establishing their personal information processing systems.
In practice, some companies may have to embed third-party tools or services (such as code, scripts, interfaces, algorithm models, software development kits, applets, etc.) that collect personal information automatically in their products or services. Compliance management of such situations is very important. According to GB/T 35273-2020, the following measures can be taken for reference: (1) carry out technical testing to ensure that the third party’s collection and use of personal information meets the agreed requirements; and (2) audit the personal information collection behavior of the tools embedded or accessed by third parties, and cut off their access once any behavior deviates from the agreement.
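The two GB/T 35273-2020 measures above (pre-deployment technical testing of a third-party tool against its agreed collection scope, and runtime auditing that cuts the tool off on the first deviation) can be implemented as a small policy gate. The following is an added example, not code from this article or from any particular SDK; the tool names, agreed scopes and collection events are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample: the personal-information categories each third-party
# tool is contractually permitted to collect (hypothetical tool names).
AGREED_SCOPE = {
    "analytics_sdk": {"device_model", "app_version", "session_id"},
    "ads_sdk": {"device_model"},
}


@dataclass
class ThirdPartyCollectionAuditor:
    """Gate that checks observed collection against the agreed scope."""
    agreed_scope: dict
    cut_off: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def technical_test(self, tool, observed_fields):
        """Measure (1): pre-deployment test. Returns the fields collected
        beyond the agreed scope (an empty set means the tool passes)."""
        return set(observed_fields) - self.agreed_scope.get(tool, set())

    def record_event(self, tool, fields):
        """Measure (2): runtime audit of one collection event. Returns True
        if the event is within scope; cuts the tool off on the first violation
        and keeps blocking it afterwards."""
        if tool in self.cut_off:
            self.audit_log.append((tool, "blocked", sorted(fields)))
            return False
        excess = self.technical_test(tool, fields)
        if excess:
            self.cut_off.add(tool)
            self.audit_log.append((tool, "cut_off", sorted(excess)))
            return False
        self.audit_log.append((tool, "ok", sorted(fields)))
        return True


def run_sample():
    """Replay constructed collection events through the auditor."""
    auditor = ThirdPartyCollectionAuditor(AGREED_SCOPE)
    events = [
        ("analytics_sdk", {"device_model", "app_version"}),
        ("ads_sdk", {"device_model", "contact_list"}),   # beyond agreed scope
        ("ads_sdk", {"device_model"}),                   # already cut off
        ("unknown_sdk", {"location"}),                   # no agreement at all
    ]
    results = [auditor.record_event(tool, fields) for tool, fields in events]
    return auditor, results


if __name__ == "__main__":
    auditor, results = run_sample()
    for entry in auditor.audit_log:
        print(*entry)
```

A tool with no agreed scope at all is treated as out of scope for everything it collects, which is the conservative reading of measure (2).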